Re: [gentoo-user] pip

2022-07-18 Thread karl
Neil Bothwick:
> On Wed, 13 Jul 2022 10:40:34 +0200 (CEST), k...@aspodata.se wrote:
...
> > $ pip
> > pip: no python-exec wrapped executable found in /usr/lib/python-exec.
...
> You may need to re-emerge pip if the last file you have is for python3.6.
...

Thanks, that solved it.

Regards,
/Karl Hammar




Re: [gentoo-user] net-libs/nodejs

2022-07-18 Thread karl
tastytea:
> On 2022-07-07 00:19+0200 k...@aspodata.se wrote:
...
> > /usr/lib/gcc/x86_64-pc-linux-gnu/10.2.0/../../../../
> > x86_64-pc-linux-gnu/bin/ld:
> >  failed to set dynamic section sizes: memory exhausted
...
> I'm not familiar with nodejs in particular, but dropping the debug
> USE-flag will probably reduce the amount of memory it needs somewhat.
> You could also add more swap, or look into zswap¹ or zram².

Dropping debug and adding swap solved it, thanks.

Regards,
/Karl Hammar




Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread Grant Taylor

On 7/18/22 3:28 AM, J. Roeleveld wrote:
> Either on the client where the agent is running, but also on the 
> system I connected to.


I have always considered that there is enough sensitive data on the 
client and that there are already enough things running there that I end 
up considering the client a sensitive / secure system as a unit.  This 
seems to be especially true with servers hosting automation.  But to 
each their own.


As for the security of the forwarded agent, I've generally been okay 
with root on the target system having access to the agent.  Especially 
when I have used different key pairs for different destination hosts and 
/ or specify the from stanza in the authorized_keys file.


If you want to, you can specify how long, in seconds, that a key can be 
used in an agent.  So if you have a running agent, you can load a key 
and specify that it can be used for up to two seconds.  So even if 
someone does compromise the target host and does talk to the agent, the 
agent won't allow the key to be used and will behave as if the key 
wasn't loaded.


You can also lock / unlock the agent on the source side as you see fit. 
Unlock it for authentication, and then immediately re-lock it after 
authenticating.  Local commands and / or a local process using ssh 
remote commands makes this more reasonable.


Aside:  Backgrounded / multiplexed connections make running multiple 
remote commands on a host a lot more expedient.


  1)  Log in to the remote host with a background connection.
  2)  Run multiple remote commands via "ssh @ "

  3)  Log out of the remote host closing the background connection.

The business logic of the script lives on the client and all the 
intermediate commands (#2) avoid the overhead of establishing a 
connection and authenticating again.


> But, I just noticed the following, which is hopeful, but need to read 
> up on this:
>
> https://www.openssh.com/agent-restrict.html


Interesting.  More reading.


> Agreed, which is why I always stop and think when I see that.


;-)

> Usually the answer is: "Oh, yes, I didn't access this host from my 
> laptop yet". But that is usually after the 2nd or 3rd connection 
> attempt with retyping the hostname and verifying the IP-address that 
> is resolved for it first.


I think I mis-took a previous statement to mean that you did something 
to distribute the contents of the known_hosts file so that re-loads 
would already be known.  I guess I misunderstood.




--
Grant. . . .
unix || die
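The agent and multiplexing controls described in the message above (key lifetime with `ssh-add -t`, locking with `ssh-add -x`/`-X`, a `from=` stanza in authorized_keys, and a backgrounded connection reused for several remote commands), collected into small shell helpers. This is an added example, not code from the thread or from OpenSSH; host names, the socket directory under `~/.ssh/cm`, and the sample key line are placeholders. With `DRY_RUN=1` the helpers only print the command they would run, so the script can be read and tested offline; the lifetime demonstration at the end uses a throwaway key and a private agent when `ssh-agent` and `ssh-keygen` are installed.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): ssh-agent and multiplexing helpers.
#   ssh-add -t N    key usable through the agent for N seconds only
#   ssh-add -x/-X   lock / unlock the agent with a passphrase
#   from="..."      accept an authorized_keys entry only from listed sources
#   ControlMaster   authenticate once, reuse the connection for later commands
# Host names, the socket directory and the sample key line are placeholders.
set -eu

CTL_DIR="${HOME:-/tmp}/.ssh/cm"   # where multiplexing sockets live (assumed layout)

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ControlPath pattern: one socket per user@host:port.
ctl_path() { printf '%s/%%r@%%h:%%p' "$CTL_DIR"; }

# 1) open a background master connection (authenticate once)
mux_open() {
  [ "${DRY_RUN:-0}" = 1 ] || mkdir -p "$CTL_DIR"
  run ssh -o ControlMaster=yes -o "ControlPath=$(ctl_path)" -o ControlPersist=yes -N -f "$1"
}
# 2) run as many remote commands as needed over that connection
mux_run() { h=$1; shift; run ssh -o "ControlPath=$(ctl_path)" "$h" "$@"; }
# 3) tear the master down when the script is finished
mux_close() { run ssh -o "ControlPath=$(ctl_path)" -O exit "$1"; }

# Load a key with a lifetime in seconds; afterwards the agent acts as if it was never loaded.
agent_add_short() { run ssh-add -t "$1" "$2"; }
# Lock the agent while a forwarded socket is exposed; unlock only for the authentication step.
agent_lock()   { run ssh-add -x; }
agent_unlock() { run ssh-add -X; }

# authorized_keys line that accepts the key only from the listed host patterns or CIDRs.
restrict_key() { printf 'from="%s" %s\n' "$1" "$2"; }

# Number of identities currently loaded (ssh-add -l exits 1 when there are none).
agent_key_count() { ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true; }

# Live demonstration of the lifetime option against a throwaway agent and key.
agent_lifetime_demo() {
  command -v ssh-agent >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 || {
    echo "ssh-agent/ssh-keygen not available; live demo skipped"; return 0; }
  tmp=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -f "$tmp/key"   # throwaway key, no passphrase
  eval "$(ssh-agent -s)" >/dev/null              # private agent just for this demo
  ssh-add -t 2 "$tmp/key" 2>/dev/null            # usable for two seconds
  before=$(agent_key_count)
  sleep 3
  after=$(agent_key_count)
  printf 'identities right after ssh-add -t 2: %s, three seconds later: %s\n' "$before" "$after"
  ssh-agent -k >/dev/null 2>&1
  rm -rf "$tmp"
}

# What the helpers would run, without touching the network:
DRY_RUN=1
mux_open example.host
mux_run example.host uptime
mux_close example.host
agent_add_short 2 "${HOME:-/tmp}/.ssh/id_ed25519"
agent_lock
restrict_key '10.0.0.5,192.168.1.0/24' 'ssh-ed25519 AAAA...placeholder automation@client'
agent_lifetime_demo || echo "live demo did not complete"
```

The `from=` restriction is applied on the target host's side, so it still limits where a forwarded or stolen key can be used from even when the agent on the client is reachable; the lifetime and lock options are applied on the client side and close the window in which a forwarded agent socket is useful at all.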



Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread Grant Taylor

On 7/18/22 12:23 AM, J. Roeleveld wrote:
> I've been using ansible for some of my automation scripts and am 
> happy with the way that works. The existing implementations for 
> "adding users" and such are tested plenty by others and do actually 
> check if the user exists before trying to add one.


ACK

> I only use expect to automate the login-process as mentioned in the 
> original email.


I've been a fan of the sshpass command explicitly for sshing into 
systems.  Though I've gotten it to work for a few other very similar things.


> The line it's expecting is more than just "*?assword" like in all 
> the examples.


> Currently, SSH puts the password-prompt as:
> (@) Password:
>
> As I know both, the expected string is this full line. If SSH changes 
> its behaviour, the script will simply fail.


Nice!



--
Grant. . . .
unix || die



Re: [gentoo-user] About to have fiber internet and need VPN info

2022-07-18 Thread Adam Carter
On Sun, Jul 17, 2022 at 2:41 AM Dale  wrote:

> Peter Humphrey wrote:
> > On Saturday, 16 July 2022 11:57:25 BST Dale wrote:
> >
> >> Basically, I can upload files as fast as I download them.  Now I can
> upload
> >> videos or something.
> > ...or run a web server!
> >
>
>
> That's way above anything I'd want to tackle.  Heck, this VPN thing is a
> bit confusing.  I've never seen it used before so sort of lost with it.
> Maybe once installed it will make sense.
>

That prompts the question - why do you want a VPN? (what do you think it
will do for you?)

If it's to get around geo-blocking, it's probably a good option if there's
no legal implications. If it's for something else it's probably worth
digging a bit deeper. If it's to try to avoid legal responsibility (eg. to
download copyrighted content), don't do anything you're not prepared to pay
the fine / do the time for.


Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread J. Roeleveld
On Monday, 18 July 2022 08:03:44 CEST Grant Taylor wrote:
> On 7/17/22 11:48 PM, J. Roeleveld wrote:
> > It could, but that would open up an unsecured key to interception if
> > an intermediate host is compromised.
> 
> What are you thinking?  --  I've got a few ideas, but rather than
> speculating, I'll just ask.

See below

> > See previous answer, the agent, as far as I know, will have the keys
> > in memory and I haven't seen evidence that it won't provide the keys
> > without authenticating the requestor.
> 
> Are you concerned about a rogue requestor on the host where the agent is
> running or elsewhere?

Either on the client where the agent is running, but also on the system I 
connected to.
But, I just noticed the following, which is hopeful, but need to read up on 
this:
https://www.openssh.com/agent-restrict.html[1]

> > Yes, copy/paste has no issues with multi-page texts. But manually
> > reading a long password and copying that over by typing on a keyboard
> > when the font can make the difference between "1" (ONE), "l" (small
> > letter L) and "|" (pipe- character) and similar characters make it
> > annoying to say the least.
> 
> Agreed.
> 
> > Currently, when that comment pops up, the first thing I do is wait
> > and wonder why it's asking for it. As all the systems are already
> > added to the list.
> 
> Such a pop-up would be a very likely indication of a problem.

Agreed, which is why I always stop and think when I see that.
Usually the answer is: "Oh, yes, I didn't access this host from my laptop yet". 
But that is usually after the 2nd or 3rd connection attempt with retyping the 
hostname and verifying the IP-address that is resolved for it first.

--
Joost


[1] https://www.openssh.com/agent-restrict.html


Re: [gentoo-user] About to have fiber internet and need VPN info

2022-07-18 Thread Adam Carter
>
> And you'll need to always keep in mind that a VPN is a low-level
> protection. It's enough for protecting yourself against spammers, script
> kiddies or
> similar but it can't keep you private in the face of any high-level
> threats. Don't place too much trust in VPNs.
>

I'm not an expert, but AFAIK VPNs don't offer any particular benefit with
regards to spam or script kiddies.

A VPN will:
- Hide your internet activity from your ISP
- Make your internet activity available to your VPN provider
- Make your internet activity available to your VPN provider's ISP

Without a VPN, your ISP could sell the details used to sign up for the
account (eg. name, phone number, email address) along with your internet
activity. With a VPN, the VPN provider could sell similar information,
however, there is typically an explicit claim that they won't do this,
whereas your ISP has probably buried information on what they do with your
information and metadata in Terms and Conditions documents. Your VPN
provider's ISP will be able to monitor your internet activity but it will
be mixed with the activity of the VPN provider's other customers, and they
won't have any of your sign up information.

I've heard some VPNs let you pay pseudo-anonymously with cryptocurrency
(albeit with a cryptographically verifiable public ledger!), to prevent
direct matching of internet activity to an identity.


Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread J. Roeleveld
On Friday, 15 July 2022 18:39:25 CEST Grant Taylor wrote:
> On 7/14/22 3:22 PM, Steve Wilson wrote:
> > Have you looked at dev-tcltk/expect?
> 
> Expect has its place.
> 
> Just be EXTREMELY careful when using it for anything security related.

I agree

> Always check for what is expected before sending data.  Don't assume
> that something comes next and blindly send it (possibly after a pause).
> 
> Things break in a really weird and unexpected way.  (No pun intended.)
> 
> Also, do as much logic outside of expect as possible.  E.g. don't try to
> add a user and then respond to a failure.  Instead check to see if the
> user exists /before/ trying to add it.

I've been using ansible for some of my automation scripts and am happy with 
the way that works. The existing implementations for "adding users" and such 
are tested plenty by others and do actually check if the user exists before 
trying to add one.

> Plan on things failing and try to control the likely ways that it can fail.
> 
> Paying yourself forward with time and effort developing (expect) scripts
> will mean that you reap the rewards for years to come.

I only use expect to automate the login-process as mentioned in the original 
email. The line it's expecting is more than just "*?assword" like in all the 
examples.

Currently, SSH puts the password-prompt as:
(@) Password:

As I know both, the expected string is this full line. If SSH changes its 
behaviour, the script will simply fail.

--
Joost
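The two points made in this exchange and in Grant's earlier reply about sshpass and the prompt line (check for exactly what is expected before sending anything, and keep the decision logic outside expect), shown as a small script. This is an added example, not from the thread: the shell decides beforehand whether there is work to do, and expect handles only the one interactive step, matching the complete "(user@host) Password:" line with `-exact` instead of a loose `*?assword` glob and exiting non-zero on a timeout or an early EOF. The user name, host and password are placeholders, and the "remote side" is a constructed local stand-in that prints the prompt and checks the answer, so the script runs offline when expect is installed and skips the interactive part otherwise.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed expect usage. Decision logic
# stays in the shell; expect only answers one exact, complete prompt line.
# User, host and password are placeholders; the target below is a local stand-in.
set -eu

# Logic outside expect: find out first whether there is anything to do at all.
user_exists() { id -u "$1" >/dev/null 2>&1; }

# The one full line we are willing to answer (format follows the thread).
expected_prompt() { printf '(%s@%s) Password:' "$1" "$2"; }

# Drive a command that asks for a password. $1 user, $2 host, $3 command to spawn.
# The password comes from DEMO_PASSWORD in the environment, not from the script text.
expect_login() {
  command -v expect >/dev/null 2>&1 || { echo "expect not installed; interactive step skipped"; return 0; }
  EXPECTED_PROMPT=$(expected_prompt "$1" "$2") TARGET_CMD=$3 expect <<'EOF'
set timeout 5
spawn sh -c $env(TARGET_CMD)
expect {
    # -exact: the whole prompt line, parentheses included, with no glob matching
    -exact $env(EXPECTED_PROMPT) { send -- "$env(DEMO_PASSWORD)\r" }
    timeout { puts "\nprompt did not appear as expected, aborting"; exit 2 }
    eof     { puts "\nprocess ended before prompting, aborting"; exit 3 }
}
expect eof
EOF
}

# Constructed stand-in for the remote side: prints the prompt and checks the answer.
fake_target='printf "(alice@example.host) Password: "; read -r p; if [ "$p" = "correct-horse" ]; then echo LOGIN-OK; else echo LOGIN-FAILED; fi'

# Decide in the shell, before any interactive step, whether the account needs adding.
if user_exists nosuchuser; then
  echo "user already present, nothing to add"
else
  echo "user absent, would proceed to add it"
fi

DEMO_PASSWORD=correct-horse
export DEMO_PASSWORD
expect_login alice example.host "$fake_target" || echo "login step failed, nothing was sent"
```

If the prompt format changes (a different user, host or wording), the `-exact` branch never matches and the script stops with exit status 2 after the timeout instead of sending the password to whatever did appear, which is exactly the "the script will simply fail" behaviour described above.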





Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread Grant Taylor

On 7/17/22 11:48 PM, J. Roeleveld wrote:
> It could, but that would open up an unsecured key to interception if 
> an intermediate host is compromised.


What are you thinking?  --  I've got a few ideas, but rather than 
speculating, I'll just ask.


> See previous answer, the agent, as far as I know, will have the keys 
> in memory and I haven't seen evidence that it won't provide the keys 
> without authenticating the requestor.


Are you concerned about a rogue requestor on the host where the agent is 
running or elsewhere?


> Yes, copy/paste has no issues with multi-page texts. But manually 
> reading a long password and copying that over by typing on a keyboard 
> when the font can make the difference between "1" (ONE), "l" (small 
> letter L) and "|" (pipe- character) and similar characters make it 
> annoying to say the least.


Agreed.

> Currently, when that comment pops up, the first thing I do is wait 
> and wonder why it's asking for it. As all the systems are already 
> added to the list.


Such a pop-up would be a very likely indication of a problem.



--
Grant. . . .
unix || die