Re: [qubes-users] PAM errors after disabling password-less root
Would it have anything to do with upgrading to kernel 4.8 (both dom0 and domU)?

Chris

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b28b48b4-c3bb-3ed0-0e84-4377ac1e85d3%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] PAM errors after disabling password-less root
On 11/30/2016 03:55 PM, Marek Marczykowski-Górecki wrote:
> On Wed, Nov 30, 2016 at 02:44:17PM -0500, Chris Laprise wrote:
>> On 11/28/2016 05:27 PM, Patrick Schleizer wrote:
>>> Probably related issues:
>>> - https://github.com/QubesOS/qubes-doc/pull/176
>>> - https://github.com/QubesOS/qubes-doc/pull/228
>>>
>>> Which led to some changes to https://www.qubes-os.org/doc/vm-sudo/ [which was reported to work now] (and the qubes-whonix package).
>>>
>>> I may not work much on this issue however due to Qubes project policy, explained in detail here:
>>> https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-242894132
>>>
>>> Btw I almost missed this mail. As of now, best way to get my attention btw is adding my e-mail address adrela...@riseup.net or adding Whonix to the subject. Otherwise I cannot monitor / read all on this kinda high traffic mailing list.
>>>
>>> Cheers,
>>> Patrick
>>
>> I'm having one remaining issue after restricting root in the templates... dom0 is logging tons of PAM 'audit' messages which makes the log very noisy. I think the auth requests are originating from dom0. I'd like to find a way to squelch them.
>
> It's a "feature" of systemd-journald:
> https://github.com/systemd/systemd/issues/959
>
> In short: add "audit=0" to VM kernel command options, or run "auditd -s disable". Personally I have "auditd -s disable" in /rw/config/rc.local in some (most?) VMs.

I added 'audit=0' to my domU kernelopts, but after restarting all VMs I'm still getting the same amount of audit lines in dmesg.

Chris

Re: [qubes-users] PAM errors after disabling password-less root
On Wed, Nov 30, 2016 at 02:44:17PM -0500, Chris Laprise wrote:
> On 11/28/2016 05:27 PM, Patrick Schleizer wrote:
>> Probably related issues:
>> - https://github.com/QubesOS/qubes-doc/pull/176
>> - https://github.com/QubesOS/qubes-doc/pull/228
>>
>> Which led to some changes to https://www.qubes-os.org/doc/vm-sudo/ [which was reported to work now] (and the qubes-whonix package).
>>
>> I may not work much on this issue however due to Qubes project policy, explained in detail here:
>> https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-242894132
>>
>> Btw I almost missed this mail. As of now, best way to get my attention btw is adding my e-mail address adrela...@riseup.net or adding Whonix to the subject. Otherwise I cannot monitor / read all on this kinda high traffic mailing list.
>>
>> Cheers,
>> Patrick
>
> I'm having one remaining issue after restricting root in the templates... dom0 is logging tons of PAM 'audit' messages which makes the log very noisy. I think the auth requests are originating from dom0. I'd like to find a way to squelch them.

It's a "feature" of systemd-journald:
https://github.com/systemd/systemd/issues/959

In short: add "audit=0" to VM kernel command options, or run "auditd -s disable". Personally I have "auditd -s disable" in /rw/config/rc.local in some (most?) VMs.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Re: [qubes-users] PAM errors after disabling password-less root
On 11/28/2016 05:27 PM, Patrick Schleizer wrote:
> Probably related issues:
> - https://github.com/QubesOS/qubes-doc/pull/176
> - https://github.com/QubesOS/qubes-doc/pull/228
>
> Which led to some changes to https://www.qubes-os.org/doc/vm-sudo/ [which was reported to work now] (and the qubes-whonix package).
>
> I may not work much on this issue however due to Qubes project policy, explained in detail here:
> https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-242894132
>
> Btw I almost missed this mail. As of now, best way to get my attention btw is adding my e-mail address adrela...@riseup.net or adding Whonix to the subject. Otherwise I cannot monitor / read all on this kinda high traffic mailing list.
>
> Cheers,
> Patrick

I'm having one remaining issue after restricting root in the templates... dom0 is logging tons of PAM 'audit' messages which makes the log very noisy. I think the auth requests are originating from dom0. I'd like to find a way to squelch them.

Chris

Re: [qubes-users] PAM errors after disabling password-less root
Chris Laprise:
> On 11/16/2016 01:26 PM, Andrew wrote:
>> 3n7r0...@gmail.com:
>>> On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
>>>> On 11/15/2016 04:04 PM, Unman wrote:
>>>>> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>>>>>> On 11/15/2016 07:20 AM, Unman wrote:
>>>>>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>>>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>>>>>> Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:
>>>>>>>>>
>>>>>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>>>>>> sudo: PAM authentication error: System error
>>>>>>>>>
>>>>>>>>> Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>
>>>>>>>> Where did you get that template? The file is present in the default 3.2, and even in a minimal-no-recommends template for Debian-8.
>>>>>>>>
>>>>>>>> I'll look at the Debian-9 issue now.
>>>>>>>
>>>>>>> I'm afraid I don't see this issue in a Debian-9 template. Can you check your editing?
>>>>>>>
>>>>>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth command, and making sure you get the expected output. You should see the prompt(from the policy) and then output from dom0.
>>>>>>>
>>>>>>> unman
>>>>>>
>>>>>> Thanks for checking. However, I triple-checked my editing in Debian 9 and Debian 8 template is 'stock' basically nothing added to it.
>>>>>>
>>>>>> The qubes.VMAuth request said 'Request refused'. The doc appears to have a typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that causes '$anyvm' to disappear from the output. This line should use single quotes instead.
>>>>>>
>>>>>> Chris
>>>>>
>>>>> You're right about that typo. Once you fixed it what happened?
>>>>
>>>> It works now for Debian 9, submitted PR to fix the doc. I don't know what the issue is with the missing file in Debian 8... The template's basic form may not have a necessary package.
>>>>
>>>> Chris
>>>
>>> FWIW, the instructions work when applied to Whonix-Debian-8.
>>>
>>> If I may piggyback on this thread with a related issue... The instructions (pre-typo) worked fine for both Fedora & Whonix VMs. But while the Fedora VMs would spin up silently, each Whonix VM required 4 sudo authorizations at each boot. Do you have any idea what that might be or how I could trace it? I don't have any user scripts / rc.local configured. The authorization requests sometimes appear while the VM light is yellow and other times won't appear until it's green. I'm worried that they might need to be clicked in the proper order and there's not enough identifying information on the dialogue to know what I'm authorizing. Would it be possible to pass the name of the triggering command to the dom0 sudo prompt?
>
> The typo causes the string '$anyvm dom0 ask' to be stored as ' dom0 ask' because the shell expands $anyvm to nothing.
>
> So it's definitely a bug, IMHO.
>
> The Whonix issue sounds like a decision they made to use sudo from a user startup script...? I think Patrick may know which ones they are.
>
> Chris

Probably related issues:
- https://github.com/QubesOS/qubes-doc/pull/176
- https://github.com/QubesOS/qubes-doc/pull/228

Which led to some changes to https://www.qubes-os.org/doc/vm-sudo/ [which was reported to work now] (and the qubes-whonix package).

I may not work much on this issue however due to Qubes project policy, explained in detail here:
https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-242894132

Btw I almost missed this mail. As of now, best way to get my attention btw is adding my e-mail address adrela...@riseup.net or adding Whonix to the subject. Otherwise I cannot monitor / read all on this kinda high traffic mailing list.

Cheers,
Patrick

Re: [qubes-users] PAM errors after disabling password-less root
On 11/18/2016 02:03 AM, entr0py wrote:
> Andrew:
>> I think not without modifying the Qubes RPC code itself, which is probably a non-starter. Anyway you would be relying on untrusted self-reported information in the trusted Dom0 prompt, so maybe not a good idea.
>>
>> If you just want to investigate, this should be logged on the VM itself, anyway, no? Maybe I'm wrong. Look through journalctl and see.
>>
>> Andrew
>
> Andrew, thanks for the pointers. Chris resolved before I even looked:
> https://forums.whonix.org/t/fixing-whonix-boot-issue-after-securing-qubes-root-auth/3155
> https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-261407737

I ended up having one remaining prompt during sys-whonix VM startup (based on whonix-gw template). So the full resolution of the issue involves creating a file '/etc/sudoers.d/zz99' in the whonix templates and adding *both* of these lines:

ALL ALL=NOPASSWD: /usr/sbin/virt-what
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck *

Chris

Re: [qubes-users] PAM errors after disabling password-less root
Andrew:
> 3n7r0...@gmail.com:
>> On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
>>> On 11/15/2016 04:04 PM, Unman wrote:
>>>> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>>>>> On 11/15/2016 07:20 AM, Unman wrote:
>>>>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>>>>> Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:
>>>>>>>>
>>>>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>>>>> sudo: PAM authentication error: System error
>>>>>>>>
>>>>>>>> Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>
>>>>>>> Where did you get that template? The file is present in the default 3.2, and even in a minimal-no-recommends template for Debian-8.
>>>>>>>
>>>>>>> I'll look at the Debian-9 issue now.
>>>>>>
>>>>>> I'm afraid I don't see this issue in a Debian-9 template. Can you check your editing?
>>>>>>
>>>>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth command, and making sure you get the expected output. You should see the prompt(from the policy) and then output from dom0.
>>>>>>
>>>>>> unman
>>>>>
>>>>> Thanks for checking. However, I triple-checked my editing in Debian 9 and Debian 8 template is 'stock' basically nothing added to it.
>>>>>
>>>>> The qubes.VMAuth request said 'Request refused'. The doc appears to have a typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that causes '$anyvm' to disappear from the output. This line should use single quotes instead.
>>>>>
>>>>> Chris
>>>>
>>>> You're right about that typo. Once you fixed it what happened?
>>>
>>> It works now for Debian 9, submitted PR to fix the doc. I don't know what the issue is with the missing file in Debian 8... The template's basic form may not have a necessary package.
>>>
>>> Chris
>>
>> FWIW, the instructions work when applied to Whonix-Debian-8.
>>
>> If I may piggyback on this thread with a related issue... The instructions (pre-typo) worked fine for both Fedora & Whonix VMs. But while the Fedora VMs would spin up silently, each Whonix VM required 4 sudo authorizations at each boot. Do you have any idea what that might be or how I could trace it? I don't have any user scripts / rc.local configured. The authorization requests sometimes appear while the VM light is yellow and other times won't appear until it's green. I'm worried that they might need to be clicked in the proper order and there's not enough identifying information on the dialogue to know what I'm authorizing. Would it be possible to pass the name of the triggering command to the dom0 sudo prompt?
>
> I think not without modifying the Qubes RPC code itself, which is probably a non-starter. Anyway you would be relying on untrusted self-reported information in the trusted Dom0 prompt, so maybe not a good idea.
>
> If you just want to investigate, this should be logged on the VM itself, anyway, no? Maybe I'm wrong. Look through journalctl and see.
>
> Andrew

Andrew, thanks for the pointers. Chris resolved before I even looked:
https://forums.whonix.org/t/fixing-whonix-boot-issue-after-securing-qubes-root-auth/3155
https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-261407737

Re: [qubes-users] PAM errors after disabling password-less root
On 11/16/2016 01:26 PM, Andrew wrote:
> 3n7r0...@gmail.com:
>> On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
>>> On 11/15/2016 04:04 PM, Unman wrote:
>>>> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>>>>> On 11/15/2016 07:20 AM, Unman wrote:
>>>>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>>>>> Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:
>>>>>>>>
>>>>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>>>>> sudo: PAM authentication error: System error
>>>>>>>>
>>>>>>>> Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>
>>>>>>> Where did you get that template? The file is present in the default 3.2, and even in a minimal-no-recommends template for Debian-8.
>>>>>>>
>>>>>>> I'll look at the Debian-9 issue now.
>>>>>>
>>>>>> I'm afraid I don't see this issue in a Debian-9 template. Can you check your editing?
>>>>>>
>>>>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth command, and making sure you get the expected output. You should see the prompt(from the policy) and then output from dom0.
>>>>>>
>>>>>> unman
>>>>>
>>>>> Thanks for checking. However, I triple-checked my editing in Debian 9 and Debian 8 template is 'stock' basically nothing added to it.
>>>>>
>>>>> The qubes.VMAuth request said 'Request refused'. The doc appears to have a typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that causes '$anyvm' to disappear from the output. This line should use single quotes instead.
>>>>>
>>>>> Chris
>>>>
>>>> You're right about that typo. Once you fixed it what happened?
>>>
>>> It works now for Debian 9, submitted PR to fix the doc. I don't know what the issue is with the missing file in Debian 8... The template's basic form may not have a necessary package.
>>>
>>> Chris
>>
>> FWIW, the instructions work when applied to Whonix-Debian-8.
>>
>> If I may piggyback on this thread with a related issue... The instructions (pre-typo) worked fine for both Fedora & Whonix VMs. But while the Fedora VMs would spin up silently, each Whonix VM required 4 sudo authorizations at each boot. Do you have any idea what that might be or how I could trace it? I don't have any user scripts / rc.local configured. The authorization requests sometimes appear while the VM light is yellow and other times won't appear until it's green. I'm worried that they might need to be clicked in the proper order and there's not enough identifying information on the dialogue to know what I'm authorizing. Would it be possible to pass the name of the triggering command to the dom0 sudo prompt?

The typo causes the string '$anyvm dom0 ask' to be stored as ' dom0 ask' because the shell expands $anyvm to nothing.

So it's definitely a bug, IMHO.

The Whonix issue sounds like a decision they made to use sudo from a user startup script...? I think Patrick may know which ones they are.

Chris

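The quoting failure described in the message above, reproduced in a scratch directory as an added example; it is not part of the original thread or of the Qubes documentation. The function names and file names are hypothetical, and the three-field check (source, target, action) is an assumption inferred from the string '$anyvm dom0 ask' quoted in the thread.

```shell
#!/bin/sh
# Added example: nothing here touches real dom0 policy files.

# Buggy form: inside double quotes the shell expands $anyvm. The variable is
# unset, so the line written is " dom0 ask" and the source field is lost.
write_policy_double() {
    ( unset anyvm; echo "$anyvm dom0 ask" > "$1" )
}

# Fixed form: single quotes keep the literal token $anyvm in the file.
write_policy_single() {
    echo '$anyvm dom0 ask' > "$1"
}

# Guard: with 'set -u' the same mistake aborts instead of silently writing
# a truncated rule. Returns non-zero when the expansion fails.
write_policy_nounset() {
    ( set -u; unset anyvm; echo "$anyvm dom0 ask" > "$1" ) 2>/dev/null
}

# Lint: every non-blank, non-comment line needs at least three fields.
# Prints each offending line and returns 1 if any are found.
lint_policy() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF < 3 {
            printf "%s:%d: expected <source> <target> <action>, got [%s]\n",
                   FILENAME, NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_policy_double "$demo_dir/policy.double"
write_policy_single "$demo_dir/policy.single"
for f in "$demo_dir/policy.double" "$demo_dir/policy.single"; do
    if lint_policy "$f"; then
        echo "OK:  $f"
    else
        echo "BAD: $f"
    fi
done
rm -rf "$demo_dir"
```

Running a check like `lint_policy` against a policy file right after editing it catches the truncated rule before a VM request is refused.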
Re: [qubes-users] PAM errors after disabling password-less root
3n7r0...@gmail.com:
> On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
>> On 11/15/2016 04:04 PM, Unman wrote:
>>> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>>>> On 11/15/2016 07:20 AM, Unman wrote:
>>>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>>>> Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:
>>>>>>>
>>>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>>>> sudo: PAM authentication error: System error
>>>>>>>
>>>>>>> Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.
>>>>>>>
>>>>>>> Chris
>>>>>>
>>>>>> Where did you get that template? The file is present in the default 3.2, and even in a minimal-no-recommends template for Debian-8.
>>>>>>
>>>>>> I'll look at the Debian-9 issue now.
>>>>>
>>>>> I'm afraid I don't see this issue in a Debian-9 template. Can you check your editing?
>>>>>
>>>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth command, and making sure you get the expected output. You should see the prompt(from the policy) and then output from dom0.
>>>>>
>>>>> unman
>>>>
>>>> Thanks for checking. However, I triple-checked my editing in Debian 9 and Debian 8 template is 'stock' basically nothing added to it.
>>>>
>>>> The qubes.VMAuth request said 'Request refused'. The doc appears to have a typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that causes '$anyvm' to disappear from the output. This line should use single quotes instead.
>>>>
>>>> Chris
>>>
>>> You're right about that typo. Once you fixed it what happened?
>>
>> It works now for Debian 9, submitted PR to fix the doc. I don't know what the issue is with the missing file in Debian 8... The template's basic form may not have a necessary package.
>>
>> Chris
>
> FWIW, the instructions work when applied to Whonix-Debian-8.
>
> If I may piggyback on this thread with a related issue... The instructions (pre-typo) worked fine for both Fedora & Whonix VMs. But while the Fedora VMs would spin up silently, each Whonix VM required 4 sudo authorizations at each boot. Do you have any idea what that might be or how I could trace it? I don't have any user scripts / rc.local configured. The authorization requests sometimes appear while the VM light is yellow and other times won't appear until it's green. I'm worried that they might need to be clicked in the proper order and there's not enough identifying information on the dialogue to know what I'm authorizing. Would it be possible to pass the name of the triggering command to the dom0 sudo prompt?

I think not without modifying the Qubes RPC code itself, which is probably a non-starter. Anyway you would be relying on untrusted self-reported information in the trusted Dom0 prompt, so maybe not a good idea.

If you just want to investigate, this should be logged on the VM itself, anyway, no? Maybe I'm wrong. Look through journalctl and see.

Andrew

Re: [qubes-users] PAM errors after disabling password-less root
On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
> On 11/15/2016 04:04 PM, Unman wrote:
>> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>>> On 11/15/2016 07:20 AM, Unman wrote:
>>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>>> Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:
>>>>>>
>>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>>> sudo: PAM authentication error: System error
>>>>>>
>>>>>> Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.
>>>>>>
>>>>>> Chris
>>>>>
>>>>> Where did you get that template? The file is present in the default 3.2, and even in a minimal-no-recommends template for Debian-8.
>>>>>
>>>>> I'll look at the Debian-9 issue now.
>>>>
>>>> I'm afraid I don't see this issue in a Debian-9 template. Can you check your editing?
>>>>
>>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth command, and making sure you get the expected output. You should see the prompt(from the policy) and then output from dom0.
>>>>
>>>> unman
>>>
>>> Thanks for checking. However, I triple-checked my editing in Debian 9 and Debian 8 template is 'stock' basically nothing added to it.
>>>
>>> The qubes.VMAuth request said 'Request refused'. The doc appears to have a typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that causes '$anyvm' to disappear from the output. This line should use single quotes instead.
>>>
>>> Chris
>>
>> You're right about that typo. Once you fixed it what happened?
>
> It works now for Debian 9, submitted PR to fix the doc. I don't know what the issue is with the missing file in Debian 8... The template's basic form may not have a necessary package.
>
> Chris

FWIW, the instructions work when applied to Whonix-Debian-8.

If I may piggyback on this thread with a related issue... The instructions (pre-typo) worked fine for both Fedora & Whonix VMs. But while the Fedora VMs would spin up silently, each Whonix VM required 4 sudo authorizations at each boot. Do you have any idea what that might be or how I could trace it? I don't have any user scripts / rc.local configured. The authorization requests sometimes appear while the VM light is yellow and other times won't appear until it's green. I'm worried that they might need to be clicked in the proper order and there's not enough identifying information on the dialogue to know what I'm authorizing. Would it be possible to pass the name of the triggering command to the dom0 sudo prompt?

Re: [qubes-users] PAM errors after disabling password-less root
On 11/15/2016 04:04 PM, Unman wrote:
> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>> On 11/15/2016 07:20 AM, Unman wrote:
>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>> Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:
>>>>>
>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>> sudo: PAM authentication error: System error
>>>>>
>>>>> Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.
>>>>>
>>>>> Chris
>>>>
>>>> Where did you get that template? The file is present in the default 3.2, and even in a minimal-no-recommends template for Debian-8.
>>>>
>>>> I'll look at the Debian-9 issue now.
>>>
>>> I'm afraid I don't see this issue in a Debian-9 template. Can you check your editing?
>>>
>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth command, and making sure you get the expected output. You should see the prompt(from the policy) and then output from dom0.
>>>
>>> unman
>>
>> Thanks for checking. However, I triple-checked my editing in Debian 9 and Debian 8 template is 'stock' basically nothing added to it.
>>
>> The qubes.VMAuth request said 'Request refused'. The doc appears to have a typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that causes '$anyvm' to disappear from the output. This line should use single quotes instead.
>>
>> Chris
>
> You're right about that typo. Once you fixed it what happened?

It works now for Debian 9, submitted PR to fix the doc. I don't know what the issue is with the missing file in Debian 8... The template's basic form may not have a necessary package.

Chris

Re: [qubes-users] PAM errors after disabling password-less root
On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
> On 11/15/2016 07:20 AM, Unman wrote:
>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>> Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:
>>>>
>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>> sudo: PAM authentication error: System error
>>>>
>>>> Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.
>>>>
>>>> Chris
>>>
>>> Where did you get that template? The file is present in the default 3.2, and even in a minimal-no-recommends template for Debian-8.
>>>
>>> I'll look at the Debian-9 issue now.
>>
>> I'm afraid I don't see this issue in a Debian-9 template. Can you check your editing?
>>
>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth command, and making sure you get the expected output. You should see the prompt(from the policy) and then output from dom0.
>>
>> unman
>
> Thanks for checking. However, I triple-checked my editing in Debian 9 and Debian 8 template is 'stock' basically nothing added to it.
>
> The qubes.VMAuth request said 'Request refused'. The doc appears to have a typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that causes '$anyvm' to disappear from the output. This line should use single quotes instead.
>
> Chris

You're right about that typo. Once you fixed it what happened?

Re: [qubes-users] PAM errors after disabling password-less root
On 11/15/2016 07:20 AM, Unman wrote:
> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>> Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:
>>>
>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>> sudo: PAM authentication error: System error
>>>
>>> Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.
>>>
>>> Chris
>>
>> Where did you get that template? The file is present in the default 3.2, and even in a minimal-no-recommends template for Debian-8.
>>
>> I'll look at the Debian-9 issue now.
>
> I'm afraid I don't see this issue in a Debian-9 template. Can you check your editing?
>
> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth command, and making sure you get the expected output. You should see the prompt(from the policy) and then output from dom0.
>
> unman

Thanks for checking. However, I triple-checked my editing in Debian 9 and Debian 8 template is 'stock' basically nothing added to it.

The qubes.VMAuth request said 'Request refused'. The doc appears to have a typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that causes '$anyvm' to disappear from the output. This line should use single quotes instead.

Chris

Re: [qubes-users] PAM errors after disabling password-less root
On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
> > Following the instructions for the 'vm-sudo' doc, I get the following error
> > in Debian 9:
> >
> > /usr/lib/qubes/qrexec-client-vm failed: exit code 1
> > sudo: PAM authentication error: System error
> >
> >
> > Also, in the Debian 8 template the instructions don't match, as there
> > appears to be no file '/etc/pam.d/common-auth'.
> >
> > Chris
> >
>
> Where did you get that template? The file is present in the default 3.2,
> and even in a minimal-no-recommends template for Debian-8.
>
> I'll look at the Debian-9 issue now.
>

I'm afraid I don't see this issue in a Debian-9 template.
Can you check your editing?

Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth
command, and making sure you get the expected output.
You should see the prompt(from the policy) and then output from dom0.

unman
Re: [qubes-users] PAM errors after disabling password-less root
On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
> Following the instructions for the 'vm-sudo' doc, I get the following error
> in Debian 9:
>
> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
> sudo: PAM authentication error: System error
>
>
> Also, in the Debian 8 template the instructions don't match, as there
> appears to be no file '/etc/pam.d/common-auth'.
>
> Chris
>

Where did you get that template? The file is present in the default 3.2,
and even in a minimal-no-recommends template for Debian-8.

I'll look at the Debian-9 issue now.
[qubes-users] PAM errors after disabling password-less root
Following the instructions for the 'vm-sudo' doc, I get the following error in Debian 9:

/usr/lib/qubes/qrexec-client-vm failed: exit code 1
sudo: PAM authentication error: System error

Also, in the Debian 8 template the instructions don't match, as there appears to be no file '/etc/pam.d/common-auth'.

Chris