Re: [gentoo-user] ssh defaults to coming in as user "root"?
On 2020.07.10 19:08, Walter Dnes wrote:
> I've done the preliminary setup on my laptop install, and copied the package names I wanted into the world file. With dependencies thrown in, the laptop is now compiling 268 ebuilds of various sizes.
>
> One thing I noticed while setting up. I ssh in from my desktop PC to the Thinkpad laptop (named "thimk") to set things up. The default seems to be to come in to the root account, unless I override. User "waltdnes" on my desktop does not default to coming in as user "waltdnes" on my laptop. I have to specify a non-root user. See below.
>
> [i660][waltdnes][~] ssh thimk
> [thimk][root][~]
>
> [i660][waltdnes][~] ssh waltdnes@thimk
> [thimk][waltdnes][~]
>
> Is this a recent change?

Have you tried ssh -v, or even multiple -v's? What versions? I've got openssh-8.3_p1-r2, and haven't seen any such issues.

I do have a problem where ssh from my laptop (artix linux) to my desktop (Gentoo) almost immediately closes the connection, but if I ssh from laptop to a different laptop or desktop, and then to the Gentoo desktop, it works fine. If it annoys me enough, I'll eventually post it here as a new issue.

I'd also check UID's not just names, just in case, although I can't think why it would matter.

Is there anything strange in ssh.config or sshd.config on either side? You might compare sshd.config on the two boxes.
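The behaviour in this thread (a plain `ssh thimk` landing in root's account) is exactly what a stray `User root` in an earlier or wildcard `Host` block of the client's ssh_config produces, because the OpenSSH client keeps the first value it obtains for each keyword and only falls back to the local login name when no block sets `User`. The following is an added example, not code from the thread or from OpenSSH: it resolves `User` for a destination the way the client does, and reports which stanza supplied it. The config text, host names and the hypothetical `HostName` are constructed; `Match` blocks are deliberately not modelled.

```python
"""Work out which login name the OpenSSH client will send for a host, given
an ssh_config: options are read top to bottom and the FIRST value obtained
for each keyword wins, so a 'User' in an earlier (or wildcard) Host block
beats later blocks, and the local login name is only the fallback.
Added example, not from the thread; the config text is constructed."""
from fnmatch import fnmatchcase

SAMPLE_CONFIG = """\
# constructed ~/.ssh/config
Host thimk
    HostName thimk.lan.example

# a leftover wildcard block: matches 'thimk' too, and sets User first
Host th*
    User root

Host *
    User waltdnes
    IdentitiesOnly yes
"""


def host_block_matches(patterns, host):
    """OpenSSH 'Host' semantics: whitespace-separated glob patterns; a
    matching '!pattern' vetoes the block, otherwise any match selects it."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatchcase(host, p) for p in patterns if not p.startswith("!"))


def resolve(config_text, host, cli_options=None):
    """Return ({keyword: value}, {keyword: source}) for `host`.
    cli_options stand for command-line settings (ssh -l, user@host, -o),
    which outrank every config file, so they are applied first.
    'Match' blocks are not modelled here (treated as non-matching)."""
    values = {k.lower(): v for k, v in (cli_options or {}).items()}
    sources = {k: "command line" for k in values}
    block, active = "(top level)", True
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        parts = text.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            block = f"Host {value} (line {lineno})"
            active = host_block_matches(value.split(), host)
        elif keyword == "match":
            block, active = f"Match {value} (line {lineno})", False
        elif active and keyword not in values:   # first obtained value wins
            values[keyword], sources[keyword] = value, block
    return values, sources


def effective_user(config_text, host, local_login, cli_options=None):
    """Login name ssh will send for `host`, and where it came from."""
    values, sources = resolve(config_text, host, cli_options)
    if "user" in values:
        return values["user"], sources["user"]
    return local_login, "local login name (no User set)"


if __name__ == "__main__":
    for target in ("thimk", "desktop"):
        user, source = effective_user(SAMPLE_CONFIG, target, "waltdnes")
        print(f"ssh {target} -> user {user!r} from {source}")
```

The real client reads `~/.ssh/config` before `/etc/ssh/ssh_config`, so feed both files concatenated in that order to model the full precedence; `ssh -G thimk` prints the values the installed client actually resolves, which is the quickest way to confirm where an unexpected `user root` is coming from.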
Re: [gentoo-user] Configure sshd to listen on specific interfaces?
On 27/08/2020 14:40, Grant Edwards wrote:
> I do _not_ want it to listen on 0.0.0.0.
>
> I want it to listen on 127.0.0.1 and on whatever IP addresses are
> assigned to two specified interfaces.

As far as I'm aware, I don't think OpenSSH allows for listening on a specific interface. You can, however, work around this in a rather unusual way via ip/nftables and DNAT.

You will need to enable IP[v6] forwarding via sysctl (or sysctl.conf):

net.ipv4.ip_forward=1
net.ipv4.conf.<IFACE>.route_localnet=1

The latter option is critical as, by default, the kernel will not allow you to route to 127.0.0.0/8 as a security precaution.

iptables
[1] iptables -t nat -A PREROUTING -i <IFACE> -p tcp --dport 22 -j DNAT --to-destination 127.0.0.1:22
[2] ip6tables -t nat -A PREROUTING -i <IFACE> -p tcp --dport 22 -j DNAT --to-destination [::1]:22

nftables (json-like)
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "<IFACE>" tcp dport 22 dnat ip to 127.0.0.1:22
        iif "<IFACE>" tcp dport 22 dnat ip6 to [::1]:22
    }
}

nftables (cmdline)
[1] nft add table inet nat
[2] nft add chain inet nat prerouting { type nat hook prerouting priority dstnat\; }
[3] nft add rule inet nat prerouting iif <IFACE> tcp dport 22 dnat ip to 127.0.0.1:22
[4] nft add rule inet nat prerouting iif <IFACE> tcp dport 22 dnat ip6 to [::1]:22

As always, 1-2 are not required if you already have a relevant table/chain. Adjust as needed for multiple IFACEs.

- V
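Whichever route is taken (the DNAT redirect above, or `ListenAddress` lines in sshd_config, which bind to addresses rather than interfaces), the check a defender wants afterwards is what sshd is actually bound to, since a wildcard bind on `0.0.0.0` or `[::]` is what the original poster wanted to avoid. The following is an added example, not code from the thread: it parses `ss -tlnpH` style rows and reports wildcard listeners and any sshd bind outside an allow list. The `ss` rows, addresses and pids are constructed.

```python
"""Audit which addresses sshd actually listens on, from `ss -tlnpH` output,
and flag wildcard binds (0.0.0.0 / [::] / *) or anything outside an allow
list. Added example, not from the thread; the rows below are constructed
in the shape `ss -tlnpH` prints, with made-up addresses and pids."""
import re

SAMPLE_SS = """\
LISTEN 0 128    0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0 128       [::]:22             [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=640,fd=7))
LISTEN 0 128 192.0.2.10:22         0.0.0.0:*    users:(("sshd",pid=900,fd=3))
LISTEN 0 128 [fe80::1%eth0]:22        [::]:*    users:(("sshd",pid=900,fd=5))
"""

WILDCARD = {"0.0.0.0", "::", "*"}
PROCESS = re.compile(r'\(\("([^"]+)"')   # users:(("sshd",pid=...)) -> sshd


def parse_listener(line):
    """One `ss` row -> {addr, port, process}, or None for a non-LISTEN row.
    Handles 0.0.0.0:22, [::]:22, *:22 and scoped IPv6 ([fe80::1%eth0]:22)."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]    # drop brackets and scope id
    m = PROCESS.search(line)                     # absent without -p / root
    return {"addr": addr, "port": int(port), "process": m.group(1) if m else None}


def listeners(ss_output, process=None, port=None):
    """All LISTEN rows, optionally filtered by process name and/or port."""
    found = []
    for line in ss_output.splitlines():
        entry = parse_listener(line)
        if entry is None:
            continue
        if process is not None and entry["process"] != process:
            continue
        if port is not None and entry["port"] != port:
            continue
        found.append(entry)
    return found


def wildcard_listeners(ss_output, port=22):
    """Addresses on `port` that mean 'every interface'."""
    return sorted(e["addr"] for e in listeners(ss_output, port=port)
                  if e["addr"] in WILDCARD)


def unexpected_listeners(ss_output, allowed, process="sshd", port=22):
    """Addresses the daemon is bound to that are not in the allow list."""
    bound = {e["addr"] for e in listeners(ss_output, process, port)}
    return sorted(bound - set(allowed))


if __name__ == "__main__":
    print("wildcard binds on :22 ->", wildcard_listeners(SAMPLE_SS))
    print("sshd outside allow list ->",
          unexpected_listeners(SAMPLE_SS, {"127.0.0.1", "::1", "192.0.2.10"}))
```

Run it against live data with `ss -tlnpH` (the `users:` column only appears when `ss` can see the owning process, typically as root); `sshd -T` prints the effective `listenaddress` values for comparison with what the socket table shows.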
Re: [gentoo-user] ssh key type ed25519
On Saturday, 21 November 2020 15:22:03 GMT n952162 wrote:
> I tried to ssh to another machine and got a failing man-in-the-middle
> warning.

When keys have changed at the remote end and the new key is not listed in ~/.ssh/known_hosts, you will get a warning whether you want to accept the key and continue connecting or not. This is the moment, or ideally in advance of this moment, you contact the remote system's sysadmin to find out what the fingerprint of the new key might be.

> The fingerprint given to check didn't match that of the target host. On
> closer inspection, the entries in known_hosts are *ecdsa-sha2-nistp256*
> and the offending key was of type *ed25519*, as reported by the client.
>
> These are both gentoo machines, relatively recently updated.

Therefore this update seems to have generated new keys and set ed25519 as the default.

> Everything on the net talks about how to generate key files of the
> appropriate type, but I don't want to generate a key file.
>
> Apparently, this is a gentoo configuration issue. USE flags of openssh
> on both machines are the same.
>
> There are two news items related to ssh, but neither seems relevant.
>
> Has there been a changed system-wide determination of the key type and
> what would be the best way to make them consistent across all machines?

Take a look in /etc/ssh and/or ~/.ssh/ for the config files to set preferences for ssh client and sshd server either generically or per remote host. However, you'll need to be reviewing and adjusting these regularly, because ciphers and algos become deprecated when vulnerabilities are discovered.
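The reply's advice is to compare the presented fingerprint with what the remote admin reports; the inventory that makes that comparison quick is which key types known_hosts already holds for each host and the SHA256 fingerprint of each stored key (the same form `ssh-keygen -lf` prints: unpadded base64 of SHA-256 over the key blob). The following is an added example, not code from the thread or from OpenSSH: a known_hosts parser that handles comma-separated host lists, `[host]:port` forms, hashed `|1|` entries and `@revoked`/`@cert-authority` markers. The known_hosts text is constructed from dummy key material with valid wire framing, not real keys.

```python
"""Inventory ~/.ssh/known_hosts: which hosts have which host-key types, and
the SHA256 fingerprint of each stored key in the form `ssh-keygen -lf`
prints, so a stored key can be compared with what a remote admin reports.
Added example, not from the thread; the known_hosts text is constructed
from dummy key material (valid wire framing, not real keys)."""
import base64
import hashlib
import struct


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def dummy_blob(keytype, seed):
    """Constructed key blob: starts with the type-name string like a real
    blob, followed by filler bytes standing in for the key material."""
    return ssh_string(keytype.encode()) + ssh_string(bytes([seed]) * 32)


def b64(b):
    return base64.b64encode(b).decode()


SAMPLE_KNOWN_HOSTS = "\n".join([
    "thimk,192.0.2.20 ecdsa-sha2-nistp256 " + b64(dummy_blob("ecdsa-sha2-nistp256", 1)),
    "thimk ssh-ed25519 " + b64(dummy_blob("ssh-ed25519", 2)),
    "[gw.example.internal]:2222 ssh-rsa " + b64(dummy_blob("ssh-rsa", 3)),
    "|1|" + b64(b"salt" * 5) + "|" + b64(b"hmac" * 5) + " ssh-ed25519 " + b64(dummy_blob("ssh-ed25519", 4)),
    "@revoked thimk ssh-rsa " + b64(dummy_blob("ssh-rsa", 5)) + " old key, rotated",
    "# comment line",
    "",
])


def fingerprint_sha256(blob):
    """OpenSSH's SHA256 fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """One dict per entry: line, marker, hashed, hosts, keytype, fingerprint
    (or line + error for lines sshd/ssh could not use)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            entries.append({"line": lineno, "error": "malformed entry"})
            continue
        hosts, keytype, encoded = fields[0], fields[1], fields[2]
        try:
            blob = base64.b64decode(encoded, validate=True)
        except ValueError:
            entries.append({"line": lineno, "error": "key is not valid base64"})
            continue
        hashed = hosts.startswith("|1|")     # HashKnownHosts entries hide names
        entries.append({"line": lineno, "marker": marker, "hashed": hashed,
                        "hosts": [] if hashed else hosts.split(","),
                        "keytype": keytype, "fingerprint": fingerprint_sha256(blob)})
    return entries


def key_types_by_host(text):
    """{host: sorted key types} over plain (unhashed, unrevoked) entries."""
    table = {}
    for e in parse_known_hosts(text):
        if e.get("error") or e["hashed"] or e["marker"] == "@revoked":
            continue
        for host in e["hosts"]:
            table.setdefault(host, set()).add(e["keytype"])
    return {host: sorted(types) for host, types in table.items()}


def hosts_missing_type(text, keytype="ssh-ed25519"):
    """Hosts for which no key of `keytype` is stored yet."""
    return sorted(h for h, types in key_types_by_host(text).items() if keytype not in types)


def fingerprints_for(text, host):
    """{keytype: SHA256 fingerprint} of the usable keys stored for `host`."""
    return {e["keytype"]: e["fingerprint"] for e in parse_known_hosts(text)
            if not e.get("error") and host in e["hosts"] and e["marker"] != "@revoked"}


if __name__ == "__main__":
    print(key_types_by_host(SAMPLE_KNOWN_HOSTS))
    print("no ed25519 entry yet:", hosts_missing_type(SAMPLE_KNOWN_HOSTS))
    print("thimk:", fingerprints_for(SAMPLE_KNOWN_HOSTS, "thimk"))
```

Hashed entries cannot be listed by name, which is why the inventory skips them; `ssh-keygen -F host` is the supported way to look one of those up. A mismatch between the fingerprint this reports and what the remote admin states out of band is the case the warning exists for, so resolve it before accepting the new key.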
[gentoo-user] Re: ssh from linux to Windows
On 2024-01-08, the...@sys-concept.com wrote:
> On 1/6/24 20:09, the...@sys-concept.com wrote:
>> I installed openssh server on Windows 11 and tried to ssh to it
>> using the id_rsa.pub key
>> but I didn't have luck. I copied the key to .ssh\authorized_keys file.
>> On linux the last line ending with "\" on Windows Notepad replaces
>> it with the "+" sign.
>>
>> ssh with password is working but windows doesn't recognize the
>> public key or maybe it is wrong directory C:\Users\Garry
>> Server\.ssh\authorized_keys
>
> Trying to run: "ssh -vv" I get:
>
> debug1: Authenticating to 10.0.0.130:22 as 'Glen Server'
> debug1: load_hostkeys: fopen /home/joseph/.ssh/known_hosts2: No such
> file or directory
>
> Where is it taking the : "known_hosts2" in home directory .ssh/ I only
> have file "known_hosts"
> In /etc/ssh/sshd_config (computer ssh is initiated from) I can not
> find any reference to "known_hosts2"
>
> Nor, windows \ProgramData\ssh\sshd_config contain any reference to
> "known_hosts2"

I think the file to check would be ssh_config on the client side, not sshd_config. But it's possible it's not mentioned there either, as it seems to be part of the default at least in some systems, see for example
https://serverfault.com/questions/1091575/why-does-ssh-think-i-still-have-a-known-hosts2-file

This is just the usual approach of a user-specific file not existing unless it is created. I'd say you can just ignore this message and focus on the verbose messages about the authentication mechanisms.

-- 
Nuno Silva
Re: [gentoo-user] Re: ssh from linux to Windows
On 1/8/24 01:41, Nuno Silva wrote:
> On 2024-01-08, the...@sys-concept.com wrote:
>> On 1/6/24 20:09, the...@sys-concept.com wrote:
>>> I installed openssh server on Windows 11 and tried to ssh to it using the id_rsa.pub key but I didn't have luck. I copied the key to .ssh\authorized_keys file. On linux the last line ending with "\" on Windows Notepad replaces it with the "+" sign.
>>>
>>> ssh with password is working but windows doesn't recognize the public key or maybe it is wrong directory C:\Users\Garry Server\.ssh\authorized_keys
>>
>> Trying to run: "ssh -vv" I get:
>>
>> debug1: Authenticating to 10.0.0.130:22 as 'Glen Server'
>> debug1: load_hostkeys: fopen /home/joseph/.ssh/known_hosts2: No such file or directory
>>
>> Where is it taking the : "known_hosts2" in home directory .ssh/ I only have file "known_hosts"
>> In /etc/ssh/sshd_config (computer ssh is initiated from) I can not find any reference to "known_hosts2"
>>
>> Nor, windows \ProgramData\ssh\sshd_config contain any reference to "known_hosts2"
>
> I think the file to check would be ssh_config on the client side, not sshd_config. But it's possible it's not mentioned there either, as it seems to be part of the default at least in some systems, see for example

The ssh_config on the client side is default, never changed anything in it.

> https://serverfault.com/questions/1091575/why-does-ssh-think-i-still-have-a-known-hosts2-file
>
> This is just the usual approach of a user-specific file not existing unless it is created. I'd say you can just ignore this message and focus on the verbose messages about the authentication mechanisms.

In the link above the suggested fix for "...fix $HOME/.ssh/known_hosts2: No such file or directory" is to add "UserKnownHostsFile ~/.ssh/known_hosts". I tried to add it to sshd_config but ssh wouldn't even start.

The above error message just might be the noise; linux to linux all connections work, it is just linux to windows that is not working.
Re: [gentoo-user] ssh from linux to Windows
looking for known_hosts2 (and also /etc/ssh/ssh_known_hosts and /etc/ssh/ssh_known_hosts2) also happens on my machines, both a debian install and my gentoo machine; the files not being present does not prevent the ssh connection from working though. So this is probably not the issue. Judging from comments [1] it appears to be an undocumented legacy feature.

[1] https://github.com/search?q=repo%3Aopenssh%2Fopenssh-portable+known_hosts2=commits

On 08.01.24 01:32, the...@sys-concept.com wrote:
> On 1/6/24 20:09, the...@sys-concept.com wrote:
>> I installed openssh server on Windows 11 and tried to ssh to it using the id_rsa.pub key but I didn't have luck. I copied the key to .ssh\authorized_keys file. On linux the last line ending with "\" on Windows Notepad replaces it with the "+" sign.
>>
>> ssh with password is working but windows doesn't recognize the public key or maybe it is wrong directory C:\Users\Garry Server\.ssh\authorized_keys
>
> Trying to run: "ssh -vv" I get:
>
> debug1: Authenticating to 10.0.0.130:22 as 'Glen Server'
> debug1: load_hostkeys: fopen /home/joseph/.ssh/known_hosts2: No such file or directory
>
> Where is it taking the : "known_hosts2" in home directory .ssh/ I only have file "known_hosts"
> In /etc/ssh/sshd_config (computer ssh is initiated from) I can not find any reference to "known_hosts2"
>
> Nor, windows \ProgramData\ssh\sshd_config contain any reference to "known_hosts2"
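The three messages above agree that the known_hosts2 line is noise; what remains is a key that was copied into an authorized_keys file through Windows Notepad and is then silently ignored, so the login falls back to the password. The checks a defender runs on that file are mechanical: CRLF line endings and a UTF-8 byte-order mark (both typical after editing on Windows), a key line that got wrapped or truncated (no recognised key type, or base64 that no longer decodes), and a declared key type that disagrees with the type name inside the key blob. The following is an added example, not code from the thread or from OpenSSH, implementing those checks; the authorized_keys contents are constructed with valid wire framing and dummy key material, not real keys.

```python
"""Validate an authorized_keys file the way a defender triaging "key auth
silently falls back to password" would: flag CRLF endings, a UTF-8 BOM,
wrapped/truncated lines, undecodable base64, and a declared key type that
disagrees with the type name inside the blob. Added example, not from the
thread; key blobs are constructed (valid framing, dummy material)."""
import base64
import binascii
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
BOM = b"\xef\xbb\xbf"


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def dummy_blob(keytype, material):
    """Constructed blob: real blobs also begin with the type-name string."""
    return ssh_string(keytype.encode()) + ssh_string(material)


ED = base64.b64encode(dummy_blob("ssh-ed25519", bytes(range(32)))).decode()
RSA = base64.b64encode(dummy_blob("ssh-rsa", b"\x01\x00\x01")).decode()

SAMPLE = (
    "ssh-ed25519 " + ED + " joseph@desktop\n"
    "ssh-rsa " + RSA + " joseph@laptop\r\n"                            # CRLF
    "ssh-ed25519 " + ED[:30] + "\n" + ED[30:] + " joseph@wrapped\n"    # wrapped key
    'from="192.0.2.0/24",no-pty ssh-ed25519 ' + ED + " restricted\n"   # options
    "ssh-rsa " + ED + " mislabelled\n"                                  # type mismatch
).encode()
SAMPLE_BOM = BOM + ("ssh-ed25519 " + ED + " joseph@desktop\n").encode()


def split_fields(line):
    """Whitespace split that keeps quoted option values (command="a b") intact."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def check_line(lineno, raw):
    """Return (problems, key): key is None when sshd could not use the line."""
    problems = []
    if lineno == 1 and raw.startswith(BOM):
        problems.append("UTF-8 byte-order mark at start of file")
        raw = raw[len(BOM):]
    if raw.endswith(b"\r"):
        problems.append("CRLF line ending")
        raw = raw[:-1]
    try:
        line = raw.decode("utf-8").strip()
    except UnicodeDecodeError:
        return problems + ["not valid UTF-8"], None
    if not line or line.startswith("#"):
        return problems, None
    fields = split_fields(line)
    rest = fields if fields[0] in KEY_TYPES else fields[1:]   # leading options?
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        return problems + ["no recognised key type (line wrapped, truncated or edited?)"], None
    keytype, encoded = rest[0], rest[1]
    try:
        blob = base64.b64decode(encoded, validate=True)
    except binascii.Error:
        return problems + ["key data is not valid base64 (line wrapped or edited?)"], None
    if len(blob) < 4:
        return problems + ["key blob too short"], None
    n = struct.unpack(">I", blob[:4])[0]
    blob_type = blob[4:4 + n].decode("ascii", "replace")
    if blob_type != keytype:
        return problems + [f"declared {keytype} but blob is {blob_type!r}"], None
    options = None if rest is fields else fields[0]
    return problems, {"type": keytype, "options": options, "comment": " ".join(rest[2:])}


def check_file(data):
    """[(lineno, problems)] for every line that has a problem."""
    return [(i, p) for i, raw in enumerate(data.split(b"\n"), 1)
            for p in [check_line(i, raw)[0]] if p]


def count_usable(data):
    """How many lines sshd would actually accept as keys."""
    return sum(1 for i, raw in enumerate(data.split(b"\n"), 1)
               if check_line(i, raw)[1] is not None)


if __name__ == "__main__":
    for lineno, problems in check_file(SAMPLE):
        print(f"line {lineno}: {'; '.join(problems)}")
    print("usable keys:", count_usable(SAMPLE))
```

Read the file in binary (`open(path, "rb").read()`) so the CRLF and BOM checks see the raw bytes. One Windows-specific caveat worth checking alongside the file contents: Microsoft's OpenSSH server reads keys for members of the Administrators group from `%ProgramData%\ssh\administrators_authorized_keys` rather than the user's own `.ssh\authorized_keys`, so a perfectly valid file in the profile directory is ignored for such accounts.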
[gentoo-user] openssh login problems
Hi,

when I try to log in with openssh, this happens:

ssh -v -v [EMAIL PROTECTED]
OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to stud4.tuwien.ac.at [193.170.75.14] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version 3.2.3 SSH Secure Shell (non-commercial)
debug1: no match: 3.2.3 SSH Secure Shell (non-commercial)
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 118/256
debug2: bits set: 518/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'stud4.tuwien.ac.at' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 499/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[EMAIL PROTECTED]'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 10 rmax 16384

There it hangs and I can't kill with ctrl-c.
Didn't change anything in /etc/ssh, if you still need to see the files let me know!
Tried putty and it worked.

Thanks,
Stefan
-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server
On Thursday 31 May 2007 07:42, Mick wrote:
> On Wednesday 30 May 2007 21:42, Mauro Faccenda wrote:
>> On Wednesday 30 May 2007 16:57, Mick wrote:
>>> I find it confusing. First of all I do not have a id_rsa.
>>
>> it tries the default keys (id_rsa or id_dsa), if exists.
>
> id_rsa does not exist in my local /home/michael/.ssh/ only id_dsa is there and the public key that I have saved in /home/mic/.ssh/authorized_keys on the server is my corresponding id_dsa.pub.
>
>> if you don't want it to try it, you can use the -i parameter to ssh pointing to your private key (ssh -i ~/.ssh/id_dsa user@server),
>
> Trying with the -i option also fails:
> ==
> $ ssh -v -p 22 -i /home/michael/.ssh/id_dsa mick@blah-blah
> [snip]
> debug1: Found key in /home/michael/.ssh/known_hosts:18
> debug1: ssh_rsa_verify: signature correct
> debug1: Enabling compression at level 6.
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/michael/.ssh/id_dsa
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Next authentication method: password
> ==

that's strange. which version of openssh do you use in the server and the client?
mine:
client: OpenSSH_4.5p1
server: OpenSSH_4.4p1

here is my output doing ssh to a server with only key authentication enabled. i don't have the id_dsa.pub in my local machine too.
===
debug1: Found key in /home/faccenda/.ssh/known_hosts:8
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type unknown
Enter passphrase for key 'id_dsa':
===
the failed part was because my key is password protected, so it asks me.

> That's right, so why does it:
> ==
> debug1: Trying private key: /home/michael/.ssh/id_rsa    --this doesn't exist
> debug1: Offering public key: /home/michael/.ssh/id_dsa   --this is my private key
> ==

i didn't notice this line... really strange. how was your id_dsa created? is it corrupted or does it have a public key on it instead?
you should try creating your key pair again with:
$ ssh-keygen -t dsa

i would like to see the content of this file (or, at least the headers), but it's a PRIVATE key. ;)
the headers of mine:
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,933FEB2C1C691496

>>> PS. Not sure if this is relevant but although my user name on the server is mick, for reasons better known to him the sysadmin has created my home directory as /home/mic - could it be that sshd is looking for /home/mick?
>>
>> that message isn't from the server, it's from the client running locally. but it doesn't matter for what you want.
>
> It matters if the server is trying to find id_dsa.pub in a non-existing directory.

but as i said, that message isn't from the server.
being a redhat, i suppose that it uses redhat with more or less the default configuration, that tries to read your public key on your user home in the server (~/.ssh/authorized_users or ~/.ssh/authorized_users2). and openssh knows where to look at, even when the home of the user isn't the default, which is your case, right?

hope it helps,
.m
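Both `ssh -v` transcripts on this page (Stefan's session that negotiates `aes128-cbc`/`hmac-md5` against a "SSH Secure Shell 3.2.3" server and then hangs after `Entering interactive session`, and Mick's session where `id_dsa` is offered and the server immediately re-lists the allowed methods) are read the same way: which algorithms were negotiated, which authentication methods the server offered, which keys the client offered and whether a `Server accepts key:` line ever followed, and how the login finished. The following is an added example, not code from either thread or from OpenSSH: it parses those debug1 lines (both the 4.x format and the current `cipher: ... MAC: ... compression: ...` format) and turns them into findings. The two transcripts are constructed in that shape; `SHA256:placeholder` stands in for a real key fingerprint.

```python
"""Summarise an `ssh -v` transcript: negotiated kex/cipher/MAC and whether
any are deprecated, authentication methods the server offered, keys the
client offered and whether the server accepted them, and how the login
ended. Added example, not from the threads; both transcripts below are
constructed in the shape OpenSSH's debug1 lines take."""
import re

NEGOTIATED = re.compile(
    r"kex: (server->client|client->server) (?:cipher: )?(\S+) (?:MAC: )?(\S+) (?:compression: )?(\S+)")
KEX_ALG = re.compile(r"kex: algorithm: (\S+)")
REMOTE = re.compile(r"Remote protocol version ([^,]+), remote software version (.+)")
CAN_CONTINUE = re.compile(r"Authentications that can continue: (\S+)")
NEXT_METHOD = re.compile(r"Next authentication method: (\S+)")
OFFERING = re.compile(r"Offering public key: (\S+)")
ACCEPTS = re.compile(r"Server accepts key: (\S+)")
SUCCEEDED = re.compile(r"Authentication succeeded \((\S+)\)")

OLD_LOG = """\
debug1: Remote protocol version 1.99, remote software version 3.2.3 SSH Secure Shell (non-commercial)
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/michael/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
debug1: Entering interactive session.
"""

NEW_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/joseph/.ssh/id_ed25519 ED25519 SHA256:placeholder
debug1: Server accepts key: /home/joseph/.ssh/id_ed25519 ED25519 SHA256:placeholder
debug1: Authentication succeeded (publickey).
"""


def is_weak(name):
    """Algorithms OpenSSH has dropped from its defaults or that rely on
    broken primitives: CBC ciphers, RC4/Blowfish/3DES/CAST, MD5 or
    truncated MACs, 1024-bit DH group 1."""
    n = name.lower()
    return (n.endswith("-cbc") or n.startswith(("arcfour", "blowfish", "3des", "cast128"))
            or "md5" in n or n.endswith("-96") or "group1-" in n)


def analyze(log_text):
    r = {"remote_software": None, "protocol_version": None, "kex": None,
         "negotiated": {}, "offered_methods": [], "tried": [], "offered_keys": [],
         "accepted_keys": [], "rejected_keys": [], "succeeded": None}
    pending = None   # key offered, server has not yet answered
    for line in log_text.splitlines():
        if m := REMOTE.search(line):
            r["protocol_version"], r["remote_software"] = m.group(1), m.group(2).strip()
        elif m := KEX_ALG.search(line):
            r["kex"] = m.group(1)
        elif m := NEGOTIATED.search(line):
            r["negotiated"][m.group(1)] = {"cipher": m.group(2), "mac": m.group(3), "compression": m.group(4)}
        elif m := CAN_CONTINUE.search(line):
            for method in m.group(1).split(","):
                if method not in r["offered_methods"]:
                    r["offered_methods"].append(method)
            if pending:                       # re-listing methods means the key was refused
                r["rejected_keys"].append(pending)
                pending = None
        elif m := NEXT_METHOD.search(line):
            r["tried"].append(m.group(1))
        elif m := OFFERING.search(line):
            r["offered_keys"].append(m.group(1))
            pending = m.group(1)
        elif m := ACCEPTS.search(line):
            r["accepted_keys"].append(m.group(1))
            pending = None
        elif m := SUCCEEDED.search(line):
            r["succeeded"] = m.group(1)
    return r


def weak_algorithms(log_text):
    r = analyze(log_text)
    names = {r["kex"]} if r["kex"] and is_weak(r["kex"]) else set()
    for d in r["negotiated"].values():
        names.update(d[k] for k in ("cipher", "mac") if is_weak(d[k]))
    return sorted(names)


def findings(log_text):
    r = analyze(log_text)
    out = [f"deprecated algorithm negotiated: {n}" for n in weak_algorithms(log_text)]
    if r["protocol_version"] == "1.99":
        out.append("server still advertises SSH protocol 1 (version string 1.99)")
    if r["succeeded"] == "password":
        out.append("login completed with a password; keys the server rejected: "
                   + (", ".join(r["rejected_keys"]) or "none offered"))
    return out
```

Pipe a real session through it with `ssh -v host 2>&1 | python3 this_script.py` after adding a `sys.stdin.read()` call at the bottom; `ssh -Q cipher` and `ssh -Q mac` list what the installed client still supports if a finding needs cross-checking.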
Re: [gentoo-user] limewire won't start
maxim wexler wrote:
> --- Chad Feller [EMAIL PROTECTED] wrote:
>> methinks java is not in your path. if you type:
>> which java
>> does it return anything? that failing find out where it (java) is on your system. something like this should help:
>> locate javac | grep bin
>> (I chose javac instead of java as you shouldn't get a mile of output, but likewise you could do a locate java instead - nevertheless they should be in the same place). if locate returns something, then take a peek at your path (echo $PATH) and that should reveal your problem.
>
> [EMAIL PROTECTED] ~ $ which java
> which: no java in (/usr/local/bin:/usr/bin:/bin)
> [EMAIL PROTECTED] ~ $ locate javac | grep bin
> /opt/blackdown-jdk-1.4.2.02/bin/javac
> [EMAIL PROTECTED] ~ $ echo $PATH
> /usr/local/bin:/usr/bin:/bin
>
> Hey, you're right! How'd that happen? I wonder does this have something to do with an emerge -C openssh? Before it ran it warned me that openssh was part of my profile and could cause me problems. But java? Too weird!

So we have to get Java back into your path...

I've got Sun Java, so mine will be slightly different than yours, but in your /etc/env.d/ and /etc/env.d/java directory you should have a couple of files in there. First you will have something like /etc/env.d/java/20sun-jdk-1.4.2.10. Each file in /etc/env.d/java/ represents each version of java you have installed on your system (thus you could have multiple versions and switch between them). my /etc/env.d/java/20sun-jdk-1.4.2.10 contains the following.

# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/dev-java/sun-jdk/files/sun-jdk-1.4.2.10,v 1.2 2006/01/08 23:27:53 nichoj Exp $
VERSION=Sun JDK 1.4.2.10
JAVA_HOME=/opt/sun-jdk-1.4.2.10
JDK_HOME=/opt/sun-jdk-1.4.2.10
JAVAC=${JAVA_HOME}/bin/javac
ADDPATH=${JAVA_HOME}/bin:${JAVA_HOME}/jre/bin:${JAVA_HOME}/jre/javaws
ADDLDPATH=${JAVA_HOME}/jre/lib/i686/:${JAVA_HOME}/jre/lib/i686/native_threads/:${JAVA_HOME}/jre/lib/i686/client/:${JAVA_HOME}/jre/lib/i686/server/
MANPATH=/opt/sun-jdk-1.4.2.10/man
ENV_VARS=JAVA_HOME JDK_HOME JAVAC ADDPATH ADDLDPATH MANPATH

You should also have something like /etc/env.d/20java. This would be the version of java you currently have set (active). In my case, because I only have one java installed, it will largely be the same. its contents are:

# Autogenerated by java-config
# Command: --set-system-vm=sun-jdk-1.4.2.10
JDK_HOME=/opt/sun-jdk-1.4.2.10
JAVAC=/opt/sun-jdk-1.4.2.10/bin/javac
PATH=/opt/sun-jdk-1.4.2.10/bin:/opt/sun-jdk-1.4.2.10/jre/bin:/opt/sun-jdk-1.4.2.10/jre/javaws
ROOTPATH=/opt/sun-jdk-1.4.2.10/bin:/opt/sun-jdk-1.4.2.10/jre/bin:/opt/sun-jdk-1.4.2.10/jre/javaws
LDPATH=/opt/sun-jdk-1.4.2.10/jre/lib/i686/:/opt/sun-jdk-1.4.2.10/jre/lib/i686/native_threads/:/opt/sun-jdk-1.4.2.10/jre/lib/i686/client/:/opt/sun-jdk-1.4.2.10/jre/lib/i686/server/
# VERSION=Sun JDK 1.4.2.10
MANPATH=${MANPATH}:/opt/sun-jdk-1.4.2.10/man
JAVA_HOME=/opt/sun-jdk-1.4.2.10

Now if you have a file in /etc/env.d/java/something but don't have an /etc/env.d/20java (or if you do, it is empty), then you should be able to fix that with java-config (man java-config). However if both files /etc/env.d/java/something and /etc/env.d/20java seem legit, then we need to see why bash isn't sourcing the env.d files. In fact now that I think about it, that might be your problem, as your path did seem to be quite short.

Mine for instance is:
echo $PATH
/usr/lib/ccache/bin:/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/3.4.5:/opt/sun-jdk-1.4.2.10/bin:/opt/sun-jdk-1.4.2.10/jre/bin:/opt/sun-jdk-1.4.2.10/jre/javaws:/usr/qt/3/bin:/usr/games/bin

Before I start speculating any further, let me know where the above leads you...
Re: [gentoo-user] Re: systemd? [ Was: The End Is Near ... ]
On Thu, Mar 22, 2012 at 5:13 PM, Walter Dnes waltd...@waltdnes.org wrote: On Wed, Mar 21, 2012 at 09:35:55PM -0400, Michael Mol wrote What we're talking about with systemd vs openrc, and things like ssh'd first-time initialization is all within the realm of responsibility of the packager. It's a shift in the way the distribution itself works. We're not talking about a scenario where you shunt things upstream, so the whole your position would have rejected Linux angle is a red herring. This is a frustrating game of whack-a-mole. Person A comes up with a position, I rebut it, and then person B comes up with a different position, and I have to rebut it.. There have been people in this thread who have said that the program best knows what it needs, and should handle its own initialization. That was what I was replying to. I'll reply to your position now. Why does that spawned process have to be sshd? Why can't it be some shell script which does the one-time checks, and then launches sshd itself? So instead of the initscript doing the checking+setup and launching the service, it launches a a second script... which does the checking+setup and launches the service FACEPALM. See my post with the joke of digging a second hole to dump the dirt from the first hole into. Instead of one script, we now have two scripts. This is *NOT* simplification. No. In a system V scenario, you'd probably just symlink to the genericized init script. In the systemd scenario, as I understand it, you have a configuration file (distinct from a script), and you'd include the path to the genericized init script there. What I'm talking about is an implementation of the adapter pattern. http://en.wikipedia.org/wiki/Adapter_pattern If there are going to be competing init systems (and there will be), and a service needs to be compatible with both (and there will be such services), then that's going to be the most elegant solution. 
Why does that shell script need to be distributed as part of the init system's package, and not part of the package associated with the service?

I don't understand what you're arguing here. *THE INITSCRIPT IS OWNED BY THE SERVICE PACKAGE*, not by the init package. E.g. net-misc/openssh, not sys-apps/openrc.

waltdnes@d530 ~ $ equery b /etc/init.d/sshd
 * Searching for /etc/init.d/sshd ...
net-misc/openssh-5.8_p1-r1 (/etc/init.d/sshd)

Sure. And that's what I was arguing. Though by the sound of it, there's stuff in the openrc package which doesn't need to be there, and a blog post flameeyes posted today suggests the systemd package is intended to absorb the hardware database. ( http://blog.flameeyes.eu/2012/03/refreshing-a-4-years-old-problem )

Having the shell script be part of the package associated with the service keeps bugs related to that script associated with that package.

That's the way it is right now. See above.

And that's the way it should be. At least, that's the way I see it. Any issue of compatibility between the two can be addressed by the service's package manager, either by adaption via that script, or by expressing an explicit dependency on one init architecture or another.

My point in this whole argument is that there is some checking and setup that has to be done before launch. Therefore shuffling off some or all of the shellscript code to another script is a pointless shell game (sorry) that adds no value.

See reference to the adapter pattern above. Systemd has its merits in its capabilities. System V init has merits in that it's far more portable. Open source software which operates as a system service will need to support both. There are, of course, things I loathe. I loathe the apparent mindset behind systemd and behind udev, wherein all things belong as part of a monolithic system. That runs counter to principles of modular design, portability and even systemic stability in changing things.
I loathe the desire to lunge forward without working out a transition plan, or even having the appearance of interest in one. And I loathe the terrible PR. -- :wq
Re: [gentoo-user] Re: OT: Linus ranting about Gnome3
On Sat, Jun 16, 2012 at 6:59 PM, Michael Mol mike...@gmail.com wrote: On Sat, Jun 16, 2012 at 6:42 PM, Matthew Finkel matthew.fin...@gmail.com wrote: On Sat, Jun 16, 2012 at 5:30 PM, Michael Mol mike...@gmail.com wrote: On Sat, Jun 16, 2012 at 5:10 PM, Matthew Finkel matthew.fin...@gmail.com wrote: On Sat, Jun 16, 2012 at 5:00 PM, Nikos Chantziaras rea...@gmail.com wrote: On 16/06/12 21:27, walt wrote:

I guess they figure the desktop will be extinct relatively soon and their customer base will vanish unless they capture the smartphone market.

Ah yes, the death of the desktop PC, which has been happening for 15 years now. Are we dead yet? I'm not holding my breath.

There will always be a divide for the power users. A single, under-powered interface isn't going to cut it for a lot of us. X provides us with the flexibility that isn't available with the mobile interface. Even in the Microsoft world, I can't easily imagine them ditching the old UI paradigm for their Windows Server products.

They've come a long way in making Windows CLI-friendly (see PowerShell), but they haven't yet (AFAIK) provided a good mechanism for remote CLI access.

True, and they've been working hard to get it to the state it is in now. In many cases, sys admins have had to unlearn relying on their mouse for complete power. The CLI provides options that are, obviously, very difficult to express in a simple GUI (I know I'm preaching to the choir). Powershell has made huge progress in this respect, but it still has a long way to go in order to compete with what we have. And I doubt the server environment would ever become stripped down to the state we're talking about.

Actually, they're there as of Windows Server 2008. It's called Windows Server 2008 Core. According to Windows Server 2008: The Definitive Guide, you log into one of these systems and all you get (by default) is a terminal window with an instance of cmd.exe.
It goes on to list seven server roles this configuration supports:
* Active Directory and Active Directory Lightweight Domain Services (LDS)
* DHCP Server
* DNS Server
* File Services (including DFSR and NFS)
* Print Services
* Streaming Media Services
* Windows Server Virtualization
(Curiously, one of the things you _can't_ do is run Managed Code.)

Huh, I didn't know about this. It's still too limited, though. At least they've duplicated a lot of the core gui elements on cli.

Not that they won't be able to bolt one in easily enough; CSRSS means they should be able to provide, e.g. an SSH daemon, give the connecting user a PowerShell login session[1], and give it equal privileges and security controls as they have for any other login session.

How many years have they had? I'd given up on this years ago.

SFU is available in the Server Core configuration. I imagine you could run OpenSSH under there. Or some commercial entity could come along and provide an SSH+screen(ish) component to snap into the CSRSS framework.

I'd actually forgotten about that, I would never trust their implement though. Apparently there's a binary available of OpenSSH that runs on SFU (so says wiki [1]). I've been out of the Windows Server environment for a few years now, so I guess I've missed out on some of the progress MS has made in this area. It's good they are pushing the CLI now. Perhaps in a few releases they'll implement their own of encrypting telnet sessions with a screen/tmux lookalike. Microsoft never ceases to amaze me - with the good and the bad.

[1] http://en.wikipedia.org/wiki/Windows_Services_for_UNIX
Re: [gentoo-user] Re: OT: Linus ranting about Gnome3
On Sat, Jun 16, 2012 at 7:40 PM, Matthew Finkel matthew.fin...@gmail.com wrote: On Sat, Jun 16, 2012 at 6:59 PM, Michael Mol mike...@gmail.com wrote: On Sat, Jun 16, 2012 at 6:42 PM, Matthew Finkel matthew.fin...@gmail.com wrote: On Sat, Jun 16, 2012 at 5:30 PM, Michael Mol mike...@gmail.com wrote: [snip]

True, and they've been working hard to get it to the state it is in now. In many cases, sys admins have had to unlearn relying on their mouse for complete power. The CLI provides options that are, obviously, very difficult to express in a simple GUI (I know I'm preaching to the choir). Powershell has made huge progress in this respect, but it still has a long way to go in order to compete with what we have. And I doubt the server environment would ever become stripped down to the state we're talking about.

Actually, they're there as of Windows Server 2008. It's called Windows Server 2008 Core. According to Windows Server 2008: The Definitive Guide, you log into one of these systems and all you get (by default) is a terminal window with an instance of cmd.exe. It goes on to list seven server roles this configuration supports:
* Active Directory and Active Directory Lightweight Domain Services (LDS)
* DHCP Server
* DNS Server
* File Services (including DFSR and NFS)
* Print Services
* Streaming Media Services
* Windows Server Virtualization
(Curiously, one of the things you _can't_ do is run Managed Code.)

Huh, I didn't know about this. It's still too limited, though. At least they've duplicated a lot of the core gui elements on cli.

I dunno. That's everything I might possibly want a Windows system for. DNS comes with AD. Their DHCP server is probably the best on the market right now; it's the only common one[1] which handles DDNS updates for IPv4 and IPv6 hosts in the same domain. Everything else, I can easily do as-well-or-better on a Linux box.
Being able to be an AD controller on a stripped-down version of the platform is also a plus, if you need to run in an AD environment. That makes adding redundancy and load distribution cheaper.[2] [1] That I know of; if anyone knows of a DHCP client for Linux which handles DDNS updates for IPv4 and IPv6 in the same domain, I'd love to hear about it. ISC's doesn't. [2] Samba 4 can do this too, and I'm looking forward to seeing someone sell Shiva Plugs with Samba 4 preinstalled. And, yeah, Samba 4 has had some big news events this year. Not that they won't be able to bolt one in easily enough; CSRSS means they should be able to provide, e.g. an SSH daemon, give the connecting user a PowerShell login session[1], and give it equal privileges and security controls as they have for any other login session. How many years have they had? I'd given up on this years ago. SFU is available in the Server Core configuration. I imagine you could run OpenSSH under there. Or some commercial entity could come along and provide an SSH+screen(ish) component to snap into the CSRSS framework. I'd actually forgotten about that, I would never trust their implement though. Apparently there's a binary available of OpenSSH that runs on SFU (so says wiki [1]). I've been out of the Windows Server environment for a few years now, so I guess I've missed out on some of the progress MS has made in this area. It's good they are pushing the CLI now. Perhaps in a few releases they'll implement their own of encrypting telnet sessions with a screen/tmux lookalike. Microsoft never ceases to amaze me - with the good and the bad. Where security concerns are relevant, I'd favor the implementation which comes with security updates pushed through the platform vendor's channel. With Debian, that means I avoid building my own packages. On Gentoo, that means I keep up with Portage. On Windows, that means using things which come through Microsoft Update. 
(Anything which doesn't, I could probably replace with something running on a Linux box. Again, this is a server context we're talking about.) Also, did you know Windows domain environments support dynamic application of IPSec-based security policies to enforce host patching policies? Some awesome stuff. Got me wanting to learn enough to be able to do the same thing using, e.g. Chef.[3] [3] http://www.opscode.com/chef/ [snip] -- :wq
Re: [gentoo-user] ssh -X problem [no help sofar on ssh group]
On Sun, Dec 21, 2014 at 1:17 AM, Harry Putnam rea...@newsguy.com wrote:

This properly belongs on the ssh group, but posting there has not gotten any responses... and the list is quite slow to boot. I like using ssh -X to other lan remotes but with new versions of openssh or perhaps the configs, it only works 1 way. I can `ssh -X' to the gentoo host from a debian host but not the other way round. Two different versions of openssh appear to be involved. But not sure how different they are.

RHOST = a debian HOST
LHOST = Gentoo HOST

ssh -vN $RHOST 2>&1 | grep 'remote software version'
[...] OpenSSH_6.7p1 Debian-3

ssh -vN $LHOST 2>&1 | grep 'remote software version'
[...] OpenSSH_6.7p1-hpn14v5

One thing I tried to do was to copy the RHOST sshd_config and ssh_config to LHOST. Restart and try again... there were a few incompatible bits in the files so after commenting a few out until no config errors. However ssh -X still displayed the error and would NOT work when: ssh -X RHOST from LHOST (Note that plain ssh LHOST or RHOST works in any direction.)

Error output with ssh -X $RHOST xterm:

| Warning: untrusted X11 forwarding setup failed: xauth key data not generated
| Warning: No xauth data; using fake authentication data for X11 forwarding.
| Invalid MIT-MAGIC-COOKIE-1 key
| xterm: Xt error: Can't open display: localhost:10.0

I believe you're looking for the xhost command and its archaic permissions setup settings. The idea is that the machine hosting the X server has an additional permissions setting that controls which hosts are allowed to use the X displays. Since you say that it's apparently the debian host that doesn't allow launching of X programs, what happens if, from the working GUI on the debian host, you run:

xhost +

before you try connecting to it from the gentoo machine? It should say something like "access control disabled, clients can connect from any host" and you should be able to open your xterm using ssh -X.
[Full Error output with ssh -vv -X is very lengthy so is attached at the end]

I'm not seeing how to debug this further. So going back to the stock version of sshd_config ssh_config on gentoo with two changes:

commented out this line:
PasswordAuthentication no

added this:
X11Forwarding yes

--- --- ---=--- --- ---
Full sshd_config on LHOST: sudo grep ^[^#] /etc/ssh/sshd_config
--- --- ---=--- --- ---
UsePAM yes
X11Forwarding yes
PrintMotd no
PrintLastLog no
UsePrivilegeSeparation sandbox	# Default for new installations.
Subsystem sftp /usr/lib/misc/sftp-server
AcceptEnv LANG LC_*
--- Config END---

--- --- ---=--- --- ---
Full ssh_config on LHOST: sudo grep ^[^#] /etc/ssh/ssh_config
--- --- ---=--- --- ---
ForwardX11 yes
SendEnv LANG LC_*
--- Config END---

### Now the same info for RHOST

--- --- ---=--- --- ---
Full sshd_config on RHOST: ssh root@RHOST grep ^[^#] /etc/ssh/sshd_config
--- --- ---=--- --- ---
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
IgnoreRhosts yes
HostbasedAuthentication no
KeyRegenerationInterval 3600
LogLevel INFO
LoginGraceTime 120
PermitEmptyPasswords no
PermitRootLogin yes
Port 22
PrintLastLog yes
PrintMotd no
Protocol 2
PubkeyAuthentication yes
RSAAuthentication yes
RhostsRSAAuthentication no
ServerKeyBits 1024
SyslogFacility AUTH
StrictModes yes
Subsystem sftp /usr/lib/misc/sftp-server
TCPKeepAlive yes
UsePAM yes
UsePrivilegeSeparation sandbox
X11Forwarding yes
--- Config END---

--- --- ---=--- --- ---
Full ssh_config on RHOST: ssh root@RHOST grep ^[^#] /etc/ssh/ssh_config
--- --- ---=--- --- ---
Host *
ForwardX11 yes
SendEnv LANG LC_*
HashKnownHosts yes
--- Config END---

The only thing more I can think to include is the full lengthy output of ssh -vv -X

--
This email is: [ ] actionable [ ] fyi [ ] social
Response needed: [ ] yes [ ] up to you [ ] no
Time-sensitive: [ ] immediate [ ] soon [ ] none
Re: [gentoo-user] openvpn and nfsmount
It isn't a good idea to mount nfs over openvpn. Both are highly unstable. You should try openssh and its simple tunnel and ftp over it or any other networked file system. If you really need to use nfs set it to use tcp.

-- Morpheus: No, what happened, happened and couldn't have happened any other way.

On Tue, 28 Aug 2007, Patrick Holthaus wrote:

Hello! I am having difficulties in setting up nfs with my laptop. I have an openvpn server running at home that can be reached via dynamic dns from the outside world. Now I would like to mount my nfs exports from everywhere I am. These exports are only available in the vpn subnet (10.8.0.*). There are basically three scenarios (all via net.wlan0):

1. Home:
- Direct connection to the openvpn server with a static private IP address (192.168.1.xxx)
- ESSID is fixed (e.g. home)
- The openvpn service can be started via /etc/init.d/openvpn.home start (it is properly configured via /etc/openvpn/home.conf)
- After that net.tap0 can be started and gets an ip address inside the vpn (e.g. 10.8.0.100) if I have the following in /etc/conf.d/net:
config_tap0=( "dhcp" )
mac_tap0="00:FF:22:33:44:55"
RC_NEED_tap0="openvpn.home"

2. Remote:
- Connection via internet
- This time the openvpn service has to be started via /etc/init.d/openvpn.remote start (because the config for that resides in /etc/openvpn/remote.conf)
- You see that I have to change a line in /etc/conf.d/net to get things to work:
config_tap0=( "dhcp" )
mac_tap0="00:FF:22:33:44:55"
RC_NEED_tap0="openvpn.remote"

Question is: Can I avoid changing these lines every time I travel around?

3. Remote via vpnc:
- Connection via internet (so openvpn.remote has to be used)
- ESSID fixed (e.g. unibi)
- Additionally: The vpnc service (/etc/init.d/vpnc.uni) has to be active

Second question: Can I start the vpnc service by knowing the ESSID of my wireless network, and if I can: how?

Thanks for your time
Patrick
Re: [gentoo-user] udev-140
On Monday 16 March 2009 22:20:37 Paul Hartman wrote:

I wouldn't really have minded the inconvenience, except that while all this was going on, the largest data centre in the Southern Hemisphere was dropping off the air one router at a time, my desktop machine was panicking after 4 minutes of use (so that's why I stopped using it 6 months ago!) and I had to use putty on the GF's Thinkpad to do my bit to rescue all this. Putty sucks, really badly. The only thing that sucks worse than Putty on Windows is Putty on Symbian, even on a Nokia Communicator with a semi-decent keyboard (for a phone) :-)

What sucks about PuTTY on Windows? I use it all the time and it seems to do everything... Granted, I just use it for simple serial port devices and SSH stuff, no exotic terminal emulations.

Putty itself isn't too bad if you look at it as a Windows app. It can never be anything other than a Windows app and as such is restricted to how Windows apps must behave. And therein is the problem - I'm way too used to openssh, I want a command line to fire up my ssh client, I want to 'ssh m...@there' in a console and it must work. I don't want to have to poke around in a vast tree structure to enter my options - I know what they are, I just want to type them. Without a mouse. So Putty doesn't really suck in isolation. It does work and can really operate any different way. *Using* Putty on its host platform sucks to someone who is used to a much more efficient way to accomplish the same task.

PuTTY on Symbian only does SSH but it seems to do it well enough. Running it full-screen with the smallest font is actually not so bad, even on my 240x320 screen. Being able to connect to my computer wherever I have a cellular signal is convenient... typing with T9 on a numeric phone keypad, not so much... but that's the phone's fault, not PuTTY's. :P I've been meaning to set up a simple menu script that allows me to run all of my common tasks with phone-friendly keystrokes.
emerge -uDvptN blah blah blah really sucks to tap out on the 0-9 keys :) Thank god for bash command history... On Symbian it's a life saver when all other methods fail. Again, Putty is OK, using the device is actually what sucks. I still can't find a pipe character! And the screen is almost unreadable (it wasn't three years ago...) -- alan dot mckinnon at gmail dot com
[gentoo-user] USE=mysql
Hi, trying to install cacti, at the end it gives me the next error:

md5 files ;-) cacti-0.8.6g.ebuild
md5 files ;-) cacti-0.8.6g_p20051023.ebuild
md5 files ;-) cacti-0.8.6h.ebuild
md5 files ;-) cacti-0.8.6h_p20060108.ebuild
md5 files ;-) files/digest-cacti-0.8.6g_p20051023
md5 files ;-) files/postinstall-en.txt
md5 files ;-) files/digest-cacti-0.8.6g
md5 files ;-) files/digest-cacti-0.8.6h_p20060108
md5 files ;-) files/digest-cacti-0.8.6h
md5 src_uri ;-) cacti-0.8.6g.tar.gz
md5 src_uri ;-) short_open_tag_parse_error.patch
md5 src_uri ;-) graph_properties_zoom.patch
md5 src_uri ;-) script_server_snmp_auth.patch
md5 src_uri ;-) mib_file_loading.patch

!!! ERROR: net-analyzer/cacti-0.8.6g_p20051023 failed.
!!! Function pkg_setup, Line 48, Exitcode 1
!!! php cli sapi must be compiled with USE=mysql

Which package is "php cli sapi" referring to?¿

After adding the mysql USE flag:

# emerge -p --newuse world
--newuse implies --update... adding --update to options.

These are the packages that I would merge, in order:

Calculating world dependencies ...done!
[ebuild   R   ] net-ftp/proftpd-1.2.10-r7
[ebuild   R   ] sys-devel/make-3.80-r3
[ebuild   R   ] net-misc/openssh-4.2_p1-r1
[ebuild   R   ] mail-filter/spamassassin-3.1.0
[ebuild   R   ] net-mail/fetchmail-6.2.5.2-r1
[ebuild   R   ] mail-mta/postfix-2.2.5
[ebuild   R   ] net-fs/samba-3.0.14a-r2
[ebuild   R   ] x11-libs/qt-3.3.4-r8
[ebuild   R   ] kde-base/kdelibs-3.4.3-r1
[ebuild   R   ] mail-client/sylpheed-claws-2.0.0
[ebuild   R   ] kde-base/kdemultimedia-kioslaves-3.4.3
[ebuild     U ] media-sound/amarok-1.3.8 [1.3.6]
[ebuild     U ] net-dns/bind-9.3.2 [9.2.5-r6]
[ebuild     U ] net-dns/bind-tools-9.3.2 [9.2.5]

I don't see any reference to php cli or sapi, and I wouldn't like to recompile kdelibs or qt just for a use of one specific package. I'd use package.use ..

Thanks in advance.
-- Arnau Bria
The contracting party of the first part shall be considered as the contracting party of the first part.
Re: [gentoo-user] USE=mysql
On Tue, 28 Feb 2006 08:25:47 -0700 Richard Fish wrote:

On 2/28/06, Arnau Bria Ramírez [EMAIL PROTECTED] wrote:

From the ebuild:

I've been looking for this in google and I did not go to the source of the error?¿ I must stop my google dependency!

pkg_setup() {
	webapp_pkg_setup
	built_with_use virtual/php mysql || \
		die "php cli sapi must be compiled with USE=mysql"
	built_with_use virtual/httpd-php mysql || \
		die "php apache/cgi sapi must be compiled with USE=mysql"
}

So whatever package is providing virtual/php on your system (most likely dev-lang/php) needs to have USE=mysql. So does virtual/httpd-php, but that should be the same package (dev-lang/php).

You're right:

* dev-lang/php
  Latest version available: 5.0.5-r5
  Latest version installed: 5.0.5-r5
  Size of downloaded files: 4,853 kB
  Homepage: http://www.php.net/
  Description: The PHP language runtime engine

How may I know which package is serving each virtual service?

But, why if I set mysql to my make.conf and try to emerge with --newuse, php is not a candidate of rebuild?

# cat /etc/portage/package.use
sys-libs/glibc userlocales
=dev-lang/php-5.0.5-r5 dba mysql

Calculating world dependencies ...done!
[ebuild   R   ] net-ftp/proftpd-1.2.10-r7
[ebuild   R   ] sys-devel/make-3.80-r3
[ebuild   R   ] net-misc/openssh-4.2_p1-r1
[ebuild   R   ] mail-filter/spamassassin-3.1.0
[ebuild   R   ] net-mail/fetchmail-6.2.5.2-r1
[ebuild   R   ] mail-mta/postfix-2.2.5
[ebuild   R   ] net-fs/samba-3.0.14a-r2
[ebuild   R   ] x11-libs/qt-3.3.4-r8
[ebuild   R   ] kde-base/kdelibs-3.4.3-r1
[ebuild   R   ] mail-client/sylpheed-claws-2.0.0
[ebuild   R   ] kde-base/kdemultimedia-kioslaves-3.4.3
[ebuild     U ] media-sound/amarok-1.3.8 [1.3.6]
[ebuild     U ] net-dns/bind-9.3.2 [9.2.5-r6]
[ebuild     U ] net-dns/bind-tools-9.3.2 [9.2.5]

Many thanks!

-Richard

-- Arnau Bria
The contracting party of the first part shall be considered as the contracting party of the first part.
Re: [gentoo-user] ssh configuration guide
Ssh disconnects on its own accord even with keepalive. I disable all methods of authentication except for public keys. You'll have to create a pub/private pair and copy the public key to $HOME/.ssh/authorized_keys. I'm on my blackberry so I can't type out full directions but gentoo has docs.

On 10/10/08, David Rioja [EMAIL PROTECTED] wrote:

Andrey Falko wrote:

On Thu, Oct 9, 2008 at 1:06 AM, David Rioja [EMAIL PROTECTED] wrote:

This is my very first post to the list, so hello you all :) I've been editing /etc/ssh/sshd_config in order to configure SSH as told in the guide at gentoo.org. The options you have to set for a quick start configuration are:

Port 22
Protocol 2
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PAMAuthenticationViaKbdInt no
Compression yes
KeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 4

I have encountered two issues in that:
1.- When restarting the sshd service you are told PAMAuthenticationViaKbdInt is deprecated.
2.- KeepAlive is not commented in the default configuration file, there is TCPKeepAlive instead. I suppose these options are the same. Could anyone confirm that?

Thanks!

If you want a truly quick start configuration, you should use the defaults that get installed after you install ssh. Basically, those defaults will give you a working ssh that is secure and that is more than likely to work out of the box. I'm not sure which Gentoo quickstart guide you are following, but it is an out of date guide. I recommend emerge -1 openssh, then running etc-update and applying the default configuration. Your goal is to get a basic working ssh daemon, right?

Yes, I wanted only to make it work over the lan. Default options seemed not to work when I tried, perhaps I forgot to start the service... who knows? :-/ By the way, besides disabling ssh access for root, is it not a good idea to enable KeepAlive?
So there won't be great problems if anyone goes away leaving his session active. Am I mistaken?
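The quick-start options above, and the stripped-down sshd_config listings in the ssh -X thread earlier on this page, are the kind of file worth linting before restarting sshd. The following is an added example, not code from any poster: a small Python checker that parses an sshd_config, flags keywords OpenSSH has since deprecated (the PAMAuthenticationViaKbdInt warning and the KeepAlive/TCPKeepAlive rename among them) and reports settings that weaken a key-only host. The deprecation table and the acceptable values are my assumptions drawn from OpenSSH release notes; sshd -t remains the authority on a real machine.

```python
"""Lint an sshd_config for deprecated keywords and weak settings.

Added example for this thread, not from any poster. QUICKSTART_CONFIG is
constructed from the options listed in the post plus X11Forwarding as in
the ssh -X thread; the tables below are assumptions from OpenSSH release
notes, so confirm anything it reports with `sshd -t`.
"""
from __future__ import annotations

# Lowercase keyword -> replacement keyword, or None when the line should go.
DEPRECATED = {
    "keepalive": "TCPKeepAlive",                 # renamed long ago
    "pamauthenticationviakbdint": None,          # the warning the poster saw
    "challengeresponseauthentication": "KbdInteractiveAuthentication",
    "protocol": None,                            # protocol 1 is gone
    "rsaauthentication": None,                   # protocol 1 only
    "rhostsrsaauthentication": None,             # protocol 1 only
    "serverkeybits": None,                       # protocol 1 only
    "keyregenerationinterval": None,             # protocol 1 only
    "useprivilegeseparation": None,              # always enabled now
}

# Lowercase keyword -> acceptable (lowercase) values for a key-only host.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
}

# Constructed sample: the quick-start options from the post, plus X11Forwarding.
QUICKSTART_CONFIG = """\
Port 22
Protocol 2
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PAMAuthenticationViaKbdInt no
Compression yes
KeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 4
X11Forwarding yes
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Map lowercase keyword -> value, keeping the FIRST occurrence of each.

    sshd honours the first value it reads for a keyword, so a later duplicate
    is ignored here too. Match blocks are not modelled, and anything after
    '#' is dropped (a simplification; sshd's own handling of trailing
    comments has varied between releases).
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) == 2 else ""
        settings.setdefault(key, value)
    return settings


def lint(settings: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: list[str] = []
    for key in settings:
        if key in DEPRECATED:
            replacement = DEPRECATED[key]
            advice = f"use {replacement} instead" if replacement else "delete the line"
            findings.append(f"deprecated keyword '{key}': {advice}")
    for key, acceptable in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"'{key}' is not set; the compiled-in default applies")
        elif value.lower() not in acceptable:
            findings.append(
                f"weak setting '{key} {value}': expected one of {sorted(acceptable)}"
            )
    return findings


def deprecated_findings(findings: list[str]) -> list[str]:
    """Subset of findings that concern deprecated keywords."""
    return [f for f in findings if f.startswith("deprecated")]


if __name__ == "__main__":
    for finding in lint(parse_sshd_config(QUICKSTART_CONFIG)):
        print(finding)
```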
Re: [gentoo-user] Curious pattern in log files from ssh...
On Thursday 04 December 2008 21:03:17 Christian Franke wrote:

On 12/03/2008 09:02 PM, Steve wrote:

I've recently discovered a curious pattern emerging in my system log with failed login attempts via ssh. I'm not particularly concerned - since I'm confident that all my users have strong passwords... but it strikes me that this data identifies a bot-net that is clearly malicious attempting to break passwords. Sure, I could use IPtables to block all these bad ports... or... I could disable password authentication entirely... but I keep thinking that there has to be something better I can do... any suggestions? Is there a simple way to integrate a block-list of known-compromised hosts into IPtables - rather like my postfix is configured to drop connections from known spam sources from the sbl-xbl.spamhaus.org DNS block list, for example.

I just don't see what blocking ssh-bruteforce attempts should be good for, at least on a server where few _users_ are active.

Two reasons:
a. Maybe, just maybe, you overlooked something. Belts, braces and a drawstring for good measure is not a bad thing.
b. You probably want to get all that crap out of your log files off into some other place where you can cope with it. Parsing auth log files that are 95% brute force attempts is no fun. I like to have the crap in place A and the real stuff in place B, makes my job so much easier.

The chance that security of a well configured system will be compromised by that is next to zero, and on recent systems it is also impossible to cause significant load with ssh-login-attempts.

Uh-huh. We all said that for many years. Then some bright spark actually looked at the patches the debian openssh maintainer was applying and we all had one of those special "oops..." moments. Did you have any idea of just how weak certs made on a debian box were before it hit the headlines? No-one I know did.
Also, things like fail2ban add new attack-possibilities to a system, I remember the old DoS for fail2ban, resulting from a wrong regex in log file parsing, but I think at least this is fixed now. Whereas that is true enough in itself, the actual risk of such is rather low in comparison to the gains. Hence it is not a valid reason to not use fail2ban and such-like apps. If it were, we should all just stop using iptables and libwrap and openssl on the off-chance that maybe, just maybe, they open an attack vector. But that's silly reasoning right? -- alan dot mckinnon at gmail dot com
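As an added example (not from the thread), here is detection logic of the kind Alan describes: it runs over constructed sshd auth log lines, separates the brute-force noise ("place A") from real logins ("place B"), identifies sources that work through many usernames, and emits iptables drop rules for review. The log lines, addresses and thresholds are constructed for the example.

```python
"""Separate sshd brute-force noise from real logins in an auth log.

Added example for this thread, not from any poster. SAMPLE_LOG is
constructed in OpenSSH's syslog format using documentation IP ranges
(TEST-NET), and the thresholds are illustrative, not fail2ban defaults.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Iterable

FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port"
)

# Constructed sample log: one dictionary attack, one legitimate login
# preceded by a typo, and one source hammering a single account.
SAMPLE_LOG = """\
Dec  3 20:58:01 gw sshd[4021]: Invalid user admin from 203.0.113.7
Dec  3 20:58:01 gw sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Dec  3 20:58:04 gw sshd[4023]: Invalid user oracle from 203.0.113.7
Dec  3 20:58:04 gw sshd[4023]: Failed password for invalid user oracle from 203.0.113.7 port 50131 ssh2
Dec  3 20:58:07 gw sshd[4025]: Failed password for root from 203.0.113.7 port 50140 ssh2
Dec  3 20:58:09 gw sshd[4025]: Failed password for root from 203.0.113.7 port 50140 ssh2
Dec  3 20:58:12 gw sshd[4027]: Invalid user test from 203.0.113.7
Dec  3 20:58:12 gw sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 50155 ssh2
Dec  3 21:01:44 gw sshd[4102]: Failed password for steve from 198.51.100.23 port 41022 ssh2
Dec  3 21:01:49 gw sshd[4102]: Accepted publickey for steve from 198.51.100.23 port 41022 ssh2
Dec  3 21:02:30 gw sshd[4110]: Failed password for root from 198.51.100.200 port 60001 ssh2
Dec  3 21:02:33 gw sshd[4110]: Failed password for root from 198.51.100.200 port 60001 ssh2
Dec  3 21:02:36 gw sshd[4110]: Failed password for root from 198.51.100.200 port 60001 ssh2
"""


@dataclass
class Summary:
    total_lines: int = 0
    failed: Counter = field(default_factory=Counter)      # ip -> failed auths
    invalid: Counter = field(default_factory=Counter)     # ip -> unknown usernames
    users: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    accepted: list[tuple[str, str, str]] = field(default_factory=list)  # (ip, user, method)
    other: list[str] = field(default_factory=list)        # lines matching nothing

    def noise_share(self) -> float:
        """Fraction of lines that are failed or invalid-user attempts."""
        noise = sum(self.failed.values()) + sum(self.invalid.values())
        return noise / self.total_lines if self.total_lines else 0.0


def summarize(lines: Iterable[str]) -> Summary:
    """Classify each log line; 'Failed ... for invalid user' counts once."""
    s = Summary()
    for line in lines:
        s.total_lines += 1
        if m := FAILED.search(line):
            s.failed[m["ip"]] += 1
            s.users[m["ip"]].add(m["user"])
        elif m := INVALID.search(line):
            s.invalid[m["ip"]] += 1
            s.users[m["ip"]].add(m["user"])
        elif m := ACCEPTED.search(line):
            s.accepted.append((m["ip"], m["user"], m["method"]))
        else:
            s.other.append(line)
    return s


def offenders(s: Summary, min_failures: int = 5) -> list[dict]:
    """Sources at or above the failure threshold, worst first.

    A source cycling through several distinct usernames is marked as a
    dictionary attack; a single account being hammered is not.
    """
    rows = []
    for ip, count in s.failed.items():
        if count >= min_failures:
            rows.append({
                "ip": ip,
                "failures": count,
                "distinct_users": len(s.users[ip]),
                "dictionary_attack": len(s.users[ip]) >= 3,
            })
    return sorted(rows, key=lambda r: (-r["failures"], r["ip"]))


def block_rules(ips: Iterable[str]) -> list[str]:
    """iptables rules dropping port 22 from each offender (review before use)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"noise share: {summary.noise_share():.0%}; real logins: {summary.accepted}")
    for row in offenders(summary, min_failures=3):
        print(row)
    print("\n".join(block_rules(r["ip"] for r in offenders(summary, min_failures=3))))
```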
Re: [gentoo-user] [bit OT] 32 vs. 64 bits
On Monday 08 December 2008 17:09:04 Albert Hopkins wrote:

On Mon, 2008-12-08 at 14:59 +0100, pat wrote:

Hello, I've bought a new laptop with Core 2 Duo processor which is 64 bit. My question is if applications (see below) compiled and running over 64 bits are stable enough or if I should compile for 32 bits. The applications are:
- SeaMonkey/Firefox
- Java
- Flash
- Audacious
- mplayer
- VirtualBox/VMware
- Qemu
- Kerberos/OpenLDAP/OpenSSH (for these I think they are stable)
- X.org/fluxbox
- system suspending

With very very few exceptions, stability shouldn't be much of an issue for you. It's pretty much the same source code base. What you should be more concerned about is application availability, especially WRT:
* if the application is closed-source, is there a 64-bit version
* have the Gentoo maintainers marked it (yet) for amd64 (stable). Gentoo is (or at least used to be) a bit slower at marking things amd64 just because there are (were) fewer testers. I think this is pretty much a non-issue nowadays.
* if it has code optimized in assembler, is there optimized x64/compatible assembler.

We (well, I) still use the closed-source (well, binary) versions of java. IBM's Java at least has a 64-bit port. Adobe just released a Linux x64 port of Flash (in Alpha). From my experience it's just as stable (or rather unstable) as the x86 version. win32codecs will not work unless it's used by a 32-bit exe (You can run 32-bit apps on x64). System suspending is largely kernel. Anyway probably more than you wanted to know, but I don't think stability is ever really a factor. Linux has supported 64-bit processors for at least 15 years (I think). Usually the only issue (just like running Linux on *any* non-x86 architecture) is the availability of proprietary apps.

-a

I have been using amd64/x86 Gentoo for 3 years. Both of them are really really great. Especially the amd64 machine, which is my desktop/development box, can run simply everything.
All the mainline applications run perfectly on it. So if you want my advice, forget about x86 and go install amd64. You won't regret it :)
-- Markos Chandras
[gentoo-user] what is a normal 'emerge -ep system'?
What does a normal 'emerge -ep system' look like on x86 with a 2005.0 profile? Just now I saw someone mention having 158 packages in system. Here I have only 103:

# emerge -ep system | grep ebuild | wc -l
103

But when I do an 'emerge --depclean -p' it ends with:

Packages installed: 406
Packages in world: 105
Packages in system: 62
Unique package names: 403
Required packages: 417
Number to remove: 3

Only 62 packages in system? Okay, maybe only the basic packages count, not the ones they depend on:

# emerge -ept system | grep ebuild | grep -v '] ' | wc -l
27

Hmm! Where does the 62 come from?

# emerge -ept system | grep ebuild | grep -v '] '
[ebuild N] sys-devel/bin86-0.16.17
[ebuild N] sys-apps/hdparm-5.7-r1
[ebuild N] sys-libs/pwdb-0.62
[ebuild N] net-misc/openssh-3.9_p1-r2
[ebuild N] sys-apps/module-init-tools-3.0-r2
[ebuild N] app-editors/nano-1.3.4
[ebuild N] sys-fs/udev-056
[ebuild N] sys-devel/make-3.80-r1
[ebuild N] sys-apps/shadow-4.0.5-r3
[ebuild N] sys-process/psmisc-21.5
[ebuild N] sys-process/procps-3.2.4-r3
[ebuild N] sys-apps/net-tools-1.60-r11
[ebuild N] sys-apps/man-pages-2.01
[ebuild N] sys-apps/less-382-r2
[ebuild N] sys-apps/kbd-1.12-r3
[ebuild N] sys-apps/findutils-4.1.20-r1
[ebuild N] sys-apps/ed-0.2-r6
[ebuild N] net-misc/wget-1.9.1-r3
[ebuild N] net-misc/rsync-2.6.0-r4
[ebuild N] net-misc/iputils-021109-r3
[ebuild N] app-shells/sash-3.7
[ebuild N] app-arch/tar-1.15.1
[ebuild N] app-arch/gzip-1.3.5-r5
[ebuild N] app-arch/bzip2-1.0.2-r5
[ebuild N] sys-libs/libstdc++-v3-3.3.4
[ebuild N] x11-terms/xterm-200-r1
[ebuild N] sys-apps/man-1.5p

Apart from the exact version numbers, is this normal?

Benno
Re: [gentoo-user] gcc-4.0.0?
last I checked, the gcc4 ebuild isn't even hard-masked yet... it exists, but that's about it. Don't know if the gentoo-user list is the best place to ask this question at this moment. OTOH, searching around on the gentoo forums, it seems that some people are adventurous enough. Some problems they reported:
glibc 2.3.5 does not adhere to gcc4's strictness
wget won't compile
openssh won't compile
e2fsprogs won't compile
...and more

There's one gigantic gcc 4.0 thread in the forums, it began life as a gcc 3.4.0 thread, however, go a bit past half way before you hit the 4.0 stuff. To quote irf2003, whom many on the thread agreed was the one to listen to:

"Don't mess ur box up! You are on stable, with gcc4 you need to go beyond ~x86. Play with it in a chroot. The only advantage of gcc4 at this time is that it compiles fast. If you want a real boost to your system, go for gcc-3.4.x, you will not regret it. It's literally like having a hardware upgrade, when one is migrating from gcc 3.3. Give it a try."

HTH, W

On Sun, Apr 24, 2005 at 12:57:30AM -0400, Jerry McBride wrote:

Anyone done anything big with the new compiler yet? Like an emerge -e world?
[gentoo-user] ssh Failed to add the host to the list of known hosts
For some reason, my SSH (openssh-4.5_p1-r1) refuses to remember any hosts I connect to, and even if I keep connecting to the same machine over and over, it still wants me to OK the RSA fingerprint manually. Here's the verbose output when I try to connect to a known machine:

ssh -v XX.xx.xxx
OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to XX.xx.xxx [xxx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/identity type -1
debug1: identity file /home/myuser/.ssh/id_rsa type -1
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'XX.xx.xxx (xxx.xxx.xx.xx)' can't be established.
RSA key fingerprint is (SOME RSA KEY GOES HERE)
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/myuser/.ssh/known_hosts).
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/myuser/.ssh/identity
debug1: Trying private key: /home/myuser/.ssh/id_rsa
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

It would not create any files under my /home/myuser/.ssh/ directory. When I tried to create a file there manually, it said permission denied. Do I need to be added to some group to fix these permissions?
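The "Failed to add the host" line above almost always means the user cannot write to ~/.ssh, typically because the directory (or the home directory) was created by root. Below is an added diagnostic script, not part of the thread, that checks ownership and mode bits the way ssh expects them; it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not part of the thread: diagnose why ssh reports
# "Failed to add the host to the list of known hosts". The usual cause
# is a ~/.ssh (or ~) created by root, so the user cannot write there.
# Everything is checked with stat so the answer is the same when run as
# root, where "test -w" would report "writable" regardless. Needs GNU stat.

# check_ssh_dir DIR [USER]
# Succeeds when DIR exists, is owned by USER (default: the caller), has
# the owner write bit, and is not writable by group or others (which
# makes ssh ignore the directory). Prints one line per problem found.
check_ssh_dir() {
    dir=$1
    want=${2:-$(id -un)}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing (ssh will try to create it on first use)"
        return 1
    fi
    owner=$(stat -c '%U' "$dir")
    perm=$(( 0$(stat -c '%a' "$dir") & 0777 ))
    if [ "$owner" != "$want" ]; then
        echo "$dir: owned by $owner, expected $want (chown -R $want $dir)"
        rc=1
    fi
    if [ $(( perm & 0200 )) -eq 0 ]; then
        echo "$dir: owner cannot write (chmod u+w $dir)"
        rc=1
    fi
    if [ $(( perm & 022 )) -ne 0 ]; then
        echo "$dir: group/world writable (chmod 700 $dir)"
        rc=1
    fi
    # known_hosts itself must be owned and writable by the user as well
    kh=$dir/known_hosts
    if [ -e "$kh" ]; then
        kowner=$(stat -c '%U' "$kh")
        kperm=$(( 0$(stat -c '%a' "$kh") & 0777 ))
        if [ "$kowner" != "$want" ] || [ $(( kperm & 0200 )) -eq 0 ]; then
            echo "$kh: not writable by $want (chown $want $kh; chmod 600 $kh)"
            rc=1
        fi
    fi
    return $rc
}

# Run against the caller's own ~/.ssh when invoked directly.
if [ -n "$HOME" ]; then
    check_ssh_dir "$HOME/.ssh" && echo "$HOME/.ssh: ok"
fi
```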
Re: [gentoo-user] Hosted server as distcc machine
On Friday 24 March 2006 13:25, Grant [EMAIL PROTECTED] wrote about 'Re: [gentoo-user] Hosted server as distcc machine':

> > It's probably better to use distcc over ssh, using an ssh-agent and PKI authentication.
>
> How would ssh and PKI be set up in the workflow? It isn't mentioned here: http://www.gentoo.org/doc/en/distcc.xml

1) On the server, set up the shell account that will use distcc via ssh.
2) On the client, generate the private key for that account and use ssh-copy-id to give the server the public key.
3) On the server, if possible, disable password logins to force the use of the private key for that user.
4) On the client, add a line like [EMAIL PROTECTED] to your distcc_hosts.
5) Prior to invoking distcc on the client, start an ssh-agent (I prefer the keychain meta-agent) and optionally add your private key to the agent. (If you don't start an agent, each compile that goes to an ssh host will ask for a password -- very troublesome with parallel make; if you don't add your private key to the agent, you'll get prompted for the passphrase the first time you need a key -- still moderately troublesome.)

There is no need to run distccd on the server at all. You /will/ need sshd.

> It sounds like this would make the remote distcc idea as secure as ssh and I won't have to worry about the fact that distcc wasn't built with security in mind. Is that right?

Yes. Since you aren't running the distccd server, its lack of security is not a concern for you. You'll be depending on the security of ssh. While not completely spotless (e.g. the zlib vulnerability bit openssh) it was, at least, designed with security in mind.

> Also, I'm the only user on all of my systems so it would be OK to use plain ssh without PKI right?

Unfortunately, no. Not because it's less secure (though it might be, depending on the strength of your passwords vs passphrases), but because there's no such thing (AFAIK) as an ssh-password-agent. This means that each compile job has to ask you for the password -- that's not gonna be real useful, most likely. See the parenthetical notes at the end of step 5.
Re: [gentoo-user] Hosted server as distcc machine
> > > It's probably better to use distcc over ssh, using an ssh-agent and PKI authentication.
> >
> > How would ssh and PKI be set up in the workflow? It isn't mentioned here: http://www.gentoo.org/doc/en/distcc.xml
>
> 1) On the server, set up the shell account that will use distcc via ssh.
> 2) On the client, generate the private key for that account and use ssh-copy-id to give the server the public key.
> 3) On the server, if possible, disable password logins to force the use of the private key for that user.
> 4) On the client, add a line like [EMAIL PROTECTED] to your distcc_hosts.
> 5) Prior to invoking distcc on the client, start an ssh-agent (I prefer the keychain meta-agent) and optionally add your private key to the agent. (If you don't start an agent, each compile that goes to an ssh host will ask for a password -- very troublesome with parallel make; if you don't add your private key to the agent, you'll get prompted for the passphrase the first time you need a key -- still moderately troublesome.)
>
> There is no need to run distccd on the server at all. You /will/ need sshd.
>
> > It sounds like this would make the remote distcc idea as secure as ssh and I won't have to worry about the fact that distcc wasn't built with security in mind. Is that right?
>
> Yes. Since you aren't running the distccd server, its lack of security is not a concern for you. You'll be depending on the security of ssh. While not completely spotless (e.g. the zlib vulnerability bit openssh) it was, at least, designed with security in mind.

Nice.

> > Also, I'm the only user on all of my systems so it would be OK to use plain ssh without PKI right?
>
> Unfortunately, no. Not because it's less secure (though it might be, depending on the strength of your passwords vs passphrases), but because there's no such thing (AFAIK) as an ssh-password-agent. This means that each compile job has to ask you for the password -- that's not gonna be real useful, most likely. See the parenthetical notes at the end of step 5.

So you're saying if I don't use PKI, the remote system is going to prompt me for a password after I'm already logged in? You say each compile that goes to an ssh host will ask for a password. At what point in the emerge process does this happen?

- Grant
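A preflight check for the five-step workflow quoted above, added here as an example that is not part of the thread: it confirms an agent with a loaded key is reachable and that the build host accepts that key without any interactive prompt before emerge fans out parallel jobs. The user name "builder" and the host names are placeholders; the DISTCC_HOSTS syntax (leading "@" for ssh, "/N" for the job limit) is distcc's own.

```shell
#!/bin/sh
# Added example, not part of the thread: preflight for distcc over ssh.
# Checks the two things that otherwise turn into a prompt per compile
# job (step 5): an agent holding the key, and a host that accepts the
# key non-interactively. "builder" and the host names are placeholders.

# distcc_ssh_hostspec USER HOST [LIMIT]
# Builds the DISTCC_HOSTS entry for an ssh host: distcc treats a leading
# '@' as "connect over ssh" and a trailing /LIMIT as the job limit.
distcc_ssh_hostspec() {
    spec="@$1@$2"
    [ -n "$3" ] && spec="$spec/$3"
    printf '%s\n' "$spec"
}

# agent_has_key: true only if an ssh-agent is reachable and holds a key.
# ssh-add -l exits 0 with keys, 1 with an empty agent, 2 with no agent.
agent_has_key() {
    [ -n "$SSH_AUTH_SOCK" ] && ssh-add -l >/dev/null 2>&1
}

# key_login_works USER HOST
# BatchMode=yes forbids every interactive prompt, so this fails instead
# of hanging if the server would fall back to password authentication.
key_login_works() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1@$2" true >/dev/null 2>&1
}

# preflight USER HOST...
# Prints a DISTCC_HOSTS assignment covering every host that passed,
# or returns 1 if there is no usable agent or no reachable host.
preflight() {
    user=$1; shift
    if ! agent_has_key; then
        echo "no ssh-agent with a loaded key; start keychain/ssh-agent and ssh-add first" >&2
        return 1
    fi
    hosts=""
    for h in "$@"; do
        if key_login_works "$user" "$h"; then
            hosts="$hosts $(distcc_ssh_hostspec "$user" "$h" 4)"
        else
            echo "$h: key-based login failed or would prompt; skipping" >&2
        fi
    done
    [ -n "$hosts" ] || return 1
    echo "DISTCC_HOSTS='localhost${hosts}'"
}

# Typical use before an emerge (placeholder hosts):
#   eval "$(preflight builder buildbox1.example buildbox2.example)" && emerge -uD world
```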
Re: [gentoo-user] Problems with domainname
On Mon, Mar 27, 2006 at 07:04:44PM -0800, maxim wexler wrote:

> Okay, I'll try it. Can you give me some hints on how to edit the config file keeping in mind it's only for a crossover LAN and security is _not_ an issue? It's to spare me the ordeal of downloading to one machine and then having to burn to a CD just so I can put it on another machine 5 feet away.

Step 1 is to make sure that you can traceroute or ping from one machine to the other. Once you know that you're connected, you can emerge openssh. You can run with /etc/ssh/sshd_config left at default values. But you'll want to make a few changes after that.

The reasons for using keys rather than passwords are security and convenience. A 1024-bit key is a helluva lot harder to break than brute-forcing userID/password combos. And you won't have to enter your password each time you connect to the host. This allows you to use scp in scripts and even in cron jobs.

Make sure that sshd is running on the target machine. "/etc/init.d/sshd start" starts it. Put it into default with etc-update to have it come up at bootup.

Some notes...

- 1st time you try to connect to a host you'll be asked to confirm. If you say yes, the host will be listed in ~/.ssh/known_hosts. If that host ever changes IP address, ssh will scream blue murder when you try to connect to it.

- to start a telnet-like SecureSHell (hence the name ssh) session you connect like one of the following example lines...
    ssh [EMAIL PROTECTED]
    ssh [EMAIL PROTECTED]

- to copy file(s) from target machine to you...
    scp [EMAIL PROTECTED]:filename .
    scp [EMAIL PROTECTED]:photos/*.jpeg myphotos/

- to copy entire directory from target machine to you...
    scp -r [EMAIL PROTECTED]:photos .
    scp -r [EMAIL PROTECTED]:photos myphotos/

- to copy from your machine to the target machine, the examples look like so...
    scp [EMAIL PROTECTED]:filename .
    scp [EMAIL PROTECTED]:photos/*.jpeg myphotos/
    scp -r photos [EMAIL PROTECTED]:.
    scp -r myphotos [EMAIL PROTECTED]:photos/

--
Walter Dnes [EMAIL PROTECTED]
In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
[OT] Was: [gentoo-user] Finding packages which provide a file
Alexander Skwar wrote:

> [EMAIL PROTECTED] /var/db/pkg/gnome-base/gnome-2.14.1 $ cat USE
> x86 GAPING_SECURITY_HOLE X acpi alsa amd apache2 apm arts artswrappersuid async avi bash-completion bdf berkdb bitmap-fonts bluetooth bootsplash cairo caps cardbus ccache cdda cddb cdio cdparanoia cdr cdrom cle266 cli crypt css curlwrappers dbus devmap dillo divx4linux dlloader dri dvd dvdread emoticon esd exif fam fbcon fbdev firefox fping freetype gdbm gif gnokii gnome gstreamer gtk gtk2 hal hpn icc id3 idn imap imlib imlib2 insecure-drivers insecure-savers isdnlog javascript jikes jpeg kde kdeenablefinal libedit libwww linuxthreads-tls logrotate lynxkeymap mad madwifi maildir matroska mbox mmx mmxext mozilla moznoirc mozsvg mp3 mpeg mpeg2 mpeg4 mplayer multicall ncurses netboot network new-login nfs nis nls no-old-linux no-suexec noantlr nobcel nobeanutils nobsf nobsh nocd nocommonslogging nocommonsnet nodrm nogg nogulm nojsch nojython nolog4j nomac nooro nopri norhino noxalan noxerces nozaptel nptl nsplugin offensive ogg opengl openssh pam_console pam_timestamp passfile password patented pccts pcmcia pcre perl perlsuid pic player png pnp pppd qt quicktime rar readline real recode reflection reiserfs sdl sendfile sensord session sftp sms spell spf spl sse sse2 ssl startup-notification stream subp subtitles suid symlink sysfs syslog tiff transcode truetype truetype-fonts trusted type1-fonts udev underscores unichrome unicode unsafe usb utf8 uudeview vim vim-pager vlm vorbis wifi win32codecs wma123 x11vnc xinetd xml xmms xorg xpm xprint xscreensaver xv xvid xvmc zlib elibc_glibc input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_-synaptics kernel_linux linguas_de userland_GNU video_cards_fbdev video_cards_vesa video_cards_vga video_cards_via

Nothing to do with the original topic, BUT... I'd be very interested to know how a flag called GAPING_SECURITY_HOLE gets into one's USE ;) I'm assuming you didn't put it there yourself!
[gentoo-user] SSH/SSH2 hosed, partially fixed, some rubble remains
I've been using ssh and/or ssh2 daemons on this gentoo system for so long I've forgotten how I had it set up. Now it's broken, and I have no idea how it got that way.

At first, it was just taking a long time to connect to this system (home) from work and ask for a password. Now it is still slow, but it just does not respond at all after the password is entered. Also at first, I imagined that I was really having a problem relating to my domain registration being changed, but now that has pretty much settled down. To make things just a bit more difficult, I've been too busy surviving a car crash and dealing with associated medical issues to pay enough attention to this.

Anyway, here is some of what I find in the rubble:

I have both /etc/init.d/sshd and /etc/init.d/sshd2. I can start and stop sshd, but not sshd2, which complains it's not configured. File timestamps indicate that sshd2 stuff has not changed since some time in 2004. Moreover, equery belongs cannot locate any package that owns the sshd2 files. The sshd files belong to net-misc/openssh-4.3_p2-r1.

AHAH! I've already solved part of the problem, because when I start sshd, I get this:

treat init.d # ./sshd start
ldap_simple_bind_s(): Can't contact LDAP server (-1)
[LDAP] could not initialize ldap connection
 * Starting sshd ...
ldap_simple_bind_s(): Can't contact LDAP server (-1)
[LDAP] could not initialize ldap connection
[ ok ]
treat init.d #

This baffled me a bit. I'm not aware of having or running or using any LDAP server. I never have. I notice that there are some LDAP-related things in sshd_config. SOLVED speed problems when I commented these out.

There's still a mystery to me though. I'm quite sure I did not change them myself and the last emerge was 2 years ago according to /var/log/emerge/log. What I may have done is to adjust X11 forwarding.

STILL TROUBLING: why did LDAP get turned on? Whodunnit? Why do I have orphaned sshd2 things?

STILL BROKEN: Although I can now ssh to my system, with no noticeable delays, I cannot scp because it still hangs after the password is entered. (I can just ssh and then do the scp backwards, however.)

Can anyone help me debug this? What else should I be looking at?

--Kevin O'Gorman, PhD
Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy
On Saturday 06 January 2007 04:32, Boyd Stephen Smith Jr. wrote:
> On Friday 05 January 2007 15:44, Etaoin Shrdlu [EMAIL PROTECTED] wrote about 'Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy':
> > On Friday 5 January 2007 21:25, Mick wrote:
> > > OK. I don't think I need to run a full VPN. I just want to securely connect to my router at home while I am out and about using public wifi hot spots and thereby to be able to connect to the internet using my ISP for browsing and email. The only ports I should need to forward via ssh to the router/server are those serving http/https for browsing and 110/995/143/25/587 for email.
> >
> > If I understand correctly then, you need ssh (and a public IP address) running on the router.
>
> [snip: and then forward a ton of ports]
>
> Or you could forward X over the ssh tunnel, and run your web browser on your router. :)

Thanks, I also thought of running FreeNX on the router, if only the router were capable of running apps. It seems that openwrt is not (yet?) covering the netgear DG834. The wireless version DG834G is shown as WIP on the openwrt website. I'll keep an eye on it, or one day upgrade my router.

> > Finally, if your email program and browser are SOCKS aware, you could simply set them up to use your ssh connection as a SOCKS proxy. There's specific support for this in OpenSSH, so that you don't have to open ports individually; it can be done dynamically on demand.

Cool! I'll check it out.

> > Never used it myself, but take a look at the openwrt project. From what I understand, it seems that it lets you put linux into the firmware of many popular routers, and manage it using a web interface.
>
> While there has been some work done on a web interface, it's not a priority for the core OpenWRT team. For me, managing my router from a command prompt worked better anyway.

How do you set firewall rules using openwrt? Through a script?

--
Regards,
Mick
Re: [gentoo-user] Error on login: *** glibc detected *** double free or corruption...
Rennie deGraaf wrote:
> A few minutes ago, I discovered that I can't log into my firewall.
>
> If I try SSH from inside, it gives me my login banner and immediately disconnects, without prompting for a password. This suggested to me that when trying to clean up the mess left by upgrading the shadow package yesterday (and first removing pam-login) as recommended by GLSA-200606-02, I left something incorrectly configured.
>
> If I try SSH from outside, the connection times out. I don't know why this happens - the iptables configuration should allow SSH connections from outside, and the timing suggests a problem before reaching the login or pam code.
>
> If I try to log in via a virtual TTY on a serial port, I get the message
>   *** glibc detected *** double free or corruption (!prev): 0x142e1cc8 ***
> (the address varies) after entering a username, but before entering a password. This suggests a problem with either the login or pam software; I can't see how a configuration error could cause this.
>
> If I try to log in via the system console, I get the same error as with the serial line.
>
> My firewall is running a tightly locked-down minimal install of Gentoo 2005.1 with the hardened kernel and toolkit and all relevant security updates applied. I think that the kernel is 2.6.11-hardened-r15. Other than my inability to log in, it seems to be working - the DNS server is still responding, and it still seems to be forwarding packets correctly. The system has been up since some time in late August or early September 2005.
>
> I guess that the only way to get into the system and try to fix it is to reboot into single-user mode, but before I take it down for maintenance, I'd like to know if I'm dealing with a software problem or a configuration problem (since with my firewall down, I will have no way to look up more information from the Internet). Does anyone know what this error signifies in this context, or have any suggestions on how to recover?
>
> Thanks,
> Rennie deGraaf

Hi,

Just reboot and try again. IIRC the solution was to rebuild openssh after the new shadow package within the same ssh session (assuming that's the way you do it).

HTH.
Rumen
Re: [gentoo-user] How send mail when user login on ssh or local ?
2009/7/30 Vagner Rodrigues vag...@litrixlinux.org:
> Hi Folks!
>
> Does somebody know how I can send mail with IP and date/time when some user logs in on a shell (remote or local)? I work with other admins and they never tell me when they access my server and for what. I try logs but these can be erased, and maybe mail can help me about access, and with this I can ask about this access.

Well, all questions regarding the reasons you'd be giving root privs to someone you don't entirely trust aside... the quick and dirty approach I can think of would be to modify the system-wide /etc/profile to check the uid and send an email if a given uid is logged in. In the end, there's little to no way I'm aware of to guarantee being alerted about use once someone's been handed root privileges.

If you do go about setting it up that way... OpenSSH sets variables[1] regarding the session (IP and such) and those can be used to identify that. The `tty` command[2] can be used to tell you whether the access is direct physical access to the system's virtual consoles or not. You could even bypass dependency on the local system having a working mail configuration and such, if you have an smtp server off-host you can send through, by using netcat. A Windows variation[3] I found of the same principle does just that. And, lastly, if you use sudo you can leverage its own auditing capabilities to know when it's being used[4].

[1] For example:

SSH_CLIENT=127.0.0.1 44681 22
SSH_TTY=/dev/pts/1
SSH_CONNECTION=127.0.0.1 44681 127.0.0.1 22

Which are of the form:

SSH_CLIENT=<client ip> <client port> <server port>
SSH_TTY=<local tty or pty>
SSH_CONNECTION=<client ip> <client port> <server ip> <server port>

[2] http://swoolley.org/man.cgi/tty
[3] http://community.spiceworks.com/how_to/show/225
[4] http://www.cyberciti.biz/faq/sudo-send-e-mail-sudo-log-file/

--
Poison [BLX]
Joshua M. Murphy
Real programmers can write assembly code in any language. - Larry Wall
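The profile-based approach described above, as an added example that is not part of the thread: a /etc/profile.d drop-in that builds a login record from SSH_CONNECTION and the tty and mails it off-host for watched UIDs. The recipient address, the WATCH_UIDS list and the use of the local "mail" command are assumptions; the variable layout is the one OpenSSH documents.

```shell
#!/bin/sh
# Added example, not part of the thread: /etc/profile.d/login-notify.sh
# Reports interactive logins of watched accounts (root by default) using
# the session variables OpenSSH sets, so the admin gets a mail record
# that is independent of the local log files. The recipient address is a
# placeholder; delivery uses the local "mail" command.

# login_record USER UID TTY SSH_CONNECTION_VALUE
# Formats one line: who, from where, on which tty, when, on which host.
# A non-empty SSH_CONNECTION means an ssh session; otherwise the tty
# name tells a virtual console (/dev/ttyN) from other local access.
login_record() {
    user=$1 uid=$2 tty=$3 conn=$4
    if [ -n "$conn" ]; then
        # SSH_CONNECTION = client-ip client-port server-ip server-port
        set -- $conn
        where="ssh from $1 port $2 to $3 port $4"
    else
        case $tty in
            /dev/tty[0-9]*) where="local console" ;;
            *)              where="local (non-ssh) session" ;;
        esac
    fi
    printf 'LOGIN %s (uid %s) %s on %s at %s host %s\n' \
        "$user" "$uid" "$where" "$tty" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)"
}

# watched UID: true if UID is in the space-separated WATCH_UIDS list
# (defaults to uid 0, i.e. root).
watched() {
    for w in ${WATCH_UIDS:-0}; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# notify_login: only for interactive shells of watched users; the mail
# is sent in the background so a slow MTA never delays the login.
notify_login() {
    case $- in *i*) ;; *) return 0 ;; esac
    uid=$(id -u)
    watched "$uid" || return 0
    rec=$(login_record "$(id -un)" "$uid" "$(tty 2>/dev/null)" "$SSH_CONNECTION")
    # Placeholder recipient; point this at an off-host mailbox.
    printf '%s\n' "$rec" | mail -s "login on $(hostname)" admin@example.invalid 2>/dev/null &
}

notify_login
```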
Re: [gentoo-user] Re: mysql USE flag error
2009/10/19 Remy Blank remy.bl...@pobox.com:
> Mick wrote:
> > I've added -mysql in /etc/portage/package.use for x11-libs/qt-sql but it makes no difference.
>
> You should add -mysql for the package app-office/akonadi-server instead.

This looks more promising, thanks. Still pam seems to be getting confused (well, pambase may not be, but I am, because all sorts of other packages are now being dragged in - please see below). Am I losing my touch with portage-foo or is my otherwise stable system in need of some fix?

# emerge -upDv world

These are the packages that would be merged, in order:

Calculating dependencies... done!

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

sys-auth/pambase:0

  ('ebuild', '/', 'sys-auth/pambase-20090620.1-r1', 'merge') pulled in by
    sys-auth/pambase required by world
    sys-auth/pambase[consolekit] required by ('ebuild', '/', 'net-wireless/bluez-4.39-r2', 'merge')

  ('installed', '/', 'sys-auth/pambase-20090620.1-r1', 'nomerge') pulled in by
    sys-auth/pambase required by world
    >=sys-auth/pambase-20081028 required by ('installed', '/', 'net-misc/openssh-5.2_p1-r3', 'nomerge')
    >=sys-auth/pambase-20080219.1 required by ('installed', '/', 'sys-apps/shadow-4.1.2.2', 'nomerge')
    (and 1 more)

It may be possible to solve this problem by using package.mask to prevent one of those packages from being selected. However, it is also possible that conflicting dependencies exist such that they are impossible to satisfy simultaneously. If such a conflict exists in the dependencies of two different packages, then those packages can not be installed simultaneously. For more information, see MASKED PACKAGES section in the emerge man page or refer to the Gentoo Handbook.

emerge: there are no ebuilds built with USE flags to satisfy ">=dev-python/PyQt4-4.5[dbus,sql,svg,webkit,X]".
!!! One of the following packages is required to complete your request:
- dev-python/PyQt4-4.5.4-r4 (Change USE: +sql +webkit)
(dependency required by "kde-base/pykde4-4.3.1" [ebuild])
(dependency required by "kde-base/plasma-workspace-4.3.1" [ebuild])
(dependency required by "kde-base/kdebase-meta-4.3.1" [ebuild])
(dependency required by "world" [argument])

--
Regards,
Mick
Re: [gentoo-user] Re: mysql USE flag error
On Monday 19 October 2009, you wrote:
> 2009/10/19 Remy Blank remy.bl...@pobox.com:
> > Mick wrote:
> > > I've added -mysql in /etc/portage/package.use for x11-libs/qt-sql but it makes no difference.
> >
> > You should add -mysql for the package app-office/akonadi-server instead.
>
> This looks more promising, thanks. Still pam seems to be getting confused

I hope it is not bad form answering my own post ...

I've now uninstalled anything with net-wireless/bluez* in it, but I am still getting this:

==
# emerge -upDv world

These are the packages that would be merged, in order:

Calculating dependencies... done!

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

sys-auth/pambase:0

  ('ebuild', '/', 'sys-auth/pambase-20090620.1-r1', 'merge') pulled in by
    sys-auth/pambase required by world
    sys-auth/pambase[consolekit] required by ('ebuild', '/', 'net-wireless/bluez-4.39-r2', 'merge')

  ('installed', '/', 'sys-auth/pambase-20090620.1-r1', 'nomerge') pulled in by
    sys-auth/pambase required by world
    >=sys-auth/pambase-20081028 required by ('installed', '/', 'net-misc/openssh-5.2_p1-r3', 'nomerge')
    >=sys-auth/pambase-20080219.1 required by ('installed', '/', 'sys-apps/shadow-4.1.2.2', 'nomerge')
    (and 1 more)

It may be possible to solve this problem by using package.mask to prevent one of those packages from being selected. However, it is also possible that conflicting dependencies exist such that they are impossible to satisfy simultaneously. If such a conflict exists in the dependencies of two different packages, then those packages can not be installed simultaneously. For more information, see MASKED PACKAGES section in the emerge man page or refer to the Gentoo Handbook.

emerge: there are no ebuilds built with USE flags to satisfy ">=dev-python/PyQt4-4.5[dbus,sql,svg,webkit,X]".
!!! One of the following packages is required to complete your request:
- dev-python/PyQt4-4.5.4-r4 (Change USE: +sql +webkit)
(dependency required by "kde-base/pykde4-4.3.1" [ebuild])
(dependency required by "kde-base/plasma-workspace-4.3.1" [ebuild])
(dependency required by "kde-base/kdebase-meta-4.3.1" [ebuild])
(dependency required by "world" [argument])
==

This all started this morning after an eix-sync crashed on me because the laptop ran out of battery. I removed /usr/portage/metadata/timestamp.chk and resync'ed after that - so I don't believe that this is what caused this mess. I have also remerged portage and eix.

What else is there to try to fix this problem?

--
Regards,
Mick
Re: [gentoo-user] ssh problem
On 02/26/2011 03:13 AM, Mick wrote:
> On Saturday 26 February 2011 07:49:44 Adam Carter wrote:
> > > The nc command does nothing when run from the same host I'm trying to ssh in to.
> >
> > Ok so you may not have an ssh problem (so ignore the ssh specific stuff for now); you have a network problem. It will be either routing or firewalling. If you can ping the box, then it's a firewall problem. So, try pinging it first, and if that works then you know that routing is in place and it's a firewall problem. If that doesn't work try traceroute to see how far you can get, and the last hop may provide clues as to why you can access it by sending an ICMP message. Post back what you find.
>
> Depending on configuration of routers and firewalls ICMP packets may be dropped, so if plain ping/traceroute fails use httping and tcptraceroute (or traceroute -T -p 22).

I don't know why I would have a firewall or network problem; the setup I have has been here for 8+ years. The setup is like this. In the basement the cable internet comes in and into a cable modem. Then an RJ45 out of the cable modem into an 8-port NETGEAR Router/Switch. Upstairs is a hub with three computers connected and this hub is connected to the switch in the basement. The only problem I ever had was when the dhcp address changed, then it needed to be added to the PORT FORWARDING section of the switch with port 22.

Remember I can still log in remotely from Redhat and Suse boxes that weren't updated with the new openssh. When ssh'ing in from a remote updated Gentoo box the "Read from socket failed: Connection reset by peer" message is displayed. This message is not displayed when trying to ssh in from inside the network.

Alright, back to the task at hand. When I tell the switch to "Respond to Ping on Internet WAN Port" the ping statistics are good: 3 packets transmitted, 3 received, 0% packet loss, time 2007ms.

I'm not sure where to go from here. Is there anything in the sshd_config or ssh_config files that I need? After the upgrade the new files were merged with the current.

Thanks
dhk
Re: [gentoo-user] internal-sftp and logs files
Good afternoon,

http://groups.google.com/group/comp.security.ssh/browse_thread/thread/ce30a1d9889dc2e2?pli=1

The link above has the tip to solve the problem. I had found this link, however I was creating the log file in the dev directory of the chroot user. With the strace command I noticed what was happening: a permission error on file access. Effectively you only need to create the dev directory; syslog-ng will create the log file automatically. The log file is actually a socket file that syslog-ng will create.

Solution: My mistake was to manually create the log file in the dev directory of the chroot user.

An example of directory is:
User: naira
Home directory: /var/www/naira.com.br

-- File sshd_config
Match Group customers
    ChrootDirectory %h
    ForceCommand internal-sftp -l VERBOSE -f AUTH

-- File syslog-ng.conf
source src {
    unix-stream("/dev/log");
    internal();
    unix-stream("/var/www/naira.com.br/dev/log");
};

# ls -lah /var/www/naira.com.br/
drwxrwxr-x 13 root root 3.8K Mar  1 14:58 dev

Restart syslog-ng.

Thanks.

Naira Kaieski
Nucleo de Internet/Redes - Faccat
Linux Professional Institute - LPI000223834

On 2/3/2011 14:05, Ivan Kharlamov wrote:
> 2011/3/1 Naira Kaieski na...@faccat.br:
> > Good afternoon,
> >
> > Staff, I set up openssh to direct users that are members of a certain group to a chroot environment, and these users will have access to the server only using the sftp protocol. I put in the sshd_config file:
> >
> > Match Group customers
> >     ChrootDirectory %h
> >     ForceCommand internal-sftp -l VERBOSE -f AUTH
> >
> > Thus each user is directed to the chroot environment indicated in the variable %h (home directory defined in /etc/passwd).
> >
> > An example of directory is:
> > User: naira
> > Home directory: /var/www/naira.com.br
> >
> > The problem is that I am not able to capture logs of the user group clients that are directed to the chroot environment. For access via internal-sftp from other users who do not belong to the client group I get the logs in the auth.log files. I'm using syslog-ng.
> >
> > Has anyone ever made this kind of setup?
> >
> > Thanks,
> > --
> > Naira Kaieski
> > Nucleo de Internet/Redes - Faccat
> > Linux Professional Institute - LPI000223834
>
> Hi!
>
> Actually, I am incompetent at this area, but have you tried this?
> http://groups.google.com/group/comp.security.ssh/browse_thread/thread/ce30a1d9889dc2e2
>
> Best regards,
> Ivan
Re: [gentoo-user] emerge --update behavior
On Monday 02 Jan 2012 10:06:39 Alan McKinnon wrote:
> On Sun, 01 Jan 2012 19:24:35 -0500 Michael Orlitzky mich...@orlitzky.com wrote:
> > On 01/01/2012 07:09 PM, Neil Bothwick wrote:
> > > On Sun, 01 Jan 2012 18:07:45 -0500, Michael Orlitzky wrote:
> > > > Usually it's because a world update wants to do both trivial version bumps and replace major software at the same time. I can't take a server down for an hour in the middle of the day to update Apache, but I can bump timezone-data, sure.
> > >
> > > Why would you need to take it down? All you need to do is restart Apache after the update.
> >
> > I have to test, like, 200 websites to make sure they still work. Something /always/ breaks. Apache was just an example. PHP is the same way: functions get removed, renamed, or just subtly changed. I can't replace Dovecot with users logged in. I can't upgrade/restart postgresql while clients are hitting it. If I'm working remotely, I don't want to update openvpn, iptables, or even openssh. There's a long list of packages that I just ain't gonna mess with during the day.
>
> You have a production machine delivering valuable services to multiple users. Therefore you must only update *anything* on it during planned maintenance slots. If paying customers are involved then preferably with a second redundant parallel machine to take over the load during that slot.
>
> You don't have much of an option about this in the real world; think of it as a constraint that you must simply deal with. Or think about it another way: if the machine was running RHEL, you wouldn't just blindly run yum update in the middle of the working day and expect it to all be just fine.

+1

Even on binary distros I would be apprehensive to update/upgrade a production machine, unless I have run the updates on the test box first. Even so, because I do not have the luxury of identical hardware, sometimes the odd thing may break, but it is a very rare occurrence.

With everything running on VMs these days (although not yet my case) this is becoming less of a problem I would think.

--
Regards,
Mick
RE: [gentoo-user] openpty() failing with UNIX98 ptys
From: Alan McKinnon [mailto:alan.mckin...@gmail.com]
Sent: Sunday, January 27, 2013 1:49 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] openpty() failing with UNIX98 ptys

> On Sat, 26 Jan 2013 23:46:22 -0500 Mike Edenfield kut...@kutulu.org wrote:
>
> > I have the latest udev installed, and udev-mount is running on boot. Both /dev and /dev/pts are mounted, and /dev/ptmx exists and is world-readable:
> >
> > basement package.use # mount | grep /dev
> > /dev/root on / type ext3 (rw,seclabel,noatime,errors=continue,barrier=1,data=writeback)
> > devpts on /dev/pts type devpts (rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
> > shm on /dev/shm type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime)
> > udev on /dev type devtmpfs (rw,seclabel,nosuid,relatime,size=10240k,nr_inodes=248584,mode=755)
> >
> > basement package.use # ls -alF /dev/ptmx /dev/pts
> > crw-rw-rw-. 1 root tty 5, 2 Jan 26 13:18 /dev/ptmx
> >
> > /dev/pts:
> > total 0
> > drwxr-xr-x.  2 root root    40 Jan 26 13:18 ./
> > drwxr-xr-x. 10 root root 13300 Jan 26 13:18 ../
> >
> > When I trace sshd's attempt to open a new pty, I see it doing this:
> >
> > * open /dev/ptmx
> > * stat /dev/pts
> > * stat /dev
> > * try (and fail) to open /dev/ptyp0
> >
> > Since I know that last bit is openssh trying to open an old-style BSD pty, I can only assume that something is going wrong trying to allocate the pty the correct way. For the time being I've added BSD pty support into my kernel and everything seems to be working now, but I'm at a loss as to what I did to break things in the first place.
>
> I had something similar (details are different though):
>
> In my case it's kernel 3.7 - no version of gentoo-sources-3.7-* worked and 3.6.11 works fine.
>
> What kernel are you on? Have you tested this on 3.6?

I first noticed the problem on 3.4.2, upgraded to 3.6.4 and the problem persisted. I have not upgraded to 3.7 to see if it's still a problem.

--Mike
Re: [gentoo-user] technical review of systemd
On Sat, Feb 22, 2014 at 6:16 PM, thegee...@thegeezer.net wrote:

OK so because of how much time has been spent arguing about systemd with little technical content, i've spent some time on the freedesktop site reading Lennart's blog and also going through the source to find answers to my questions about the socket activator. i've also been going through the man pages of netctl too and am horrified at the lack of what i would call enterprise features.

networkd (netctl is just the command-line front-end) is not intended for enterprise; it's for little servers where you only need static IPs or simple bridges. For desktops/laptops, you are supposed to keep using NetworkManager/connman/whatever you used before. For complex network setups, you need *a* network manager (not necessarily NetworkManager).

this is by no means a definitive list. I just thought that i would share what i had found. please correct me if i am wrong in any of these. please add to the list for technical items only.

I find it a very impartial and objective review; thank you very much!

thanks!

pros

1. very modular, everything can be disabled though not removed
2. socket based activator allows restart of services with no service interruption
3. if activator.c is used for this, then the code is actually pretty clean; using supplied sd-daemon.c simplifies sockets for daemons and also adds extra watchdog features
4. can disable socket based activation according to Canek, but i can't find how.

You use a .service unit file instead of a .socket unit file. That's it. For OpenSSH, for example, you can enable sshd.service[1], and then the SSH daemon works as it does in OpenRC. If you instead enable sshd.socket[2], then the daemon will start on demand. You don't have to *disable* anything; you choose how you want to use your services (if the services provide both ways, like OpenSSH does).

5. fschecking mounts and logging output (though how for corrupt / notsure)

Corrupt filesystems or logs?

6. auto-gettys allows for lower numbered X windows by default for e.g. multiseat and dynamic serial ttys
7. clever logging, including from nspawned containers' logs and distributed for enterprise
8. nspawning using filename namespaces
9. systemctl kill service -- killing service and all forks and spawn; cgtop -- top with cgroups
10. much easier to define resource limitations per service

cons

1. new tools to learn, new gotchas to learn.
2. yet to go through systemd source to find out how modular or not it is.

While it tries to be modular where it can, systemd prefers simple code and integrated solutions. Modularity is not going to be one of its strong points.

3. not clear how the socket activator works, the code activator.c appears to be to _test_ activation only, with activator code being elsewhere. if it is used then you would have one process running for each port it is virtually listened to.

It's been a while since I've read the source code, but isn't it in src/activate/activate.c[3]?

4. /etc/machine-id because hostname and node id in the cluster of your choice are not enough.

The idea is that machine-id is as unique as reasonable to ask. I'm not overly happy with it, too, but that's the justification. Imagine thousands of virtual machines running services, and you want to coalesce all their journal logs in a central server. With machine-id, you don't need to worry even to change the default localhost for your throwaway VMs, you can detect the different logs immediately (machine-id should be generated at OS install time; for rolling distros, I think they generate it if when installing systemd is not available.)

5. /fsck.options gives more options than autoforceskip on reboot
6. requiring logging tools in rescue cds in order to view logs

Yeah, that's a drag. However, you *can* run rsyslog (or syslog-ng) alongside the journal, and have the best of both worlds. Or you can automatically send the journal logs to a central server designed for that purpose only.

7. chroots no longer work. forcing use of nspawn to ensure environment set up correctly.

I'm sorry, chroot doesn't work? First time I heard about it. While systemd-nspawn is a gazillion times better than a simple chroot, you *can* still use a chroot if you so desire. Where did you find that chroot doesn't work?

8. strange gotchas: that because of socket/dbus etc activation you have to disable a service first, then stop it in case it is then restarted in the background

You only need to stop the socket too. You can do it at the same time:

systemctl stop avahi-daemon.service avahi-daemon.socket

9. the new deal breaker for me is the networking. for anything remotely complex (i.e. two IP addresses on an interface woo), need to use netctl.
a. which doesn't support vlan naming types i.e. padding zeroes
b. doesn't appear to support gre keys
c. doesn't appear to support multiple routing tables
d. doesn't appear to support ip rule
e. doesn't have lacp
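An added example, not from this thread and not the systemd or OpenSSH projects' own files: the two unit arrangements the reply contrasts (an always-on sshd.service versus sshd.socket plus a per-connection sshd@.service), written out by a script so they can be compared side by side, and the rule from point 8 (stop the .socket together with the .service) as a function. The unit bodies follow the generic upstream pattern for a socket-activated sshd (ListenStream=22, Accept=yes, sshd -i reading the connection on stdin) and are assumptions; Gentoo's shipped units may differ in names and paths.

```sh
#!/bin/sh
# Added example, not from the thread: always-on vs socket-activated OpenSSH units,
# and the set of units to stop so that activation cannot bring a service back.
# Unit bodies are a generic pattern (assumed), not Gentoo's shipped files.

# write_sshd_units DIR: write sshd.service (always on) and the on-demand pair
# sshd.socket + sshd@.service into DIR. Enable exactly one of the two arrangements.
write_sshd_units() {
    dir=$1
    mkdir -p "$dir"

    # Arrangement 1: a long-running daemon, the same shape as the OpenRC service.
    cat > "$dir/sshd.service" <<'EOF'
[Unit]
Description=OpenSSH server daemon
After=network.target

[Service]
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

    # Arrangement 2: systemd owns port 22 and spawns one sshd per connection.
    # Conflicts= keeps the two arrangements from fighting over the port.
    cat > "$dir/sshd.socket" <<'EOF'
[Unit]
Description=OpenSSH server socket
Conflicts=sshd.service

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target
EOF

    # Accept=yes requires a template unit; each connection becomes one instance.
    cat > "$dir/sshd@.service" <<'EOF'
[Unit]
Description=OpenSSH per-connection daemon

[Service]
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket
EOF
}

# units_to_stop NAME DIR: what to pass to "systemctl stop" for NAME so that a
# .socket peer present in DIR cannot re-activate it (the gotcha in point 8).
units_to_stop() {
    name=$1; dir=$2
    out="$name.service"
    if [ -f "$dir/$name.socket" ]; then
        out="$out $name.socket"
    fi
    printf '%s\n' "$out"
}

# Demo: write the units into a scratch directory and print the stop command.
case "${1-}" in
    --demo)
        d=$(mktemp -d)
        write_sshd_units "$d"
        ls "$d"
        echo "systemctl stop $(units_to_stop sshd "$d")"
        ;;
esac
```

Stopping the socket does not kill sshd@ instances already serving a session; it only stops new connections from being accepted, which is the behaviour the review's point 8 is about.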
Re: [gentoo-user] How does ssh know to use pinentry?
On Sat, Jul 5, 2014 at 9:41 PM, Chris Stankevitz chrisstankev...@gmail.com wrote:

ssh is asking me for my passphrase using a terrible program called pinentry. It's terrible for a bunch of reasons, and if you are interested you can just google pinentry sucks.

Probably more a case of X11 sucks. Historically password entry into X11 windows has always been problematic, because in general any client connected to an X server can eavesdrop on data entered into any other window on the server. That is especially problematic when you remember that X was supposed to work on a network. It isn't as bad on your typical desktop setup, but applications like pinentry are often designed with the network scenario in mind. Imagine that you're on an X terminal at work. You have clients connected to your terminal from 47 different servers that you administer. Maybe you have firefox open from a workstation you administer at customer A who is having firewall issues and you're trying to get a sense of what things look like from inside. Perhaps you have a mail client open on customer B's server. You punch in your password for customer B so that the mail client can retrieve your mail there, and now the trojaned firefox at customer A has your password credentials for customer B. So, you have things like the feature in xterm which captures all keyboard input so that you can enter a password securely, but it probably breaks things like copy/paste and you have to toggle it on/off since while it is on no other window on your server can listen to the keyboard. This wasn't really how X11 ended up being used, but back in the day it was how it was designed to work. Well, except for the part where X11 is crippled when you have more than a few milliseconds in latency, so nobody runs clients on remote servers. But, you still get all the baggage. I'm not familiar with the internals of pinentry, but this is probably why you're frustrated with it.
In any case, I suspect that gpg-agent is actually serving passwords to openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably contains the line pinentry-program /usr/bin/pinentry. If you trust all your X clients you can set the option no-grab in the file which will probably allow copy/paste/etc to work with the entry window. Rich
Re: [gentoo-user] How does ssh know to use pinentry?
On Sat, Jul 5, 2014 at 11:42 PM, Chris Stankevitz chrisstankev...@gmail.com wrote:

On Sat, Jul 5, 2014 at 7:57 PM, Rich Freeman ri...@gentoo.org wrote: In any case, I suspect that gpg-agent is actually serving passwords to openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably contains the line pinentry-program /usr/bin/pinentry. If you trust all your X clients you can set the option no-grab in the file which will probably allow copy/paste/etc to work with the entry window.

Rich, Thank you, I will give that a shot. FYI I discovered:

declare -x GPG_AGENT_INFO=/tmp/gpg-2uVMfE/S.gpg-agent:26095:1

When I unset this env variable, ssh stopped trying to use pinentry to acquire my passphrase. However, I still do not understand how that variable got set or how/why ssh behaves differently when it is set.

You might want to read up on ssh-agent/gpg-agent in general to understand what it's for. The short version is that these programs are designed to cache the password for your ssh/gpg private keys so that if you repeatedly use gpg or ssh you don't have to type it every time. If an agent isn't running ssh/gpg will just prompt for a key each time, and forget it when the program terminates. If the agent is running then this environment variable is used to communicate that to ssh/gpg and then the program asks the agent for the key, and it prompts you to enter it if it isn't cached. They are designed to be secure (run in locked memory, etc). Typically they are launched from a bash profile, or an X11 startup script. KDE/Gnome look like they have it in their default scripts. Just grep -r gpg-agent /etc and you'll find where it is being loaded if you didn't add them to your own startup scripts in /home. Using gpg-agent is considered a best practice in general, so I wouldn't go getting rid of it unless it is really causing you problems. You haven't mentioned what issue you're actually having with it/pinentry/etc. Rich
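An added example, not from this thread: how to tell from the environment which agent ssh will talk to, and what the gpg-agent.conf lines Rich mentions are set to. It rests on the tools' own conventions: ssh consults SSH_AUTH_SOCK only (GPG_AGENT_INFO is read by gpg clients), gpg-agent started with --enable-ssh-support exposes a socket named S.gpg-agent.ssh, and ssh-agent's socket is named agent.<pid> under /tmp/ssh-*. The sample paths and config file used in the checks are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: which agent will answer ssh, and what
# gpg-agent.conf says about pinentry. Socket names follow the tools' own
# conventions; the sample values are constructed.

# which_agent SOCKET_PATH: classify the value of SSH_AUTH_SOCK.
which_agent() {
    case "$1" in
        "")                echo "none" ;;       # ssh prompts for the key passphrase itself
        */S.gpg-agent.ssh) echo "gpg-agent" ;;  # gpg-agent --enable-ssh-support; pinentry asks
        */agent.[0-9]*)    echo "ssh-agent" ;;  # /tmp/ssh-XXXX/agent.<pid>; ssh-add asks on the tty
        *)                 echo "other" ;;
    esac
}

# agent_conf_setting CONF KEY: value of KEY in a gpg-agent.conf; a bare flag such as
# no-grab prints "yes"; nothing is printed when KEY is absent. Later lines win.
agent_conf_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == key { val = (NF > 1) ? $2 : "yes"; found = 1 }
        END { if (found) print val }' "$1"
}

# agent_report CONF: summarise the live environment against CONF.
agent_report() {
    conf=$1
    echo "SSH_AUTH_SOCK -> $(which_agent "${SSH_AUTH_SOCK-}")"
    [ -n "${GPG_AGENT_INFO-}" ] && echo "GPG_AGENT_INFO is set (read by gpg clients, not by ssh)"
    if [ -r "$conf" ]; then
        pe=$(agent_conf_setting "$conf" pinentry-program)
        echo "pinentry-program: ${pe:-default (build-time pinentry path)}"
        [ "$(agent_conf_setting "$conf" no-grab)" = yes ] &&
            echo "no-grab set: pinentry will not grab the keyboard, so other X clients can see the keystrokes"
    else
        echo "$conf not readable"
    fi
    return 0
}

# Run against your own setup with:  sh agent-check.sh --run
case "${1-}" in --run) agent_report "$HOME/.gnupg/gpg-agent.conf" ;; esac
```

The no-grab line is printed as a warning on purpose: it is exactly the trade-off the earlier reply describes, convenience of copy/paste against any X client being able to read the passphrase as it is typed.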
Re: [gentoo-user] Re: [Extremely OT] Ansible/Puppet replacement
On 01/27/2015 10:34 AM, James wrote:

Alec Ten Harmsel alec at alectenharmsel.com writes: I'm sorry to spam gentoo-user, but I'm not sure who else would be interested in something like this. Also, feel free to email me with bugs in the code or documentation, or open something in GitHub's issue tracker.

One man's spam generates maps for another. So my map of todo on ansible is all about common gentoo installs. [1] Let's take the first and most easy example the clone. I have a gentoo workstation install that I want to replicate onto identical hardware (sort of like a disk to disk dd install). So how would I impress the bossman by actually saving admin time on how to use the bossman to create (install from scratch + pxe?) a clone.

Assuming that disks are formatted, a stage3 has been freshly extracted, bossman is installed, and the role/config files are on a mounted filesystem, it should be similar to the role below:

file /etc/portage/make.conf root:root 644
! emerge-webrsync
! emerge --sync
file /etc/locale.gen root:root 600
! locale-gen
pkg sys-kernel/gentoo-sources
file /usr/src/linux/.config root:root 644
! make -C /usr/src/linux all modules_install install
pkg sys-boot/grub
! grub-install /dev/sda # I can't remember all the options needed here
file /etc/default/grub
! grub-mkconfig -o /boot/grub/grub.cfg
# Generating /etc/fstab using something similar to Arch's `genfstab` would be much better
file /etc/fstab root:root 644
# Root password
file /etc/shadow root:root 640
# Logger
pkg app-admin/syslog-ng
# Network
pkg net-misc/dhcpcd
enable dhcpcd
# For remote access
pkg net-misc/openssh
file /etc/ssh/sshd_config root:root 600
file /etc/ssh/known_hosts root:root 600
# Other sshd files...
enable sshd

There are a ton of assumptions that make this work; if installing manually, the installer is responsible, and if installing from PXE, this stuff would have to be baked into the ISO.

Gotta recipe for that using bossman? Or is that an invalid direction for bossman?
curiously, James [1] http://blog.jameskyle.org/2014/08/automated-stage3-gentoo-install-using-ansible/

Automating the bootstrapping of a node is reasonably complicated, even harder on Gentoo than on RHEL. This is the type of thinking I want to do, and I'm working on doing this with my CentOS box that runs ssh, Jenkins, postgres, and Redmine. Alec
[gentoo-user] Re: workstation iptables
Mick gmail.com> writes:

> > http://gentoo-en.vfose.ru/wiki/IptablesIptables_and_stateful_firewalls#State_basics

> Start iptables, run the script, stop iptables with '/etc/init.d/iptables stop' which will save your rules to /var/lib/iptables/rules-save,

after starting iptables, I ran /etc/firewall.sh (the previously published script) and then stopped it with the syntax above::

cat /var/lib/iptables/rules-save
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
*mangle
:PREROUTING ACCEPT [16022765:14170972269]
:INPUT ACCEPT [16022479:14170935323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19311825:1508198446]
:POSTROUTING ACCEPT [19311825:1508198446]
COMMIT
# Completed on Wed Oct 7 09:13:59 2015
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
*filter
:INPUT DROP [471:17192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [722751:44404539]
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 7 09:13:59 2015

was the output.

> or run 'iptables-save /var/lib/iptables/rules-save'. Add any sysctl changes to /etc/sysctl.conf, so that they are permanent. Re-run the script if you want to change things in it.

sysctl is not set up. I did find this page on that::
https://wiki.gentoo.org/wiki/Procfs
Any suggestions on setting up sysctl for iptables and other future usage?

> > Any improvements in this basic workstation firewall everything out, nothing in?

> Yes, but such improvements are suggested in subsequent scripts on the same page, e.g. ICMP handling, selective logging, etc. If all you want is "a basic firewall using iptables" for the IPv4 workspace, then what you have will do the job.

I'll test out these mods and give the scripts an added sequential character in the name so there can be different ones for easy deployment. The idea is to keep it as simple as possible, test out scripts and ideas and put something easy to set up on the gentoo wiki, for all to enjoy.
> > Any good tools to quickly test this firewall from another local workstation?

> nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX

Worked flawlessly. Very precise syntax (thanks). Here are the highlights::

Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)

Not bad for a quick workstation firewall(s). After I get sysctl setup, I'll test a few other versions and post again. Then wikify these for community consumption. Thanks James
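An added example, not part of this thread: the "everything out, nothing in" rule set written as iptables-restore input (so it loads atomically with `iptables-restore < file`, or can be dropped into /var/lib/iptables/rules-save for the OpenRC service), the sysctl lines that belong next to it, and a checker that reads iptables-save output such as the dump above. Differences from the saved rules shown above are deliberate and labelled: the conntrack match replaces the older state match (same semantics), FORWARD is dropped on a workstation, and a loopback accept is added because with INPUT DROP and no lo rule a new connection to 127.0.0.1 is dropped. The SSH port is an optional argument, and an OpenRC sysctl service that loads /etc/sysctl.d/*.conf is assumed.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal workstation firewall as
# iptables-restore input, matching sysctl settings, and a check for saved rules.
# Load with:  gen_rules 22 | iptables-restore     (or write it to rules-save)

# gen_rules [SSH_PORT]: INPUT/FORWARD drop, OUTPUT open, replies and loopback allowed.
# With no argument nothing unsolicited gets in; with a port, SSH is allowed in.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
EOF
    if [ -n "${1-}" ]; then
        echo "-A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
COMMIT
EOF
}

# gen_sysctl: kernel network hardening for /etc/sysctl.d/50-firewall.conf
# (an OpenRC sysctl service that loads that directory at boot is assumed).
gen_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
EOF
}

# check_saved SAVE_FILE: read an iptables-save dump (with or without counters) and
# require, in the filter table, INPUT policy DROP and a RELATED,ESTABLISHED accept.
# A missing loopback accept is reported as a warning but does not fail the check.
check_saved() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        table != "filter" { next }
        /^:INPUT DROP/ { policy = 1 }
        /-A INPUT -i lo -j ACCEPT/ { lo = 1 }
        /-A INPUT .*(RELATED,ESTABLISHED|ESTABLISHED,RELATED).* -j ACCEPT/ { est = 1 }
        END {
            if (!policy) print "FAIL: INPUT policy is not DROP"
            if (!lo)     print "warn: no loopback accept; new connections to 127.0.0.1 hit the DROP policy"
            if (!est)    print "FAIL: no RELATED,ESTABLISHED accept rule"
            if (policy && est) print "ok: inbound default-deny with stateful replies"
            exit !(policy && est)
        }' "$1"
}

case "${1-}" in
    --rules)  gen_rules "${2-}" ;;
    --sysctl) gen_sysctl ;;
    --check)  check_saved "${2:-/var/lib/iptables/rules-save}" ;;
esac
```

Run `sh fw.sh --check` after `/etc/init.d/iptables stop` to confirm what was actually saved, and re-run the nmap command above from another host afterwards: the only change you should see with a port argument is that port moving from filtered to open.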
[gentoo-user] php (error?)
Hello,

So lately I've been using elogv for a convenient way to ensure no issues with the most recent packages installed or upgraded. It's a neat little tool. Today I found this:

dev-lang/php-5.6.10 - 07/10/2015 {in purple}

snipped::
This package has a configure.in file which has long been deprecated. Please update it to use configure.ac instead as newer versions of autotools will die when it finds this file. See https://bugs.gentoo.org/426262 for details.

OK, so I looked at the bug. From what I read: If we start now, to rename configure.in to configure.ac before eautoreconf we will avoid lots of breakages due to the deprecation of .in in automake-1.13.

Makes sense; but I cannot find the file. I get lots of hits for a configure.in in my code trees, but little on the rest of the system; here are the few:
/usr/portage/dev-lang/lua/files/configure.in
/usr/share/cppunit/examples/money/configure.in
(and quite a few on firefox.)

# equery depends =sys-devel/autoconf-2.13
 * These packages depend on sys-devel/autoconf-2.13:
app-admin/tripwire-2.4.2.2-r3 (sys-devel/autoconf)
app-editors/vim-7.4.273 (sys-devel/autoconf)
app-editors/vim-core-7.4.273 (sys-devel/autoconf)
mail-client/thunderbird-31.7.0 (=sys-devel/autoconf-2.1*)
net-libs/libnet-1.1.6 (sys-devel/autoconf)
net-misc/openssh-6.7_p1 (sys-devel/autoconf)
sys-apps/attr-2.4.47-r1 (sys-devel/autoconf)
www-client/firefox-31.7.0 (=sys-devel/autoconf-2.1*)
www-client/seamonkey-2.33.1-r1 (=sys-devel/autoconf-2.1*)

Huh? really? I have versions 2.13 and 2.69 of sys-devel/autoconf installed. So, I'm kinda head scratching to decide what, if anything, to fix? There is much that I did not post, but they are all dead ends like:

For more details on how minor version slotting works (PHP_TARGETS) please read the upgrade guide: http://www.gentoo.org/proj/en/php/php-upgrading.xml

from the elogview of the latest php install. That link is dead. Any suggestions? Is elogv borked in this case?
/var/tmp/portage/php-5.6.10/work/php-5.1.6/config.log does not even exist

# eselect php list cli
[1] php5.6 *

Bottom line is I have not used php directly in some time, so it is quite easy that I missed some info from the devs on php changes. I did not see anything in the news system nor pgo. James
[gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
I have exactly the same problem mentioned in this thread. I think something changed and broke the authentication during an update. I found this message by Googling and just joined the mail list to ask for help. I have done everything mentioned in the thread, and here's where I'm at: (it worked fine before some regular update broke it) Thanks!

[root@tiger ssh]# nxsetup --test
> Testing your nxserver configuration ...
Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
Warning: Invalid value "COMMAND_START_CDE=cdwm" Users will not be able to request a CDE session.
Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2. Users will not be able to enable printing. Ignore if you use cups > 1.2
Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
Warnings occured during config check. To enable these features please correct the configuration file.
< done
> Testing your nxserver connection ...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Fatal error: Could not connect to NX Server.

Please check your ssh setup: The following are _examples_ of what you might need to check.
- Make sure "nx" is one of the AllowUsers in sshd_config. (or that the line is outcommented/not there)
- Make sure "nx" is one of the AllowGroups in sshd_config. (or that the line is outcommented/not there)
- Make sure your sshd allows public key authentication.
- Make sure your sshd is really running on port 22.
- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys. (this should be a filename not a pathname+filename)
- Make sure you allow ssh on localhost, this could come from some restriction of:
  -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
  -the iptables. add to it:
    $ iptables -A INPUT -i lo -j ACCEPT
    $ iptables -A OUTPUT -o lo -j ACCEPT
[root@tiger ssh]#
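An added example, not part of this thread: the sshd_config items from the nxsetup checklist above, walked for one login user against a copy of the config, offline. The semantics are taken from sshd_config(5) and are the assumptions of this script: the first occurrence of a keyword wins, keywords are case-insensitive, AllowUsers and AllowGroups are allow-lists that are open when absent, and their entries are shell-style patterns. Match blocks (everything from the first "Match" line to end of file) are deliberately skipped, user@host entries in AllowUsers are not handled, and the sample config in the checks is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: an offline walk through the sshd_config
# items in the nxsetup checklist for a single login user.
# Assumed semantics (sshd_config(5)): first keyword occurrence wins, keywords are
# case-insensitive, AllowUsers/AllowGroups are allow-lists that are open when
# absent. Match blocks are skipped; user@host entries are not handled.

# sshd_get CONF KEY: value of the first KEY line outside Match blocks; empty if unset.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# in_list NEEDLE "PATTERN ...": NEEDLE matches one of the space-separated patterns.
# Globbing is switched off while splitting so a pattern like nx* is not expanded
# against the current directory.
in_list() {
    needle=$1; list=$2
    set -f; set -- $list; set +f
    for pat in "$@"; do
        case "$needle" in $pat) return 0 ;; esac
    done
    return 1
}

# sshd_user_allowed CONF USER GROUP...: 0 if USER, a member of GROUP..., passes
# AllowUsers and AllowGroups; otherwise print why and return 1.
sshd_user_allowed() {
    conf=$1; user=$2; shift 2
    users=$(sshd_get "$conf" AllowUsers)
    if [ -n "$users" ] && ! in_list "$user" "$users"; then
        echo "denied: AllowUsers is set and does not match $user"
        return 1
    fi
    groups=$(sshd_get "$conf" AllowGroups)
    if [ -n "$groups" ]; then
        hit=1
        for g in "$@"; do
            in_list "$g" "$groups" && hit=0
        done
        if [ $hit -ne 0 ]; then
            echo "denied: AllowGroups is set and none of [$*] matches"
            return 1
        fi
    fi
    return 0
}

# sshd_report CONF USER GROUP...: the checklist, one line each; return 1 on a failure.
sshd_report() {
    conf=$1; user=$2; shift 2
    rc=0
    if sshd_user_allowed "$conf" "$user" "$@"; then
        echo "ok:   $user passes AllowUsers/AllowGroups"
    else
        rc=1
    fi
    pk=$(sshd_get "$conf" PubkeyAuthentication)
    case "$(printf '%s' "${pk:-yes}" | tr 'A-Z' 'a-z')" in
        yes) echo "ok:   PubkeyAuthentication yes" ;;
        *)   echo "FAIL: PubkeyAuthentication $pk"; rc=1 ;;
    esac
    port=$(sshd_get "$conf" Port)
    echo "info: Port ${port:-22 (default)}"
    akf=$(sshd_get "$conf" AuthorizedKeysFile)
    echo "info: AuthorizedKeysFile ${akf:-.ssh/authorized_keys .ssh/authorized_keys2 (default)}"
    return $rc
}

# Example:  sh sshd-check.sh --run /etc/ssh/sshd_config nx nx
case "${1-}" in --run) shift; sshd_report "$@" ;; esac
```

For the live answer rather than a static read, `sshd -T -C user=nx,host=localhost,addr=127.0.0.1` prints the effective configuration for that connection, Match blocks included, and `ssh -v nx@localhost` shows which authentication methods were actually offered and tried.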
Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
I would need a magnifying glass to read this. Please don't use HTML on this list. On Wednesday 25 November 2015 18:50:14 Bill Damage wrote: > I have exactly the same problem mentioned in this thread. I think > something changed and broke the authentication during an update. i found > this message by Googling and just joined the mail list to ask for help. I > have done everything mentioned in the thread, and here's where I'm at: > (it worked fine before some regular update broke it) Thanks! > [root@tiger ssh]# nxsetup --test > > Testing your nxserver configuration ...Warning: Invalid value > "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libX > ext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/l > ib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. > Users will not be able to run a single application in non-rootless > mode.Warning: Invalid value "COMMAND_START_CDE=cdwm" Users will > not be able to request a CDE session.Warning: Invalid value > "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.Warning: > Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use > SAMBA.Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version > 1.2. Users will not be able to enable printing. Ignore if you use > cups > 1.2Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version > string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed > for this version of FreeNX. Warnings occured during config check. To > enable these features please correct the configuration file. < done > > Testing your nxserver connection ...Permission denied > (publickey,gssapi-keyex,gssapi-with-mic,password).Fatal error: Could not > connect to NX Server. Please check your ssh setup: > The following are _examples_ of what you might need to check. 
> - Make sure "nx" is one of the AllowUsers in sshd_config.(or > that the line is outcommented/not there)- Make sure "nx" is one > of the AllowGroups in sshd_config.(or that the line is > outcommented/not there)- Make sure your sshd allows public key > authentication.- Make sure your sshd is really running on port > 22.- Make sure your sshd_config AuthorizedKeysFile in sshd_config > is set to authorized_keys.(this should be a filename not a > pathname+filename) - Make sure you allow ssh on localhost, this could > come from somerestriction of: -the tcp wrapper. Then add in > /etc/hosts.allow: ALL:localhost -the iptables. add to it: $ > iptables -A INPUT -i lo -j ACCEPT $ iptables -A OUTPUT -o lo -j > ACCEPT[root@tiger ssh]# -- Rgds Peter
Re: [gentoo-user] Removing unnecessary software.
On Mon, Jul 31, 2017 at 11:29 AM, Ста Деюс <sthu.d...@openmailbox.org> wrote:
> The problem i see is that admin. is not free to change the packages set, that is dictated by a profile. -- Like i have pointed out, once i tried to remove SSH (for the example, so that here can be another package, and it was the first (base?) profile), on next system update, it returned and got compiled installed.

You can add them to package.provided to keep them from coming back. This problem with the @system set has been discussed a few times. Right now it is a combination of:
1. A minimal set of bootstrap packages needed to build the rest of the distro.
2. Some useful tools that are hard to live without.
Openssh falls into #2, as does an editor (typically nano by default). The reality is that you can run a system without either, and you can install either from the rest of @system if it isn't already there. A lot of it has to do with how our stage3s are created. I think it would make sense to shrink @system but also have some meta-package or set which comes pre-installed, but which can be more easily removed without all the screaming you get from removing packages that are in @system. Shrinking @system would also reduce the number of packages that cannot be built in parallel using portage. I don't think there would be much opposition to it. However, it would take a fair bit of work.

> Another question is how do i change dependencies of one package that i suppose will live happily w/o whole the set of the packages it supposes it needs. -- Like, i want to play only media files, but not to convert them, so, the ffmpeg package, for example, that i do not need at all, gets compiled and installed -- i would trim from dependencies lists of the other packages.

For something like ffmpeg you'll really need to know what you're doing, as it is a bit of a beast.
If it supplies an enable/disable configure switch then I'd add a USE flag to it and tie it to both the dependency and then use use_enable to toggle the setting. Depending on what you're doing there is a good chance Gentoo would accept the patch to add it to the package. For a personal ebuild you could just hard-code it as well - just remove the dep from the (*)DEPENDS string and add any necessary flags to not require it. ffmpeg already has the "encode" USE flag, however, which might just do what you want already. It has a laundry list of USE flags so you might want to check those before re-inventing the wheel. -- Rich
Re: [gentoo-user] conflict with same package, same USE
Sorry for the lack of courtesy !! I hope that someone can help me. Thank you very very much for your help !! Hogren On 02/06/2017 10:55, Hogren wrote: > Hello list, > > > It's me again about conflicts. > > > I don't understand this conflict, the two needed openssl are the same. > Actually, I don't see the difference. > > > gnugnu # emerge --verbose-conflict @preserved-rebuild > Calculating dependencies... done! > [ebuild R] dev-libs/openssl-1.0.2k USE="bindist*" > [ebuild R] sys-devel/binutils-2.25.1-r1 > [ebuild U ] sys-libs/talloc-2.1.9 [2.1.5] > [ebuild U ] sys-libs/tdb-1.3.13 [1.3.8] > [ebuild U ] sys-libs/tevent-0.9.31-r1 [0.9.28] > [ebuild N ] dev-python/subunit-1.2.0-r1 USE="-static-libs {-test}" > ABI_X86="(64) -32 (-x32)" PYTHON_TARGETS="python2_7 python3_4 (-pypy) > (-pypy3) (-python3_5) (-python3_6)" > [ebuild N ] dev-qt/qtnetwork-5.6.2 USE="bindist ssl -connman > -debug -libproxy -networkmanager {-test}" > [ebuild U ] sys-libs/ldb-1.1.29-r1 [1.1.26] USE="ldap%* python%*" > [ebuild R] dev-qt/qtxmlpatterns-5.6.2 > [ebuild R] dev-qt/qtwebkit-5.6.2 > [ebuild R ~] net-misc/teamviewer-9.0.32150 > [ebuild U ] net-fs/samba-4.5.10 [4.2.14] USE="-gpg% > (-system-heimdal) -zeroconf%" > [ebuild R] media-gfx/blender-2.72b-r4 > [ebuild R ~] media-gfx/wkhtmltopdf-0.12.4 > [ebuild U ~] www-client/firefox-53.0.3 [52.0.1-r1] > [ebuild U ] app-office/libreoffice-5.2.7.2 [5.2.3.3-r1] > PYTHON_SINGLE_TARGET="python3_4* -python2_7*" > [ebuild R] net-ftp/filezilla-3.12.0.2 > [ebuild R] media-gfx/gimp-2.8.14-r2 > [ebuild N ] x11-plugins/enigmail-1.9.6.1-r1 > [ebuild U ] mail-client/thunderbird-45.8.0 [45.7.0] > [blocks b ] x11-plugins/enigmail ("x11-plugins/enigmail" is > blocking mail-client/thunderbird-45.7.0) > > !!! Multiple package instances within a single package slot have been pulled > !!! 
into the dependency graph, resulting in a slot conflict: > > dev-libs/openssl:0 > > (dev-libs/openssl-1.0.2k:0/0::gentoo, ebuild scheduled for merge) > pulled in by > dev-libs/openssl:0[bindist=] required by > (dev-qt/qtnetwork-5.6.2:5/5.6::gentoo, ebuild scheduled for merge) > > > > > > (dev-libs/openssl-1.0.2k:0/0::gentoo, installed) pulled in by > >=dev-libs/openssl-0.9.8f:0[bindist=] required by > (net-misc/openssh-7.3_p1-r7:0/0::gentoo, installed) > > > > > > > Hogren > > >
[gentoo-user] conflict with same package, same USE
Hello list,

It's me again about conflicts.

I don't understand this conflict, the two needed openssl are the same. Actually, I don't see the difference.

gnugnu # emerge --verbose-conflict @preserved-rebuild
Calculating dependencies... done!
[ebuild   R    ] dev-libs/openssl-1.0.2k USE="bindist*"
[ebuild   R    ] sys-devel/binutils-2.25.1-r1
[ebuild     U  ] sys-libs/talloc-2.1.9 [2.1.5]
[ebuild     U  ] sys-libs/tdb-1.3.13 [1.3.8]
[ebuild     U  ] sys-libs/tevent-0.9.31-r1 [0.9.28]
[ebuild  N     ] dev-python/subunit-1.2.0-r1 USE="-static-libs {-test}" ABI_X86="(64) -32 (-x32)" PYTHON_TARGETS="python2_7 python3_4 (-pypy) (-pypy3) (-python3_5) (-python3_6)"
[ebuild  N     ] dev-qt/qtnetwork-5.6.2 USE="bindist ssl -connman -debug -libproxy -networkmanager {-test}"
[ebuild     U  ] sys-libs/ldb-1.1.29-r1 [1.1.26] USE="ldap%* python%*"
[ebuild   R    ] dev-qt/qtxmlpatterns-5.6.2
[ebuild   R    ] dev-qt/qtwebkit-5.6.2
[ebuild   R   ~] net-misc/teamviewer-9.0.32150
[ebuild     U  ] net-fs/samba-4.5.10 [4.2.14] USE="-gpg% (-system-heimdal) -zeroconf%"
[ebuild   R    ] media-gfx/blender-2.72b-r4
[ebuild   R   ~] media-gfx/wkhtmltopdf-0.12.4
[ebuild     U ~] www-client/firefox-53.0.3 [52.0.1-r1]
[ebuild     U  ] app-office/libreoffice-5.2.7.2 [5.2.3.3-r1] PYTHON_SINGLE_TARGET="python3_4* -python2_7*"
[ebuild   R    ] net-ftp/filezilla-3.12.0.2
[ebuild   R    ] media-gfx/gimp-2.8.14-r2
[ebuild  N     ] x11-plugins/enigmail-1.9.6.1-r1
[ebuild     U  ] mail-client/thunderbird-45.8.0 [45.7.0]
[blocks b      ] x11-plugins/enigmail ("x11-plugins/enigmail" is blocking mail-client/thunderbird-45.7.0)

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

dev-libs/openssl:0

  (dev-libs/openssl-1.0.2k:0/0::gentoo, ebuild scheduled for merge) pulled in by
    dev-libs/openssl:0[bindist=] required by (dev-qt/qtnetwork-5.6.2:5/5.6::gentoo, ebuild scheduled for merge)

  (dev-libs/openssl-1.0.2k:0/0::gentoo, installed) pulled in by
    >=dev-libs/openssl-0.9.8f:0[bindist=] required by (net-misc/openssh-7.3_p1-r7:0/0::gentoo, installed)

Hogren
[gentoo-user] Cannot emerge gnome because openssl's bindist use flag
I cannot emerge gnome in a fresh build ~amd64 system. Basically, if I enable bindist use flag for openssl then emerge will ask me to disable it. However, if I disable bindist flag for openssl then it will ask me to enable it. How can I break this dependency loop?

Thanks, Hung

Below is the output of emerge -pv --update --deep --newuse --backtrack=100 world

* use gnome/systemd profile

The following USE changes are necessary to proceed:
 (see "package.use" in the portage(5) man page for more details)
# required by dev-python/m2crypto-0.27.0::gentoo[-libressl]
# required by net-wireless/crda-3.18-r1::gentoo
# required by net-wireless/wpa_supplicant-2.6-r4::gentoo
# required by net-misc/networkmanager-1.10.2::gentoo[wifi]
# required by gnome-base/gnome-control-center-3.24.3::gentoo[networkmanager]
# required by net-libs/gnome-online-accounts-3.24.4::gentoo[gnome]
# required by gnome-base/gvfs-1.32.1-r1::gentoo[google]
# required by sci-geosciences/geocode-glib-3.24.0::gentoo
# required by dev-libs/libgweather-3.24.1::gentoo
# required by gnome-base/gnome-settings-daemon-3.24.3::gentoo
# required by gnome-base/gnome-session-3.24.2::gentoo
=dev-libs/openssl-1.0.2n -bindist

 * In order to avoid wasting time, backtracking has terminated early
 * due to the above autounmask change(s). The --autounmask-backtrack=y
 * option can be used to force further backtracking, but there is no
 * guarantee that it will produce a solution.

* Use >=dev-libs/openssl-1.0.2n -bindist

The following USE changes are necessary to proceed:
 (see "package.use" in the portage(5) man page for more details)
# required by net-misc/openssh-7.6_p1-r1::gentoo[-libressl,ssl,-static]
# required by gnome-base/gvfs-1.32.1-r1::gentoo
# required by sci-geosciences/geocode-glib-3.24.0::gentoo
# required by dev-libs/libgweather-3.24.1::gentoo
# required by gnome-base/gnome-settings-daemon-3.24.3::gentoo
# required by gnome-base/gnome-control-center-3.24.3::gentoo
# required by net-libs/gnome-online-accounts-3.24.4::gentoo[gnome]
# required by dev-libs/libgdata-0.17.9-r1::gentoo[gnome-online-accounts]
=dev-libs/openssl-1.0.2n bindist
Re: [gentoo-user] old kernels are installed during the upgrade
> On 2 Jan 2018, at 20:20, Kai Krakow <hurikha...@gmail.com> wrote:
>
>> Now `emerge -n =sys-kernel/gentoo-sources-4.14.8-r1` - "This option can be used to update the world file without rebuilding the packages."
>
> I don't think this is how it works. While technically correct, the outcome is different to what you're trying to achieve.
>
>> This pins your kernel version at 4.14.8-r1 and you can update when, in future, you decide it's time to update your kernel, without being nagged about it every time a new version is release or you emerge world.
>
> The equal sign doesn't pin versions, at least not that I remember. Package are pinned by slot in the world file. Coincidence may be that the version you selected happens to be exclusively the only slot, too.

It installs exactly that version, and that exact version is recorded in the world file.

$ grep -e source /var/lib/portage/world
sys-kernel/gentoo-sources:4.9.34
$

> It's adequate to update your software when a security hole was fixed - on the point. Not two or three months later...
>
> It gives a false impression of safety if you recommend such things.

We could spend every day updating our systems - IDK about you, but I have better things to do. If the kernel devs cared to announce when they were patching exploits then we could take each one under consideration individually. But the kernel devs are secretive about kernel exploits, because they know there are literally millions of systems out there on the internet with kernels months and years old. You're right about the attack vectors, which is why I prioritise the apps and servers I run - an attacker has to get past those before it can exploit those. I updated OpenSSH and openssl the day I learned of the HeartBleed attack for example. Meanwhile, I've seen security vulnerabilities go unfixed for literally weeks in the bug tracker, so I don't see the significance of a vulnerability an attacker is unlikely to be able to reach.
The sites I visit do not make me fear my kernel being attacked via the browser. This thread is not for arguing about security, which is an old discussion and which has been done to death. Everyone has their own opinions, and I'm not going to add any more. This thread is about how to fix OP's problem, and that's what I addressed. If you install kernels by specific version, as I suggest, then you're free to update them manually as often as you wish. Stroller.
Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
On 04/06/2018 11:58 AM, Mick wrote:
> I think you mean IKEv2 + IPSec?

I don't remember IKE involved the last time I had to manually set up an IPSec connection between two Windows systems (or Windows and a Netgear router). I think it was /completely/ manual and PSK.

> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
> be encrypted when sent through the IPSec encrypted tunnel.

I remember doing a little bit with IKE 10+ years ago back when it was OpenSWAN / FreeSWAN.

> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.

ACK

> Well said:

*chuckle*

> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security. I would not use it under any
> circumstances, unless security is of no importance.

Agreed.

> As I mentioned before, there is also IKEv2+IPSec, which allows the client
> to roam between networks without dropping the connection.

Intriguing. I've never considered IPSec with a road warrior, much less an established connection with a changing IP address. I would have been much more likely to look at OpenVPN or Wireguard or OpenSSH.

> Finally, there is SSTP encrypting PPP frames within TLS. I don't know why
> one would use this instead of OpenVPN, except that it comes as part of the
> MSWindows package, while OpenVPN has to be installed separately.

SSTP is a new one on me.

+1

> They are also easier to set up initially, because both MSWindows peers will
> use the same combo of encryption suites, ciphers, etc. Half of the pain of
> getting MSWindows to work with a Linux VPN gateway is often finding how to
> configure the cipher, hash and X509v3 extensions of a TLS certificate in a
> way that MSWindows will not barf; e.g. IIRC, last time I looked at a
> Windows 7 IKEv2/IPSec VPN, the TLS certificates would only accept AES128
> keys and SHA1. Anything more onerous would not be accepted by the MSoft TLS
> key manager.

Agreed.

-- 
Grant. . . .
unix || die
Re: [gentoo-user] Recent changes to install procedure
Mick wrote:
> On Saturday, 3 August 2019 16:45:07 BST Dale wrote:
>> Walter Dnes wrote:
>>> On Sat, Aug 03, 2019 at 12:24:51AM -0400, Walter Dnes wrote
>>>
>>>> I'll insert CHOST and MAKEOPTS to play safe. Any other gotchas in
>>>> recent installs?
>>>>
>>> So far so good. The basic system is installed and booting. One
>>> question... can I just set the "bindist" USE flag globally. On a basic
>>> text install (Xorg not installed yet) in package.use I've already set...
>>>
>>> dev-libs/openssl bindist
>>> net-misc/openssh bindist
>>> net-wireless/iw bindist
>>> net-wireless/wpa_supplicant bindist
>>
>> Just out of curiosity I did a euse -i bindist. It seems what that flag
>> does sort of depends on the package it is set for. You may want to
>> investigate what it will do on those packages before setting it
>> globally. Of course, if the majority of the time you want that enabled,
>> you could disable it for those packages where it does something you
>> don't want but have the default set to on. Whichever is easier.
>>
>> Hope that helps.
>>
>> BTW, I moved my tree and such to /var/cache/portage/ a few years ago.
>> At the time, that was the location most supported but I guess time
>> changed things and they picked another location. Other than knowing
>> what location for emerge and friends to put and look for the related
>> items, it doesn't matter where one puts it really, as long as
>> permissions are correct.
>>
>> Dale
>>
>> :-) :-)
>
> Unless you're building binaries to redistribute it doesn't make sense to set
> it globally. I vaguely recall something going sideways with openssl when I
> had this flag set in the past, so I've left it unset since.

It's been a long time since I did an install but I was thinking the same as you. For us users, it doesn't need to be set at all from what I recall. When I saw the flag, it rang a bell, just lightly, and that was what made me curious about it. The default seems to be off and it is off here.

Dale

:-) :-)
Re: [gentoo-user] emerge stuck after dovecot upgrade
On Thu, 21 May 2020 11:20:18 +0100, Neil Bothwick wrote:
> On Thu, 21 May 2020 06:44:35 +0200, Andreas Fink wrote:
>
> > recently emerge started to get stuck after an upgrade of dovecot, and
> > it is somehow related to my /etc/portage/bashrc, which has the
> > following content:
> >
> > function post_pkg_postinst() {
> >     if test "$CATEGORY/$PN" = "dev-db/mariadb"; then
> >         /etc/init.d/mysql status && /etc/init.d/mysql restart
> >     elif test "$CATEGORY/$PN" = "www-servers/apache"; then
> >         /etc/init.d/apache2 status && /etc/init.d/apache2 restart
> >     elif test "$CATEGORY/$PN" = "net-mail/dovecot"; then
> >         /etc/init.d/dovecot status && /etc/init.d/dovecot restart
> >         echo 'going to sleep'
> >         sleep 5
> >         echo 'finished sleeping'
> >     elif test "$CATEGORY/$PN" = "mail-mta/postfix"; then
> >         /etc/init.d/postfix status && /etc/init.d/postfix restart
> >     elif test "$CATEGORY/$PN" = "net-misc/openssh"; then
> >         /etc/init.d/sshd status && /etc/init.d/sshd restart
> >     fi
> > }
> >
> > I restart dovecot after an upgrade, in the same way as I restart e.g.
> > postfix. However for dovecot emerge gets stuck and does not continue
> > and is sitting there quietly (killable only via `pkill -9 emerge`).
>
> I can confirm this. I tried your bashrc (nice idea by the way, I
> normally manually run needrestart after an update) and the dovecot
> install completed but then hung. The next step is to add set +x to
> bashrc to see where the hang occurs.

It seems the final echo is executed, but then the function doesn't exit for some reason.

I tried rewriting it using case, which looks cleaner to me but fails in the same way.

function post_pkg_postinst() {
    set +x
    case "$CATEGORY/$PN" in
        "net-mail/dovecot")
            /etc/init.d/dovecot status && /etc/init.d/dovecot restart
            echo 'going to sleep'
            sleep 5
            echo 'finished sleeping'
            ;;
        "mail-mta/postfix")
            /etc/init.d/postfix status && /etc/init.d/postfix restart
            ;;
    esac
}

-- 
Neil Bothwick

Vuja De: the feeling that you've never been here before.
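An added example, not from the thread, showing one mechanism that produces exactly the symptom described above (the hook's last echo runs, yet emerge keeps waiting): Portage reads the phase's output through a pipe and waits for end-of-file, and a daemon started by the hook that inherits that pipe keeps it open until it exits. Whether this is what dovecot's init script does here is an assumption; the `fake_restart`/`detached_restart` functions and the `INIT_DIR` override are constructed stand-ins, not real init scripts.

```shell
#!/bin/sh
# Added example: why a service restarted from a post_pkg_postinst hook can
# leave emerge waiting after the hook body has finished. Portage reads the
# phase's output through a pipe and waits for EOF on it; a daemon that
# inherits that pipe as its stdout/stderr keeps it open until it exits.
# That this is what happens with dovecot in the thread is an assumption.

# Stand-in for "/etc/init.d/<svc> restart" (constructed, not a real init
# script): a background "daemon" that inherits the caller's stdio.
fake_restart() {
    sleep 3 &
}

# Same stand-in with stdio detached before backgrounding, so the "daemon"
# holds no reference to whatever pipe the hook was writing to.
detached_restart() {
    sleep 3 </dev/null >/dev/null 2>&1 &
}

# Run a hook body through a pipe, as Portage effectively does, and print the
# whole seconds that passed before the pipe reached end-of-file.
# $1 is the restart function to call.
seconds_until_eof() {
    start=$(date +%s)
    # The command substitution only returns once every writer of the pipe
    # has closed it, which is the point being demonstrated.
    out=$("$1"; echo 'going to sleep'; echo 'finished sleeping')
    end=$(date +%s)
    : "$out"   # captured hook output is not needed here
    echo $((end - start))
}

# Hook in the thread's style with the restart detached from the phase's
# stdio. INIT_DIR is a hypothetical override so the function can be pointed
# at a test directory; it defaults to the real init script location.
post_pkg_postinst() {
    init="${INIT_DIR:-/etc/init.d}"
    case "$CATEGORY/$PN" in
        net-mail/dovecot|mail-mta/postfix|net-misc/openssh)
            svc=$PN
            [ "$PN" = openssh ] && svc=sshd
            # "status &&" keeps a stopped service stopped, as in the thread.
            "$init/$svc" status >/dev/null 2>&1 &&
                "$init/$svc" restart </dev/null >/dev/null 2>&1
            ;;
    esac
    return 0
}

echo "pipe closed after $(seconds_until_eof fake_restart)s with inherited stdio"
echo "pipe closed after $(seconds_until_eof detached_restart)s with detached stdio"
```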
Re: [gentoo-user] ssh Connection reset by port 22
On 12/15/2020 10:41 PM, cal wrote:
> On 12/15/20 9:36 PM, the...@sys-concept.com wrote:
>> On 12/15/2020 07:53 PM, the...@sys-concept.com wrote:
>>> During compiling -uavDN @world one of the packages refuses to compile
>>>
>>> sys-auth/polkit-0.118::gentoo failed (configure phase):
>>> econf failed
>> [snip]
>>>
>>> Now, I can no longer ssh to it, I get:
>>> Connection reset by 10.0.0.100 port 22
>>
>> perl-cleaner --reallyall -- -av solved the problem with:
>> sys-auth/polkit-0.118
>> but I still get the error when trying to ssh:
>>
>> Connection reset by 10.0.0.100 port 22
>>
>
> Is there anything interesting if you run ssh -vvv (you can vary the
> amount of 'v's) to increase the verbosity of the ssh client and see what
> it's doing prior to the connection reset?
>
> Have you tried restarting sshd on the server?
>

Nothing that would indicate any error.

OpenSSH_7.5p1-hpn14v12lpk, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "10.0.0.100" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.0.0.100 [10.0.0.100] port 22.
debug1: Connection established.
debug1: identity file /home/joseph/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/joseph/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/joseph/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/joseph/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/joseph/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/joseph/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/joseph/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/joseph/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5p1-hpn14v12lpk
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1
debug1: match: OpenSSH_8.1 pat OpenSSH* compat 0x0400
debug1: Remote is NON-HPN aware
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.0.0.100:22 as 'joseph'
debug3: hostkeys_foreach: reading file "/home/joseph/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection reset by 10.0.0.100 port 22
Re: [gentoo-user] long compiles
Hi Alan,

just quick and dirty, I am too tired for formalities. :)

The following list contains packages that may be too big for tmpfs and are most probably very time consuming to compile:

$ < /etc/portage/package.env/no_tmpfs.conf
# custom - 20181121 - rfischer: list packages, which are too big for tmpfs
#app-editors/neovim no_tmpfs.conf
#app-emulation/qemu-kv no_tmpfs.conf
#app-office/libreoffice no_tmpfs.conf
#dev-db/mysql no_tmpfs.conf
#dev-java/icedtea no_tmpfs.conf
#dev-lang/ghc no_tmpfs.conf
#dev-lang/ghc no_tmpfs.conf
#dev-lang/mono no_tmpfs.conf
#dev-lang/rust no_tmpfs.conf
#dev-lang/spidermonkey no_tmpfs.conf
#dev-libs/libpcre no_tmpfs.conf
#dev-qt/qtwebengine no_tmpfs.conf #throttle_make_emerge.conf
#mail-client/thunderbird no_tmpfs.conf
#media-libs/opencv no_tmpfs.conf
#media-libs/opencv no_tmpfs.conf
#net-libs/nodejs no_tmpfs.conf
#net-misc/openssh no_tmpfs.conf
#sci-libs/tensorflow no_tmpfs.conf
#sys-apps/iproute2 no_tmpfs.conf
#sys-devel/clang no_tmpfs.conf
#sys-devel/gcc no_tmpfs.conf
#www-client/chromium no_tmpfs.conf #throttle_make_emerge.conf
#www-client/firefox no_tmpfs.conf
#www-client/ungoogled-chromium no_tmpfs.conf #throttle_make_emerge.conf

See also:
* https://wiki.gentoo.org/wiki/Portage_TMPDIR_on_tmpfs#Considering_tmpfs.27_size
* https://wiki.gentoo.org/wiki/Q_applets#Extracting_information_from_emerge_logs_.28qlop.29

Sleeps away.
-Ramon

On 11/09/2023 21:19, Alan McKinnon wrote:
> After my long time away from Gentoo, I thought perhaps some packages that
> always took ages to compile would have improved. I needed to change to
> ~amd64 anyway (dumb n00b mistake leaving it at amd64). So that's what I
> did and let emerge do its thing.
>
> chromium has been building since 10:14, it's now 21:16 and still going so
> 9 hours at least on this machine to build a browser - almost as bad as
> openoffice at its worst (regularly took 12 hours). Nodejs also took a
> while, but I didn't record time.
>
> What other packages have huge build times?
>
> --
> Alan McKinnon
> alan dot mckinnon at gmail dot com
> --
> GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
Re: [gentoo-user] ssh from linux to Windows
On 1/8/24 07:48, Andreas Fink wrote:
> On Sat, 6 Jan 2024 20:09:37 -0700
> the...@sys-concept.com wrote:
>
>> I installed openssh server on Windows 11 and tried to ssh to it using
>> the id_rsa.pub key but I didn't have luck. I copied the key to
>> .ssh\authorized_keys file. On linux the last line ending with "\" on
>> Windows Notepad replaces it with the "+" sign.
>>
>> ssh with password is working but windows doesn't recognize the public
>> key or maybe it is wrong directory C:\Users\Garry Server\.ssh\authorized_keys
>
> If ssh with password is working, did you try letting ssh decide for the
> correct location for your ssh key via ssh-copy-id:
>
> ssh-copy-id -i ~/.ssh/my_key usern...@example.com
>
> First time it will of course log in via password, but any further login
> should use the ssh key.
>
> If the key is still not accepted, have you tried a different ssh key
> type (e.g. ed25519). Maybe the server rejects RSA keys?

Nice command, thanks for the input; but it didn't work with Windows 11.

I run:
ssh-copy-id -i ~/.ssh/id_rsa.pub "Glen Server"@10.0.0.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/joseph/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Glen Server@10.0.0.130's password:
'exec' is not recognized as an internal or external command,
operable program or batch file.

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'Glen Server@10.0.0.130'"
and check to make sure that only the key(s) you wanted were added.

Trying to login again still asked me for password.

On Windows 11 public key should be copied to C:\ProgramData\ssh\administrators_authorized_keys
Re: [gentoo-user] Re: ssh from linux to Windows
On Monday, 8 January 2024 13:45:16 GMT the...@sys-concept.com wrote:
> On 1/8/24 01:41, Nuno Silva wrote:
> > On 2024-01-08, the...@sys-concept.com wrote:
> >> On 1/6/24 20:09, the...@sys-concept.com wrote:
> >>> I installed openssh server on Windows 11 and tried to ssh to it
> >>> using the id_rsa.pub key
> >>> but I didn't have luck. I copied the key to .ssh\authorized_keys file.
> >>> On linux the last line ending with "\" on Windows Notepad replaces
> >>> it with the "+" sign.
> >>>
> >>> ssh with password is working but windows doesn't recognize the
> >>> public key or maybe it is wrong directory C:\Users\Garry
> >>> Server\.ssh\authorized_keys
> >>
> >> Trying to run: "ssh -vv" I get:
> >>
> >> debug1: Authenticating to 10.0.0.130:22 as 'Glen Server'
> >> debug1: load_hostkeys: fopen /home/joseph/.ssh/known_hosts2: No such
> >> file or directory
> >>
> >> Where is it taking the : "known_hosts2" in home directory .ssh/ I only
> >> have file "known_hosts"
> >> In /etc/ssh/sshd_config (computer ssh is initiated from) I can not
> >> find any reference to "known_hosts2"
> >>
> >> Nor, windows \ProgramData\ssh\sshd_config contain any reference to
> >> "known_hosts2"
> >
> > I think the file to check would be ssh_config on the client side, not
> > sshd_config. But it's possible it's not mentioned there either, as it
> > seems to be part of the default at least in some systems, see for
> > example
>
> The ssh_config on the client side is default, never changed anything in it.
>
> > https://serverfault.com/questions/1091575/why-does-ssh-think-i-still-have-a-known-hosts2-file
> >
> > This is just the usual approach of a user-specific file not existing
> > unless it is created. I'd say you can just ignore this message and focus
> > on the verbose messages about the authentication mechanisms.
>
> In the link above the suggested fix for "...fix $HOME/.ssh/known_hosts2: No
> such file or directory" to add "UserKnownHostsFile ~/.ssh/known_hosts"
> I tried to add it to sshd_config but ssh wouldn't even start.
>
> The above error message it just might be the noise, linux to linux all
> connections work, it is just linux to windows it is not working.

The known_hosts and known_hosts2 messages you saw in your client are NOT the cause of your problem.

If you must set your own default known_hosts file, then launch your ssh client like this:

ssh -o GlobalKnownHostsFile=~/.ssh/My_own_known_hosts @
[gentoo-user] Re: ssh from linux to Windows
On 2024-01-08, the...@sys-concept.com wrote:
> On 1/8/24 01:41, Nuno Silva wrote:
>> On 2024-01-08, the...@sys-concept.com wrote:
>>
>>> On 1/6/24 20:09, the...@sys-concept.com wrote:
>>>> I installed openssh server on Windows 11 and tried to ssh to it
>>>> using the id_rsa.pub key
>>>> but I didn't have luck. I copied the key to .ssh\authorized_keys file.
>>>> On linux the last line ending with "\" on Windows Notepad replaces
>>>> it with the "+" sign.
>>>>
>>>> ssh with password is working but windows doesn't recognize the
>>>> public key or maybe it is wrong directory C:\Users\Garry
>>>> Server\.ssh\authorized_keys
>>>
>>> Trying to run: "ssh -vv" I get:
>>>
>>> debug1: Authenticating to 10.0.0.130:22 as 'Glen Server'
>>> debug1: load_hostkeys: fopen /home/joseph/.ssh/known_hosts2: No such
>>> file or directory
>>>
>>> Where is it taking the : "known_hosts2" in home directory .ssh/ I only
>>> have file "known_hosts"
>>> In /etc/ssh/sshd_config (computer ssh is initiated from) I can not
>>> find any reference to "known_hosts2"
>>>
>>> Nor, windows \ProgramData\ssh\sshd_config contain any reference to
>>> "known_hosts2"
>>
>> I think the file to check would be ssh_config on the client side, not
>> sshd_config. But it's possible it's not mentioned there either, as it
>> seems to be part of the default at least in some systems, see for
>> example
>
> The ssh_config on the client side is default, never changed anything in it.
>
>> https://serverfault.com/questions/1091575/why-does-ssh-think-i-still-have-a-known-hosts2-file
>>
>> This is just the usual approach of a user-specific file not existing
>> unless it is created. I'd say you can just ignore this message and focus
>> on the verbose messages about the authentication mechanisms.
>
> In the link above the suggested fix for "...fix $HOME/.ssh/known_hosts2:
> No such file or directory"
> to add "UserKnownHostsFile ~/.ssh/known_hosts"
> I tried to add it to sshd_config but ssh wouldn't even start.

No, this is not something to fix. This is the ssh utility looking for that file in one of the default locations and not finding it. That's just the result of the call which tried to access the file. The same would happen if known_hosts didn't exist yet.

I mean, you can change the setting if you want (in ssh_config, and not sshd_config, it probably is not starting because it's not a valid setting for sshd_config), but you don't have to.

> The above error message it just might be the noise, linux to linux all
> connections work, it is just linux to windows it is not working.

-- 
Nuno Silva
Re: [gentoo-user] Re: go to a no-x console from failed X + lxde install
Harry Putnam wrote:
> Andrej Rode <m...@andrejro.de> writes:
>
>> Hi Harry,
>>
>> On 09/12/16 18:23, Harry Putnam wrote:
>>> # required by x11-libs/gtk+-2.24.31-r1::gentoo
>>> # required by x11-libs/gtksourceview-2.10.5-r3::gentoo
>>> # required by dev-python/pygtksourceview-2.10.1-r1::gentoo
>>> # required by dev-vcs/git-2.11.0::gentoo[python,gtk]
>> This tells me that you may have the gtk use flag for git set. Try to
>> unset it and rerun emerge.
> Yup, there was and must still be for some other things because the
> changes after both the moves you suggested, running
> emerge -vuDNp world was a few lines less output... but otherwise
> pretty much the same. (posted at the end)
>
> cat /etc/portage/package.use/git
> dev-vcs/git -gtk -webdav
>
>> Also set your profile `eselect profile {set,list}` to a non-desktop
>> version. This should configure your base system not to use X.
>> Keep track if anything else in your package.use contains gtk.
> I did look at doing that very thing before posting OP but I had a hard
> time figuring out what to pick.
>
> I went ahead and set [...]/defauilt/linux/x86/13.0/developer
>
> Even though I am a very far cry from that lofty status. Am I creating
> more problems with that? Does that setting also hark of X
>
> There aren't that many that aren't desktop related or selenix or
> hardened or something else like uclibc or musl.. that I don't know
> anything about.
>
> Maybe the very first choice would be better:
> [1] default/linux/x86/13.0
>

For a server setup with no GUI, that would be my pick. I think that is about as minimal as you can get. The developer profile may not be what you think.

> Seems like that might expect X as well
> I expected to find a choice of `server' but don't see that.
>
>
> Even with the leg up you gave me, I'm still not real sure what the output
> is telling me:
>
> Like where it says something is required by an x11- pkg .. well those
> are all unmerged.
>
> Or the chunk at the bottom listing quite a few non-X pkgs but saying:
>
> (dependency required by "net-misc/openssh-7.3_p1-r8::gentoo[pam]" [ebuild])
>
> What dependancy.. use use flag of X?
>
> Also, I thought it might help to stick a use flag of `-gtk' in
> make.conf. But when I did that just now as an experiment instead of
> the output below I got a huge list of x11- pkgs to be installed.
> Now changed back I get the output below.
>
> --- --- ---=--- --- ---
> emerge -vuNDp
>
> These are the packages that would be merged, in order:
>
> Calculating dependencies... done!
>
> The following USE changes are necessary to proceed:
> (see "package.use" in the portage(5) man page for more details)
> # required by x11-libs/gtk+-2.24.31-r1::gentoo
> # required by x11-themes/gtk-engines-adwaita-3.20.2::gentoo
> >=x11-libs/cairo-1.14.6 X
> # required by x11-libs/gtk+-2.24.31-r1::gentoo
> # required by x11-themes/gtk-engines-adwaita-3.20.2::gentoo
> >=x11-libs/gdk-pixbuf-2.36.0 X
>
> !!! The ebuild selected to satisfy "x11-libs/gtk+:3" has unmet requirements.
> - x11-libs/gtk+-3.22.4::gentoo USE="introspection -X (-aqua) -broadway
> -cloudprint -colord -cups -examples -test -vim-syntax -wayland -xinerama"
>
> The following REQUIRED_USE flag constraints are unsatisfied:
> any-of ( aqua wayland X )
>
> The above constraints are a subset of the following complete expression:
> any-of ( aqua wayland X ) xinerama? ( X )
>
> (dependency required by "gnome-extra/polkit-gnome-0.105-r1::gentoo"
> [installed])
> (dependency required by "sys-auth/polkit-0.113-r1::gentoo[gtk]" [installed])
> (dependency required by "sys-auth/consolekit-1.1.0-r1::gentoo[policykit]"
> [installed])
> (dependency required by "sys-auth/pambase-20150213::gentoo[consolekit]"
> [installed])
> (dependency required by "net-misc/openssh-7.3_p1-r8::gentoo[pam]" [ebuild])
> (dependency required by "virtual/ssh-0::gentoo[-minimal]" [installed])
> (dependency required by "@system" [set])
> (dependency required by "@world" [argument])
>
> These are the packages that would be merged, in order:
>
> Calculating dependencies... done!
>
> The following USE changes are necessary to proceed:
> (see "package.use" in the portage(5) man page for more details)
> # required by x11-libs/gtk+-2.24.31-r1::gentoo
> # required by x11-themes/gtk-engines-adwaita-3.20.2::gentoo
> >=x11-libs/cairo-1.14.6 X
> # required by x11-libs/gtk+-2.24.31-r1::gentoo
> # required by x11-themes/gtk-engines-
[gentoo-user] Re: go to a no-x console from failed X + lxde install
Andrej Rode <m...@andrejro.de> writes:

> Hi Harry,
>
> On 09/12/16 18:23, Harry Putnam wrote:
>> # required by x11-libs/gtk+-2.24.31-r1::gentoo
>> # required by x11-libs/gtksourceview-2.10.5-r3::gentoo
>> # required by dev-python/pygtksourceview-2.10.1-r1::gentoo
>> # required by dev-vcs/git-2.11.0::gentoo[python,gtk]
>
> This tells me that you may have the gtk use flag for git set. Try to
> unset it and rerun emerge.

Yup, there was and must still be for some other things because the changes after both the moves you suggested, running emerge -vuDNp world was a few lines less output... but otherwise pretty much the same. (posted at the end)

cat /etc/portage/package.use/git
dev-vcs/git -gtk -webdav

> Also set your profile `eselect profile {set,list}` to a non-desktop
> version. This should configure your base system not to use X.
> Keep track if anything else in your package.use contains gtk.

I did look at doing that very thing before posting OP but I had a hard time figuring out what to pick.

I went ahead and set [...]/defauilt/linux/x86/13.0/developer

Even though I am a very far cry from that lofty status. Am I creating more problems with that? Does that setting also hark of X

There aren't that many that aren't desktop related or selenix or hardened or something else like uclibc or musl.. that I don't know anything about.

Maybe the very first choice would be better:
[1] default/linux/x86/13.0

Seems like that might expect X as well
I expected to find a choice of `server' but don't see that.

Even with the leg up you gave me, I'm still not real sure what the output is telling me:

Like where it says something is required by an x11- pkg .. well those are all unmerged.

Or the chunk at the bottom listing quite a few non-X pkgs but saying:

(dependency required by "net-misc/openssh-7.3_p1-r8::gentoo[pam]" [ebuild])

What dependancy.. use use flag of X?

Also, I thought it might help to stick a use flag of `-gtk' in make.conf. But when I did that just now as an experiment instead of the output below I got a huge list of x11- pkgs to be installed. Now changed back I get the output below.

--- --- ---=--- --- ---
emerge -vuNDp

These are the packages that would be merged, in order:

Calculating dependencies... done!

The following USE changes are necessary to proceed:
 (see "package.use" in the portage(5) man page for more details)
# required by x11-libs/gtk+-2.24.31-r1::gentoo
# required by x11-themes/gtk-engines-adwaita-3.20.2::gentoo
>=x11-libs/cairo-1.14.6 X
# required by x11-libs/gtk+-2.24.31-r1::gentoo
# required by x11-themes/gtk-engines-adwaita-3.20.2::gentoo
>=x11-libs/gdk-pixbuf-2.36.0 X

!!! The ebuild selected to satisfy "x11-libs/gtk+:3" has unmet requirements.
- x11-libs/gtk+-3.22.4::gentoo USE="introspection -X (-aqua) -broadway -cloudprint -colord -cups -examples -test -vim-syntax -wayland -xinerama"

  The following REQUIRED_USE flag constraints are unsatisfied:
    any-of ( aqua wayland X )

  The above constraints are a subset of the following complete expression:
    any-of ( aqua wayland X ) xinerama? ( X )

(dependency required by "gnome-extra/polkit-gnome-0.105-r1::gentoo" [installed])
(dependency required by "sys-auth/polkit-0.113-r1::gentoo[gtk]" [installed])
(dependency required by "sys-auth/consolekit-1.1.0-r1::gentoo[policykit]" [installed])
(dependency required by "sys-auth/pambase-20150213::gentoo[consolekit]" [installed])
(dependency required by "net-misc/openssh-7.3_p1-r8::gentoo[pam]" [ebuild])
(dependency required by "virtual/ssh-0::gentoo[-minimal]" [installed])
(dependency required by "@system" [set])
(dependency required by "@world" [argument])

These are the packages that would be merged, in order:

Calculating dependencies... done!

The following USE changes are necessary to proceed:
 (see "package.use" in the portage(5) man page for more details)
# required by x11-libs/gtk+-2.24.31-r1::gentoo
# required by x11-themes/gtk-engines-adwaita-3.20.2::gentoo
>=x11-libs/cairo-1.14.6 X
# required by x11-libs/gtk+-2.24.31-r1::gentoo
# required by x11-themes/gtk-engines-adwaita-3.20.2::gentoo
>=x11-libs/gdk-pixbuf-2.36.0 X

!!! The ebuild selected to satisfy "x11-libs/gtk+:3" has unmet requirements.
- x11-libs/gtk+-3.22.4::gentoo USE="introspection -X (-aqua) -broadway -cloudprint -colord -cups -examples -test -vim-syntax -wayland -xinerama"

  The following REQUIRED_USE flag constraints are unsatisfied:
    any-of ( aqua wayland X )

  The above constraints are a subset of the following complete expression:
    any-of ( aqua wayland X ) xinerama? ( X )

(dependency required by "gnome-extra/polkit-gnome-0.105-r1::gentoo" [installed])
(dependency required by "sys-auth/polkit-0.113-r1:
Re: [gentoo-user] Exim, Outlook 2007, and Thunderbird
On Mon, 2008-09-08 at 18:24 -0700, kashani wrote:
> Michael Sullivan wrote:
>> My public IP address is 70.234.122.254
>>
>> [EMAIL PROTECTED] ~ $ telnet 127.0.0.1 143
>> Trying 127.0.0.1...
>> Connected to 127.0.0.1.
>> Escape character is '^]'.
>> * OK Dovecot ready.
>> ^]
>> telnet quit
>> Connection closed.
>> [EMAIL PROTECTED] ~ $ telnet 70.254.122.254 143
>> Trying 70.254.122.254...
>> telnet: connect to address 70.254.122.254: Connection refused
>
> Are you port forwarding port 143 through your NAT if you're using NAT?
> Are you allowing imap in your firewall rules? I'd also try the
> suggestion of changing to listen = * suggested here.
> http://gentoo-wiki.com/Dovecot#Configure
>
> kashani

From nmap:

camille dovecot # nmap -T Aggressive -A -v 70.234.122.254

Starting Nmap 4.68 ( http://nmap.org ) at 2008-09-08 20:33 CDT
Initiating Ping Scan at 20:33
Scanning 70.234.122.254 [2 ports]
Completed Ping Scan at 20:33, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:33
Completed Parallel DNS resolution of 1 host. at 20:33, 0.25s elapsed
Initiating SYN Stealth Scan at 20:33
Scanning adsl-70-234-122-254.dsl.tul2ok.sbcglobal.net (70.234.122.254) [1715 ports]
Discovered open port 22/tcp on 70.234.122.254
Discovered open port 25/tcp on 70.234.122.254
Discovered open port 80/tcp on 70.234.122.254
Completed SYN Stealth Scan at 20:33, 3.02s elapsed (1715 total ports)
Initiating Service scan at 20:33
Scanning 3 services on adsl-70-234-122-254.dsl.tul2ok.sbcglobal.net (70.234.122.254)
Completed Service scan at 20:33, 6.17s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against adsl-70-234-122-254.dsl.tul2ok.sbcglobal.net (70.234.122.254)
Retrying OS detection (try #2) against adsl-70-234-122-254.dsl.tul2ok.sbcglobal.net (70.234.122.254)
Initiating Traceroute at 20:33
70.234.122.254: guessing hop distance at 1
Completed Traceroute at 20:33, 0.01s elapsed
Host adsl-70-234-122-254.dsl.tul2ok.sbcglobal.net (70.234.122.254) appears to be up ... good.
Interesting ports on adsl-70-234-122-254.dsl.tul2ok.sbcglobal.net (70.234.122.254):
Not shown: 1708 closed ports
PORT    STATE    SERVICE  VERSION
20/tcp  filtered ftp-data
21/tcp  filtered ftp
22/tcp  open     ssh      OpenSSH 4.7 (protocol 2.0)
25/tcp  open     smtp     Exim smtpd 4.69
80/tcp  open     http     Apache httpd
143/tcp filtered imap
443/tcp filtered https
No OS matches for host
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: camille.espersunited.com

TRACEROUTE (using port 22/tcp)
HOP RTT  ADDRESS
1   2.47 adsl-70-234-122-254.dsl.tul2ok.sbcglobal.net (70.234.122.254)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.126 seconds
           Raw packets sent: 1794 (82.336KB) | Rcvd: 1767 (81.820KB)

Also, my dovecot.conf has changed somewhat over the course of the evening. Here's the current version:

camille dovecot # cat dovecot.conf | sed /#/d
protocols = imap imaps
listen = [::]
disable_plaintext_auth = no
ssl_disable = yes
mail_location = maildir:~/.maildir
protocol imap {
  listen = *
}
protocol pop3 {
}
protocol lda {
  postmaster_address = [EMAIL PROTECTED]
}
auth default {
  mechanisms = plain
  passdb pam {
    args = *
  }
  userdb passwd {
  }
  user = root
}
dict {
}
plugin {
}
[gentoo-user] Cannot login with publickey on sshd
Hi All,

For some reason my Gentoo rsa public key is not liked by 3.9p1-11.el4_7 sshd, which is running on a CentOS server. On the Gentoo machine I am running net-misc/openssh-5.1_p1-r1. This is what it shows:

===
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 14835 ms remain after connect
debug3: Not a RSA1 key file /home/michael/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-END'
debug3: key_read: missing keytype
debug1: identity file /home/michael/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1-hpn13v5
debug3: check_host_in_hostfile: filename /home/michael/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 17
debug1: Host '[XX]:22' is known and matches the RSA host key.
debug1: Found key in /home/michael/.ssh/known_hosts:17
debug2: bits set: 496/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/michael/.ssh/id_rsa ()
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive).
===

The above response and bail out without authenticating happens when I pass the option: -o PreferredAuthentications=publickey

Otherwise, it goes through the above responses and then asks for the user's passwd.

I have had no problems to date using pubkey on other Gentoo, Ubuntu and FreeBSD machines. Can you see anything that makes sense in the above CentOS response? Is there a fix?

-- 
Regards,
Mick
Re: [gentoo-user] Cannot login with publickey on sshd
Mick wrote:
> On Monday 01 December 2008, Mick wrote:
>> On Monday 01 December 2008, Eric Martin wrote:
>>> What did you use to generate the key? Also, what does the client / server say for the key fail?
>>
>> I used something like: ssh-keygen -v -t rsa -b 2048. I have even generated a second key pair and tried that too, with no success. The client messages are in the first message I sent to the list - basically showing this:
>>
>> debug1: Connection established.
>> debug3: timeout: 14828 ms remain after connect
>> debug3: Not a RSA1 key file /home/michael/.ssh/.ssh/id_rsa.
>> debug2: key_type_from_name: unknown key type '-BEGIN'
>> debug3: key_read: missing keytype
>> debug2: key_type_from_name: unknown key type 'Proc-Type:'
>> debug3: key_read: missing keytype
>> debug2: key_type_from_name: unknown key type 'DEK-Info:'
>> debug3: key_read: missing keytype
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> . . .
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug2: key_type_from_name: unknown key type '-END'
>> debug3: key_read: missing keytype
>>
>> The server messages are shown here: http://pastebin.centos.org/22705
>
> I have now also tried to generate a key pair on the server, move the private key over to the client and then try to login - still no result! :-( It has to be some sort of incompatibility between the two versions of OpenSSH. Don't know what else to assume with this problem.

It definitely looks like the server doesn't like your private key. Did you remember to update (read: add) the public key on the server?

Also, I generated an ssh key using the exact same syntax that you used and my key looks different than what I can glean about your key. The ---BEGIN, Proc-Type and DEK-Info lines are in an old dsa key I created, while the rsa key just says BEGIN RSA PRIVATE KEY- followed by key data. The DSA key says the same, except DSA as opposed to RSA. From the logs it looks like a formatting issue, given the whitespace errors. Have you tried loading your key into an agent? Try:

ssh-agent /bin/bash
ssh-add ~/.ssh/id_rsa

This will unlock your key and let that session authenticate for you. It also has the nice side effect of checking if your private key is a real private key. The only time I have a problem w/pub/private keys is when I create them on a windows box and try to export it to ssh. The other way around always works for me.

HTH
--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
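The thread above turns on two client-side questions: what kind of private key file the client is holding (the 'Proc-Type:' and 'DEK-Info:' tokens in Mick's debug output are the headers of a passphrase-encrypted legacy PEM key, which is what ssh-add would have to unlock), and whether the file modes are ones ssh will accept at all. The script below is an added illustration of both checks; it is not code from either poster or from OpenSSH. The key material in it is constructed filler, and the helper names are this example's own.

```python
"""Two client-side checks for a key the far-end sshd rejects (added example).

1. classify_key(): read the envelope of a private key file: classic PEM,
   passphrase-encrypted PEM (Proc-Type/DEK-Info headers), or the newer
   'OPENSSH PRIVATE KEY' envelope.
2. permission_problems(): the file modes ssh insists on before using a key.
"""
import os
import re
import stat
import tempfile

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")


def classify_key(text):
    """format -> 'pem', 'openssh' or 'unknown'; label -> the BEGIN line label;
    encrypted -> True when 'Proc-Type: 4,ENCRYPTED' is present (the key needs
    a passphrase or an agent); cipher -> the DEK-Info algorithm, if any."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"format": "unknown", "label": None, "encrypted": False, "cipher": None}
    if not lines:
        return info
    m = PEM_BEGIN.match(lines[0])
    if not m:
        return info
    info["label"] = m.group(1)
    info["format"] = "openssh" if m.group(1) == "OPENSSH PRIVATE KEY" else "pem"
    # RFC 1421 style headers sit between BEGIN and the base64 body; base64
    # never contains ':' so the first line without one ends the header block.
    for line in lines[1:]:
        if ":" not in line:
            break
        name, value = line.split(":", 1)
        if name == "Proc-Type" and "ENCRYPTED" in value:
            info["encrypted"] = True
        elif name == "DEK-Info":
            info["cipher"] = value.strip().split(",")[0]
    return info


def permission_problems(key_path):
    """Modes that make the key unusable: ssh ignores a private key readable by
    group/others ('UNPROTECTED PRIVATE KEY FILE'), and sshd with StrictModes
    ignores authorized_keys under a group- or world-writable ~/.ssh."""
    problems = []
    key_mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if key_mode & 0o077:
        problems.append("%s is mode %04o, expected 0600" % (key_path, key_mode))
    ssh_dir = os.path.dirname(os.path.abspath(key_path))
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & 0o022:
        problems.append("%s is mode %04o, expected 0700" % (ssh_dir, dir_mode))
    return problems


# Constructed sample files: the base64 bodies are filler, not real keys.
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END RSA PRIVATE KEY-----
"""
PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END RSA PRIVATE KEY-----
"""
OPENSSH_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
YjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQg==
-----END OPENSSH PRIVATE KEY-----
"""


def demo_permissions():
    """Drop a constructed key into a temporary ~/.ssh, first with the
    too-open mode 0644, then with 0600; return both sets of findings."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        key = os.path.join(ssh_dir, "id_rsa")
        with open(key, "w") as fh:
            fh.write(PLAIN_PEM)
        os.chmod(key, 0o644)
        too_open = permission_problems(key)
        os.chmod(key, 0o600)
        fixed = permission_problems(key)
    return too_open, fixed


if __name__ == "__main__":
    for name, text in (("encrypted", ENCRYPTED_PEM), ("plain", PLAIN_PEM), ("openssh", OPENSSH_KEY)):
        print(name, classify_key(text))
    print(demo_permissions())
```

Run it against a real file with `classify_key(open(path).read())` and `permission_problems(path)`; an "encrypted" result means the key is only usable after a passphrase prompt or ssh-add, which is the situation the ssh-agent suggestion above addresses.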
Re: [gentoo-user] Finding packages which provide a file
Neil Bothwick wrote:
> AFAIK there's no database of Gentoo packages such as you ask for. Such a database would be inaccurate, because package contents are USE flag dependent, so anyone charitable enough to set one up would probably spend most of their time fielding questions about incorrect data :(

Nah, not necessarily. For every listed file, it would be required to show to which package(s) it belongs and also, how those packages were built (ie. with which USE flags). So, not only the listing of all the CONTENT files would be of interest, but also the keyword (ie. x86, amd64, ...) and the associated USE flags.

BTW: How can I find out, with which *relevant* USE flags a package has been built? Eg. gnome-base/gnome. In /var/db/pkg/gnome-base/gnome-2.14.1, I find a USE file. But it contains *WAY* too many flags:

[EMAIL PROTECTED] /var/db/pkg/gnome-base/gnome-2.14.1 $ cat USE
x86 GAPING_SECURITY_HOLE X acpi alsa amd apache2 apm arts artswrappersuid async avi bash-completion bdf berkdb bitmap-fonts bluetooth bootsplash cairo caps cardbus ccache cdda cddb cdio cdparanoia cdr cdrom cle266 cli crypt css curlwrappers dbus devmap dillo divx4linux dlloader dri dvd dvdread emoticon esd exif fam fbcon fbdev firefox fping freetype gdbm gif gnokii gnome gstreamer gtk gtk2 hal hpn icc id3 idn imap imlib imlib2 insecure-drivers insecure-savers isdnlog javascript jikes jpeg kde kdeenablefinal libedit libwww linuxthreads-tls logrotate lynxkeymap mad madwifi maildir matroska mbox mmx mmxext mozilla moznoirc mozsvg mp3 mpeg mpeg2 mpeg4 mplayer multicall ncurses netboot network new-login nfs nis nls no-old-linux no-suexec noantlr nobcel nobeanutils nobsf nobsh nocd nocommonslogging nocommonsnet nodrm nogg nogulm nojsch nojython nolog4j nomac nooro nopri norhino noxalan noxerces nozaptel nptl nsplugin offensive ogg opengl openssh pam_console pam_timestamp passfile password patented pccts pcmcia pcre perl perlsuid pic player png pnp pppd qt quicktime rar readline real recode reflection reiserfs sdl sendfile sensord session sftp sms spell spf spl sse sse2 ssl startup-notification stream subp subtitles suid symlink sysfs syslog tiff transcode truetype truetype-fonts trusted type1-fonts udev underscores unichrome unicode unsafe usb utf8 uudeview vim vim-pager vlm vorbis wifi win32codecs wma123 x11vnc xinetd xml xmms xorg xpm xprint xscreensaver xv xvid xvmc zlib elibc_glibc input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_-synaptics kernel_linux linguas_de userland_GNU video_cards_fbdev video_cards_vesa video_cards_vga video_cards_via

I'd rather only see the relevant flags; ie. those flags, which are shown when I do a emerge -v, like so:

[EMAIL PROTECTED] /var/db/pkg/gnome-base/gnome-2.14.1 $ emerge -vpt gnome
These are the packages that would be merged, in reverse order:
Calculating dependencies... done!
[ebuild R ] gnome-base/gnome-2.14.1 USE=-accessibility cdr -dvdr hal 0 kB
Total size of downloads: 0 kB

So, I would like to see -accessibility cdr -dvdr hal

How to do that?

Thanks, Alexander Skwar
--
panic(Fod fight!); linux-2.2.16/drivers/scsi/aha1542.c
--
gentoo-user@gentoo.org mailing list
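The "relevant" flags emerge -v prints are the flags the ebuild declares (the IUSE file next to USE in /var/db/pkg/<cat>/<pkg>/) intersected with the flags the package was built with. The script below is an added example of doing that intersection, not anything from the post or from portage; it assumes both files are present in the installed-package database (portage writes them) and uses a constructed IUSE/USE pair modelled on the gnome-2.14.1 case above.

```python
"""Added example: show only the USE flags that matter for an installed
package, i.e. the ebuild's IUSE intersected with the USE it was built with.
Assumption: /var/db/pkg/<cat>/<pkg>/ holds both the IUSE and USE files."""
import os
import tempfile


def relevant_use(iuse_text, use_text):
    """Return 'flag' / '-flag' tokens in IUSE order, the way emerge -v shows them."""
    iuse = []
    for token in iuse_text.split():
        flag = token.lstrip("+-")         # IUSE may carry default markers such as +flag
        if flag and flag not in iuse:
            iuse.append(flag)
    enabled = set(use_text.split())
    return " ".join(flag if flag in enabled else "-" + flag for flag in iuse)


def installed_relevant_use(vdb="/var/db/pkg"):
    """Walk the installed-package database: 'cat/pkg-ver' -> relevant flags."""
    result = {}
    for category in sorted(os.listdir(vdb)):
        cat_dir = os.path.join(vdb, category)
        if not os.path.isdir(cat_dir):
            continue
        for pkg in sorted(os.listdir(cat_dir)):
            pkg_dir = os.path.join(cat_dir, pkg)
            iuse_path = os.path.join(pkg_dir, "IUSE")
            use_path = os.path.join(pkg_dir, "USE")
            if not (os.path.isfile(iuse_path) and os.path.isfile(use_path)):
                continue
            with open(iuse_path) as f_iuse, open(use_path) as f_use:
                result["%s/%s" % (category, pkg)] = relevant_use(f_iuse.read(), f_use.read())
    return result


# Constructed sample: a short IUSE and a cut of the global USE list from the post.
SAMPLE_IUSE = "accessibility cdr dvdr hal"
SAMPLE_USE = "x86 X alsa cdr gnome gtk hal pam ssl unicode elibc_glibc kernel_linux userland_GNU"


def demo():
    """Build a throwaway package database with one package and read it back."""
    with tempfile.TemporaryDirectory() as vdb:
        pkg_dir = os.path.join(vdb, "gnome-base", "gnome-2.14.1")
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "IUSE"), "w") as fh:
            fh.write(SAMPLE_IUSE + "\n")
        with open(os.path.join(pkg_dir, "USE"), "w") as fh:
            fh.write(SAMPLE_USE + "\n")
        return installed_relevant_use(vdb)


if __name__ == "__main__":
    for atom, flags in demo().items():
        print(atom, flags)
```

On a live system call `installed_relevant_use()` with the default path; USE_EXPAND flags (video_cards_*, linguas_*) come out the same way because they are listed in IUSE like any other flag.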
[gentoo-user] Portage 2.1 weirdness
Hmm... after having updated to portage 2.1 which has become stable, I get this weird output from emerge and revdep-rebuild:

OUTPUT from emerge --pretend --update --deep --newuse world

These are the packages that would be merged, in order:
Calculating world dependencies... done!
[ebuild R ] net-fs/samba-3.0.22 USE=-ldap*
[ebuild R ] dev-java/blackdown-jdk-1.4.2.03 USE=-mozilla*
[ebuild R ] media-gfx/autotrace-0.31.1-r1 USE=-imagemagick*
[ebuild R ] net-ftp/proftpd-1.2.10-r7 USE=-ldap*
[ebuild R ] app-crypt/gnupg-1.4.2.2 USE=-curl* -ldap*
[ebuild R ] app-crypt/gnupg-1.9.20-r3 USE=-ldap*
[ebuild R ] www-client/mozilla-1.7.13 USE=-ldap*
[ebuild R ] mail-filter/spamassassin-3.1.3 USE=-ldap* -sqlite*
[ebuild R ] gnome-extra/evolution-data-server-1.4.2.1 USE=-ldap*
[ebuild R ] mail-client/evolution-2.4.2.1 USE=-ldap*
[ebuild R ] media-libs/libsdl-1.2.8-r1 USE=-nas*
[ebuild R ] media-libs/libao-0.8.5 USE=-nas*
[ebuild R ] net-im/gaim-1.5.0 USE=-nas*
[ebuild R ] mail-client/mozilla-thunderbird-1.5.0.4 USE=-ldap*
[ebuild R ] net-libs/gecko-sdk-1.7.13 USE=-ldap*
[ebuild R ] gnome-extra/nautilus-cd-burner-2.12.3 USE=-cdr*
[ebuild R ] app-editors/xemacs-21.4.15-r3 USE=-ldap* -nas*
[ebuild R ] dev-libs/apr-util-0.9.7 USE=-ldap*
[ebuild R ] dev-python/gnome-python-2.12.1 USE=-gtkhtml*
[ebuild R ] dev-python/gnome-python-extras-2.12.0 USE=-mozilla*
[ebuild R ] media-video/gpac-0.4.1_pre20060122 USE=-mozilla*
[ebuild R ] net-misc/openssh-4.3_p2-r1 USE=-ldap*
[ebuild R ] media-sound/timidity++-2.13.2 USE=-nas*
[ebuild R ] net-www/apache-2.0.55-r1 USE=-ldap*
[ebuild R ] net-misc/curl-7.15.1-r1 USE=-idn* -ldap*
[ebuild R ] x11-libs/qt-3.3.6-r1 USE=-nas* -sqlite*
[ebuild R ] dev-java/swt-3.2_rc2 USE=-mozilla*
[ebuild R ] dev-libs/cyrus-sasl-2.1.21-r2 USE=-ldap*
[ebuild R ] app-office/openoffice-2.0.2-r1 USE=-ldap* -mozilla*
[ebuild R ] dev-lang/php-5.1.4 USE=-curl* -ldap* -mhash* -sqlite*
[ebuild R ] gnome-extra/gnome-games-2.12.3 USE=-guile*
[ebuild R ] dev-util/eclipse-sdk-3.0.1-r2 USE=-mozilla*
[ebuild R ] dev-lang/swig-1.3.21 USE=-guile*
[ebuild R ] media-gfx/gimp-2.2.8-r1 USE=-gtkhtml*
[ebuild R ] gnome-base/gnome-2.12.3 USE=-cdr*
[ebuild R ] app-emulation/wine-0.9.8-r1 USE=-ldap* -nas*
[ebuild R ] www-client/elinks-0.10.6 USE=-guile* -idn* -lua*

OUTPUT from revdep-rebuild --pretend

All prepared. Starting rebuild...
emerge --oneshot --pretend =sys-devel/gcc-3.4.6-r1 =sys-devel/gcc-4.1.1
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-devel/gcc-3.4.6-r1 USE=-ip32r10k%
[ebuild R ] sys-devel/gcc-4.1.1

Recompiling that much (especially OpenOffice) just because of an update to Portage seems quite excessive to me.

- Kristian Poul Herkild
Re: [gentoo-user] Re: systemd? [ Was: The End Is Near ... ]
On Wed, Mar 21, 2012 at 6:55 PM, Walter Dnes waltd...@waltdnes.org wrote:
> On Wed, Mar 21, 2012 at 12:02:32PM -0400, Michael Mol wrote
>> I said this before, but it sounds useful to try to reiterate:
>>
>> * It's probable that service-specific files should not be included in the init system package.
>> * Service-specific init files should probably be part of the distro-localized version of a service-providing package. This doesn't mean modifying binaries, this is part of bootstrapping a service's environment. Call it deferred installation stages, if you like; things which need to be done for the service to be configured and properly operate.
>
> My point is that the startup, sanity-checking, and initialization code has to go *SOMEWHERE*. Where do you propose moving it to?

Sure. But there's a difference between moving, e.g. sshd's first-time code into the net-misc/openssh package and moving it into the sshd binary itself.

I don't want to sound condescending, but I really don't know how much of this is going to be generally known on this list, and I get the impression that it's unclear... (Also, I'm not an expert on this...)

The distribution of software, as I understand it, generally has three groups of people who hold it:

1) Upstream. Generally, upstream will keep their software portable and agnostic, so it can be installed in a variety of places. That's not a requirement, but it's considered polite in the open-source world, and fairly necessary if they want the software to be broadly used. Upstream is expected to know their software well enough to keep it in active development, or at least in current maintenance.

2) Packager. A packager adapts upstream's software so that it fits in and plays nicely with the rest of the software in the system. The packager is expected to have the required understanding of both the software and the target distribution in order to accomplish this.

3) End user. The end user isn't typically expected to have a full understanding of the software or the distribution. He'll run the distribution's package manager to install the software, follow any instructions given for configuration, and apply any domain expertise he has to configure things to conform to site-local needs.

What we're talking about with systemd vs openrc, and things like sshd's first-time initialization is all within the realm of responsibility of the packager. It's a shift in the way the distribution itself works. We're not talking about a scenario where you shunt things upstream, so the whole "your position would have rejected Linux" angle is a red herring.

Now, let's look at what an init system does. For each service, it spawns some process, checks a return code, declares either success or failure, and may take some further action based on that success or failure. Why does that spawned process have to be sshd? Why can't it be some shell script which does the one-time checks, and then launches sshd itself? Why does that shell script need to be distributed as part of the init system's package, and not part of the package associated with the service? Having the shell script be part of the package associated with the service keeps bugs related to that script associated with that package.

As far as compatibility between init systems is concerned, you can symlink the init system's launch file (e.g. /etc/init.d/some_file) to wherever this shell script is, or you can configure the init system such that it knows where the shell script is. At least, that's the way I see it. Any issue of compatibility between the two can be addressed by the service's package manager, either by adaption via that script, or by expressing an explicit dependency on one init architecture or another.

-- :wq
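The "wrapper that does the one-time checks, then launches sshd" pattern argued for above, as an added illustration (it is not Gentoo's sshd init script, nor anything from the post). The wrapper generates any missing host keys with `ssh-keygen -A`, lets sshd validate its own configuration with `sshd -t`, and only then replaces itself with the daemon so the init system supervises sshd rather than the wrapper. The binary paths and the set of host key types it insists on are this example's assumptions; `run` is injectable so the sequence can be exercised without root or a real sshd.

```python
"""Added example of a service launcher: one-time checks, then exec the daemon."""
import os
import subprocess
import tempfile

SSHD = "/usr/sbin/sshd"                 # assumed paths
KEYGEN = "/usr/bin/ssh-keygen"
CONFDIR = "/etc/ssh"
REQUIRED_KEY_TYPES = ("rsa", "ecdsa", "ed25519")   # assumption: what we insist on


def missing_host_keys(confdir, types=REQUIRED_KEY_TYPES):
    """Host key types for which confdir has no ssh_host_<type>_key file."""
    return [t for t in types
            if not os.path.isfile(os.path.join(confdir, "ssh_host_%s_key" % t))]


def prepare(confdir=CONFDIR, run=subprocess.run):
    """Run the one-time steps; return (ok, commands_issued)."""
    commands = []

    def call(argv):
        commands.append(argv)
        return run(argv).returncode

    if missing_host_keys(confdir):
        # ssh-keygen -A creates whichever default host keys are absent
        if call([KEYGEN, "-A"]) != 0:
            return False, commands
    config = os.path.join(confdir, "sshd_config")
    # sshd -t checks the config and key files without starting the daemon
    if call([SSHD, "-t", "-f", config]) != 0:
        return False, commands
    return True, commands


def launch(confdir=CONFDIR):
    """What the init script would do: prepare, then become sshd (foreground,
    errors to stderr) so the supervisor watches the daemon itself."""
    ok, _ = prepare(confdir)
    if not ok:
        raise SystemExit("sshd preflight failed")
    os.execv(SSHD, [SSHD, "-D", "-e", "-f", os.path.join(confdir, "sshd_config")])


def dry_run(keys_present=()):
    """Simulate prepare() against a temporary confdir holding the given key
    files, recording the commands instead of running them (all succeed)."""
    class Done:
        returncode = 0

    with tempfile.TemporaryDirectory() as confdir:
        for t in keys_present:
            open(os.path.join(confdir, "ssh_host_%s_key" % t), "w").close()
        return prepare(confdir, run=lambda argv: Done())


if __name__ == "__main__":
    print(dry_run())                                  # keys missing: keygen, then sshd -t
    print(dry_run(("rsa", "ecdsa", "ed25519")))       # keys present: only sshd -t
```

A failing preflight returns before the exec, which is the point of the pattern: a service with a broken config or no host keys never reaches the state where the init system reports it as started.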
Re: [gentoo-user] Re: OT: Linus ranting about Gnome3
On Sat, Jun 16, 2012 at 6:42 PM, Matthew Finkel matthew.fin...@gmail.com wrote: On Sat, Jun 16, 2012 at 5:30 PM, Michael Mol mike...@gmail.com wrote: On Sat, Jun 16, 2012 at 5:10 PM, Matthew Finkel matthew.fin...@gmail.com wrote: On Sat, Jun 16, 2012 at 5:00 PM, Nikos Chantziaras rea...@gmail.com wrote: On 16/06/12 21:27, walt wrote: I guess they figure the desktop will be extinct relatively soon and their customer base will vanish unless they capture the smartphone market. Ah yes, the death of the desktop PC, which is happening for 15 years now. Are we dead yet? I'm not holding my breath. There will always be a divide for the power users. A single, under-powered interface isn't going to cut it for a lot of us. X provides us with the flexibility that isn't available with the mobile interface. Even in the Microsoft world, I can't easily imagine them ditching the old UI paradigm for their Windows Server products. They've come a long way in making Windows CLI-friendly (see PowerShell), but they haven't yet (AFAIK) provided a good mechanism for remote CLI access. True, and they've been working hard to get it to the state it is in now. In many cases, sys admins have had to unlearn relying on their mouse for complete power. The CLI provides options that are, obviously, very difficult to express in a simple GUI (I know I'm preaching to the choir). Powershell has made huge progress in this respect, but it still has a long way to go in order to compete with what we have. And I doubt the server environment would ever become stripped down to the state we're talking about. Actually, they're there as of Windows Server 2008. It's called Windows Server 2008 Core. According to Windows Server 2008: The Definitive Guide, you log into one of these systems and all you get (by default) is a terminal window with an instance of cmd.exe. 
It goes on to list seven server roles this configuration supports:

* Active Directory and Active Directory Lightweight Domain Services (LDS)
* DHCP Server
* DNS Server
* File Services (including DFSR and NFS)
* Print Services
* Streaming Media Services
* Windows Server Virtualization

(Curiously, one of the things you _can't_ do is run Managed Code.) Not that they won't be able to bolt one in easily enough; CSRSS means they should be able to provide, e.g. an SSH daemon, give the connecting user a PowerShell login session[1], and give it equal privileges and security controls as they have for any other login session.

How many years have they had? I'd given up on this years ago.

SFU is available in the Server Core configuration. I imagine you could run OpenSSH under there. Or some commercial entity could come along and provide an SSH+screen(ish) component to snap into the CSRSS framework.

-- :wq
[gentoo-user] Re: scripted iptables-restore
Michael Orlitzky mich...@orlitzky.com wrote:
> On 10/14/2013 07:49 AM, Martin Vaeth wrote:
>> Using yet another service with possible holes to protect a sshd? In this case, I would like port knocking at least for this OpenVPN.
>
> The sensitive parts of OpenVPN are audited regularly, and it uses SSL -- public key auth to exchange a symmetric key, both of which use tried-and-true algorithms/code.

So it's completely as well-audited and secure as openssh was when the Debian disaster happened. Also IIRC there are currently some timing attacks against certain SSL modes, and who knows when some clever hacker finds another possibility nobody thought of up to now.

> Port knocking on the other hand is just security through obscurity

As is every password.

> and is visible over the wire

This is why you have to change it regularly. Actually, if you change it whenever you used it, you have a rather strong method, essentially only vulnerable if the man-in-the-middle is able to cut your connection, and even then he has only very limited time to attack the actual service which is protected by it.

> problem is solved if it's easy to exponentially increase the amount of work an attacker has to do.

And exactly for this reason the solution is always only a theory - for very particularly specified problems. For practical machines, it is good to have this *in addition* to other safety measurements: Experience shows that rather often there are some new ideas or bugs which can be used to avoid the exponential amount by something not covered by the original theory.

> Obscurity does provide some benefit, but it gets dismissed because we tend to ignore the constant factor when talking about these things.

This is reasonable for theory, but in practice the constant factor can be more important. Even more if it needs human intervention.

> Hiding the salt would just be security through obscurity.

And yet it is stupid if you do not do it and give away a huge constant factor for no advantage.

> Similarly, putting port knocking in front of OpenVPN is like putting a padlock on the bank vault. If someone is going to break OpenVPN, port knocking ain't gonna stop them.

No. Port knocking is more like putting your bank vault into a wooden box. If some new attack against SSL or the OpenVPN implementation is found, it is like somebody has a key to your vault. If you are a highly important target, this will not save you, but if human resources are needed to break whatever you did for obscurity, it makes in practice the crucial difference.

> It's not laziness I'm advocating, just simplicity. Simple, understandable code is more likely to be correct than clever code. And in this case, incorrect iptables code is more of a threat than the tiny race condition.

You have a strange mentality: On the one hand you are afraid that a rather primitive translation of one syntax into another leads to unexpected effects, and on the other hand you trust much more complex things like SSL and OpenVPN which could much easier allow unexpected things with even the slightest attempt to secure them further if you can.
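The "change it whenever you used it" variant of port knocking discussed above, worked through as an added example (not code from either poster, and not a complete knock daemon). Client and server share a secret and a counter; knock number n is HMAC-SHA256(secret, n) mapped onto a list of ports, so a sequence that was observed on the wire is rejected once it has been consumed, and the server tolerates a small window of counters the client may have burnt on lost knocks. Sending the packets and opening the firewall are left out; only the sequence derivation and the replay check are shown, with a constructed secret.

```python
"""Added example: one-time port knock sequences derived from a shared secret."""
import hashlib
import hmac
import struct


def knock_sequence(secret, counter, length=4, low=10000, high=60000):
    """Ports for knock number `counter`: 2 bytes of the HMAC per port,
    reduced into [low, high)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    span = high - low
    return [low + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(length)]


def _pack(ports):
    return b"".join(struct.pack(">H", p) for p in ports)


class KnockServer:
    """Accepts each sequence at most once; `window` is how many counters the
    client may be ahead (knocks lost in transit are never replayable)."""

    def __init__(self, secret, window=3):
        self.secret = secret
        self.next_counter = 0
        self.window = window

    def check(self, ports):
        observed = _pack(ports)
        for c in range(self.next_counter, self.next_counter + self.window):
            expected = _pack(knock_sequence(self.secret, c))
            if hmac.compare_digest(observed, expected):
                self.next_counter = c + 1       # consumed: a replay now fails
                return True
        return False


class KnockClient:
    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def next_knock(self):
        ports = knock_sequence(self.secret, self.counter)
        self.counter += 1
        return ports


def demo():
    """Constructed run: fresh knock accepted, its replay rejected, the next
    fresh knock accepted, a knock far beyond the window rejected."""
    secret = b"constructed-shared-secret"
    client, server = KnockClient(secret), KnockServer(secret)
    first = client.next_knock()
    results = [server.check(first), server.check(first)]      # fresh, then replay
    results.append(server.check(client.next_knock()))         # counter 1
    results.append(server.check(knock_sequence(secret, 9)))   # outside the window
    return results


if __name__ == "__main__":
    print(demo())
```

The window is the trade-off the thread touches on: it must be large enough that a lost knock does not lock the client out, and small enough that the server never accepts a sequence the client has not yet been forced to send.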
Re: [gentoo-user] technical review of systemd
On Sat, Feb 22, 2014 at 6:16 PM, thegee...@thegeezer.net wrote:

OK so because of how much time has been spent arguing about systemd with little technical content, i've spent some time on the freedesktop site reading Lennart's blog and also going through the source to find answers to my questions about the socket activator. i've also been going through the man pages of netctl too and am horrified at the lack of what i would call enterprise features.

networkd (netctl is just the command-line front-end) is not intended for enterprise; it's for little servers where you only need static IPs or simple bridges. For desktops/laptops, you are supposed to keep using NetworkManager/connman/whatever you used before. For complex network setups, you need *a* network manager (not necessarily NetworkManager).

this is by no means a definitive list. I just thought that i would share what i had found. please correct me if i am wrong in any of these. please add to the list for technical items only.

I find it a very impartial and objective review; thank you very much!

thanks!

pros
1. very modular, everything can be disabled though not removed
2. socket based activator allows restart of services with no service interruption
3. if activator.c is used for this, then the code is actually pretty clean using supplied sd-daemon.c simplifies sockets for daemons and also adds extra watchdog features
4. can disable socket based activation according to Canek, but i can't find how.

You use a .service unit file instead of a .socket unit file. That's it.

thanks good to know that is all you need

For OpenSSH, for example, you can enable sshd.service[1], and then the SSH daemon works as it does in OpenRC. If you instead enable sshd.socket[2], then the daemon will start on demand. You don't have to *disable* anything; you choose how you want to use your services (if the services provide both ways, like OpenSSH does).

5. fschecking mounts and logging output (though how for corrupt / notsure)

Corrupt filesystems or logs?

logs. currently if fsck runs anywhere on boot i get zero log about what was done, so i prefer to do this on a running system. / is obviously special, so this is a pro that fsck is logged, but of course if / has issue i'm not sure what systemd would do other than drop you to emergency

6. auto-gettys allows for lower numbered X windows by default for e.g. multiseat and dynamic serial ttys
7. clever logging, including from nspawned containers' logs and distributed for enterprise
8. nspawning using filename namespaces
9. systemctl kill service -- killing service and all forks and spawn; cgtop -- top with cgroups
10. much easier to define resource limitations per service

cons
1. new tools to learn, new gotchas to learn.
2. yet to go through systemd source to find out how modular or not it is.

While it tries to be modular where it can, systemd prefers simple code and integrated solutions. Modularity is not going to be one of its strong points.

3. not clear how the socket activator works, the code activator.c appears to be to _test_ activation only, with activator code being elsewhere. if it is used then you would have one process running for each port it is virtually listened to.

It's been a while since I've read the source code, but it isn't in src/activate/activate.c[3]?

ok so it does look like it would have a systemd-activate process for each socket being activated on behalf of a service. that makes me feel better than one process doing all of them. perhaps someone using service activation can do a 'ps aux' to confirm?

4. /etc/machine-id because hostname and node id in the cluster of your choice are not enough.

The idea is that machine-id is as unique as reasonable to ask. I'm not overly happy with it, too, but that's the justification. Imagine thousands of virtual machines running services, and you want to coalesce all their journal logs in a central server. With machine-id, you don't need to worry even to change the default localhost for your throwaway VMs, you can detect the different logs immediately (machine-id should be generated at OS install time; for rolling distros, I think they generate it if when installing systemd is not available.)

5. /fsck.options gives more options than autoforceskip on reboot
6. requiring logging tools in rescue cds in order to view logs

Yeah, that's a drag. However, you *can* run rsyslog (or syslog-ng) alongside the journal, and have the best of both worlds. Or you can automatically send the journal logs to a central server designed for that purpose only.

7. chroots no longer work. forcing use of nspawn to ensure environment set up correctly.

I'm sorry, chroot doesn't work? First time I heard about it. While systemd-nspawn is a gazillion times better than a simple chroot, you *can* still use a chroot if you so desire. Where did you find that chroot doesn't work?

agreed nspawn is better due
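The "enable sshd.service or enable sshd.socket, nothing to disable" point above works because a socket-activated daemon follows one small contract, the one sd-daemon.c's sd_listen_fds() implements: systemd sets LISTEN_PID to the daemon's pid and LISTEN_FDS to how many already-bound descriptors it passed, numbered from 3 upwards, and a daemon that finds nothing there just binds its own port. The code below is an added example of that daemon-side logic; it is not systemd's code nor OpenSSH's. The banner it serves and the fallback address are this example's choices, and the environment it demonstrates with is constructed.

```python
"""Added example: how a daemon takes its listening socket from the socket
activator, and binds one itself when run as a plain service."""
import os
import socket

SD_LISTEN_FDS_START = 3   # first passed descriptor, per the sd_listen_fds(3) contract


def inherited_listen_fds(environ, pid):
    """Descriptors passed by the activator, or [] if the variables are not
    addressed to this process (LISTEN_PID guards against inheriting them from
    a parent that was the activated process)."""
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def listening_socket(environ, pid, fallback=("127.0.0.1", 0)):
    """Return (socket, activated). Under socket activation the first passed
    descriptor is already bound and listening; otherwise bind our own."""
    fds = inherited_listen_fds(environ, pid)
    if fds:
        return socket.socket(fileno=fds[0]), True
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(fallback)
    sock.listen(8)
    return sock, False


def serve_one(sock):
    """The daemon's actual work (here: one banner per connection) is the
    same in both modes; only where the socket came from differs."""
    conn, _ = sock.accept()
    with conn:
        conn.sendall(b"hello from the daemon\n")


def demo():
    """Constructed environment: activation recognised for our own pid,
    ignored for a foreign pid, then the fallback bind to a local port."""
    me = os.getpid()
    env = {"LISTEN_PID": str(me), "LISTEN_FDS": "2"}
    ours = inherited_listen_fds(env, me)
    foreign = inherited_listen_fds(env, me + 1)
    sock, activated = listening_socket({}, me)
    port = sock.getsockname()[1]
    sock.close()
    return ours, foreign, activated, port > 0


if __name__ == "__main__":
    sock, activated = listening_socket(os.environ, os.getpid())
    print("activated" if activated else "bound %s:%d" % sock.getsockname())
    serve_one(sock)
```

Run under a .socket unit the `__main__` branch reports "activated" and serves the connection that triggered it; run by hand or under a .service unit it binds the fallback address, which is exactly why one daemon binary can be driven by either unit.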
Re: [gentoo-user] php (error?)
On Sunday 12 Jul 2015 20:40:35 James wrote:
> Hello,
>
> So lately I've been using elogv for a convenience way to ensure no issues with the most recent packages installed or upgraded. It's a neat little tool. Today I found this:
>
> dev-lang/php-5.6.10 - 07/10/2015 {in purple}
>
> snipped::
> This package has a configure.in file which has long been deprecated. Please update it to use configure.ac instead as newer versions of autotools will die when it finds this file. See https://bugs.gentoo.org/426262 for details.
>
> OK, so I looked at the bug. From what I read:
> If we start now, to rename configure.in to configure.ac before eautoreconf we will avoid lots of breakages due to the deprecation of .in in automake-1.13.
>
> Makes sense; but I cannot find the file. I get lots of hits for a configure.in in my code trees, but little on the rest of the system; here are the few:
> /usr/portage/dev-lang/lua/files/configure.in
> /usr/share/cppunit/examples/money/configure.in
> (and quite a few on firefox).
>
> # equery depends =sys-devel/autoconf-2.13
> * These packages depend on sys-devel/autoconf-2.13:
> app-admin/tripwire-2.4.2.2-r3 (sys-devel/autoconf)
> app-editors/vim-7.4.273 (sys-devel/autoconf)
> app-editors/vim-core-7.4.273 (sys-devel/autoconf)
> mail-client/thunderbird-31.7.0 (=sys-devel/autoconf-2.1*)
> net-libs/libnet-1.1.6 (sys-devel/autoconf)
> net-misc/openssh-6.7_p1 (sys-devel/autoconf)
> sys-apps/attr-2.4.47-r1 (sys-devel/autoconf)
> www-client/firefox-31.7.0 (=sys-devel/autoconf-2.1*)
> www-client/seamonkey-2.33.1-r1 (=sys-devel/autoconf-2.1*)
>
> Huh? really? I have versions 2.13 and 2.69 of sys-devel/autoconf installed. So, I'm kinda head scratching to decide what, if anything, to fix? There's much that I did not post, but they are all dead ends like:
>
> For more details on how minor version slotting works (PHP_TARGETS) please read the upgrade guide: http://www.gentoo.org/proj/en/php/php-upgrading.xml
>
> from the elogview of the latest php install. That link is dead. Any suggestions? Is elogv borked in this case?
>
> /var/tmp/portage/php-5.6.10/work/php-5.1.6/config.log does not even exist
>
> # eselect php list cli
> [1] php5.6 *
>
> Bottom line is I have not used php directly in some time, so it is quite easy that I missed some info from the devs on php changes. I did not see anything in the news system nor pgo.

Did you start an emerge of php and then look in your /var/tmp/portage to find it?

--
Regards,
Mick
Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
> I meant the log for the SSH server, on the machine you are trying to connect to, not the nx log. On the SSH server, run
>
> grep sshd /var/log/messages

Here it is:

Nov 29 11:07:18 tiger kernel: audit: type=1109 audit(1448795238.479:95): pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.62.40 addr=192.168.62.40 terminal=ssh res=failed'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:c8:65:0c:ad:44:4d:7e:a3:b7:1b:2a:34:5f:a6:a9:61:16:26:21:8d:20:de:80:27:ce:50:dc:6c:ed:8d:c9:f8 direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:59:9f:43:66:77:9e:77:a7:66:77:71:0c:8c:0c:aa:28:61:b4:69:be:ec:77:ed:46:7f:eb:3f:eb:e7:b0:de:7e direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:b9:48:9f:4f:b7:bd:63:39:b5:49:e9:41:89:0b:64:b2:6a:6a:6d:03:2e:b1:ae:49:9d:9f:89:18:02:28:b3:8c direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:3a:ae:49:b7:b1:94:f6:b3:a4:88:62:45:b3:36:5d:1f:46:9d:c9:9d:e2:a7:1b:23:94:c2:f9:1b:a4:0e:46:99 direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: USER_LOGIN pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nx" exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=ssh res=failed'
[root@tiger ~]#

--
Neil Bothwick

Why is the word abbreviation so long?
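The lines above are Linux audit records relayed through syslog: a numeric `type=1109` kernel line, then named records (CRYPTO_KEY_USER, USER_LOGIN) whose details sit as key=value pairs inside `msg='...'`. The USER_LOGIN record with `acct="nx"` and `res=failed` is the one that answers the question in the subject; the CRYPTO_KEY_USER `res=success` lines are per-connection key housekeeping. The parser below is an added example of pulling those records apart and counting failed logins by account and source address; it is not from the thread, and its sample lines are constructed in the shape of the ones quoted above.

```python
"""Added example: parse sshd's audit records from syslog and count failures."""
import re
from collections import Counter

# audit records are key=value pairs; values may be double-quoted
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# record type: numeric type=NNNN on kernel lines, or a NAME after 'audit:'
TYPE = re.compile(r"audit: (?:type=(\d+)|([A-Z_]+))")
MSG = re.compile(r"msg='(.*)'\s*$")


def parse_audit(line):
    """Flatten one syslog audit line into a dict, or None if it is not one."""
    m = TYPE.search(line)
    if not m:
        return None
    rec = {"type": m.group(1) or m.group(2)}
    inner = MSG.search(line)
    head = line[:inner.start()] if inner else line
    for part in (head, inner.group(1) if inner else ""):
        for key, quoted, bare in KV.findall(part):
            rec[key] = quoted if quoted else bare
    return rec


def failed_logins(lines):
    """Count (record type, op, account, source address) for every record
    with res=failed, ignoring the successful key-housekeeping noise."""
    counts = Counter()
    for line in lines:
        rec = parse_audit(line)
        if rec and rec.get("res") == "failed":
            counts[(rec["type"], rec.get("op"), rec.get("acct"), rec.get("addr"))] += 1
    return counts


# Constructed sample in the shape of the quoted log (fingerprints shortened).
SAMPLE = """\
Nov 29 11:07:18 tiger kernel: audit: type=1109 audit(1448795238.479:95): pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.62.40 addr=192.168.62.40 terminal=ssh res=failed'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:aa:bb:cc direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: USER_LOGIN pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nx" exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=ssh res=failed'
Nov 29 11:09:02 tiger audit: USER_LOGIN pid=12201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nx" exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=ssh res=failed'
Nov 29 11:10:44 tiger audit: USER_LOGIN pid=12230 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.41 terminal=/dev/pts/2 res=success'
Nov 29 11:10:45 tiger sshd[12230]: Accepted publickey for someone from 192.168.62.41 port 50000 ssh2
""".splitlines()


if __name__ == "__main__":
    for key, n in sorted(failed_logins(SAMPLE).items()):
        print(n, key)
```

Feed it the real `grep sshd /var/log/messages` output line by line; the `op=PAM:bad_ident` record and the `op=login` failure for the same pid together say the PAM stack turned the "nx" session away before any key or password was checked, which narrows where to look next.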
Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
I also read the link you sent which prompted me to run the query:

~]# ssh -G nx
user root
hostname nx
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression no
controlmaster false
enablesshkeysign no
exitonforwardfailure no
forwardagent no
forwardx11 no
forwardx11trusted yes
gatewayports no
gssapiauthentication yes
gssapidelegatecredentials no
hashknownhosts no
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
protocol 2
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
rhostsrsaauthentication no
rsaauthentication yes
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
useprivilegedport no
verifyhostkeydns false
visualhostkey no
updatehostkeys false
canonicalizemaxdots 1
compressionlevel 6
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
ciphers chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
hostkeyalgorithms ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
hostbasedkeytypes ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
kexalgorithms curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
loglevel INFO
macs umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_dsa
identityfile ~/.ssh/id_ecdsa
identityfile ~/.ssh/id_ed25519
canonicaldomains
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
sendenv LANG
sendenv LC_CTYPE
sendenv LC_NUMERIC
sendenv LC_TIME
sendenv LC_COLLATE
sendenv LC_MONETARY
sendenv LC_MESSAGES
sendenv LC_PAPER
sendenv LC_NAME
sendenv LC_ADDRESS
sendenv LC_TELEPHONE
sendenv LC_MEASUREMENT
sendenv LC_IDENTIFICATION
sendenv LC_ALL
sendenv LANGUAGE
sendenv XMODIFIERS
fingerprinthash SHA256 MD5
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177
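`ssh -G host` prints the configuration the client would actually use for that host, one keyword per line (some keywords, such as identityfile, repeat), which makes it the right input for a quick hardening check. The script below is an added example, not code from the thread or from OpenSSH: it parses that output and flags the algorithm families that current OpenSSH hardening guidance retires (RC4, Blowfish, CAST, 3DES and CBC ciphers; MD5, RIPEMD-160 and truncated MACs; SHA-1 key exchange; DSA host keys). Which families count as legacy is this example's assumption, and the sample is a constructed cut of the output above with full algorithm names in place of the archive's obfuscated '...' ones.

```python
"""Added example: audit `ssh -G` output for legacy algorithm choices."""
import re
from collections import defaultdict

# keyword -> [(pattern, reason)]; what to flag is this example's assumption
LEGACY = {
    "ciphers": [
        (re.compile(r"^(arcfour|blowfish|cast128|3des)"), "RC4, Blowfish, CAST or 3DES"),
        (re.compile(r"-cbc(@|$)"), "CBC mode"),
    ],
    "macs": [
        (re.compile(r"^hmac-(md5|ripemd160|sha1-96)"), "MD5, RIPEMD-160 or truncated MAC"),
    ],
    "kexalgorithms": [
        (re.compile(r"sha1$"), "SHA-1 based key exchange"),
    ],
    "hostkeyalgorithms": [
        (re.compile(r"^ssh-dss"), "DSA host key"),
    ],
}


def parse_ssh_g(text):
    """keyword -> list of values, in output order (keywords may repeat)."""
    conf = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()].append(value)
    return conf


def audit(conf):
    """(keyword, algorithm, reason) for every flagged entry, in list order."""
    findings = []
    for keyword, rules in LEGACY.items():
        for value in conf.get(keyword, []):
            for algo in value.split(","):
                for pattern, reason in rules:
                    if pattern.search(algo):
                        findings.append((keyword, algo, reason))
                        break
    return findings


# Constructed cut of `ssh -G` output, modelled on the one in the post.
SAMPLE_SSH_G = """\
user root
hostname nx
port 22
protocol 2
pubkeyauthentication yes
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,arcfour256,3des-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
hostkeyalgorithms ssh-ed25519,ssh-rsa,ssh-dss
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
macs umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96-etm@openssh.com
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ed25519
"""


if __name__ == "__main__":
    for keyword, algo, reason in audit(parse_ssh_g(SAMPLE_SSH_G)):
        print("%-18s %-40s %s" % (keyword, algo, reason))
```

In practice pipe the real thing in (`ssh -G host | python3 this_script.py` after swapping the sample for `sys.stdin.read()`); a flagged entry only means the client is still willing to negotiate it, and the fix is a Ciphers/MACs/KexAlgorithms line in ssh_config rather than anything on the server.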
[gentoo-user] Re: go to a no-x console from failed X + lxde install
Andrej Rode <m...@andrejro.de> writes:

> Hi,
>
>> (dependency required by "gnome-extra/polkit-gnome-0.105-r1::gentoo" [installed])
>> (dependency required by "sys-auth/polkit-0.113-r1::gentoo[gtk]" [installed])
>> (dependency required by "sys-auth/consolekit-1.1.0-r1::gentoo[policykit]" [installed])
>> (dependency required by "sys-auth/pambase-20150213::gentoo[consolekit]" [installed])
>> (dependency required by "net-misc/openssh-7.3_p1-r8::gentoo[pam]" [ebuild])
>> (dependency required by "virtual/ssh-0::gentoo[-minimal]" [installed])
>> (dependency required by "@system" [set])
>> (dependency required by "@world" [argument])
>> These are the packages that would be merged, in order:
>
> This output now shows us that `> (dependency required by "sys-auth/polkit-0.113-r1::gentoo[gtk]" [installed])` polkit has the gtk useflag and therefore it tries to build `polkit-gnome` which in fact requires gtk.
>
> Instead of setting USE=-gtk in your `/etc/portage/make.conf` try setting `sys-auth/consolekit-1.1.0-r1 -gtk` in `/etc/portage/package.use/polkit`

I guessed you meant to say polkit, so:

root # cat /etc/portage/package.use/polkit
sys-auth/polkit-0.113-r -gtk

And boy, did those changes you've been posting really make a difference. I have a nice hefty list of nearly all non-X stuff ...

One item puzzles me a bit:

[ebuild N ] x11-misc/shared-mime-info-1.7::gentoo USE="{-test}" 0 KiB

Using Dale's suggestion of --tree I see a whole list of stuff pulling that in. The closest culprit seems to be:

dev-libs/glib-2.50.2:[...] USE+"mime [...]"

But maybe `shared-mime-info' is something one might use reading mail or such? I guess the `nomerge' part means it's already installed? It's a bit confusing seeing what is actually doing the pulling: Is it `virtual/ssh-0'?

[ebuild R] virtual/ssh-0::gentoo USE="minimal*" 0 KiB
[nomerge ] sys-apps/pciutils-3.5.2::gentoo USE="kmod [...]
[nomerge ] virtual/libudev-232:0/1::gentoo USE="-static-libs[...]
[ebuild R] sys-fs/eudev-3.2::gentoo USE="hwdb kmod [...]
[nomerge ] sys-fs/udev-init-scripts-32::gentoo
[nomerge ] virtual/udev-217::gentoo USE="-systemd"
[nomerge ] sys-fs/eudev-3.2::gentoo USE="hwdb kmod [...]
[nomerge ] virtual/pkgconfig-0-r1::gentoo
[nomerge ] dev-util/pkgconfig-0.29.1::gentoo USE="-hardened [...]
[nomerge ] dev-libs/glib-2.50.2:2::gentoo USE="mime xattr [...]
[ebuild N ] x11-misc/shared-mime-info-1.7::gentoo USE="{-test}"[...]

Thanks for the help and the url pointers I snipped.
Re: [gentoo-user] conflict with same package, same USE
On Fri, 2 Jun 2017 10:59:51 +0200, Hogren wrote:

> Sorry for the lack of courtesy !!
>
> I hope that someone can help me.

You've already been given a useful pointer, disable bindist globally. Unless you are building a distro for redistribution, there is no need for this flag to be on globally.

> Thank you very very much for your help !!
>
> Hogren
>
> On 02/06/2017 10:55, Hogren wrote:
> > Hello list,
> >
> > It's me again about conflicts.
> >
> > I don't understand this conflict, the two needed openssl are the same.
> > Actually, I don't see the difference.
> >
> > gnugnu # emerge --verbose-conflict @preserved-rebuild
> > Calculating dependencies... done!
> > [ebuild R] dev-libs/openssl-1.0.2k USE="bindist*"
> > [ebuild R] sys-devel/binutils-2.25.1-r1
> > [ebuild U ] sys-libs/talloc-2.1.9 [2.1.5]
> > [ebuild U ] sys-libs/tdb-1.3.13 [1.3.8]
> > [ebuild U ] sys-libs/tevent-0.9.31-r1 [0.9.28]
> > [ebuild N ] dev-python/subunit-1.2.0-r1 USE="-static-libs {-test}" ABI_X86="(64) -32 (-x32)" PYTHON_TARGETS="python2_7 python3_4 (-pypy) (-pypy3) (-python3_5) (-python3_6)"
> > [ebuild N ] dev-qt/qtnetwork-5.6.2 USE="bindist ssl -connman -debug -libproxy -networkmanager {-test}"
> > [ebuild U ] sys-libs/ldb-1.1.29-r1 [1.1.26] USE="ldap%* python%*"
> > [ebuild R] dev-qt/qtxmlpatterns-5.6.2
> > [ebuild R] dev-qt/qtwebkit-5.6.2
> > [ebuild R ~] net-misc/teamviewer-9.0.32150
> > [ebuild U ] net-fs/samba-4.5.10 [4.2.14] USE="-gpg% (-system-heimdal) -zeroconf%"
> > [ebuild R] media-gfx/blender-2.72b-r4
> > [ebuild R ~] media-gfx/wkhtmltopdf-0.12.4
> > [ebuild U ~] www-client/firefox-53.0.3 [52.0.1-r1]
> > [ebuild U ] app-office/libreoffice-5.2.7.2 [5.2.3.3-r1] PYTHON_SINGLE_TARGET="python3_4* -python2_7*"
> > [ebuild R] net-ftp/filezilla-3.12.0.2
> > [ebuild R] media-gfx/gimp-2.8.14-r2
> > [ebuild N ] x11-plugins/enigmail-1.9.6.1-r1
> > [ebuild U ] mail-client/thunderbird-45.8.0 [45.7.0]
> > [blocks b ] x11-plugins/enigmail ("x11-plugins/enigmail" is blocking mail-client/thunderbird-45.7.0)
> >
> > !!! Multiple package instances within a single package slot have been pulled
> > !!! into the dependency graph, resulting in a slot conflict:
> >
> > dev-libs/openssl:0
> >
> > (dev-libs/openssl-1.0.2k:0/0::gentoo, ebuild scheduled for merge) pulled in by
> > dev-libs/openssl:0[bindist=] required by (dev-qt/qtnetwork-5.6.2:5/5.6::gentoo, ebuild scheduled for merge)
> >
> > (dev-libs/openssl-1.0.2k:0/0::gentoo, installed) pulled in by
> > >=dev-libs/openssl-0.9.8f:0[bindist=] required by (net-misc/openssh-7.3_p1-r7:0/0::gentoo, installed)
> >
> > Hogren

--
Neil Bothwick

Suicidal twin kills sister by mistake!
[gentoo-user] Why I'm unable to run Vagrant as non-root user?
I've installed Vagrant in Gentoo from the repository. I'm using Ruby 2.2.8. I got the following error when I tried to run Vagrant as a non-root user:

pecan@tux ~ $ vagrant
/usr/lib64/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- checkpoint (LoadError)
	from /usr/lib64/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from /usr/lib64/ruby/gems/2.2.0/gems/vagrant-1.9.8/lib/vagrant/environment.rb:7:in `'
	from /usr/lib64/ruby/gems/2.2.0/gems/vagrant-1.9.8/bin/vagrant:118:in `'

The result of `ruby /usr/lib64/ruby/gems/2.2.0/gems/vagrant-2.0.0/bin/vagrant`:

pecan@tux ~ $ ruby /usr/lib64/ruby/gems/2.2.0/gems/vagrant-2.0.0/bin/vagrant
/usr/lib64/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- log4r (LoadError)
	from /usr/lib64/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from /usr/lib64/ruby/gems/2.2.0/gems/vagrant-2.0.0/bin/vagrant:61:in `'

The result of `sudo vagrant`:

pecan@tux ~ $ sudo vagrant
Usage: vagrant [options] []

    -v, --version                    Print the version and exit.
    -h, --help                       Print this help.

Common commands:
     box             manages boxes: installation, removal, etc.
     destroy         stops and deletes all traces of the vagrant machine
     global-status   outputs status Vagrant environments for this user
     halt            stops the vagrant machine
     help            shows the help for a subcommand
     init            initializes a new Vagrant environment by creating a Vagrantfile
     login           log in to HashiCorp's Vagrant Cloud
     package         packages a running vagrant environment into a box
     plugin          manages plugins: install, uninstall, update, etc.
     port            displays information about guest port mappings
     powershell      connects to machine via powershell remoting
     provision       provisions the vagrant machine
     push            deploys code in this environment to a configured destination
     rdp             connects to machine via RDP
     reload          restarts vagrant machine, loads new Vagrantfile configuration
     resume          resume a suspended vagrant machine
     snapshot        manages snapshots: saving, restoring, etc.
     ssh             connects to machine via SSH
     ssh-config      outputs OpenSSH valid configuration to connect to the machine
     status          outputs status of the vagrant machine
     suspend         suspends the machine
     up              starts and provisions the vagrant environment
     validate        validates the Vagrantfile
     version         prints current and latest Vagrant version

For help on any individual command run `vagrant COMMAND -h`

Additional subcommands are available, but are either more advanced
or not commonly used. To see all subcommands, run the command
`vagrant list-commands`.

I'm using the system Ruby. As you can see, Vagrant with sudo works, but I have a question: why am I unable to run Vagrant as a non-root user? What should I do to be able to run Vagrant as a non-root user? I'm counting on your help.
Re: [gentoo-user] Ssh problem : half-solved
Hi Philip,

On Tuesday, 12 March 2019 10:02:07 GMT Philip Webb wrote:
> 190311 Neil Bothwick wrote:
> > Do you have any other Host stanzas in the config?
>
> No : /etc/ssh/ssh_config has the following uncommented lines :
>
> # Send locale environment variables. #367017
> SendEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC
> LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME
> LC_PAPER LC_TELEPHONE
> # Send COLORTERM to match TERM. #658540
> SendEnv COLORTERM
> # PP 190312
> Host 128.100.160.1
> KexAlgorithms +diffie-hellman-group1-sha1
> # Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
>
> I tried adding the 'Ciphers' line, which is mentioned in the I/net page,
> but Ssh chokes, so I commented it again :

The ciphers do not come into play until the key exchange algos have been agreed upon. In your case the handshake does not reach this far and therefore you do not need (yet) to specify any additional ciphers. The server problem is still with the KexAlgorithms.

> ~/.ssh/config has :
>
> Host 128.100.160.1
> KexAlgorithms +diffie-hellman-group1-sha1
>
> The latest output ('538' above) shows that it reads ~/.ssh/config ,
> but apparently doesn't find what it wants there
> & therefore goes on to /etc/ssh/ssh_config , on which it chokes.
> Without the 'Cipher' line in the latter, it carries on with the handshake,
> but eventually can't do the key exchange.
>
> I've just looked at the USE flags :
>
> root:528 ssh> eix net-misc/openssh
> Available versions: 7.5_p1-r4 7.7_p1-r9^t 7.9_p1-r4^t {X X509 audit bindist debug (+)hpn kerberos ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test ABI_MIPS="n32" KERNEL="linux"}
> Installed versions: 7.9_p1-r4^t([2019-03-09 22:25:11])(X ssl -X509 -audit -bindist -debug -hpn -kerberos -ldns -libedit -libressl -livecd -pam -pie -sctp -selinux -static -test ABI_MIPS="-n32" KERNEL="linux")
>
> NB Eix shows a Use flag 'ssh1', which Euses describes as :
>
> net-misc/openssh:ssh1 - Support the legacy/weak SSH1 protocol

If you watch The Matrix, a 20 year old film, you will see why ssh version 1 should be disabled by default, or the machine on which it is enabled isolated from the Internet.

> Can anyone offer further advice ? -- Thanks so far.

I suggest you remove all settings for Host 128.100.160.1 from the /etc/ssh/ssh_config file and place them in your ~/.ssh/config file only. Then run ssh:

ssh -v 128.100.160.1

and check for a line like this:

debug1: Reading configuration data /home/purslow/.ssh/config
debug1: /home/purslow/.ssh/config line xx: Applying options for 128.100.160.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 128.100.160.1 ... blah-blah

This will show you if ~/.ssh/config is being sourced, if the lines you have specified for Host 128.100.160.1 therein are being parsed by ssh and if the connection is attempted. The line which should come next is:

debug1: Connection established.

which will be followed with algos and ciphers exchange.

HTH.
--
Regards,
Mick
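Both the `ssh -G nx` post above (which shows `user root` as the effective default) and Mick's advice here come down to the same question: which configuration lines does ssh actually apply to a given host? The added example below (not code from either thread) uses `ssh -G -F <file>` to print the effective value of an option for a host without connecting, and shows why ordering matters: ssh_config uses the first value obtained for each option, so a global `User root` placed above a `Host` stanza silently wins. The host `nx`, the users and the config contents are constructed for the demonstration; `-F` makes ssh ignore /etc/ssh/ssh_config, so the result depends only on the file given.

```shell
#!/bin/sh
# Added example, not from the mailing list posts.  Requires OpenSSH >= 6.8
# (for `ssh -G`); no connection is made.

# Print the effective value of one option for a host, using only the given
# config file.  Keys in `ssh -G` output are lower-case ("user", "port",
# "kexalgorithms", ...); only the first matching line is printed.
effective_option() {
    cfg=$1; host=$2; key=$3
    ssh -G -F "$cfg" "$host" |
        awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Constructed config 1: a global "User root" appears BEFORE the Host stanza.
# Because the first value obtained wins, every host, including nx, gets root.
write_bad_config() {
    cat > "$1" <<'EOF'
User root
Host nx
    User alice
EOF
}

# Constructed config 2: host-specific stanzas first, generic defaults last
# (the order ssh_config(5) recommends), so nx gets alice and others get root.
write_good_config() {
    cat > "$1" <<'EOF'
Host nx
    User alice
Host *
    User root
EOF
}

# Write both configs to a temporary directory and report the effective user
# for nx under each; prints one line per config.
demo() {
    tmp=$(mktemp -d)
    write_bad_config "$tmp/bad"
    write_good_config "$tmp/good"
    echo "bad:  user for nx = $(effective_option "$tmp/bad" nx user)"
    echo "good: user for nx = $(effective_option "$tmp/good" nx user)"
    rm -rf "$tmp"
}
```

The same `effective_option` call with `kexalgorithms` as the key shows whether a `KexAlgorithms +...` line in a `Host` stanza reached the algorithm list, which is the check Mick's `ssh -v` suggestion performs on a live connection.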
[gentoo-user] a day of PAIN.
Ouch.

Yesterday I made the dubious decision to go ahead and mobo swap my aging 1800x to [nondisclosed].

Ok... The new mobo is EFI only...

Back in the good old days, the BIOS would just load the first sector off your floppy drive, check for a basic sanity check pattern to make sure the floppy cable was connected, working, and not cross-circuited, and then it would work. DOS provided a single command for making a bootable floppy and it **NEVER FAILED**.

This thing does not boot off the motorized cupholder, and setting it up is like the twelve labors of Hercules and you have to get them all exactly correct or it doesn't work at all and it doesn't tell you why it doesn't work. =|

I don't even know how it's working. I had intended it to be a UEFI drive from the start but my old mobo was very forgiving and I think the thing was actually booting in BIOS mode. Turns out the missing ingredient was "efibootmgr"... =\

The designers of the UEFI standard cared about nothing but their own job security.

So I got to see my GRUB menu. YAY (lasted about 5 seconds...)

Machine appeared to stall at kernel loading.

>>> YOU KNOW SOMETHING WAS DESIGNED BY PENGUINS WHEN IT MAKES THE WORST POSSIBLE DESIGN DECISIONS AND THEN BLAMES THE USER FOR NOT MAKING IT WORK... <<<

Case in point, EFI framebuffer. I could end the post there.

Why is this not a forced-on setting for any machine with UEFI enabled? I can't imagine that this would be unacceptable for more than 0.001% of the install base. So therefore it is disabled by default and you have to enable it in at least three different deeply buried settings, otherwise the kernel appears to hang.

In the good old days the BIOS did the following:
Is there something resembling a CPU in the socket? Good!
Where's the goddamn video card so I can post error messages?
Does this machine even have RAM?

So obviously linux is doing this profoundly wrong.

Ok, so it's time to emptytree world my system:

I don't feel comfortable manually yanking any of these packages... What is the canonical solution to this CF?

Total: 1701 packages (628 upgrades, 16 new, 2 in new slots, 1055 reinstalls, 1 uninstall), Size of downloads: 10,521 KiB
Conflict: 4 blocks (2 unsatisfied)

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

(sys-apps/shadow-4.8.1-r2:0/0::gentoo, ebuild scheduled for merge) pulled in by
  sys-apps/shadow required by @system
  sys-apps/shadow required by (net-misc/openssh-8.2_p1-r6:0/0::gentoo, ebuild scheduled for merge) USE="X pam pie ssl -X509 -audit -bindist -debug -hpn -kerberos -ldns -libedit -libressl -livecd -sctp -security-key (-selinux) -static -test -xmss" ABI_X86="(64)"

(sys-apps/util-linux-2.35.1-r2:0/0::gentoo, ebuild scheduled for merge) pulled in by
  sys-apps/util-linux required by (app-text/build-docbook-catalog-1.21:0/0::gentoo, ebuild scheduled for merge) USE="" ABI_X86="(64)"

--
The vaccine is a LIE.
Powers are not rights.
Re: [gentoo-user] emerge stuck after dovecot upgrade
On Thu, 21 May 2020 12:54:49 +0100
Neil Bothwick wrote:

> On Thu, 21 May 2020 11:20:18 +0100, Neil Bothwick wrote:
>
> > On Thu, 21 May 2020 06:44:35 +0200, Andreas Fink wrote:
> >
> > > recently emerge started to get stuck after an upgrade of dovecot, and
> > > it is somehow related to my /etc/portage/bashrc, which has the
> > > following content:
> > >
> > > function post_pkg_postinst() {
> > >     if test "$CATEGORY/$PN" = "dev-db/mariadb"; then
> > >         /etc/init.d/mysql status && /etc/init.d/mysql restart
> > >     elif test "$CATEGORY/$PN" = "www-servers/apache"; then
> > >         /etc/init.d/apache2 status && /etc/init.d/apache2 restart
> > >     elif test "$CATEGORY/$PN" = "net-mail/dovecot"; then
> > >         /etc/init.d/dovecot status && /etc/init.d/dovecot restart
> > >         echo 'going to sleep'
> > >         sleep 5
> > >         echo 'finished sleeping'
> > >     elif test "$CATEGORY/$PN" = "mail-mta/postfix"; then
> > >         /etc/init.d/postfix status && /etc/init.d/postfix restart
> > >     elif test "$CATEGORY/$PN" = "net-misc/openssh"; then
> > >         /etc/init.d/sshd status && /etc/init.d/sshd restart
> > >     fi
> > > }
> > >
> > > I restart dovecot after an upgrade, in the same way as I restart e.g.
> > > postfix. However for dovecot emerge gets stuck and does not continue
> > > and is sitting there quietly (killable only via `pkill -9 emerge`).
> >
> > I can confirm this. I tried your bashrc (nice idea by the way, I
> > normally manually run needrestart after an update) and the dovecot
> > install completed but then hung. The next step is to add set +x to
> > bashrc to see where the hang occurs.
>
> It seems the final echo is executed, but then the function doesn't exit
> for some reason. I tried rewriting it using case, which looks cleaner to
> me but fails in the same way.
>
> function post_pkg_postinst() {
>     set +x
>     case "$CATEGORY/$PN" in
>         "net-mail/dovecot")
>             /etc/init.d/dovecot status && /etc/init.d/dovecot restart
>             echo 'going to sleep'
>             sleep 5
>             echo 'finished sleeping'
>             ;;
>         "mail-mta/postfix")
>             /etc/init.d/postfix status && /etc/init.d/postfix restart
>             ;;
>     esac
> }

I do not think that it is stuck in the bashrc itself, but something that happens in the bashrc makes the emerge python process not realizing that everything finished. These are the interesting running processes after the command `ebuild /usr/portage/net-mail/dovecot/dovecot-2.3.10.1.ebuild qmerge` gets stuck (I cannot see any bash still running, that's why I assume that the bashrc itself finishes):

root      5281  2.0  0.7  71060 63412 pts/0    SN+  16:19   0:01 /usr/bin/python3.7 -b /usr/lib/python-exec/python3.7/ebuild /usr/portage/net-mail/dovecot/dovecot-2.3.10.1.ebuild qmerge
root      5286  8.5  0.0      0     0 pts/0    ZN+  16:19   0:06 [ebuild] <defunct>
root      5869  0.0  0.0   4284  2388 ?        SNs  16:19   0:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
root      5876  0.0  0.0   4152  2620 ?        SN   16:19   0:00 dovecot/log
root      5879  0.0  0.0   6236  4568 ?        SN   16:19   0:00 dovecot/config
root      5883  0.0  0.0  19632  8048 ?        SN   16:19   0:00 dovecot/auth

Cheers
Andreas
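Andreas's process listing shows the hook's bash gone, the `ebuild` child already a zombie, and the freshly restarted dovecot daemons still alive. The added example below (not code from the thread) reproduces one cause that matches that picture, stated here as an assumption rather than the thread's finding: a daemon started from the hook inherits the hook's stdout/stderr pipe, so the parent reading that pipe never sees EOF while the daemon lives. The daemon is simulated with a short `sleep`, and the service restart logic is stubbed; `timeout` is GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the thread.  Simulates a post_pkg_postinst hook
# that starts a long-lived service and shows why the reader of the hook's
# output can block until that service exits.

# Simulated service start: a background process that lives for 3 seconds
# and keeps whatever file descriptors it inherited open the whole time.
start_fake_daemon() {
    sleep 3 &
}

# Hook written like the thread's bashrc: the daemon inherits the hook's
# stdout/stderr, i.e. the pipe the calling process is reading.
restart_leaky() {
    start_fake_daemon
    echo 'finished restarting'
}

# Hardened hook: detach the daemon from every inherited stdio descriptor so
# the pipe's write end is closed as soon as the hook itself returns.
restart_detached() {
    start_fake_daemon </dev/null >/dev/null 2>&1
    echo 'finished restarting'
}

# Run a hook with a reader on its output, as the parent process would, and
# report whether the reader saw EOF within one second.  `cat` only exits on
# EOF, so `timeout` expiring (exit 124) means a writer was still holding the
# pipe open.  Prints "ok" or "hung".
probe() {
    if "$1" | timeout 1 cat >/dev/null; then
        echo ok
    else
        echo hung
    fi
}

# Stand-alone run: expected output is "leaky: hung" then "detached: ok".
main() {
    echo "leaky: $(probe restart_leaky)"
    echo "detached: $(probe restart_detached)"
}
```

In a real hook the same redirections go on the `/etc/init.d/<service> restart` call; sending output to a log file instead of /dev/null keeps the restart's messages without handing the daemon the emerge pipe.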
Re: [gentoo-user] long compiles
In addition to the reference to "qlop":

$ qlop ungoogled-chromium | tail
2022-08-04T19:58:22 >>> www-client/ungoogled-chromium: 9:06:54
2022-08-05T14:27:44 >>> www-client/ungoogled-chromium: 16:19:06
2022-08-25T11:45:37 >>> www-client/ungoogled-chromium: 8:01:54
2022-09-01T10:03:19 >>> www-client/ungoogled-chromium: 15:27:22
2022-09-06T16:29:49 >>> www-client/ungoogled-chromium: 9:46:16
2022-09-14T17:48:16 >>> www-client/ungoogled-chromium: 9:30:29
2022-10-08T03:40:44 >>> www-client/ungoogled-chromium: 1:52:16
2022-10-21T17:58:43 >>> www-client/ungoogled-chromium: 9:24:55
2022-12-16T17:47:27 >>> www-client/ungoogled-chromium: 20:56:08
2023-03-20T14:12:02 <<< www-client/ungoogled-chromium: 2s

Since I am using "ccache", the compilation time is sometimes doubled.

ZzZzZzzz

-Ramon

On 11/09/2023 21:42, Ramon Fischer wrote:

Hi Alan,

just quick and dirty, I am too tired for formalities. :)

The following list contains packages that may be too big for tmpfs and are most probably very time consuming to compile:

$ < /etc/portage/package.env/no_tmpfs.conf
# custom - 20181121 - rfischer: list packages, which are too big for tmpfs
#app-editors/neovim no_tmpfs.conf
#app-emulation/qemu-kv no_tmpfs.conf
#app-office/libreoffice no_tmpfs.conf
#dev-db/mysql no_tmpfs.conf
#dev-java/icedtea no_tmpfs.conf
#dev-lang/ghc no_tmpfs.conf
#dev-lang/ghc no_tmpfs.conf
#dev-lang/mono no_tmpfs.conf
#dev-lang/rust no_tmpfs.conf
#dev-lang/spidermonkey no_tmpfs.conf
#dev-libs/libpcre no_tmpfs.conf
#dev-qt/qtwebengine no_tmpfs.conf
#throttle_make_emerge.conf
#mail-client/thunderbird no_tmpfs.conf
#media-libs/opencv no_tmpfs.conf
#media-libs/opencv no_tmpfs.conf
#net-libs/nodejs no_tmpfs.conf
#net-misc/openssh no_tmpfs.conf
#sci-libs/tensorflow no_tmpfs.conf
#sys-apps/iproute2 no_tmpfs.conf
#sys-devel/clang no_tmpfs.conf
#sys-devel/gcc no_tmpfs.conf
#www-client/chromium no_tmpfs.conf
#throttle_make_emerge.conf
#www-client/firefox no_tmpfs.conf
#www-client/ungoogled-chromium no_tmpfs.conf
#throttle_make_emerge.conf

See also:

* https://wiki.gentoo.org/wiki/Portage_TMPDIR_on_tmpfs#Considering_tmpfs.27_size
* https://wiki.gentoo.org/wiki/Q_applets#Extracting_information_from_emerge_logs_.28qlop.29

Sleeps away.

-Ramon

On 11/09/2023 21:19, Alan McKinnon wrote:

After my long time away from Gentoo, I thought perhaps some packages that always took ages to compile would have improved. I needed to change to ~amd64 anyway (dumb n00b mistake leaving it at amd64). So that's what I did and let emerge do its thing.

chromium has been building since 10:14, it's now 21:16 and still going, so 9 hours at least on this machine to build a browser - almost as bad as openoffice at its worst (regularly took 12 hours).

Nodejs also took a while, but I didn't record time.

What other packages have huge build times?

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
[gentoo-user] hostapd stopped working after reboot
hostapd (0.4.9) stopped working today on my Gentoo server...

daevid ~ # /etc/init.d/hostapd restart
 * Starting hostapd ...
Configuration file: /etc/hostapd/hostapd.conf
ioctl(SIOCGIFINDEX): No such device
hostap driver initialization failed.
rmdir[ctrl_interface]: No such file or directory

This was all working fine yesterday. I had to reboot my server today, so no doubt that is related as something must have been updated.

I see this bug, but I don't think that's exactly my issue, while the error is the same, I don't have the problem he describes.

http://bugs.gentoo.org/show_bug.cgi?id=159646

# ifconfig
wifi0     Link encap:UNSPEC  HWaddr 00-02-6F-09-B2-B4-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1599 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:48264 (47.1 Kb)  TX bytes:4090 (3.9 Kb)
          Interrupt:16 Base address:0xc100

wlan0     Link encap:Ethernet  HWaddr 00:02:6F:09:B2:B4
          inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:10 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:342 (342.0 b)  TX bytes:3882 (3.7 Kb)
          Interrupt:16 Base address:0xc100

Note, I don't have a wlan0ap, but that would come from hostapd I suspect, if it were starting. But the modules are loading...

# lsmod | grep host
hostap_cs 59156 3
hostap08 1 hostap_cs

I don't use WEP or WPA. Just a standard wide open public WAP. Engenius Senao 2511 card.

Here's the most recent stuff that could have had an effect, I don't know the last time I rebooted the server, but I guess it was within this timeframe:

daevid log # genlop -l --date 5 weeks ago | grep -v kde | grep -v gnome | grep -v x11
     Sun Aug 19 17:29:40 2007 >>> dev-libs/expat-2.0.1
     Sun Aug 19 17:30:09 2007 >>> sys-fs/udev-114
     Sun Aug 19 17:30:19 2007 >>> sys-apps/debianutils-2.22.1
     Sun Aug 19 17:32:12 2007 >>> sys-apps/busybox-1.6.1
     Sun Aug 19 17:36:47 2007 >>> sys-devel/gettext-0.16.1-r1
     Sun Aug 19 17:37:04 2007 >>> sys-process/psmisc-22.5-r1
     Sun Aug 19 18:02:34 2007 >>> sys-fs/device-mapper-1.02.19-r1
     Sun Aug 19 18:04:42 2007 >>> app-text/sablotron-1.0.1
     Sun Aug 19 18:19:21 2007 >>> net-libs/opal-2.2.6
     Sun Aug 19 18:20:36 2007 >>> sys-apps/dbus-1.0.2-r2
     Sun Aug 19 18:21:19 2007 >>> dev-libs/dbus-glib-0.73
     Sun Aug 19 18:25:21 2007 >>> sys-devel/gdb-6.6-r2
     Sun Aug 19 18:26:02 2007 >>> dev-libs/apr-util-1.2.8
     Sun Aug 19 18:28:54 2007 >>> app-text/openjade-1.3.2-r1
     Sun Aug 19 20:30:38 2007 >>> dev-libs/pwlib-1.10.5
     Sun Aug 19 20:39:10 2007 >>> sys-fs/cryptsetup-luks-1.0.4-r3
     Sun Aug 19 20:46:12 2007 >>> x11-apps/sessreg-1.0.2
     Sun Aug 19 20:47:25 2007 >>> net-misc/openssh-4.6_p1-r3
     Sun Aug 19 20:55:39 2007 >>> net-dns/libidn-0.6.9-r1
     Sun Aug 19 21:04:32 2007 >>> net-misc/curl-7.16.4
     Sun Aug 19 21:04:37 2007 >>> net-misc/netkit-talk-0.17-r4
     Sun Aug 19 23:50:57 2007 >>> dev-libs/apr-util-1.2.8
     Mon Aug 20 00:03:20 2007 >>> sys-apps/hal-0.5.9-r1
     Mon Aug 20 01:36:07 2007 >>> dev-libs/apr-util-1.2.8
     Mon Aug 20 12:55:06 2007 >>> dev-libs/apr-util-0.9.12-r1
     Thu Sep  6 18:23:04 2007 >>> sys-apps/portage-2.1.2.12
     Thu Sep  6 18:23:23 2007 >>> sys-devel/autoconf-2.61-r1
     Thu Sep  6 18:24:03 2007 >>> net-misc/rsync-2.6.9-r3
     Thu Sep  6 19:34:54 2007 >>> sys-auth/consolekit-0.2.1
     Thu Sep  6 19:36:24 2007 >>> dev-libs/libIDL-0.8.8
     Thu Sep  6 19:50:08 2007 >>> net-misc/vino-2.18.1
     Thu Sep  6 20:06:20 2007 >>> dev-python/pygtkglext-1.1.0
     Thu Sep  6 22:29:46 2007 >>> dev-libs/openssl-0.9.8e-r2
     Thu Sep  6 22:31:12 2007 >>> dev-libs/glib-2.12.13
     Thu Sep  6 22:39:13 2007 >>> sys-libs/db-4.5.20_p2
     Thu Sep  6 22:39:33 2007 >>> net-libs/libpcap-0.9.7
     Thu Sep  6 23:26:55 2007 >>> sys-devel/libtool-1.5.24
     Thu Sep  6 23:28:55 2007 >>> media-libs/alsa-lib-1.0.14a-r1
     Fri Sep  7 11:24:37 2007 >>> dev-python/setuptools-0.6_rc6
     Fri Sep  7 11:28:40 2007 >>> dev-python/pyorbit-2.14.3
     Fri Sep  7 11:30:11 2007 >>> net-misc/dhcp-3.1.0
     Fri Sep  7 11:32:15 2007 >>> net-wireless/wireless-tools-29_pre22
     Fri Sep  7 11:32:21 2007 >>> net-misc/whois-4.7.22
     Fri Sep  7 12:29:13 2007 >>> net-misc/openssh-4.7_p1
     Fri Sep  7 12:30:48 2007 >>> net-mail/dovecot-1.0.3
     Fri Sep  7 12:37:21 2007 >>> net-firewall/iptables-1.3.8-r1
     Tue Sep 11 22:46:28 2007 >>> dev-perl/XML-Parser-2.34-r1
     Tue Sep 11 22:49:34 2007 >>> dev-libs/apr-util-0.9.12-r1

Rebooted server today.

     Tue Sep 18 21:16:25 2007 >>> net-wireless/hostap-utils-0.4.7
     Tue Sep 18 21:16:41 2007 >>> net-wireless/hostapd-0.4.9

The last two entries are where I noticed wifi wasn't working tonight, so I tried to re-emerge it, but that didn't
Re: [gentoo-user] How to freeze my Gentoo system
On Fri, 3 Apr 2009 10:45:46 +0800 Mark David Dumlao madum...@gmail.com wrote:

On Thu, Mar 12, 2009 at 4:13 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

On Thursday 12 March 2009 10:07:03 Dale wrote:

I do understand that getting something stable and working then wanting to keep it that way. I'm just wondering what his mileage may be in the long run.

Here's the first significant result with a sync today:

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild U ] app-text/xpdf-3.02-r2 [3.02-r1] USE=-nodrm LINGUAS=-ar -el -he -ja -ko -la -ru -th -tr -zh_CN -zh_TW 0 kB

Total: 1 package (1 upgrade), Size of downloads: 0 kB

Ahh. ;-)

I guess what's important, unless I see some particular reason to upgrade something, would be this:

glsa-check -tv affected
This system is affected by the following GLSAs:
200808-09 ( OpenLDAP: Denial of Service vulnerability )
200903-11 ( PyCrypto: Execution of arbitrary code )

for glsa in `glsa-check -t affected` ; do glsa-check -p $glsa ; done
This system is affected by the following GLSAs:
Checking GLSA 200808-09
The following updates will be performed for this GLSA:
     net-nds/openldap-2.4.11-r1 (2.3.41)
Checking GLSA 200903-11
The following updates will be performed for this GLSA:
     dev-python/pycrypto-2.0.1-r8 (2.0.1-r6)

In the interest of writing really ugly bash scripts:

# for glsa in `glsa-check -t affected` ; do equery d $( glsa-check -p $glsa |grep -P '^\s+\w+-\w+/' | perl -pe 's/^\s+(\w+-\w+\/.+)-\d[\d.].+/$1/' ) ; done
This system is affected by the following GLSAs:
[ Searching for packages depending on net-nds/openldap... ]
app-admin/sudo-1.7.0 (ldap? =net-nds/openldap-2.1.30-r1)
app-crypt/gnupg-2.0.10 (!static ldap? net-nds/openldap)
                       (ldap? net-nds/openldap)
app-emulation/wine-1.1.12 (ldap? net-nds/openldap)
dev-db/postgresql-base-8.3.5 (ldap? net-nds/openldap)
dev-libs/apr-util-1.3.4 (ldap? =net-nds/openldap-2*)
gnome-base/gconf-2.24.0 (ldap? net-nds/openldap)
gnome-extra/evolution-data-server-2.24.5-r2 (ldap? =net-nds/openldap-2.0)
mail-client/claws-mail-3.7.1 (ldap? =net-nds/openldap-2.0.7)
net-firewall/ipsec-tools-0.7.1 (ldap? net-nds/openldap)
net-fs/samba-3.0.33 (ldap? net-nds/openldap)
net-misc/curl-7.19.4 (ldap? net-nds/openldap)
net-misc/openssh-5.1_p1-r2 (ldap? net-nds/openldap)
net-misc/openswan-2.4.13-r2 (ldap? net-nds/openldap)
net-print/cups-1.3.9-r1 (ldap? net-nds/openldap)
www-servers/apache-2.2.10 (ldap? =net-nds/openldap-2*)
[ Searching for packages depending on dev-python/pycrypto... ]
sys-apps/portage-2.1.6.7 (!build? =dev-python/pycrypto-2.0.1-r6)

Looks like I can fix the use flag and clean out ldap if I want to do so, but I'm stuck with pycrypto (or the build use flag):

euse -i build
global use flags (searching: build)
[-] build - !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used for creating build images and the first half of bootstrapping [make stage1]

... that's pretty clear. '-)

I can only imagine what will happen if he forgets that package.mask and then removes it six months later:-)

I too, have spent a couple of days wondering what was masking a package before remembering that it was me.

And just to see if there's any upside evident:

mv /etc/portage/package.mask /etc/portage/package.mask.bak
emerge -puDNtv system
mv /etc/portage/package.mask.bak /etc/portage/package.mask

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild U ] net-misc/openssh-5.2_p1-r1 [5.1_p1-r2] USE=X pam tcpd -X509 -hpn -kerberos -ldap -libedit -pkcs11% (-selinux) -skey -smartcard -static 993 kB
[ebuild U ] sys-devel/gcc-4.3.3-r2 [4.3.2-r3] USE=fortran gtk mudflap nls openmp (-altivec) -bootstrap -build -doc (-fixed-point) -gcj (-hardened) -ip28 -ip32r10k -libffi (-multilib) -multislot (-n32) (-n64) -nocxx -nopie -objc -objc++ -objc-gc -test -vanilla 58,063 kB

Total: 2 packages (2 upgrades), Size of downloads: 59,055 kB

Hmm.

# mv /etc/portage/package.mask /etc/portage/package.mask.bak
emerge -puDNtv world
mv /etc/portage/package.mask.bak /etc/portage/package.mask

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild U ] dev-java/sun-jre-bin-1.6.0.13 [1.6.0.12] USE=X alsa nsplugin odbc 78,284 kB [0]
(... and some perl modules).

So, that's ssh, gcc and java I can pass on today... figure I can unmask in a month and update any of these packages, if I feel like it.

But, http://bugs.gentoo.org/buglist.cgi?quicksearch=xpdf (search on the one update I took), it looks like there was a good gentoo reason and maybe a good gentoo response. As I understand it, if the maintainer thinks the recent changes/patches are significant, I'll get a -rN for a new ebuild. OTOH, if there's a new version of something I care about tracking new
[gentoo-user] Wacky ssh X11 question...
I've three independent hosts - imaginatively called A, B and C. Firewall rules dictate that A can be directly accessed from B, but not from C... A and B run the openssh sshd, and C is a terminal with a working X-Windows display.

C has a ssh session opened with B which tunnels port 22 on C to 22 on A. Thereafter, it is possible to ssh to localhost on C and get a ssh connection to A, which in turn I successfully use to tunnel IMAP, SMTP, Squid - etc.

I'd have expected to be able to tunnel X11 over this link from C to A - but it fails... I'm unclear if the reason for the failure is the additional tunnelling... Is this technique incompatible with X11 tunnelling? Is there a way to make it work with a reverse-tunnel or something like that? Am I barking up the wrong tree entirely?

--
HostC# echo $DISPLAY
:0.0
HostC# cat .ssh/config
ForwardX11 yes
HostC# ssh localhost -X
HostA# echo $DISPLAY

HostA# exit
HostC# ssh localhost -Y
HostA# echo $DISPLAY

HostA# exit
HostC#
--

If I use -v -v I get this output... Curiously I have /usr/X11R6/bin/xauth on HostC, but xauth is in /usr/bin on host A.

--
HostC# ssh localhost -Y
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /home/user/.ssh/config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-BEGIN'
debug2: key_type_from_name: unknown key type '-END'
debug1: identity file /home/user/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 121/256
debug2: bits set: 483/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:4
debug2: bits set: 540/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1
Re: [gentoo-user] emerge --oneshot portage
On 03/13/2018 12:11 PM, Neil Bothwick wrote:
> On Tue, 13 Mar 2018 11:36:12 -0600, the...@sys-concept.com wrote:
>
>> sys-apps/portage:0
>>
>> (sys-apps/portage-2.3.16:0/0::gentoo, ebuild scheduled for merge) pulled in by
>> sys-apps/portage (Argument)
>>
>> (sys-apps/portage-2.3.6:0/0::gentoo, installed) pulled in by
>> sys-apps/portage[python_targets_pypy(-)?,python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,-python_single_target_pypy(-),-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-)] required by (app-portage/gentoolkit-0.3.3:0/0::gentoo, installed)
>
> Your old version of gentoolkit (and other packages mentioned in the full
> output) is causing this. Trying to upgrade an out of date system
> piecemeal can cause this. Just do an emerge -u @system and let portage
> resolve these issues rather than trying to do it yourself.

After unmerging some old packages, "emerge -u @system" seems to be working, THANKS

Though, I think I'm not out of the "woods" yet. It was nice not to worry about upgrades for a while, but after, upgrading an old system takes double the amount of work.

The "emerge -u @system" finished without any problems.
But:

emerge --oneshot -avq portage

[ebuild rR ] app-arch/bzip2-1.0.6-r8 [1.0.6-r8] USE="-static -static-libs" ABI_X86="32 (64) (-x32)"
[ebuild U ] sys-devel/automake-1.15.1-r2 [1.15-r2] USE="{-test%}"
[ebuild r U ] sys-libs/zlib-1.2.11-r1 [1.2.11] USE="minizip -static-libs" ABI_X86="32 (64) (-x32)"
[ebuild NS ] dev-lang/python-3.5.4-r1 [2.7.12, 3.4.5] USE="gdbm ipv6 ncurses readline ssl (threads) xml -build -examples -hardened -libressl -sqlite {-test} -tk -wininst"
[ebuild N] dev-python/pyblake2-1.1.0 PYTHON_TARGETS="python2_7 python3_5 (-pypy) -python3_4 -python3_6"
[ebuild U ] sys-apps/portage-2.3.24-r1 [2.3.6] USE="(ipc) native-extensions xattr -build -doc -epydoc -gentoo-dev% (-rsync-verify) (-selinux) (-linguas_ru%)" PYTHON_TARGETS="python2_7 python3_5* (-pypy) -python3_4* -python3_6"

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

sys-libs/zlib:0

  (sys-libs/zlib-1.2.11-r1:0/1::gentoo, ebuild scheduled for merge) pulled in by
    (no parents that aren't satisfied by other packages in this slot)

  (sys-libs/zlib-1.2.11:0/0::gentoo, installed) pulled in by
    sys-libs/zlib:0/0= required by (media-gfx/imagemagick-6.9.8.6:0/6.9.8.6::gentoo, installed)
    ^
    >=sys-libs/zlib-1.2.8-r1:0/0=[abi_x86_32(-),abi_x86_64(-)] required by (dev-libs/libxml2-2.9.4-r1:2/2::gentoo, installed)
    ^
    >=sys-libs/zlib-1.1.3:0/0= required by (dev-lang/python-3.4.5:3.4/3.4m::gentoo, installed)
    ^
    sys-libs/zlib:0/0= required by (app-text/evince-3.22.1:0/evd3.4-evv3.3::gentoo, installed)
    ^
    >=sys-libs/zlib-1.2.3:0/0=[abi_x86_32(-),abi_x86_64(-)] required by (dev-db/mysql-5.6.35:0/18::gentoo, installed)
    ^
    >=sys-libs/zlib-1.2.8-r1:0/0=[abi_x86_32(-),abi_x86_64(-)] required by (media-libs/tiff-4.0.6:0/0::gentoo, installed)
    ^
    >=sys-libs/zlib-1.1.3:0/0= required by (dev-lang/python-2.7.12:2.7/2.7::gentoo, installed)
    ^
    >=sys-libs/zlib-1.2.3:0/0= required by (net-misc/openssh-7.5_p1-r1:0/0::gentoo, installed)
    ^
    (and 12 more with the same problems)

sys-apps/portage:0

  (sys-apps/portage-2.3.24-r1:0/0::gentoo, ebuild scheduled for merge) pulled in by
    sys-apps/portage (Argument)

  (sys-apps/portage-2.3.6:0/0::gentoo, installed) pulled in by
    sys-apps/portage[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_t
Re: [gentoo-user] slot conflict for the same package: how to add a USE flag?
    >=sys-libs/zlib-1.2.8-r1[abi_x86_64(-)] required by (sys-apps/file-5.33-r4:0/0::gentoo, installed)
    >=sys-libs/zlib-1.2.8-r1:0/1=[abi_x86_64(-)] required by (x11-libs/libpciaccess-0.14:0/0::gentoo, installed)
    >=sys-libs/zlib-1.2.8-r1[abi_x86_64(-)] required by (dev-libs/elfutils-0.170-r1:0/0::gentoo, installed)
    >=sys-libs/zlib-1.2.8-r1[abi_x86_64(-)] required by (sys-libs/cracklib-2.9.6-r1:0/0::gentoo, installed)
    >=sys-libs/zlib-1.2.8-r1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] required by (media-libs/freetype-2.9.1-r3:2/2::gentoo, installed)

  (sys-libs/zlib-1.2.11-r2:0/1::gentoo, ebuild scheduled for merge) pulled in by
    >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] required by (dev-libs/openssl-1.1.1g:0/1.1::gentoo, ebuild scheduled for merge)

dev-libs/openssl:0

  (dev-libs/openssl-1.1.1g:0/1.1::gentoo, ebuild scheduled for merge) pulled in by
    dev-libs/openssl:0=[bindist=] required by (dev-qt/qtnetwork-5.14.1:5/5.14::gentoo, ebuild scheduled for merge)

  (dev-libs/openssl-1.0.2p:0/0::gentoo, installed) pulled in by
    dev-libs/openssl:0/0= required by (net-misc/wget-1.19.5:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (dev-lang/ruby-2.2.9:2.2/2.2::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (app-text/mupdf-1.13.0:0/1.13.0::gentoo, installed)
    ^
    >=dev-libs/openssl-1.0.1h-r2:0/0=[abi_x86_64(-)] required by (dev-libs/cyrus-sasl-2.1.26-r9:2/2::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (dev-util/cargo-0.30.0:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (net-misc/openssh-7.7_p1-r9:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (net-analyzer/nmap-7.70:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0/0=[abi_x86_64(-)] required by (app-arch/libarchive-3.3.1:0/13::gentoo, installed)
    ^
    >=dev-libs/openssl-0.9.6m:0/0= required by (net-analyzer/tcpdump-4.9.2:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0/0=[abi_x86_64(-)] required by (net-misc/curl-7.61.1:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (dev-lang/python-2.7.15:2.7/2.7::gentoo, installed)
    ^
    >=dev-libs/openssl-0.9.6:0/0= required by (mail-client/mutt-1.7.2:0/0::gentoo, installed)
    ^
    >=dev-libs/openssl-1.0.1:0/0=[bindist] required by (net-misc/openssh-7.7_p1-r9:0/0::gentoo, installed)
    ^
    >=dev-libs/openssl-1.0.1h-r2:0/0=[abi_x86_64(-)] required by (net-libs/libssh2-1.8.0-r1:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (dev-lang/python-3.6.5:3.6/3.6m::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (dev-perl/Net-SSLeay-1.820.0:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] required by (app-crypt/rhash-1.3.6-r1:0/0::gentoo, installed)
    dev-libs/openssl:0/0= required by (dev-lang/ruby-2.3.6:2.3/2.3::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (x11-base/xorg-server-1.19.5-r2:0/1.19.5::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (net-misc/iputils-20171016_pre:0/0::gentoo, installed)
    ^
    >=dev-libs/openssl-1.0.1h-r2:0/0=[abi_x86_64(-)] required by (net-nds/openldap-2.4.44:0/0::gentoo, installed)
    ^
    dev-libs/openssl:0/0= required by (app-emulation/virtualbox-5.2.14-r1:0/0::gentoo, installed)
    ^
    (and 4 more with the same problems)

NOTE: Use the '--verbose-conflicts' option to display parents omitted above

!!! The slot conflict(s) shown above involve package(s) which may need to
!!! be rebuilt in order to solve the conflict(s). However, the following
!!! package(s) cannot be rebuilt for the reason(s) shown:

  (app-emulation/virtualbox-5.2.14-r1:0/0::gentoo, installed): ebuild is masked or unavailable
  (dev-lang/ruby-2.2.9:2.2/2.2::gentoo, installed): ebuild is masked or unavailable
  (net-misc/openssh-7.7_p1-r9:0/0::gentoo, installed): ebuild is masked or unavailable
  (net-misc/wget-1.19.5:0/0::gentoo, installed): ebuild is masked o
[gentoo-user] SSHd: Permission denied (publickey,keyboard-interactive).
I hooked up my old server box today so that I could update the software, only to find that I could not ssh over to it:

[EMAIL PROTECTED] ~ $ ssh bullet
Permission denied (publickey,keyboard-interactive).

There were no 'official' logs, but a website I found on google suggested running

/usr/sbin/sshd -ddd -p 2202

and then trying to shell over with

ssh -p 2202 boxname

Here's the output. I piped it to a file:

[EMAIL PROTECTED] ~ $ cat sshd.log
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 237
debug2: parse_server_config: config /etc/ssh/sshd_config len 237
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:60 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
debug3: /etc/ssh/sshd_config:91 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:127 setting Subsystem sftp/usr/lib/misc/sftp-server
debug1: sshd version OpenSSH_4.7p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2202'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2202 on 0.0.0.0.
Server listening on 0.0.0.0 port 2202.
socket: Address family not supported by protocol
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
[gentoo-user] emerge starts slowly
I have a system with a 1.33Ghz Athlon-XP with a decently fast IDE hard drive
I have a system with a 1.80Ghz AMD64 with a decently fast IDE hard drive

When I run emerge -s whatever or emerge sync or any emerge command apparently, it usually takes about 1 second to start the command on the AMD64 system whereas on the Athlon-XP system it usually takes about 10-30 seconds for the command to start. What I mean by that is for example

1. # emerge -s tcpdump (press enter)
2. Searching... spinner
3. output of search

the time it takes to get to #2 is 1 or less seconds on the AMD64 and 10-30 seconds on the Athlon-XP. As I said, this seems to be the case for any emerge command on the Athlon-XP system. I seem to recall it not being so slow in the past. Both are on 2.6 kernels and both have plenty of RAM. Gentoo was installed on the Athlon-XP about 2 or 3 years ago but it is up to date.

Anyone have any ideas?

Athlon-XP emerge info:

Portage 2.0.51.22-r3 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r2, 2.6.13-gentoo-r3 i686)
=
System uname: 2.6.13-gentoo-r3 i686 AMD Athlon(tm) XP 1500+
Gentoo Base System version 1.6.13
ccache version 2.3 [enabled]
dev-lang/python: 2.2.3-r5, 2.3.5-r2, 2.4.2
sys-apps/sandbox:1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS=x86
AUTOCLEAN=yes
CBUILD=i686-pc-linux-gnu
CFLAGS=-march=athlon-xp -O2 -pipe -funroll-loops -ftracer
CHOST=i686-pc-linux-gnu
CONFIG_PROTECT=/etc /usr/kde/2/share/config /usr/kde/3.4/env\ /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config\ /usr/lib/X11/xkb /usr/share/config /var/qmail/control
CONFIG_PROTECT_MASK=/etc/gconf /etc/terminfo /etc/env.d
CXXFLAGS=-march=athlon-xp -O2 -pipe -funroll-loops -ftracer
DISTDIR=/usr/portage/distfiles
FEATURES=autoconfig buildpkg ccache distlocks sandbox sfperms strict
GENTOO_MIRRORS=http://128.213.5.34/gentoo/ http://open-systems.ufl.edu/mirrors/gentoo http://gentoo.mirrors.pair.com/;
MAKEOPTS=-j2
PKGDIR=/usr/portage/packages
PORTAGE_TMPDIR=/var/tmp
PORTDIR=/usr/portage
PORTDIR_OVERLAY=/usr/local/portage
SYNC=rsync://rsync.gentoo.org/gentoo-portage
USE=x86 3dnow X X509 acl adns alsa apm arts audiofile avi berkdb bitmap-fonts bonobo bzip2 cddb cdr chroot crypt cups curl dedicated directfb divx4linux dts dvb dvd dvdr dvdread edl eds emboss encode esd ethereal exif expat fam ffmpeg flac foomaticdb fortran freetds gd gdbm gif gimp glut gphoto2 gpm gstreamer gtk gtk2 gtkhtml hpn idn imagemagick imap imlib ipv6 jabber java jpeg junit kde kdeenablefinal kdexdeltas lcms ldap libcaca libg++ libwww mad matroska mhash mikmod mmx mng motif mp3 mpeg mppe-mppc mssql mysql nas ncurses network nls nowin nvidia ogg oggvorbis openal opengl openntpd openssh oss pam pcre pdflib perl png python qt quicktime rdesktop readline real samba scanner sdl sftplogging slang snmp speex spell sse ssl svg svga tcltk tcpd tiff truetype truetype-fonts type1-fonts udev usb videos vorbis wmf xine xinerama xml xml2 xmms xv xvid zlib userland_GNU kernel_linux elibc_glibc
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

--
gentoo-user@gentoo.org mailing list
[gentoo-user] ssh and tar combined?
Hi All,

One day I hope to learn how to use ssh and the associated commands. So far I have been struggling just to copy a file from one box (192.168.0.3) to another (192.168.0.2). This is what I get, but since I can't find the 'copied' file . . . I suspect it fails. I don't understand why:

==
# ssh [EMAIL PROTECTED]
Password:
[EMAIL PROTECTED] scp -pv [EMAIL PROTECTED]:/mnt/sda14/sda10_home.tar .
Executing: program /usr/bin/ssh host 192.168.0.3, user root, command scp -v -p -f /mnt/sda14/sda10_home.tar
OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: /etc/ssh/ssh_config line 33: Deprecated option RhostsAuthentication
debug1: /etc/ssh/ssh_config line 37: Deprecated option FallBackToRsh
debug1: /etc/ssh/ssh_config line 38: Deprecated option UseRsh
debug1: Connecting to 192.168.0.3 [192.168.0.3] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server-client aes128-cbc hmac-md5 none
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(102410248192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.0.3' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: scp -v -p -f /mnt/sda14/sda10_home.tar
Sending file modes: C0644 536002560 sda10_home.tar
sda10_home.tar 100% 511MB 24.3MB/s 00:21
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 21.5 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
[EMAIL PROTECTED] exit
logout
Connection to 192.168.0.3 closed.
=

Ideally I would like to connect and tar | scp the directories/files from one box to another in a single motion. Any advice to help me understand how to make this work, or why the above attempt fails would be much appreciated.

--
Regards,
Mick
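The single-step pipeline Mick is asking about, as an added example that is not from the thread: tar on the sending side writes the tree to stdout, ssh carries the stream, and tar on the receiving side unpacks it, so no intermediate .tar file is needed. The function names, the SSH_CMD override used for local testing, and the example destination path are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: stream a directory tree through
# one ssh session, packing with tar on the sending side and unpacking on
# the receiving side.
# Assumptions: the remote account can run tar and mkdir, and ssh can
# authenticate to "$host" (the session above used keyboard-interactive).

# The ssh client is overridable so the pipeline can be exercised locally;
# leave it unset to use the real ssh.
SSH_CMD="${SSH_CMD:-ssh}"

# tar_over_ssh SRC_DIR USER@HOST DEST_DIR  (push: local tree -> remote)
#   -C "$src" makes archive paths relative to SRC_DIR, so nothing can land
#   outside DEST_DIR on the far side; -p on extract keeps file modes.
tar_over_ssh() {
    src="$1"
    host="$2"
    dest="$3"
    [ -d "$src" ] || { printf 'tar_over_ssh: %s is not a directory\n' "$src" >&2; return 1; }
    tar -C "$src" -cf - . | $SSH_CMD "$host" "mkdir -p '$dest' && tar -xpf - -C '$dest'"
}

# tar_from_ssh USER@HOST SRC_DIR DEST_DIR  (pull: remote tree -> local)
#   The mirror image: tar runs on the far side, extraction happens here.
tar_from_ssh() {
    host="$1"
    src="$2"
    dest="$3"
    mkdir -p "$dest" && $SSH_CMD "$host" "tar -C '$src' -cf - ." | tar -xpf - -C "$dest"
}

# Example invocation with constructed paths (the IPs are the two boxes in
# the post): copy /home on this box to 192.168.0.2 in one go.
#   tar_over_ssh /home root@192.168.0.2 /mnt/sda14/home_copy
if [ "$#" -eq 3 ]; then
    tar_over_ssh "$1" "$2" "$3"
fi
```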
[gentoo-user] problem emerging kde-meta
hi everyone,

after a fresh installation of gentoo (using the minimal cd) I try to emerge kde-meta kde-i18n kdm but an error occurred, 41 packages block the emerge. There is the output of the emerge --pretend and package.keyword .use and .unmask.

ps I have emerged XGL and BERYL (only emerged, without config anything)

best regards
Donato

app-shells/bash bashlogger
net-wireless/madwifi-ng injection
sys-devel/gcc gcj objc objc++ objc-gc
net-misc/openssh X509 chroot hpn libedit
# -- XGL --
dev-util/subversion -nowebdav
x11-libs/cairo glitz pdf png X
x11-libs/cairo newspr
x11-libs/libXft newspr
net-wireless/wpa_supplicant gsm
net-analyzer/wireshark adns kerberos portaudio
net-analyzer/net-snmp diskio elf mfd-rewrites sendmail smux
media-sound/alsa-tools fltk
www-client/mozilla-firefox java xforms mozdevelop
media-video/vlc bidi cdda cddb corba daap directfb flac httpd libcaca libnotify matroska mod musepack ogg optimisememory rtsp sdl-image seamonkey shout skins speex stream theora upnp vlm vorbis xosd xv
media-video/vlc aalib asd live
media-video/mplayer aalib amr bidi bl cdparanoia cpudetection directfb enca esd jack libcaca live lzo matrox mmx mmxext musepack nas openal real rtc speex tga theora vorbis xanim xv xvmc

net-wireless/madwifi-ng-tools
net-wireless/madwifi-ng
# START XGL AND BERYL
# XGL Dependencies
dev-util/git
media-libs/glitz
media-libs/mesa
x11-apps/mesa-progs
sys-apps/man
x11-libs/cairo
dev-python/pycairo
x11-libs/qt
x11-misc/util-macros
x11-proto/glproto
x11-apps/xvinfo
x11-apps/xlsclients
x11-libs/libwnck
x11-misc/xwinwrap
virtual/xft
gnome-base/gconf
gnome-base/libgnomeui
x11-libs/gtk+
dev-libs/glib
x11-libs/libdrm
# XGL Package
x11-base/xgl
#Required for Beryl
x11-apps/xlsclients
# Beryl Core
x11-wm/beryl **
x11-wm/beryl-core **
x11-plugins/beryl-plugins **
x11-misc/beryl-manager **
x11-misc/beryl-settings **
x11-misc/beryl-settings-bindings **
# Additional Plugins
x11-plugins/beryl-plugins-unsupported **
x11-plugins/beryl-plugins-vidcap **
# Window Decorators
x11-wm/emerald **
x11-themes/emerald-themes **
x11-wm/aquamarine **
x11-wm/heliodor **
# END XGL and BERYL
media-libs/freetype
x11-libs/libXft
x11-drivers/ati-drivers
x11-apps/ati-drivers-extra
net-wireless/kismet
dev-java/sun-jdk
dev-java/sun-jre
virtual/jre
virtual/jdk
dev-java/sun-jre-bin
media-libs/win32codecs

# Dependencies
dev-util/git
media-libs/glitz
media-libs/mesa
x11-apps/mesa-progs
sys-apps/man
x11-libs/cairo
dev-python/pycairo
x11-libs/qt
x11-misc/util-macros
x11-proto/glproto
x11-apps/xvinfo
x11-apps/xlsclients
x11-libs/libwnck
x11-misc/xwinwrap
virtual/xft
gnome-base/gconf
gnome-base/libgnomeui
x11-libs/gtk+
dev-libs/glib
x11-libs/libdrm
#XGL Package
x11-base/xgl
Re: [gentoo-user] after an update i can't boot my kernel anymore
you continued the emerge after glibc failed right?

emerge --resume --skipfirst

On 3/20/06, Keats [EMAIL PROTECTED] wrote:

hi,

if i do an update of my system like this :

emerge -pDN system

--newuse implies --update... adding --update to options.

These are the packages that would be merged, in order:

Calculating system dependencies... done!
[blocks B ] sys-apps/pam-login (is blocking sys-apps/shadow-4.0.14-r2)
[ebuild U ] sys-devel/patch-2.5.9-r1 [2.5.9]
[ebuild U ] app-shells/bash-3.1_p11 [3.0-r12]
[ebuild U ] sys-libs/readline-5.1_p2 [5.0-r2]
[ebuild U ] sys-devel/gnuconfig-20060227 [20051223]
[ebuild U ] sys-devel/binutils-2.16.1-r2 [2.16.1]
[ebuild U ] sys-devel/gcc-config-1.3.13-r1 [1.3.12-r6]
[ebuild U ] sys-devel/m4-1.4.4 [1.4.3]
[ebuild U ] sys-devel/bison-2.1 [1.875d]
[ebuild U ] sys-apps/sed-4.1.4-r1 [4.1.4]
[ebuild U ] sys-apps/texinfo-4.8-r3 [4.8-r2]
[ebuild U ] sys-devel/gcc-3.4.5 [3.4.4-r1]
[ebuild U ] sys-kernel/linux-headers-2.6.11-r3 [2.6.11-r2]
[ebuild N] sys-libs/timezone-data-2006b
[ebuild U ] sys-libs/glibc-2.3.6-r3 [2.3.5-r2]
[ebuild U ] sys-devel/gettext-0.14.5 [0.14.4] USE=-nocxx%
[ebuild U ] sys-apps/groff-1.19.2-r1 [1.19.1-r2]
[ebuild U ] sys-apps/man-1.6c [1.6-r1]
[ebuild U ] sys-libs/db-4.2.52_p4 [4.2.52_p2-r1]
[ebuild U ] dev-libs/openssl-0.9.7i [0.9.7e-r2]
[ebuild U ] dev-lang/python-2.4.2-r1 [2.4.2] USE=ipv6*
[ebuild U ] sys-apps/sandbox-1.2.17 [1.2.12]
[ebuild U ] sys-apps/debianutils-2.15 [2.14.1-r1]
[ebuild U ] sys-apps/sysvinit-2.86-r5 [2.86-r3]
[ebuild U ] sys-devel/autoconf-wrapper-3.2 [3-r1]
[ebuild U ] sys-devel/autoconf-2.59-r7 [2.59-r6]
[ebuild N] virtual/perl-Test-Simple-0.62
[ebuild U ] dev-perl/Locale-gettext-1.05 [1.03] USE=minimal%
[ebuild U ] sys-apps/help2man-1.35.1 [1.33.1]
[ebuild U ] sys-apps/coreutils-5.94-r1 [5.2.1-r6]
[ebuild U ] sys-apps/baselayout-1.11.14-r6 [1.11.14-r3] USE=unicode*
[ebuild U ] sys-fs/udev-086 [079-r1]
[ebuild U ] sys-devel/flex-2.5.33-r1 [2.5.4a-r6] USE=nls%
[ebuild U ] sys-apps/findutils-4.3.0 [4.1.20-r2]
[ebuild U ] sys-devel/make-3.80-r4 [3.80-r2]
[ebuild U ] app-crypt/hashalot-0.3-r2 [0.3-r1]
[ebuild U ] sys-fs/e2fsprogs-1.38-r1 [1.38]
[ebuild U ] sys-apps/util-linux-2.12r-r3 [2.12r-r1]
[ebuild U ] app-arch/bzip2-1.0.3-r6 [1.0.3-r5]
[ebuild U ] app-arch/tar-1.15.1-r1 [1.15.1]
[ebuild U ] sys-process/psmisc-22.2 [21.9] USE=ipv6* -X%
[ebuild U ] sys-apps/grep-2.5.1a [2.5.1-r8]
[ebuild U ] net-misc/rsync-2.6.7 [2.6.0-r6] USE=ipv6%
[ebuild U ] sys-apps/less-394 [385_p4-r2] USE=unicode*
[ebuild U ] sys-libs/cracklib-2.8.9 [2.8.5]
[ebuild U ] sys-libs/pam-0.78-r5 [0.78-r3]
[ebuild R ] sys-apps/tcp-wrappers-7.6-r8 USE=ipv6*
[ebuild U ] net-misc/openssh-4.3_p2-r1 [4.2_p1-r1] USE=ipv6*
[ebuild U ] sys-apps/shadow-4.0.14-r2 [4.0.7-r4]
[ebuild U ] sys-process/procps-3.2.6 [3.2.5-r1]
[ebuild U ] sys-apps/module-init-tools-3.2.2 [3.0-r2]
[ebuild U ] sys-apps/gawk-3.1.5 [3.1.4-r4]
[ebuild U ] sys-apps/kbd-1.12-r6 [1.12-r5]
[ebuild R ] net-misc/wget-1.10.2 USE=ipv6*
[ebuild U ] sys-apps/file-4.17-r1 [4.13]
[ebuild U ] sys-apps/net-tools-1.60-r12 [1.60-r11]
[ebuild U ] app-editors/nano-1.3.10-r1 [1.3.9] USE=minimal* unicode*
[ebuild R ] net-misc/iputils-021109-r3 USE=ipv6*

so i do :

emerge --unmerge pam-login
emerge -DN system

and all is going ok, only glibc-2.3.6-r3 failed but nevermind...

when i reboot, i got an error : warning: unable to open kernel

what am i doing wrong ?

thanx for help.

--
Cheers,
Ghaith
[gentoo-user] emerge tinyca fails...
After getting into a real pickle with a kernel upgrade (causing me to corrupt my /dev) I opted to re-install from the latest minimal install CD rather than try to unpick the mess.

My gentoo box is used almost exclusively remotely as a mail/web server - however I find tinyca a very useful tool which I use occasionally (remotely over SSH/X11) - tinyca is the only GUI application I need to install. In the past I've run emerge tinyca and all the dependencies were sorted out for me...

However, with the latest portage, and only apache/zope/postfix/dovecot/openssh installed from it, when I emerge tinyca, gnome-base/gnome-libs-1.4.2 is identified as a dependency - and this does not compile (error messages below.) As far as I am aware, I've set no USE flags that should affect this package...

Any ideas?

--
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./.. -I/usr/include -I/usr/include/gtk-1.2 -I/usr/include/glib-1.2 -I/usr/lib/glib/include -DWITH_GTK -DDEBUG -DGNOME_LIB -I/usr/include/gtk-1.2 -I/usr/include/glib-1.2 -I/usr/lib/glib/include -O2 -march=pentium2 -pipe -I/usr/include/db1 -Wall -Wunused -c readXPM.c -fPIC -DPIC -o .libs/readXPM.lo
readXPM.c:138:21: error: X11/xpm.h: No such file or directory
readXPM.c:148: error: expected declaration specifiers or '...' before 'XpmImage'
readXPM.c:164: error: expected declaration specifiers or '...' before 'XpmImage'
readXPM.c: In function 'doXpm':
readXPM.c:189: error: 'xpm_image' undeclared (first use in this function)
readXPM.c:189: error: (Each undeclared identifier is reported only once
readXPM.c:189: error: for each function it appears in.)
readXPM.c:240: warning: implicit declaration of function 'my_x_query_colors'
readXPM.c:282: warning: implicit declaration of function 'XpmFreeXpmImage'
readXPM.c: In function '_XmHTMLReadXPM':
readXPM.c:299: error: 'XpmImage' undeclared (first use in this function)
readXPM.c:299: error: expected ';' before 'xpm_image'
readXPM.c:300: error: 'XpmInfo' undeclared (first use in this function)
readXPM.c:300: error: expected ';' before 'foo'
readXPM.c:303: error: 'xpm_image' undeclared (first use in this function)
readXPM.c:304: error: 'foo' undeclared (first use in this function)
readXPM.c:306: warning: implicit declaration of function 'XpmCreateXpmImageFromBuffer'
readXPM.c:307: error: 'XpmSuccess' undeclared (first use in this function)
readXPM.c:311: warning: implicit declaration of function 'XpmGetErrorString'
readXPM.c:314: warning: implicit declaration of function 'XpmFreeXpmInfo'
readXPM.c:322: error: too many arguments to function 'doXpm'
readXPM.c: In function '_XmHTMLCreateXpmFromData':
readXPM.c:338: error: 'XpmImage' undeclared (first use in this function)
readXPM.c:338: error: expected ';' before 'xpm_image'
readXPM.c:339: error: 'XpmInfo' undeclared (first use in this function)
readXPM.c:339: error: expected ';' before 'foo'
readXPM.c:342: error: 'xpm_image' undeclared (first use in this function)
readXPM.c:343: error: 'foo' undeclared (first use in this function)
readXPM.c:345: warning: implicit declaration of function 'XpmCreateXpmImageFromData'
readXPM.c:345: error: 'XpmSuccess' undeclared (first use in this function)
readXPM.c:360: error: too many arguments to function 'doXpm'
make[2]: *** [readXPM.lo] Error 1
make[2]: Leaving directory `/var/tmp/portage/gnome-libs-1.4.2/work/gnome-libs-1.4.2/gtk-xmhtml'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/gnome-libs-1.4.2/work/gnome-libs-1.4.2'
make: *** [all-recursive-am] Error 2

!!! ERROR: gnome-base/gnome-libs-1.4.2 failed.
Call stack:
  ebuild.sh, line 1546: Called dyn_compile
  ebuild.sh, line 937: Called src_compile
  gnome-libs-1.4.2.ebuild, line 64: Called die

!!! (no error message)
!!! If you need support, post the topmost build error, and the call stack if relevant.
--
Re: [gentoo-user] Testing how secure a server is...
On Wed, Aug 03, 2005 at 02:25:29AM +, Raphael Melo de Oliveira Bastos Sales wrote:

Which IDS system do you recommend? I also need to worry about HTTP auth brute force. Know any way to stop it from happening? I've read about HoneyPots, which I can only assume is a decoy for an attacker. Does anyone know how to set one up? I have a feeling that there isn't much I can do if a pro actually tries to break the system. All I can do is keep the dummies from doing it as well. Beats me there? Guys? Thoughts?

I don't run an enterprise server. I am just a student q=. All I care about is not having my own server rooted by script kiddies to serve warez. With that said, since I found most IDS too powerful for my needs and difficult to configure (too steep a learning curve for my limited needs), I just code my own IDS in perl q=. I just have scripts that parse the server logs and look for trigger conditions, at which time they block off the offending site or the entire service for a set amount of time as necessary. Pretty standard way to deal with things, I believe. But then, since you are really into security, perhaps you need better systems.

Finally, if you are just working with the SSH portion of the brute-forcing problem, /. had an article about it a few weeks back. There were MANY IDS systems posted in the comments that specifically work with openssh.

HTH, W

2005/8/3, Willie Wong [EMAIL PROTECTED]:

On Tue, Aug 02, 2005 at 09:43:17PM -0400, Colin wrote:

Neither is what I was thinking of, but they're quite similar. LoginGraceTime means if nobody logged in within 10 minutes of the connection being opened, then it will be closed. I don't know exactly what MaxAuthTries does, but I imagine after the sixth invalid login, the connection would be closed.

Yes, and if the failure count reaches half the number, all further failures will be logged. In the case of MaxAuthTries 6 it means that the first three failures will go unnoticed, the fourth through sixth logged, and the connection closes after that. There is, unfortunately, not an option in sshd_config to allow for the behaviour you specified, where after a password failure, the next prompt comes up delayed by five seconds. Perhaps it should be put in as a feature request (=.

Your best bet against brute forcing sshd is 1) not allowing password login at all, or 2) using some sort of IDS coupled with a firewall rule to block the particular host after multiple login failures. But even that won't stop a distributed brute force. But then again, if you are guarding a system that really demands that much security against a determined cracker, you really should consider NOT putting the system on the internet. Or 3) maybe port-knocking? Note that just by running ssh on a non-standard port, you probably are avoiding most of the 5||21p7 kiddie attacks... again, only someone who really wants in on your system will take the effort to locate where sshd is listening.

I found this site, check it out. It's for Red Hat (Gentoo is better!), but it's the same SSHd: http://www.faqs.org/docs/securing/chap15sec122.html

-- It's easy to come up with new ideas; the hard part is letting go of what worked for you two years ago, but will soon be out of date. -- Roger Von Oech

Sortir en Pantoufles: up 2 days, 9:25

-- A nice box of chocolates can provide your total daily intake of calories in one place. Now, isn't that handy?

Sortir en Pantoufles: up 2 days, 12:06

-- gentoo-user@gentoo.org mailing list
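The "IDS coupled with a firewall rule" approach that the thread recommends, written out as an added example (this is not code from the thread or from any of its posters): a Python script that parses sshd "Failed password" lines in syslog format, counts failures per source address inside a sliding window, and builds the iptables rules a log-watching hook would run. The hostname, addresses, times and log lines are constructed for the example; the threshold of four failures within ten minutes, the year used to complete the syslog timestamps, and the chain name are assumptions. The line with a crafted username shows why the pattern is anchored at the end of the line: sshd appends the real client address last, so a username that itself contains "from 10.0.0.1 port 22" must not be allowed to shift the blame onto an innocent host.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a username crafted to look like a different source address.
INJECTED_LINE = ("Aug  3 03:32:00 sortir sshd[4160]: Failed password for invalid user "
                 "x from 10.0.0.1 port 22 from 203.0.113.9 port 33004 ssh2")

# Constructed sample sshd log lines in syslog format (host, addresses and
# times are made up for this example; they are not from the thread).
SAMPLE_LOG = [
    "Aug  3 02:25:01 sortir sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Aug  3 02:25:03 sortir sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Aug  3 02:25:05 sortir sshd[4122]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Aug  3 02:25:09 sortir sshd[4125]: Failed password for root from 203.0.113.5 port 51244 ssh2",
    "Aug  3 02:25:40 sortir sshd[4130]: Accepted publickey for waltdnes from 198.51.100.7 port 40000 ssh2",
    "Aug  3 02:26:10 sortir sshd[4131]: Failed password for waltdnes from 198.51.100.7 port 40002 ssh2",
    "Aug  3 02:50:00 sortir sshd[4140]: Failed password for invalid user test from 203.0.113.9 port 33000 ssh2",
    "Aug  3 02:51:00 sortir sshd[4141]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2",
    "Aug  3 03:30:00 sortir sshd[4150]: Failed password for invalid user test from 203.0.113.9 port 33002 ssh2",
    "Aug  3 03:31:00 sortir sshd[4151]: Failed password for invalid user test from 203.0.113.9 port 33003 ssh2",
    INJECTED_LINE,
    "Aug  3 03:33:00 sortir sshd[4161]: Failed password for invalid user test from 203.0.113.9 port 33005 ssh2",
]

# Greedy ".+" for the user plus the "ssh2$" anchor means the address captured is
# the LAST "from ... port ..." on the line, which is the one sshd itself wrote.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)


def parse_line(line, year=2005):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    # Syslog lines carry no year; the caller supplies it (assumption: no
    # year rollover inside the window being examined).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def find_offenders(lines, threshold=4, window_seconds=600, year=2005):
    """Map each source address that reached `threshold` failures inside any
    `window_seconds`-long window to the time the threshold was first hit."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    offenders = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # accepted logins, other daemons, etc.
        ts, _user, ip = parsed
        hits = recent[ip]
        hits.append(ts)
        while hits and (ts - hits[0]).total_seconds() > window_seconds:
            hits.popleft()
        if len(hits) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def block_commands(offenders, chain="INPUT"):
    """Build the firewall rules a hook would execute (returned, not run)."""
    cmds = []
    for ip in sorted(offenders):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # never interpolate unvalidated log text into a command
        tool = "ip6tables" if addr.version == 6 else "iptables"
        cmds.append(f"{tool} -I {chain} -s {addr} -p tcp --dport 22 -j DROP")
    return cmds


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
    for cmd in block_commands(found):
        print(cmd)  # a real hook would subprocess.run(cmd.split(), check=True)
```

The hook only has something to count while password logins are still allowed; with PasswordAuthentication no in sshd_config (option 1 in the post) these lines stop appearing, and a block rule keyed on one address still does nothing against the distributed brute force the post mentions.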
[gentoo-user] emerge --sync fails
Hi,

I have an emerge --sync problem (emerge-webrsync still works):

emerge --sync
Starting rsync with rsync://140.211.166.165/gentoo-portage...
Checking server timestamp ...
building file list ...
rsync: link_stat /root/300 failed: No such file or directory (2)
rsync: link_stat /root/rsync://140.211.166.165/gentoo-portage/metadata/timestamp.chk failed: No such file or directory (2)
done
Number of files: 0
Number of files transferred: 0
Total file size: 0 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 5
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 21
Total bytes received: 20
sent 21 bytes received 20 bytes 82.00 bytes/sec
total size is 0 speedup is 0.00
rsync error: some files could not be transferred (code 23) at main.c(892) [sender=2.6.8]
Retrying...

I did a touch /root/300. I did an emerge --metadata, but emerge --sync still fails. Here is the emerge --info:

Portage 2.1 (default-linux/x86/2006.0, gcc-3.3.6, glibc-2.3.6-r4, 2.6.17-rc4 i686)
=
System uname: 2.6.17-rc4 i686 Intel(R) Pentium(R) 4 CPU 1.70GHz
Gentoo Base System version 1.6.14
dev-lang/python: 2.3.5-r2, 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1-r2
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS=x86
AUTOCLEAN=yes
CBUILD=i686-pc-linux-gnu
CFLAGS=-O2 -march=pentium4
CHOST=i686-pc-linux-gnu
CONFIG_PROTECT=/etc /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc
CONFIG_PROTECT_MASK=/etc/env.d /etc/gconf /etc/terminfo
CXXFLAGS=-O2 -march=pentium4
DISTDIR=/usr/portage/distfiles
FEATURES=autoconfig distlocks metadata-transfer sandbox sfperms strict
GENTOO_MIRRORS=http://gentoo.chem.wisc.edu/gentoo/
MAKEOPTS=-j2
PKGDIR=/usr/portage/packages
PORTAGE_RSYNC_EXTRA_OPTS=300
PORTAGE_RSYNC_OPTS=--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'
PORTAGE_TMPDIR=/var/tmp
PORTDIR=/usr/portage
SYNC=rsync://rsync.gentoo.org/gentoo-portage
USE=x86 X alsa apache2 apm arts avi berkdb bgpclassless bitmap-fonts chroot cli crypt cups dri dvd eds emacs emboss encode esd fastcgi fbsplash firefox fix-connected-rt flash foomaticdb fortran gdbm gencertdaily gif gmail gmailtimestamps gnome gpgme gpm gstreamer gtalk gtk gtk2 gvim imap imlib ipalias iproute2 ipv6 isdnlog j2ee javascript jboss jpeg kde kdepim kdexdeltas kerberos kexi key-screen kig-scripting ldapsam ldirectord libg++ libwww lighttpd live logmail ltsp mad mailwrapper mikmod modperl motif mp3 mpeg multipath nagios-dns nagios-game nagios-ntp nagios-ping nagios-ssh nautilus ncurses net netbeans netboot network nfs nls noauthcram notlsbeforeauth nptl nptlonly ntfs ogg opengl openssh openssl oracle ospfapi oss pam pcre pdf pdflib perl png postfix pppd python qmail qt quicktime readline realms reflection rrdcgi rrdtool sasl sdl sendmail session spamassassin spell spl ssl stream tcp-zebra tcpd tcpmd5 truetype truetype-fonts type1-fonts udev unicode userlocales verbose vfat virus-scan vnc voice vorbis wxgtk1 wxwindows xml xmlrpc xmms xorg xv yahoo zip zlib elibc_glibc kernel_linux userland_GNU
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

Please help me, I do not know what happened. Thanks in advance.

-- Rafael Alfaro. Omnilife Independent Distributor. People taking care of people.
Re: [gentoo-user] mysql USE flag error
2009/10/19 Renat Golubchyk ragerm...@gmx.net:

On Mon, 19 Oct 2009 06:56:57 +0100 Mick michaelkintz...@gmail.com wrote:

I am not sure I understand this message about the mysql USE flag:
=
# emerge -upDv world
These are the packages that would be merged, in order:
Calculating dependencies... done!
emerge: there are no ebuilds built with USE flags to satisfy >=x11-libs/qt-sql-4.5.0:4[mysql].
!!! One of the following packages is required to complete your request:
- x11-libs/qt-sql-4.5.2 (Change USE: +mysql)
(dependency required by app-office/akonadi-server-1.2.1 [ebuild])
(dependency required by kde-base/kdepimlibs-4.3.1 [ebuild])
(dependency required by kde-base/krfb-4.3.1 [ebuild])
(dependency required by world [argument])

kde-base/krfb-4.3.1 requires kde-base/kdepimlibs-4.3.1 which requires app-office/akonadi-server-1.2.1 which requires >=x11-libs/qt-sql-4.5.0:4[mysql]

Actually app-office/akonadi-server-1.2.1 requires >=x11-libs/qt-sql-4.5.0:4[mysql?,sqlite?] which means mysql or sqlite, defaulting to mysql.

Thanks Renat, I am still struggling to understand why mysql is being dragged in. It seems that x11-libs/qt-sql-4.5.2 is already installed with the sqlite flag:
=
Installed versions: 4.5.2(4)(12:30:57 10/10/09)(iconv qt3support sqlite -debug -firebird -mysql -odbc -pch -postgres)
=

I've added -mysql in /etc/portage/package.use for x11-libs/qt-sql but it makes no difference. Then I added mysql and all this mess comes up:
=
# emerge -upDv world
These are the packages that would be merged, in order:
Calculating dependencies... done!
!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

x11-libs/qt-sql:4

('ebuild', '/', 'x11-libs/qt-sql-4.5.2', 'merge') pulled in by
>=x11-libs/qt-sql-4.5.0:4[mysql] required by ('ebuild', '/', 'app-office/akonadi-server-1.2.1', 'merge')

('installed', '/', 'x11-libs/qt-sql-4.5.2', 'nomerge') pulled in by
>=x11-libs/qt-sql-4.5.1:4[qt3support] required by ('ebuild', '/', 'kde-base/kmix-4.3.1', 'merge')
>=x11-libs/qt-sql-4.5.1:4[qt3support] required by ('ebuild', '/', 'kde-base/kontactinterfaces-4.3.1', 'merge')
>=x11-libs/qt-sql-4.5.1:4[qt3support] required by ('ebuild', '/', 'kde-base/kimagemapeditor-4.3.1', 'merge')
(and 117 more)

sys-auth/pambase:0

('ebuild', '/', 'sys-auth/pambase-20090620.1-r1', 'merge') pulled in by
sys-auth/pambase required by world
sys-auth/pambase[consolekit] required by ('ebuild', '/', 'net-wireless/bluez-4.39-r2', 'merge')

('installed', '/', 'sys-auth/pambase-20090620.1-r1', 'nomerge') pulled in by
sys-auth/pambase required by world
>=sys-auth/pambase-20081028 required by ('installed', '/', 'net-misc/openssh-5.2_p1-r3', 'nomerge')
>=sys-auth/pambase-20080219.1 required by ('installed', '/', 'sys-apps/shadow-4.1.2.2', 'nomerge')
(and 1 more)

It may be possible to solve this problem by using package.mask to prevent one of those packages from being selected. However, it is also possible that conflicting dependencies exist such that they are impossible to satisfy simultaneously. If such a conflict exists in the dependencies of two different packages, then those packages can not be installed simultaneously. For more information, see MASKED PACKAGES section in the emerge man page or refer to the Gentoo Handbook.

emerge: there are no ebuilds built with USE flags to satisfy >=dev-python/PyQt4-4.5[dbus,sql,svg,webkit,X].
!!! One of the following packages is required to complete your request:
- dev-python/PyQt4-4.5.4-r4 (Change USE: +sql +webkit)
(dependency required by kde-base/pykde4-4.3.1 [ebuild])
(dependency required by kde-base/plasma-workspace-4.3.1 [ebuild])
(dependency required by kde-base/kdebase-meta-4.3.1 [ebuild])
(dependency required by world [argument])
=

It seems to me that it may be easier to just unmerge krfb and forget about it, but there must be a more elegant solution to this?

-- Regards, Mick
Re: [gentoo-user] NEW idea: Kernel panics and more info
I think I typed in something wrong and sort of made a mess of it. I had to copy a backup file for group and passwd to get things working again. Here is what I have right now:

root@fireball / # cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
man:x:13:15:man:/usr/share/man:/bin/false
postmaster:x:14:12:postmaster:/var/spool/mail:/bin/false
portage:x:250:250:portage:/var/tmp/portage:/bin/false
nobody:x:65534:65534:nobody:/:/bin/false
sshd:x:22:22:added by portage for openssh:/var/empty:/sbin/nologin
messagebus:x:101:199:added by portage for dbus:/dev/null:/sbin/nologin
avahi:x:102:197:added by portage for avahi:/dev/null:/sbin/nologin
mysql:x:60:60:added by portage for mysql:/dev/null:/sbin/nologin
ldap:x:439:439:added by portage for openldap:/usr/lib64/openldap:/sbin/nologin
cron:x:16:16:added by portage for cronbase:/var/spool/cron:/sbin/nologin
uptimed:x:103:102:added by portage for uptimed:/dev/null:/sbin/nologin
ntp:x:123:123:added by portage for ntp:/var/empty:/sbin/nologin
games:x:36:35:added by portage for gnugo:/usr/games:/bin/bash
haldaemon:x:104:101:added by portage for hal:/dev/null:/sbin/nologin
dale:x:1000:1000::/home/dale:/bin/bash
gkrellmd:x:105:997:added by portage for gkrellm:/dev/null:/sbin/nologin
hsqldb:x:106:996:added by portage for hsqldb:/dev/null:/bin/sh
kdm:x:107:995:added by portage for kdm:/var/lib/kdm-4.5:/sbin/nologin
nut:x:84:84:added by portage for nut:/var/lib/nut:/sbin/nologin
polkituser:x:108:994:added by portage for polkit:/dev/null:/sbin/nologin
dale2:x:1001:500::/home/dale2:/bin/bash

root@fireball / # cat /etc/group
NEW INFO ALERT
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:dale,dale2
disk::6:root,adm
lp::7:lp,dale,dale2
mem::8:
kmem::9:
wheel::10:root,dale,dale2
floppy::11:root,dale
mail::12:mail
news::13:news
uucp::14:uucp,nut,dale,dale2
man::15:man
console::17:
audio::18:dale,dale2
cdrom::19:dale,dale2
dialout::20:root,dale,dale2
tape::26:root
video::27:root,dale,dale2
cdrw::80:dale,dale2
usb::85:dale,dale2
users::100:games,dale,dale2
nofiles:x:200:
smmsp:x:209:smmsp
portage::250:portage
utmp:x:406:dale,dale2
nogroup::65533:
nobody::65534:
sshd:x:22:
messagebus:x:199:
netdev:x:198:
avahi:x:197:
lpadmin:x:106:dale
mysql:x:60:
ldap:x:439:
cron:x:16:
locate:x:105:
ssmtp:x:104:
crontab:x:103:
uptimed:x:102:
ntp:x:123:
games:x:35:dale,dale2
plugdev:x:999:dale,dale2
scanner:x:998:dale2
dale:x:1100:
gkrellmd:x:997:
hsqldb:x:996:
kdm:x:995:dale2
nut:x:84:nut,dale,uucp
polkituser:x:994:dale,dale2
wireshark:x:993:dale,dale2
dale2:x:1000:
root@fireball / #

What I would like to do is get rid of things that shouldn't be there. It appears I have a group or two that shouldn't exist. I guess anyway. I know about groupdel but want to make sure before I actually do anything AGAIN. When I did this a few minutes ago, kdm wouldn't let me login until I restored group and passwd. Should I have a group called dale and dale2? Those are my users. dale is my main account and dale2 is for when I need to test a clean account. Does anyone see anything else that needs fixing here?

Thanks much.

Dale :-) :-)
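A consistency check of the kind the post asks for, as an added example (this is not code from the thread or from its poster): a Python script that reads passwd and group text and reports primary GIDs that no group defines, users whose primary group carries another name, group members that have no passwd entry, duplicate UIDs or GIDs, extra UID-0 accounts, and service accounts that still have an interactive shell. The embedded sample is a subset of the entries shown in the post above; the cutoff of UID 999 for service accounts and the list of shells counted as interactive are assumptions for this example.

```python
# Sample entries copied from the /etc/passwd and /etc/group listings in the
# post above (a subset), embedded so the checker runs stand-alone.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
sshd:x:22:22:added by portage for openssh:/var/empty:/sbin/nologin
games:x:36:35:added by portage for gnugo:/usr/games:/bin/bash
hsqldb:x:106:996:added by portage for hsqldb:/dev/null:/bin/sh
dale:x:1000:1000::/home/dale:/bin/bash
dale2:x:1001:500::/home/dale2:/bin/bash
"""

GROUP_SAMPLE = """\
root::0:root
wheel::10:root,dale,dale2
users::100:games,dale,dale2
smmsp:x:209:smmsp
sshd:x:22:
games:x:35:dale,dale2
dale:x:1100:
hsqldb:x:996:
dale2:x:1000:
"""

# Assumptions for this example: UIDs up to 999 are service accounts, and
# these shells count as interactive.
SYSTEM_UID_MAX = 999
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; a line without 7 fields is an error."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def parse_group(text):
    """Parse group(5) lines; the password field may be empty or 'x'."""
    groups = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _pw, gid, members = fields
        groups.append({"name": name, "gid": int(gid),
                       "members": [m for m in members.split(",") if m]})
    return groups


def audit(passwd_text, group_text, system_uid_max=SYSTEM_UID_MAX):
    """Return a list of (finding-code, subject) tuples; empty means clean."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    findings = []
    by_gid = {}
    for g in groups:
        by_gid.setdefault(g["gid"], []).append(g["name"])
    for gid, names in by_gid.items():
        if len(names) > 1:
            findings.append(("dup-gid", f"{gid}:{','.join(names)}"))
    seen_uid = {}
    for u in users:
        if u["uid"] in seen_uid:
            findings.append(("dup-uid", f"{u['uid']}:{seen_uid[u['uid']]},{u['name']}"))
        seen_uid.setdefault(u["uid"], u["name"])
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))
        if u["gid"] not in by_gid:
            # login tools cannot resolve the primary group; kdm refusing logins
            # in the post is the kind of symptom this produces
            findings.append(("missing-primary-gid", f"{u['name']}:{u['gid']}"))
        elif u["uid"] > system_uid_max and u["name"] not in by_gid[u["gid"]]:
            findings.append(("primary-group-name-mismatch",
                             f"{u['name']}:{u['gid']}={by_gid[u['gid']][0]}"))
        if 0 < u["uid"] <= system_uid_max and u["shell"] in INTERACTIVE_SHELLS:
            findings.append(("system-account-with-shell", f"{u['name']}:{u['shell']}"))
    user_names = {u["name"] for u in users}
    for g in groups:
        for member in g["members"]:
            if member not in user_names:
                findings.append(("dangling-member", f"{g['name']}:{member}"))
    return findings


if __name__ == "__main__":
    for code, subject in audit(PASSWD_SAMPLE, GROUP_SAMPLE):
        print(f"{code:30} {subject}")
```

Run it against the live files with the contents of /etc/passwd and /etc/group passed to audit(); it only reads and never writes to /etc. The shadow suite's own pwck and grpck do the structural checks (missing primary groups, duplicate IDs, bad member lists) on the real files, so use those for the repair and this script to see what each finding means before deleting anything.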
RE: [gentoo-user] Re: systemd? [ Was: The End Is Near ... ]
From: Walter Dnes [mailto:waltd...@waltdnes.org]
Sent: Thursday, March 22, 2012 5:14 PM

On Wed, Mar 21, 2012 at 09:35:55PM -0400, Michael Mol wrote

What we're talking about with systemd vs openrc, and things like sshd first-time initialization, is all within the realm of responsibility of the packager. It's a shift in the way the distribution itself works. We're not talking about a scenario where you shunt things upstream, so the whole "your position would have rejected Linux" angle is a red herring.

This is a frustrating game of whack-a-mole. Person A comes up with a position, I rebut it, and then person B comes up with a different position, and I have to rebut it. There have been people in this thread who have said that the program best knows what it needs, and should handle its own initialization. That was what I was replying to. I'll reply to your position now.

You know the old adage: if you ask 5 geeks a question you get 6 different answers. This whole discussion is somewhat surreal to me, when taken in conjunction with the other heated debate we just finished having:

* udev is evil and horrible because it's trying to do too much and is too complex.
* systemd is evil and horrible because it isn't doing enough and is too simple.

And I'm pretty sure I've seen at least one person making both arguments simultaneously.

Why does that spawned process have to be sshd? Why can't it be some shell script which does the one-time checks, and then launches sshd itself?

So instead of the initscript doing the checking+setup and launching the service, it launches a second script... which does the checking+setup and launches the service. FACEPALM. See my post with the joke of digging a second hole to dump the dirt from the first hole into. Instead of one script, we now have two scripts. This is *NOT* simplification.

It works fine for mysql, or postfix, or apache, or any of the dozens of other programs that have helper scripts whose sole purpose is to act as an entry point to starting up the actual service. It's a common and well-accepted way of performing required initialization on startup. I don't see why sshd has to be special here.

Why does that shell script need to be distributed as part of the init system's package, and not part of the package associated with the service?

I don't understand what you're arguing here. *THE INITSCRIPT IS OWNED BY THE SERVICE PACKAGE*, not by the init package. E.g. net-misc/openssh, not sys-apps/openrc.

You are absolutely correct; the discussion of who owns the init script is completely tangential to the systemd vs openrc argument; in both cases, the required startup files will be provided by the package maintainer and installed by the ebuild, not by the rc system.

I think the confusion may have started way back when Canek tried to compare the simplicity of sshd.service to the complexity of /etc/init.d/sshd. That's the unfair, apples-to-oranges comparison that triggered this entire debate. The part that's been lost here is that systemd doesn't run init scripts(*); it launches configured services. These are *not* shell scripts; they are ini-file-like things that define parameters, much like xinetd's configuration files. Of course, I don't see why this is a problem: configure systemd to launch sshd's init script, which keeps doing the same thing it always has been doing.

This is why the comparison between systemd's service config and openrc's script is unfair. You /cannot/ get rid of the complexity of /etc/init.d/sshd, you can only make it so that openrc and systemd can *both* take advantage of that complexity when starting sshd. That may, of course, require the package maintainer to provide 3 items instead of one: an openrc init script, a systemd service description, and an rc-agnostic helper script, in order to be fully systemd-compatible.
In the meantime, the systemd package maintainer will likely be forced to provide some kind of compatibility shims to run existing openrc scripts that have not yet been refactored, but that's the cost of choice. It may already do this, I don't know. I have not yet installed systemd anywhere but I am curious enough to try it on my laptop. So I will be that much more informed in the near future :) (*) As I understand it, systemd *can* run SysV-style init scripts, but Gentoo's startup scripts are too dependent on openrc-supplied logic to be reusable in any meaningful sense. --Mike
[gentoo-user] Re: sshfs - cannot unmount as normal user
On 13/09/12 14:37, Helmut Jarausch wrote:

Hi, for a short time now I have had a critical problem with sshfs. I cannot unmount it!

For two days, I think, I have had the same problem. Not with sshfs, but with NTFS-3G, which uses FUSE. I can mount as user, but I can only unmount as root. I've no idea what package is responsible for this change of behavior. qlop -l for the last 6 days shows:

Sat Sep 8 13:20:41 2012 dev-libs/elfutils-0.155
Sat Sep 8 13:21:02 2012 app-crypt/p11-kit-0.14
Sat Sep 8 13:25:54 2012 app-emulation/wine-1.5.12
Sat Sep 8 23:10:52 2012 sys-apps/kmod-10
Sat Sep 8 23:11:19 2012 net-misc/openssh-6.1_p1
Sun Sep 9 17:15:50 2012 sys-apps/portage-2.1.11.14
Sun Sep 9 17:28:38 2012 dev-libs/mpc-1.0.1
Sun Sep 9 17:28:50 2012 media-sound/alsa-utils-1.0.26
Sun Sep 9 17:28:53 2012 dev-util/gdbus-codegen-2.32.4
Sun Sep 9 17:29:30 2012 dev-libs/libxml2-2.8.0-r2
Sun Sep 9 17:30:03 2012 app-crypt/gcr-3.4.1
Sun Sep 9 17:30:30 2012 gnome-base/gnome-keyring-3.4.1
Sun Sep 9 17:30:42 2012 gnome-base/libgnome-keyring-3.4.1
Sun Sep 9 17:57:55 2012 sys-devel/gcc-4.6.3
Sun Sep 9 18:13:49 2012 sys-devel/gcc-4.7.1
Sun Sep 9 21:18:39 2012 dev-lang/v8-3.12.19.7
Mon Sep 10 12:46:27 2012 dev-libs/libxslt-1.1.26-r4
Mon Sep 10 12:46:44 2012 gnome-base/librsvg-2.36.3
Mon Sep 10 12:46:52 2012 dev-libs/quazip-0.5
Mon Sep 10 12:47:23 2012 app-crypt/gcr-3.4.1-r1
Mon Sep 10 19:28:47 2012 net-print/cups-filters-1.0.24
Mon Sep 10 19:30:21 2012 kde-base/kdepimlibs-4.9.1-r1
Mon Sep 10 19:31:01 2012 kde-base/konqueror-4.9.1-r1
Tue Sep 11 01:11:44 2012 app-crypt/gcr-3.4.1-r2
Tue Sep 11 13:08:28 2012 app-misc/mc-4.8.5
Tue Sep 11 21:17:04 2012 dev-vcs/mercurial-2.3.1
Tue Sep 11 21:17:19 2012 media-libs/taglib-1.8
Wed Sep 12 00:33:16 2012 net-libs/libpcap-1.3.0
Wed Sep 12 15:10:14 2012 sys-apps/portage-2.1.11.16
Wed Sep 12 15:31:13 2012 x11-apps/xbacklight-1.2.0
Wed Sep 12 15:32:15 2012 x11-libs/cairo-1.12.2-r4
Wed Sep 12 15:32:20 2012 app-benchmarks/i7z-0.27.2
Wed Sep 12 15:40:34 2012 dev-util/qt-creator-2.6.0_beta
Thu Sep 13 20:25:53 2012 dev-lang/v8-3.12.19.8
Thu Sep 13 20:26:48 2012 net-dns/bind-tools-9.9.1_p3
Thu Sep 13 20:27:04 2012 app-admin/sudo-1.8.6_p1
Thu Sep 13 20:27:22 2012 gnome-base/librsvg-2.36.3
Thu Sep 13 20:27:40 2012 dev-cpp/libcmis-0.1.0-r1
Re: [gentoo-user] Question about updating /etc/portage/package.use
On Wed, Oct 17, 2012 at 07:26:54PM -0700, Mark Knecht wrote

On Wed, Oct 17, 2012 at 7:19 PM, Mark Knecht markkne...@gmail.com wrote:

Post package.use please. Cheers, Mark

Also, what version of portage are you using? Note that I've never seen this message and other than adds and deletes haven't changed my package.use file in I don't know how long.

It's sys-apps/portage-2.1.11.9

My /etc/portage/package.use is attached. I start my USE with -* so I have to put a lot of stuff in package.use. Anyhow, I ran an update world. When I ran etc-update, here are the changes it wanted to make to package.use...

1)
-app-emulation/qemu-kvm sdl
+# move app-emulation/qemu-kvm app-emulation/qemu
+app-emulation/qemu sdl

So they changed the name. No problem. I'll do this manually.

2)
-media-video/mplayer iconv

?!?!? But, but, but... on my first attempt, the update refused to run, claiming that iconv is required if I specify truetype. Now 5 minutes later, it wants me to remove the iconv flag.

3)
-www-client/midori deprecated

No bleeping way!

* Short story: Flash does not work on linux midori without this option
* Long story. See I got midori working, including Flash which I posted on the 15th in this forum. The Flash binary is GTK+:2 and only works if linked with GTK+:2, which deprecated causes. The default install links against GTK+:3, which seems to be ABI-incompatible with Flash video (sound still works). BTW, this install is on my media PC hooked up to my 50 plasma TV, not my regular working machine.

I went and deleted the new config, so I don't accidentally enable it some day.

-- Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications

app-arch/zip -bzip2
app-crypt/gnupg -X
app-editors/vim -X
app-emulation/dosemu -X
app-emulation/wine -mp3
app-emulation/qemu sdl
app-misc/mc -X ncurses
app-shells/bash readline
# following items required by xpdf
app-text/poppler abiword xpdf-headers utils
app-text/xpdf motif
dev-lang/python readline xml
dev-libs/xmlrpc-c curl
dev-libs/libxml2 python
mail-mta/ssmtp mta
mail-client/mutt buffysize gpgme mbox pop smime smtp
media-fonts/terminus-font pcf
media-gfx/imagemagick raw
media-gfx/ufraw contrast gimp hotpixels
media-libs/alsa-lib midi
media-libs/libsdl alsa audio -joystick video
media-libs/mesa gallium
media-libs/win32codecs real
media-sound/timidity++ -X
media-sound/mpg123 alsa
media-video/ffmpeg alsa faac faad
media-video/mplayer iconv
media-libs/libpng apng
media-libs/libtheora encode
media-video/avidemux x264
media-video/mplayer alsa ass encode i8x0 mmxext real ssse3 -joystick quicktime rtmp -vorbis x264 xvmc
net-misc/openssh -X
net-nntp/slrn uudeview
www-plugins/gecko-mediaplayer ass
sys-apps/groff -X
sys-devel/gcc fortran
sys-fs/mtools -X
sys-libs/glibc glibc-omitfp userlocales
www-client/dillo gif jpeg png
www-client/midori deprecated
www-client/w3m -X -imlib
www-plugins/adobe-flash 64bit
x11-base/xorg-server xorg
x11-wm/icewm imlib
x11-base/xorg-x11 bitmap-fonts font-server truetype-fonts type1-fonts
# If it's going to be a rescue package, it damn well better work
# standalone when libraries get screwed up. Also set mdev for
# udev-less operation.
sys-apps/busybox mdev static
# Goffice requires the next 2 lines
# and first line also enables SVG support in Firefox
x11-libs/cairo svg
dev-libs/libpcre unicode
# Next line required for Dillo to properly render scalable fonts
x11-libs/fltk xft
media-sound/alsaplayer alsa audiofile
# Postgresql stuff
dev-db/postgresql-base threads zlib doc readline
dev-db/postgresql-server doc perl python tcl uuid xml
Re: [gentoo-user] Debian just voted in systemd for default init system in jessie
On Sun, Feb 16, 2014 at 12:59 PM, Volker Armin Hemmann volkerar...@googlemail.com wrote:

[ snip ]

or it is an idiotic decision. Because features means complexity.

Yeah, like the kernel.

Complexity means bugs.

Bugs get reported, bugs get fixed. Life goes on.

And you don't want complexity in PID1 or init. Let those 'features' be handled by their own specialists.

Almost all the features of systemd live outside of PID 1.

You know, the unix way. Do one thing, do it well.

This is from my desktop machine:

/usr/lib/systemd/systemd-reply-password
/usr/lib/systemd/ntp-units.d
/usr/lib/systemd/systemd-coredump
/usr/lib/systemd/systemd-hostnamed
/usr/lib/systemd/systemd-binfmt
/usr/lib/systemd/systemd-localed
/usr/lib/systemd/systemd-machined
/usr/lib/systemd/systemd-sleep
/usr/lib/systemd/system-generators
/usr/lib/systemd/system-generators/systemd-system-update-generator
/usr/lib/systemd/system-generators/systemd-gpt-auto-generator
/usr/lib/systemd/system-generators/systemd-efi-boot-generator
/usr/lib/systemd/system-generators/systemd-fstab-generator
/usr/lib/systemd/system-generators/systemd-getty-generator
/usr/lib/systemd/system-generators/gentoo-local-generator
/usr/lib/systemd/systemd-fsck
/usr/lib/systemd/systemd-bootchart
/usr/lib/systemd/systemd-shutdown
/usr/lib/systemd/systemd-random-seed
/usr/lib/systemd/system-sleep
/usr/lib/systemd/systemd-remount-fs
/usr/lib/systemd/user-generators
/usr/lib/systemd/systemd-sysctl
/usr/lib/systemd/systemd-timedated
/usr/lib/systemd/catalog
/usr/lib/systemd/system-shutdown
/usr/lib/systemd/systemd-udevd
/usr/lib/systemd/systemd-multi-seat-x
/usr/lib/systemd/systemd-cgroups-agent
/usr/lib/systemd/systemd-user-sessions
/usr/lib/systemd/systemd-journal-gatewayd
/usr/lib/systemd/systemd-quotacheck
/usr/lib/systemd/systemd-shutdownd
/usr/lib/systemd/systemd-modules-load
/usr/lib/systemd/systemd-backlight
/usr/lib/systemd/systemd-ac-power
/usr/lib/systemd/systemd-initctl
/usr/lib/systemd/systemd-readahead
/usr/lib/systemd/systemd-journald
/usr/lib/systemd/systemd-activate
/usr/lib/systemd/systemd
/usr/lib/systemd/systemd-update-utmp
/usr/lib/systemd/systemd-vconsole-setup
/usr/lib/systemd/systemd-logind

All of them are different tools providing one capability to systemd as a whole. So systemd is a collection of tools, where each one does one thing, and it does it well. By your definition, systemd perfectly follows the unix way.

Use text to communicate.

systemd can communicate basically everything via text:

centurion ~ # systemctl show sshd.service | head
Id=sshd.service
Names=sshd.service
Requires=basic.target
Wants=system.slice
WantedBy=multi-user.target
Conflicts=shutdown.target
Before=shutdown.target multi-user.target
After=syslog.target network.target auditd.service systemd-journald.socket basic.target system.slice
Description=OpenSSH server daemon
LoadState=loaded

For performance reasons, some things are passed or stored as data. But everything works with text also. So, again, it passes your definition.

That stuff. That makes things easy. And flexible. And replaceable.

Easy to whom? And systemd is more flexible than a lot of init systems, in my opinion including OpenRC. All the configuration and APIs are documented, public and open source. Everything is replaceable if there is someone willing and able to write a replacement.

Regards.

-- Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México