Re: Networking nonfunctional on 8.0

2016-07-28 Thread Steve Matzura
Yes. While I was waiting for a reply, I did try another, and either
the connector has gone bad, or some other thing, because that seems to
have been the problem. Very odd that it would fail in the manner which
it did, just died in the middle of the day.

On Thu, 28 Jul 2016 12:26:16 +0300, you wrote:

>   Hi.
>
>On Thu, Jul 28, 2016 at 04:44:09AM -0400, Steve Matzura wrote:
>> 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
>> state DOWN group default qlen 1000
>
>Check your Ethernet cable. NO-CARRIER either means that the cable is
>unplugged from your NIC, or from wherever the other end of the cable should
>be plugged to, or the cable itself is damaged.
>
>Reco
>



Re: OK to upgrade to 8.5?

2016-07-28 Thread Steve Matzura
That article talks about upgrading from 7 (Wheezy) to 8 (Jessie). I am
already on 8--8.0 specifically. I was thinking of updating, maybe
upgrade is the wrong term, to 8.5.

On Thu, 28 Jul 2016 12:38:12 +0300, you wrote:

>Steve Matzura [2016-07-28 05:21:59-04] wrote:
>
>> Should I follow the standard procedure--edit sources.list to include
>> the DVD drive (if it's not there already), then 'apt-get upgrade'
>> followed by 'apt-get full-upgrade'?
>
>I think it's useful to follow the "standard procedure", that is the
>release notes. It's written here (amd64):
>
>https://www.debian.org/releases/stable/amd64/release-notes/



Re: OK to upgrade to 8.5?

2016-07-28 Thread Steve Matzura
I am running 8.0; 8.5 is out. Came out on June 24. Are you saying I
should wait for 9 to become stable release and then upgrade to that
version? I thought going to 8.5 would be a good idea. Maybe not?

On Thu, 28 Jul 2016 11:34:01 +0200, you wrote:

>Steve Matzura:
>>
>> Should I follow the standard procedure--edit sources.list to include
>> the DVD drive (if it's not there already), then 'apt-get upgrade'
>> followed by 'apt-get full-upgrade'?
>
>What do you mean with "8.5"? Debian jessie is version 8, Debian stretch
>is supposed to be version 9, I think. Either way, it isn't stable yet so
>technically the latest Debian version is 8.
>
>In any case, the canonical answer to "How do I upgrade to the latest
>Debian release?" is to go through the release notes of your current
>release+1 until you have reached the desired version.
>
>Example: if you have installed Debian squeeze (version 6) you would
>first follow this (I have picked amd64 randomly):
>https://www.debian.org/releases/wheezy/amd64/release-notes/
>
>and then this:
>https://www.debian.org/releases/jessie/amd64/release-notes/
>
>J.



OK to upgrade to 8.5?

2016-07-28 Thread Steve Matzura
Should I follow the standard procedure--edit sources.list to include
the DVD drive (if it's not there already), then 'apt-get upgrade'
followed by 'apt-get full-upgrade'?



Re: Networking nonfunctional on 8.0

2016-07-28 Thread Steve Matzura
On Wed, 27 Jul 2016 20:46:23 +0200, you wrote:

>On 27/07/2016 at 15:43, Steve Matzura wrote:
>> My 8.0 system has been running great up until Monday evening when
>> users started reporting they were unable to connect. Sure enough, I
>> couldn't even connect from my LAN. I rebooted, looked at messages from
>> dmesg, and saw nothing unusual--nothing that said networking couldn't
>> start, or there was a hardware failure, nothing to indicate a problem.
>> What should I check next?
>
>Check the current network (link+IP) configuration.
>
>ifconfig -a

eth0      Link encap:Ethernet  HWaddr bc:5f:f4:5b:80:09
          inet addr:192.168.1.130  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3794 (3.7 KiB)  TX bytes:3794 (3.7 KiB)

>ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether bc:5f:f4:5b:80:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.130/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever

>ip route

default via 192.168.1.1 dev eth0 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.130 

Provided by sneakernet. I mounted a thumb drive and redirected the
output from the above commands thereto, then pasted the files herein.



Networking nonfunctional on 8.0

2016-07-27 Thread Steve Matzura
My 8.0 system has been running great up until Monday evening when
users started reporting they were unable to connect. Sure enough, I
couldn't even connect from my LAN. I rebooted, looked at messages from
dmesg, and saw nothing unusual--nothing that said networking couldn't
start, or there was a hardware failure, nothing to indicate a problem.
What should I check next?

As always, thanks in advance. I learn so much just by casual browses
of messages on this list. If I made a career of Debian sys admin, I'm
sure I'd learn everything I need to know from
here. It's a great resource.



Re: synaptic package manager error

2016-07-20 Thread steve

Hi,

On 19-07-2016, at 22:49:48 -0400, Jesse Stephen wrote:


  I am using GNOME. I have a problem with no sound on YouTube, I can't run
  updates, and I cannot download the Google Talk plug-in because it says the
  package updater is open



You need to kill the "package updater" first.

One way to do it is:

ps aux | grep dpkg

(or if it's not dpkg but apt-get or aptitude, you can try:

ps aux | grep apt )

which will give you the PID of the process. Then you kill it with

sudo kill -9 <PID>

Then you can try the update process.

Hope it helps.

Best,
Steve



Re: interesting or nice "stable" repositories

2016-06-27 Thread steve


On 27-06-2016, at 16:16:03 +0200, VieuxGeek DuSystem wrote:


Hello Pierre


[…]


So in the end your system can no longer be considered
stable (in the Debian stable sense).


I can only agree. Adding external repositories you know nothing about
leaves the door WIDE open to endless trouble that will end, 99 times
out of 100, in having to reinstall.


Before asking (yourself) for the address of "nice" repositories, you should
ask what need you have to meet and how to meet it within a well-defined
framework. Asking the question generally makes it possible to answer it
and shows the way to get there.


my 2 cents

Steve



Re: jessie won't install/boot on a Dell Poweredge R815

2016-06-24 Thread Steve McIntyre
On Fri, Jun 24, 2016 at 06:22:37PM -0400, Jeffrey Mark Siskind wrote:
>Please note that booting with rootdelay=20 does not solve the problem. It only
>masks it.
>
> 1. If I attempt a fresh USB install of jessie, when md0 is correctly built
>before the install, the process of doing the fresh install breaks
>md0. When it gets to grub install, components of md0 are missing (even
>though all six components were present before the install). And
>grub-install fails. At this point it is impossible to complete the install
>and produce a bootable system.
>
> 2. If I do a fresh minimal USB install of wheezy, rebuilding md0 in the
>process, and then do a dist-upgrade to jessie, I can manually add
>rootdelay=20 in grub and boot into jessie with all six components of md0
>present. But if I do so, then after boot, if I do dpkg-reconfigure pc-grub,
>doing that gives errors, drops components of md0, precludes me from adding
>them back, fails to install grub, and leaves the machine in an unbootable
>state.
>
>I fear that there is a problem writing to disk. Even if I boot with
>rootdelay=20, unless the kind of writes that dpkg-reconfigure pc-grub does are
>different, doing ordinary writes to disk may also corrupt the disk.
>
>Please let me know what new information you would like me to gather.

Ummm. Checking back up-thread, I can see that you're using md0 across
more than 4 disks and you're trying to boot off it with
grub-pc. You're hitting BIOS limitations here - the BIOS is only
capable of accessing 4 disks. I'm *guessing* that maybe the newer grub
in jessie is just being pickier about checking BIOS access to those
disks. Try just using 4 of the disks for md0, and I'd expect it to
work.

-- 
Steve McIntyre, Cambridge, UK.                st...@einval.com
"Arguing that you don't care about the right to privacy because you have
 nothing to hide is no different than saying you don't care about free
 speech because you have nothing to say."
   -- Edward Snowden



Re: Bug with lib ssl

2016-06-18 Thread Steve Witt

On Sat, 18 Jun 2016, Fabrice Vaillant wrote:


Hey

I'm running debian testing and I have encountered a weird bug. Wanted to 
check if that was a real bug or an issue on my end.


The site https://www.w3.org/2010/05/video/mediaevents.html fails on my 
computer with both iceweasel and chromium whereas it succeeds on other computers 
(not debian) I have tried it with. The reason is that media content 
downloaded from media.w3.org over https fails due to:


```
An error occurred during a connection to media.w3.org.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)
```
Similar error messages show up when I try to directly download the content 
from the site using curl. I suspect an issue in the ssl implementation but I 
have not been able to reproduce it on other sites.


Does anybody have a similar problem?


Works for me using Firefox and Google Chrome on unstable. Also works using 
Firefox on Jessie.  I don't have a testing system to try.




Re: home directory fail-over using automount ?

2016-06-17 Thread Steve Witt

On Fri, 17 Jun 2016, bri...@aracnet.com wrote:


I have my nfs shares set-up to automount to

/home/nfs4/

and then that directory name is used in the /etc/passwd file.

What i'd like to do is have it use /home/ in the event it 
can't see the nfs server.


it seems like some automount trickery might be possible if, for example, 
nfs mount didn't work it would actually mount /home/ on 
/home/nfs4/.


Haven't found a way to do this, probably because it's a horrible hack, 
or not possible and I should probably be trying to do this some other 
way.


Any suggestions ?


I'm not an NFS expert, but I've been using/sys admin'g NIS/NFS on various 
Sun and Linux systems at home and at work since the late '90s. I have 
never heard of what you're trying to do, but can't categorically say that 
it isn't possible (if the double negative isn't too confusing). I don't 
think the result would be very satisfactory as it seems you'd end up with 
a split home directory with files in both the local and server home 
directories. I think it would be pretty chaotic.


My experience over the years is that NFS automounting is very reliable and 
fairly easy to administer. If your network is stable, then you shouldn't 
have a problem with it at all. If your network isn't stable, then that 
problem should be fixed. I've had software development systems consisting 
of approx. 100 client workstations automounting user home directories from 
a couple of Linux servers (almost always Debian, but some Redhat and SUSE 
- doesn't really matter) with 30 - 40 heavy users. It was very reliable 
and there were almost never any problems.




Re: Usage time counter

2016-06-15 Thread steve

Hi,

Have you tried the xprintidle package?

S



Re: Disabling the sound card of a laptop

2016-06-04 Thread steve

On 04-06-2016, at 12:28:49 +, Alex PADOLY wrote:


  Hello,

  The headphone output of my laptop is dead; I only get sound through
  the modest speaker of my laptop (DELL D430). So I am going to
  buy an external USB sound card.

  Before using this new device, I would like to disable the laptop's
  sound card so that from now on the kernel
  only handles the USB sound card.


Maybe you can do that directly in the BIOS.



Re: Updating libraries

2016-06-04 Thread steve

On 04-06-2016, at 12:24:37 +, Alex PADOLY wrote:


  Hello,

  Thank you for your answers; what exactly does "enabling
  backports" mean?


It means adding the following line to the file
/etc/apt/sources.list:

# backports
deb http://ftp.fr.debian.org/debian jessie-backports main contrib


then, if you use aptitude as your package manager:

# aptitude update
# aptitude safe-upgrade



Re: configuring mailman properly

2016-06-04 Thread steve

On 04-06-2016, at 12:13:52 +0200, Bernard Schoenacker wrote:


hello,

I am setting up mailman and I am having a few problems ...
here are the links:

https://doc.ubuntu-fr.org/mailman
https://guide.ubuntu-fr.org/server/mailman.html


for information, I have installed:

-a) php 5.x and php7.x
-b) apache
-c) exim 4 (the default)

and the address localhost/cgi-bin/mailman does not work

what have I forgotten?


Read the Apache logs?



Re: jessie install cd no network

2016-06-03 Thread Steve McIntyre
Javier wrote:
>Hello, I downloaded the Jessie install cd and added a preseed file to
>automatically install some packages, but running the install cd does not
>recognize the realtek network cards, telling me that no network hardware
>was detected.
>
>If I install it in a Virtualbox machine (with a physical disk mapped)
>and then I boot with that disk, the network cards work perfectly.
>
>the cards I have are:
>
>javier@javier-System-Product-Name:~$ lspci | grep -i ethernet
>04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
>RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
>06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
>RTL-8100/8101L/8139 PCI Fast Ethernet Adapter (rev 10)
>
>How can I make the debian installer to automatically boot these modules
>in the kernel?

At a guess you may just be missing firmware. Try using the
firmware-included netinst:

  http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/

-- 
Steve McIntyre, Cambridge, UK.                st...@einval.com
Who needs computer imagery when you've got Brian Blessed?



Re: trouble installing teamviewer 11 on amd64 (debian stretch)

2016-05-30 Thread steve

Hi Bernard,

It's an architecture problem.

Try with

http://download.teamviewer.com/download/teamviewer_i386.deb

(taken from here: https://www.teamviewer.com/en/download/linux/ )

it is also a version for 64-bit multiarch, contrary to what
the name might suggest.



Upgrading from 8.2 to 8.4

2016-05-13 Thread Steve Matzura
Are 'apt-get update' and 'apt-get dist-upgrade' sufficient?



Re: Timing issue with fstab NFS mounts

2016-05-13 Thread Steve Matzura
Dan,

On Fri, 13 May 2016 05:12:56 -0400, you wrote:

>The options field in fstab should include "_netdev" for devices
>which cannot be mounted until networking is stable.

I have never heard of that option. I'll try it and report back. Now,
what about the lines for the binds that immediately follow the network
device? Do the binds still operate even if the network device isn't
online yet? In other words, does the mounting of devices processing
stop until the line in fstab with _netdev in its options field is
processed, then the binds run? If so, then this is the answer to a
humble man's prayer. I've been wrestling with this literally for
months.



Re: archivemail corrupts backups

2016-05-13 Thread steve

On 03-05-2016, at 20:13:08 +0200, Bernard Schoenacker wrote:


try opening the archive with mc


No difference. However, it seems that

gunzip < fichier.gz > fichier_out

is more fault-tolerant than

gunzip fichier.gz


In any case, that allowed me to recover the message I was looking for.



Timing issue with fstab NFS mounts

2016-05-13 Thread Steve Matzura
While the rest of my system is just cherry, I have not yet been able
to solve the problem of why an NFS mount and associated binds don't
work unless and until I wait a minute or two after the system comes
up, then issue a 'mount -a'. I have tried putting 'mount -a'  into
/etc/init.d/rc.local, and still no happiness. Is there something I
need to check for before the fstab stuff starts, or should the NFS
mount and associated binds be taken out of fstab and dealt elsewhere?
This seems a kluge, but I cannot think of another way to get around
this problem.

Thanks in advance as always.



Re: Chromium. Good Alternative for Chrome?

2016-05-12 Thread steve

Hi,

Install the package 'debian-security-support'.

Best,
Steve



Re: archivemail screwed up (some of) my backups

2016-05-11 Thread steve

Hi Sven,



I have been using archivemail since March 2003, always with compression.
My configuration generates a new gzipped archive for every month for
every IMAP folder.

To give you some peace of mind, I just did a simple decompression test
of all archives [~5000 right now] (gunzip $file > /dev/null) to check
for errors and found none.

Whatever error you have, I don't think archivemail is the culprit
creating them.


Well thanks for your checks.

It seems that I have to dig into this problem more thoroughly. 


If I find anything that could be useful, I'll post here.

Thanks again.

Best,
Steve



Re: Portable Debian?

2016-05-11 Thread Steve Matzura
On Wed, 27 Apr 2016 23:00:53 +0100, Lisi wrote:

>Did you discover the Adriane version?  Now available as an alternative boot on 
>the mainstream disk.  It is specifically for the blind and partially sighted, 
>and has things like Daisy Player there, as well as screen readers and speech.  
>Adriane is Karl Knopper's wife, and is in some way visually disabled.  He 
>originally did the Adriane version for her, and it was originally completely 
>separate.

No, I did not. Better take another look! Thanks for the tip there.



Re: archivemail screwed up (some of) my backups

2016-05-11 Thread steve

Hi Thomas,

Thanks for your answer!

Le 11-05-2016, à 12:22:18 +0200, Thomas Schmitt a écrit :


steve wrote:

gzip: mail_archive.gz: invalid compressed data--crc error


It seems that
 gunzip 

You're right, with gunzip < file.gz > file, I can recuperate almost the
whole file:

ls -l
-rw-r--r-- 1 steve steve 313033001 mai 11 13:15 file_archive
-rwxr-xr-x 1 steve steve 192528981 mai  3 14:00 file_archive.gz

I don't know what is the compression rate, but if it's in the x2 range,
I'm almost there.

Anyway, I have been able, by chance, to put the hand on the needed message.

[snip]


should I buy a couple of
handkerchiefs and start a period of mourning for my lost messages?


A few handkerchiefs seem appropriate.

But you should not blame the archiver program before you have
ruled out that your storage system spoiled the data.
Especially since unreliable storage would be a much more severe
problem than a buggy archiver.


I understand, but since I have more or less 2/3 of the *.gz that are ok,
I thought archivemail was the responsible. But after gunzipping some
other files, it seems that the problem only arises on ISO-8859 text files,
not on UTF-8. But not tech savvy enough to know why.

The thing is now, how could I be 99.99% sure that the backups
created by archivemail are reliable? My confidence is a bit broken now.



Have a nice day :)


The sun just rose above horizon, thanks to you!

Steve
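
Added example, not part of the original messages: a Python sketch of the salvage idea discussed in this thread. It decodes the raw deflate stream of a gzip member as far as it goes and then checks the trailer CRC itself, instead of discarding everything on "crc error". The sample archive is constructed in the code, and all function names are hypothetical.

```python
import gzip
import struct
import zlib

# RFC 1952 header flag bits
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def make_sample():
    """Constructed sample: mbox-like text and its gzip archive."""
    text = b"".join(
        b"From user%d@example.org\nSubject: message %d\n\nbody of message %d\n\n"
        % (i, i, i)
        for i in range(200)
    )
    return text, gzip.compress(text, mtime=0)


def flip_crc_bit(blob):
    """Damage the stored CRC32 (first 4 bytes of the 8-byte gzip trailer)."""
    damaged = bytearray(blob)
    damaged[-8] ^= 0x01
    return bytes(damaged)


def strict_ok(blob):
    """All-or-nothing check: True only if the member decodes and verifies."""
    try:
        gzip.decompress(blob)
        return True
    except (OSError, EOFError, zlib.error):
        return False


def deflate_offset(blob):
    """Return the offset where the raw deflate stream starts (RFC 1952)."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip member using deflate")
    flags = blob[3]
    pos = 10
    if flags & FEXTRA:
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    if flags & FNAME:
        pos = blob.index(b"\x00", pos) + 1
    if flags & FCOMMENT:
        pos = blob.index(b"\x00", pos) + 1
    if flags & FHCRC:
        pos += 2
    return pos


def salvage(blob, chunk=256):
    """Decode as much as possible; return (recovered_bytes, status)."""
    pos = deflate_offset(blob)
    inflater = zlib.decompressobj(wbits=-15)  # raw deflate, no CRC check
    out = bytearray()
    while pos < len(blob) and not inflater.eof:
        piece = blob[pos:pos + chunk]
        pos += len(piece)
        try:
            out += inflater.decompress(piece)
        except zlib.error as exc:
            # Keep what was decoded before the damaged chunk.
            return bytes(out), "corrupt deflate data: %s" % exc
    if not inflater.eof:
        return bytes(out), "truncated"
    trailer = (inflater.unused_data + blob[pos:])[:8]
    if len(trailer) < 8:
        return bytes(out), "trailer missing"
    crc, isize = struct.unpack("<II", trailer)
    if crc != zlib.crc32(out) or isize != (len(out) & 0xFFFFFFFF):
        return bytes(out), "crc mismatch"
    return bytes(out), "ok"


if __name__ == "__main__":
    text, blob = make_sample()
    cases = {
        "intact": blob,
        "bad trailer CRC": flip_crc_bit(blob),
        "cut in half": blob[: len(blob) // 2],
    }
    for name, data in cases.items():
        recovered, status = salvage(data)
        print("%-16s strict_ok=%-5s recovered=%d/%d bytes status=%s"
              % (name, strict_ok(data), len(recovered), len(text), status))
```

Anything returned with a status other than "ok" is unverified data: it helps to find a lost message, but it does not say where the corruption came from.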



archivemail screwed up (some of) my backups

2016-05-11 Thread steve

Hi there,

This is my first post on this mailinglist, so I hope to find the right
tone pretty quickly. If not, please correct me gently  ;-)

I'm using archivemail to archive my messages on a Jessie box up to date.
Recently I needed to find an old message so I tried to gunzip the
mail_archive.gz file and I got this answer:

gzip: mail_archive.gz: invalid compressed data--crc error

I tried the same thing on other archives and the result is that more or
less one third were corrupted. I searched the Net for a solution, but
since the error is a rather general one, I failed to find something
really useful.

Anyone here with a brilliant idea? Or should I buy a couple of
handkerchiefs and start a period of mourning for my lost messages?

Thank you.

Best,
Steve






archivemail corrupts backups

2016-05-03 Thread steve


Hi,

Needing an old message, I try to gunzip an archive and
I get this friendly message:

gzip: mail_archive.gz: invalid compressed data--crc error

And so it is impossible to recover my messages. I tried on other
files, to see whether all my archives were fit for the
bin, and the finding is that about a third were in the same state…

After some searching on the Net, it seems practically impossible
to recover my messages. No entry in the BTS and nothing really
conclusive for solving the problem. It's the first time this has
happened to me and I find it a real pain (and unexpected, to say the least).

Am I the only one in this situation? Any idea to save (me)?

Have a nice evening,
Steve



Re: Portable Debian?

2016-04-27 Thread Steve Matzura
Joe:

On Wed, 27 Apr 2016 19:05:26 +0100, you wrote:

>The most versatile system that I know of is Debian-based Knoppix, but
>the development effort goes into hardware detection and driving, with
>the result that it is not maintainable. It is installable to a hard
>drive, but you throw it away and install the next version when that
>becomes available, there is no carefully-designed upgrade path as with
>straight Debian.

Either I'm smarter than I think (LOL), or you're psychic. I looked at
Knoppix earlier this morning. I didn't know about the throwaway aspect
of it, though, so that is now out the window and I'm back to straight
Debian, from which I probably should not have strayed in the first
place.

>So I don't think it's possible to make a long-term boot-anywhere
>installation, but a 32-bit all-drivers Debian goes a long way towards
>the goal.

Right. That's what I'll do. I'm using it primarily for backup and
restore, so it's going to be really slimmed down. As long as it talks
(with Speakup) and I can put IFL on it, I'm happy. I've tried it
before with other distros such as Arch Linux but wasn't happy with the
results. Do you still think I should go the mech drive route and not
put it on a USB key?



Re: Portable Debian?

2016-04-27 Thread Steve Matzura
On Mon, 25 Apr 2016 19:04:40 -0700, David Christensen
 wrote:

>Alternatively, make your own Debian Live images (hybrid ISO -- can put 
>on optical discs or USB drives):
>
> https://www.debian.org/devel/debian-live/

Good solution. It solves the drivers problem for sure.



Re: Portable Debian?

2016-04-27 Thread Steve Matzura
On Mon, 25 Apr 2016 20:22:48 +0100, Joe wrote:

>I've found that a minimal installation, then dpkg --get-selections and
>--set-selections and a bit of judicious /etc copying, to be a fairly
>painless way to get a clean near-copy of an existing installation. I
>migrated a server, I think lenny or squeeze, from 32bit to 64bit
>hardware that way, and it had years of configurations built up by then,
>having started life as sarge. I did actually try a straight copy and
>then an in-place 32bit to 64bit upgrade, but the complexity quickly
>outran my gumption, and I cheated.

Sounds like a plan. I'll look into the external disk thing first. One
final question: Is it even possible to build an all-hardware system?
Different machines have different audio chips, disk controllers, etc.,
so what's the best way to ensure one of these portable builds will run
on as many varieties of hardware as possible? Or is that not a valid
consideration? Maybe what I should be doing is to build the system on
the specific piece of hardware I want to run it on? That way I know it
will run correctly.



Re: Portable Debian?

2016-04-25 Thread Steve Matzura
Joe:

On Mon, 25 Apr 2016 15:17:08 +0100, you wrote:

>I run ssh on a non-standard port, and my router redirects to 22 of my 
>server, alternatively ssh itself will listen wherever you tell it to.

That's probably what I should be doing. As you say, it keeps the logs
clean and the riff-raff at bay.

>I have a sid installation on a portable USB [mechanical] hard drive 
>which was installed as 32bit with all drivers, and therefore boots on 
>just about any PC. I just plugged the drive into a 64bit desktop and 
>made a new installation to the drive.

That's the ticket, yes. I'll get me one of those USB-powered drives
and build an installation on it.

>You might get away with copying 
>your existing installation if you have the right drivers installed to 
>suit your target PCs.

That's a chance I'd prefer not to take. It's easy enough to make
another piece of boot media as you suggest.

So, do I start with the running installation and run something to
create the new media, or boot from the distro itself and create the
new system on the target USB device? I'd rather the former, as now
that I have everything running correctly, I probably answered some basic
configuration questions wrong and corrected them later, so I'd prefer
not to have to go through that mess again unless it's really
necessary.



Re: Internal error: found 2 (choice -> promotion) mappings for a single choice.

2016-04-25 Thread steve

In fact it seems the problem comes from the fact that you must have
installed a package with unresolvable dependencies. Probably a
deb package that is not part of the official repositories. All that
remains is to find which one, uninstall it and find a healthier way
to reinstall it.



Re: Internal error: found 2 (choice -> promotion) mappings for a single choice.

2016-04-25 Thread steve

Hi,

On 25-04-2016, at 18:31:52 +0200, C. Mourad Jaber wrote:


Hello,

For a few days now, I have been getting the following message:
"Internal error: found 2 (choice -> promotion) mappings for a single choice."
when I want to run an "aptitude upgrade"...

After a while, it seems to work, but that does not look 
very healthy to me...

With the apt-get command everything runs fine!

Is there a way to fix aptitude?


Just an idea: could there be two nearly identical lines
in your sources.list? Say, one with the name stable and the other with
jessie (or likewise with testing and stretch, etc.).

Otherwise, can you show what comes before and after this message?



Portable Debian?

2016-04-25 Thread Steve Matzura
My system that I built late last year/early this year is running
great, except for the occasional overrun of inbound ssh from such
addresses as 59.*.*.*, 213.*.*.* and others, but that's only because I
have not put any blockers in place, either on my home gateway device
or my Debian system, but that one's on me. I have no GUI desktops
installed, I run completely from CLI and use Speakup for all of it,
including and especially Image for Linux for backup and restore, which
I use on all my Windows machines.

I'd like to take the installed Debian system as it is, write it to a
CD or DVD, and use that as a talking backup/restore disc. Is this
possible? Or should I create a new installation and write it to an ISO
image, or just what should I do to accomplish the goal of creating a
basic talking Debian shell environment that includes a licensed IFL?

As always, thanks in advance for any and all suggestions.



Re: viewing an image in emz format

2016-04-20 Thread steve

On 20-04-2016, at 16:22:05 +0200, Bernard Schoenacker wrote:


but I still don't know how to do it under linux 


Have you tried convert from the imagemagick package?



Re: regenerating the "admin" rescue password for Mysql (mariadb)

2016-04-15 Thread steve

Hi,

try this:

https://support.rackspace.com/how-to/mysql-resetting-a-lost-mysql-root-password/



Re: SOLVED - I hope! was: Re: Repeated failure of install of Jessie

2016-04-09 Thread Steve McIntyre
Lisi Reisz wrote:
>
>Right.  Have installed 4.4.6.  I appear to have a working computer  
>
>Thanks to all, especially Steve and Henrique.  I'll flash the BIOS when I see 
>another version of the firmware available, but meanwhile all seems great - 
>though I obviously don't know yet how stable.  Even sound is now working!!
>
>The solution in this case:
>Skylake i5 with Giga-Byte GA-H110M-S2H, DDR4 version.
>re-flash BIOS
>Install backported kernel.
>
>Now running Jessie with TDE 14.0.3.
>
>If I could do so without waking my husband (it is 3:20 a.m. in my timezone) 
>and upsetting my hips I would dance a jig. :-))

Woo! \o/

-- 
Steve McIntyre, Cambridge, UK.                st...@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html



Re: Repeated failure of install of Jessie

2016-03-31 Thread Steve McIntyre
Lisi Reisz wrote:
>On Tuesday 29 March 2016 23:55:33 Steve McIntyre wrote:
>> Lisi Reisz wrote:
>> >No help - but "Join the club".  Been there, done that, got the tee shirt.
>> >Mine was a new computer and, after over a day of tearing my hair out,
>> > trying again, trying differently,and re-downloading etc. etc., I
>> > installed Ubuntu MATE (how are the mighty fallen!!),  just to make sure
>> > that something would install.  It did.  I am about to try a few more
>> > methods of getting Jessie on. But I want a night's sleep first!  (This is
>> > a companion saga to the one I have already reported, not the same one). 
>> > It is not helped by the fact that check sums are not available for the
>> > 8.02 or 8.03 firmware net-install isos. And 8.0.0 (for which I have got
>> > the check sums) has not got the necessary drivers.
>>
>> We've never made 8.02 or 8.03 firmware netinstall images. If you mean
>> 8.2.0 or 8.3.0, 
>
>Yes, I'm sorry.  I do mean 8.2.0 and 8.3.0.

OK, cool. :-)

>> look in the directories on cdimage.debian.org for the 
>> signed checksums alongside the images:
>
>I'm very grateful for everything the dds do, honestly.  But please, now that 
>you help the blind a little, could you not start to remember the partially 
>sighted?
>
>> http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/archive/8.2.0/amd64/iso-cd/ (8.2.0 in the archive)
>>
>> http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.3.0/amd64/iso-cd/ (8.3.0, the current stable release)
>
>This information is not available on the website.  It is gold-dust.  The 
>website has a hyperlink that says "AMD64"
>https://www.debian.org/releases/stable/debian-installer/
>
>
>Yes, it says that the check-sums are available.  It says that they are in the 
>same directories.  It doesn't say where and what those directories are.  It 
>just has flipping hyperlinks that don't go to the directories, which would be 
>fine, they just go straight into downloading. 
>
>So to find the directory one has to go into the raw HTML.  But I have great 
>difficulty reading raw HTML.  I have great difficulty finding the place on 
>the page.  Letters dance and lines merge.  I haven't been able to read even 
>large print books for ten or fifteen years.  

Sorry to hear that. :-(

>And the lines I want are not even at the beginning or the end.  So this time I 
>googled it, in the hope of being taken straight to the directory.  And found 
>an email from you, presumably in fact out-dated, saying that the check sums 
>for the firmware isos had not yet been put up.  So I gave up.
>
>I just don't understand why the dds have decided to make it so difficult to 
>get the check-sums, when check-sums are so important.  There are so many ways 
>that they could be made available.  
>

Agreed.

>You have just made them available to me.  That is just fantastic!  I can now 
>at least be sure that my iso is not corrupted.
>
>So thank you very, very much Steve.  But could you perhaps persuade your 
>colleagues to make them readily available via the website?

Argh, yes. I've just filed a bug (http://bugs.debian.org/819664) to
try and get some of this mess cleared up. We have far too many web
pages with different details on them for things like downloads, and
it's a confusing mess. :-(

>> >I had not got the motherboard manual and did not know what the motherboard
>> >was, so couldn't download the manual.  I have now asked the shop what it
>> > is, and downloaded the manual.
>>
>> Are you trying to dual-boot with Windows, or replace the Windows
>> setup?
>
>No.  It has no Windows on it.  And now I have the manual, I see that if the 
>BIOS is at its defaults, the BIOS is fine, but from what the tech support 
>chap said, I suspect that settings have been changed by Novatech, so that is 
>what I shall look at next.  I did look before, but without the manual I was a 
>bit at sea.

Yup, of course! I can see that based on your information "Giga-Byte
GA-H110M-S2H" Henrique has provided more help and it may be
bleeding-edge hardware issues.  Let's see how that goes when you get
back from your trip, I guess. :-)

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html



[Info] Ubuntu on Windows 10

2016-03-31 Thread steve

I had to read it three times to believe it (and April 1st is
only tomorrow).

http://www.zdnet.fr/actualites/ubuntu-pas-linux-debarquera-sur-windows-10-39834872.htm#xtor=RSS-1

http://blog.dustinkirkland.com/2016/03/ubuntu-on-windows.html

A paradigm shift?



Re: Repeated failure of install of Jessie

2016-03-29 Thread Steve McIntyre
Lisi Reisz wrote:
>
>No help - but "Join the club".  Been there, done that, got the tee shirt.  
>Mine was a new computer and, after over a day of tearing my hair out, trying 
>again, trying differently, and re-downloading etc. etc., I installed Ubuntu 
>MATE (how are the mighty fallen!!),  just to make sure that something would 
>install.  It did.  I am about to try a few more methods of getting Jessie on.  
>But I want a night's sleep first!  (This is a companion saga to the one I 
>have already reported, not the same one).  It is not helped by the fact that 
>check sums are not available for the 8.02 or 8.03 firmware net-install isos.  
>And 8.0.0 (for which I have got the check sums) has not got the necessary 
>drivers.

We've never made 8.02 or 8.03 firmware netinstall images. If you mean
8.2.0 or 8.3.0, look in the directories on cdimage.debian.org for the
signed checksums alongside the images:

  
http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/archive/8.2.0/amd64/iso-cd/
  (8.2.0 in the archive)
  
http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.3.0/amd64/iso-cd/
  (8.3.0, the current stable release)

and there are signed checksum files for *all* the images we publish.

>I have been installing Debian for years on a good many different computers of 
>different ages.  I have NEVER had problems like this.  I expect a basic 
>Debian installation to take half an hour, not days.

Ouch. :-(

>One of the tech help chaps, at the shop from which I bought the computer, 
>suggested forgetting about gpt and sticking with Legacy, and looking at the 
>Windows settings in the BIOS, which he thought might be interfering.  As I 
>said, I am going to have a night's sleep first.  I didn't get much last night 
>because I was battling with this.   FWIW, Ubuntu insisted on installing with 
>Legacy partitions, not gpt.
>
>I had not got the motherboard manual and did not know what the motherboard 
>was, so couldn't download the manual.  I have now asked the shop what it is, 
>and downloaded the manual.

Are you trying to dual-boot with Windows, or replace the Windows
setup? If you're talking about GPT, you're looking at a UEFI/legacy
BIOS choice. There *are* machines/motherboards which come stupidly
configured out of the box to boot removable media in one mode
(e.g. UEFI) but to use the *other* mode (e.g. BIOS) for booting off
hard disk. You then can end up with a system where the installer will
appear to work flawlessly, but the newly-installed system will fail to
boot.

If you've found out the manufacturer/model for your motherboard,
telling us what you have could be helpful here.

I'm surprised to hear that Ubuntu worked but not Debian at this point
- under the covers, the installers for both are remarkably similar...

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html



Re: Repeated failure of install of Jessie

2016-03-29 Thread Steve McIntyre
a...@his.com wrote:
>Long before I joined this List, I purchased a DVD and a thumb device from
>LinuxCollections.  The DVD contained the first Jessie DVD, and, I'm guessing,
>the thumb device contained the rest.
>
>I kept the same partitions that I had had on my old squeezy install.
>the first was /boot, the fifth was /, the sixth was /usr, the seventh
>was /var, the eighth was swap, the ninth was /tmp and the tenth was
>/home.  The sizes I kept from  squeezy; all were overly generous(my HD
>is one TB.)
>
>I reformatted them all with ext4 at first, then later with
>ext3, which what my old system had.  [  Sorry for the vague terminology,
>I'm writing this on a loaner Windoze box many yards away from my
>own machine and documentation. ]

OK, that's understandable.

>The _many_ install attempts crashed at random points but after a while
>they congregated when I tried to choose a kernel.  After choosing a kernel
>one must then choose the associated drivers.

When exactly did the installer ask you to choose a kernel? Or do you
mean after the installation had finished and rebooted? I'd *guess* the
latter, but your later text doesn't tally with that.

>This crashed almost inevitably, although once I got through to stage
>where I received a black screen with the white text prompt 'grub>'.
>This was before the kernel was booted, and I have no clue how to use
>this, even if I once again get this far.

If you're at a grub menu, then hitting "e" should give you the option
to edit the selected boot option. I'd try doing that and remove the
"quiet" kernel argument as a start in the hope that you might get some
more useful diagnostics. I'm *guessing* where you've got to here,
though.

>I have tried choosing 'none' for a kernel.  But then one must choose an
>installer.  I've tried choosing grub, even tried using the ancient LILO.
>All produce red screens, indicating failures of one kind or other.

And this is totally confusing, I'm afraid. If you could retry the
installer and tell us exactly what the screen says when you choose
"none", that would be helpful.

>I have discovered the informative 'tty4' where the progress of the
>installation is more copiously displayed.

Yup, that's the syslog output. If you've got that far, you can use
tty2 or tty3 to start a shell and play with the system, or from the
installer menu you can even start a tiny built-in web server in the
installer environment so that you can grab logfiles from another
machine over the network.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html



Re: XML spreadsheet file

2016-03-10 Thread steve

On 10-03-2016, at 13:48:13 +0100, Bernard Schoenacker wrote:


>it's not an html or xhtml file ...
>
>but a file produced by a genealogy program that generates a d*** XML
>spreadsheet file ...

Which genealogy program? Geneweb?



http://genj.sourceforge.net/



Don't know it, can't help you, sorry…



Re: XML spreadsheet file

2016-03-10 Thread steve

On 10-03-2016, at 13:05:04 +0100, Bernard Schoenacker wrote:


it's not an html or xhtml file ...

but a file produced by a genealogy program that generates a d*** XML
spreadsheet file ...


Which genealogy program? Geneweb?



Re: XML spreadsheet file

2016-03-10 Thread steve

Hi Bernard,


On 10-03-2016, at 12:49:14 +0100, Bernard Schoenacker wrote:


hello,

I have an XML spreadsheet file that I can't manage to open in order to
convert it to csv; what tools are available?


Would it be possible to have a look with Beautiful Soup?

http://www.crummy.com/software/BeautifulSoup/




Re: Why so big EFI partition?

2016-03-05 Thread Steve McIntyre
al...@otterhall.com wrote:
>On 03/03/2016 12:55 AM, Steve McIntyre wrote:
>> Basically, there are lots of
>> reported (real and potential) issues with smaller sizes, so we've
>> picked a larger size by default for the guided partitioning.
>
>I wasn't aware of the potential problems. Funny that Ubuntu's
>documentation still recommends 200MiB if at least 512MiB is recommended.

Yes, it's odd...

>Btw, can the Debian installer handle *iB units? When I installed it only
>mentioned "MB" and "GB".

Sorry, no. The code is in the "partman" module if you'd like to take a
look and maybe try to add the support.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html



Re: Why so big EFI partition?

2016-03-02 Thread Steve McIntyre
al...@otterhall.com wrote:
>On 03/02/2016 07:42 PM, Pascal Hambourg wrote:
>> There is no ratio. 500 MB is the generally recommended size for the EFI
>> system partition even though the Debian GRUB EFI bootloader needs much
>> less, and 250 MB for /boot is one of the questionable arbitrary choices
>> that the guided mode does for you. If you're not happy with these
>> choices feel free to use the manual mode instead.
>
>Why is it generally recommended? Do other distributions store other
>things in the EFI partition that Debian doesn't?

There's a reasonable discussion of this in Ubuntu's BTS at

  https://bugs.launchpad.net/curtin/+bug/1306164

with lots of links to articles elsewhere. Basically, there are lots of
reported (real and potential) issues with smaller sizes, so we've
picked a larger size by default for the guided partitioning. Feel free
to pick smaller if you like and if it works for you.

(The Ubuntu and Debian UEFI support is broadly similar, sharing a lot
of code and ideas.)


-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html



Re: Windows Shares Abound Continuously

2016-02-28 Thread Steve Matzura
Martin:

On Sun, 28 Feb 2016 08:44:07 +, you wrote:

>Ever since Windows 3.11 its networking has been just awful and prone to
>malfunction without notice, they originally lifted the network stack from
>FreeBSD but managed to completely screw it, and it is still awful now, both
>in sharing and even trying to find shares.
>You would probably be better off putting all that stuff on a samba share
>on a nice Debian box, you would be much more likely to get a good night's
>sleep.

I have a fine Synology NAS box where everything just works, so I think
that's what I'm going to do--move that content onto the NAS and be
done with it. Now I wish I had put bigger drives in that thing! LOL.



Windows Shares Abound Continuously

2016-02-27 Thread Steve Matzura
Just when I thought it was safe to let my Debian 8.2 system alone for
a few days, I started getting emails from users of the service I
provide which uses that system that they could not access any content
on the shared-mounted drives on one of my Windows machines. Sure
enough, I tried an 'ls' and got "cannot access {name of remote shared
folder}: Remote I/O error".

Thinking this has *got* to be a Windows problem, I rebooted
everything, and everything came back. But within an hour, the remote
I/O error came back, too. Might there be something in dmesg I could or
should look for? Is mounting a Windows shared drive or directory a
problem, and if so, should I go to something else, and what would that
be?



Re: Need a Live CD [was Re: Need a downgrade :(}

2016-02-24 Thread Steve McIntyre
Glenn English wrote:
>
>> On Feb 24, 2016, at 1:06 AM, brian <br...@meadows.pair.com> wrote:
>> 
>> On Wed, 24 Feb 2016 07:46:50 +, you wrote:
>> 
>>> On Wed, 2016-02-24 at 02:39 -0500, brian wrote:
>>> 
>>>> Anybody know anywhere where I can download a Wheezy live image, or
>>>> even just installation disks, for (preferably) 64-bit Wheezy with an
>>>> XFCE desktop? 
>>> 
>>> Top google hit for me for 'wheezy iso' is...
>>> https://www.debian.org/releases/wheezy/debian-installer/
>> 
>> Hmm. Thank you. Seems I was too quick to believe the Debian website
>> that Wheezy images were no longer available. 
>
>Those don't look like Live images to me; they look like install
>disks. Forgive me -- I've never used anything but Netinstall CDs, and
>I'm on a T1, so it'd take days to check them out myself. I need a
>Live Wheezy disk for debugging purposes.
>
>Does anyone know if any of those are Live Wheezy isos? Or maybe how
>to build one from a Netinstall?

We have a large set of older images online at

  http://cdimage.debian.org/cdimage/archive/

for both live and install media.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html



nytimes pages that fail in iceweasel

2016-02-21 Thread Steve Kleene
On Sat, 20 Feb 2016 19:12:15 -0800, Patrick Bartek wrote:

> What I'd like to know is how iceweasel broke on the OP's system in the
> first place. I did a standard install of the browser on my 64-bit Wheezy
> system years ago, installed Flash, etc., and it works.  Maybe, it's
> because I don't use or have installed any desktop. Just use a window
> manager, Openbox.

I'm the OP.  I don't know when the feature got turned off, but I also use
just a windowing system (fvwm).  I also wasn't using Tor.



Re: nytimes pages that fail in iceweasel [SOLVED]

2016-02-20 Thread Steve Kleene
On Fri, 19 Feb 2016 21:13:26 -0500, I wrote:

>> A lot of sites on nytimes.com don't work correctly in my iceweasel, e.g.
>>
>> http://www.nytimes.com/interactive/2016/us/elections/fact-check.html#/factcheck-109
>>
>> If I click on any of the many "Read more" links, I get nothing.  I don't
>> guess this is flash.  Lots of flash sites work for me, and they ask if I want
>> to allow flash.  The nytimes pages do not.  Other examples:
>>
>> http://www.nytimes.com/interactive/2016/02/17/upshot/scalia-supreme-court-senate-nomination.html#g-detailed-responses
>> http://www.nytimes.com/interactive/2016/01/02/opinion/collins-our-new-year-quiz.html
>>
>> I am running iceweasel 38.6.1 under Wheezy.  Any ideas what format these
>> pages use or why they are failing?

On Sat, 20 Feb 2016 09:04:18 +0100, Sven Arvidsson  replied:

> You could try starting Iceweasel with -P and create a new profile. If
> it works there, something is wrong in your normal profile.

I moved my ~/.mozilla directory away, called mozilla, and got a new, very
simple profile.  Its prefs.js file was much shorter.  By brute force, I
edited out lines that were only in my old prefs.js file until I found the
responsible line:

user_pref("dom.indexedDB.enabled", false);

When I changed this to "true" in my original prefs.js, the web pages worked
properly.

The newly enabled function, IndexedDB, apparently has some security
shortcomings:

https://www.researchgate.net/publication/281066023_Some_Potential_Issues_with_the_Security_of_HTML5_IndexedDB

The databases that various servers create are stored in the sqlite files
under my iceweasel profile.  I may clear those out from time to time.

Thanks to everyone who responded.



nytimes pages that fail in iceweasel

2016-02-19 Thread Steve Kleene
A lot of sites on nytimes.com don't work correctly in my iceweasel, e.g.

http://www.nytimes.com/interactive/2016/us/elections/fact-check.html#/factcheck-109

If I click on any of the many "Read more" links, I get nothing.  I don't
guess this is flash.  Lots of flash sites work for me, and they ask if I want
to allow flash.  The nytimes pages do not.  Other examples:

http://www.nytimes.com/interactive/2016/02/17/upshot/scalia-supreme-court-senate-nomination.html#g-detailed-responses
http://www.nytimes.com/interactive/2016/01/02/opinion/collins-our-new-year-quiz.html

I am running iceweasel 38.6.1 under Wheezy.  Any ideas what format these pages
use or why they are failing?

Thanks.



Re: I need help

2016-02-10 Thread Steve Witt

On Thu, 11 Feb 2016, Ghaith Etaiwi wrote:


Hello, I'm starting in linux I used Ubuntu and didn't like it and I have
read that many people that used Debian had a better experience, I have a
MacBook Pro 4GB ram/ 500HDD/Intel HD 3000/ i5 2nd generation, can it run
Debian?. Also, I want to know what version of Debian to download, I saw
something about DVD1, DVD2...etc which one should I get and whats the
difference between them?



I have no direct experience with this but there is information on the 
Debian wiki about installing Debian on a Macbook Pro. It is at 



I've used Linux for many years now both at home and at work. I very much 
prefer Debian, use it at home and on any computers at work that I control. 
But I've had to use Ubuntu, Red Hat, and SUSE at work also. Although I 
don't prefer Ubuntu, I have to say that for inexperienced users, it can be 
a little more friendly than Debian. For example, if you try to run an 
application that isn't installed, Debian gives you a 'file not found' 
error. Ubuntu will advise you to install the package that provides that 
application with the package manager. And in the end, all of these are 
Linux distributions, the applications available are basically the same and 
the user experience is pretty similar. There are differences in system 
administration, where config files are kept, etc. Ubuntu does have their 
rather different desktop manager, Unity, which I don't like, but that is 
a very subjective opinion.


I wonder what it was about Ubuntu that you didn't like? Did you actually 
install it on your Macbook?





Re: downloading a jigdo image

2016-02-09 Thread steve

And why don't you read this:

 https://www.debian.org/CD/jigdo-cd/

S



Re: Trouble mounting nfs share

2016-02-08 Thread Steve Matzura
On Sun, 7 Feb 2016 17:27:11 -0500, Carlos Kosloff wrote:

>There was a package installed liblockfile1, which was causing grief.

I wonder if this might be my problem as well, but I don't find any
such package installed on my system.



Re: NVMe and Jessie

2016-02-05 Thread steve

On 05-02-2016, at 16:29:13 +0100, Olivier wrote:


  I know it is possible to change the kernel of a stable release, but
  doesn't one then lose a good part of the benefits of a stable release


No, only the kernel is different.


 or at least the possibility of sharing one's own experiences, on a list
 like this one, for example?


Didn't understand the question…

Re: NVMe and Jessie

2016-02-05 Thread steve

Hi,

On 05-02-2016, at 10:54:09 +0100, Olivier wrote:


  2. From the bug report [1], I understand that the Jessie installer does
  not yet allow booting from an NVMe disk.
  Link [2] indicates that NVMe support is much better from kernel 3.19
  onwards.
  Since the best is the enemy of the good (or, more honestly, I'm afraid
  to use anything other than a stable version), can one assume,
  installation difficulties aside, that "Jessie's 3.16 kernel gives
  acceptable performance with an NVMe disk, performance that will improve
  automatically on moving to Stretch"?


I can't answer your point 1, but for point 2, you should know that
there are backport versions of the kernel, currently at version 4.3
for Jessie. Maybe that can relieve some of your worries… :)

S



Windows share problem is back

2016-02-03 Thread Steve Matzura
After a couple system reboots for various things, mostly some hardware
changes, adding disks, etc., my Windows shares aren't mounting any
more, plus I'm getting a console error that the mount failed error
connecting to socket, error 115 mount operation in progress, etc. What
I want to know, aside from the obvious (what'd I do to break this),
is, what can I do on the Debian side to view what network resources
are out there for mounting? My NAS mounts all work just fine, so
what's up with the Windows side?



Re: Simulating a browser in Firefox (old subject: replacing flashplayer)

2016-01-29 Thread steve

On 29-01-2016, at 16:13:02 +0100, André Debian wrote:


good evening, what is the output of:
dpkg --list *opera*


# dpkg --list *opera*
dpkg-query: aucun paquet ne correspond à *opera*

# dpkg --list opera
dpkg-query: aucun paquet ne correspond à opera

and yet it was installed and works.


Probably because you installed it from a deb found on the web
and not via APT. According to

https://wiki.debian.org/Opera

you would need to put

deb http://deb.opera.com/opera stable non-free

in sources.list.



A heart-felt thank-you to all

2016-01-20 Thread Steve Matzura
Thanks to all who've helped me climb the learning curve of Debian 8.2
to get my system up and running. Specific thanks go, in no particular
order, to Daniel, Gary, Reco, Lisi, Dan, Mudongliang, Joe, the
Wanderer, Rick Thomas, and many others who took the time and had the
patience to bootstrap my knowledgebase and put me back on the path to
Linux enlightenment. Where there's a need, there's a tool. :-) And
usually more than one. All my hard- soft- and symbolic links except
two are working correctly, and I know what those two's problems are
and have fixed but not re-tested them, so my usership is once again at
peace with the world, and more importantly, me! Thanks again to all of
you, and I hope I get to pay it forward.
--
Steve M, listening, out.



Re: Network controller [0280]: Broadcom Corporation BCM4312

2016-01-20 Thread steve

On 20-01-2016, at 14:45:43 +0100, Bernard Schoenacker wrote:


would it be possible to pull from the aptosid repositories?


Bad idea, Bernard. Debian has everything needed for his card to
work.



Re: Network controller [0280]: Broadcom Corporation BCM4312

2016-01-20 Thread steve

Hi,

Have you looked at this page?

https://wiki.debian.org/fr/wl



Re: DenyHosts

2016-01-16 Thread Steve Matzura
Reco:

On Sat, 16 Jan 2016 12:57:30 +0300, you wrote:

>>-j, --jump target
>>   This specifies the target of the rule; i.e., what to do
>> if  the packet  matches  it.   The  target  can  be a user-defined
>> chain (other than the one this rule is in), one of the special builtin
>>   targets  which  decide the fate of the packet
>> immediately, or an extension (see EXTENSIONS below).  If this option
>> is omitted  in a rule (and -g is not used), then matching the rule
>> will have no effect on the packet's fate, but the counters on the rule
>> will be incremented.
>> 
>> So if the inbound packet has some property which matches any of those
>> specified in the `--tcp-flags' list, drop it?
>
>This rule simply drops all incoming NEW connections to tcp:22.
>By itself, this rule is evil as it forbids to connect via ssh to anyone.
>
>But in conjunction with the previous one it implements the following
>policy:
>
>- anyone can connect up to 16 times via ssh.
>- anyone exceeding the connection limit is tarpitted, and must wait
>for an hour to try again.

That seems more than fair. Nobody using the system correctly should
ever break this rule under normal circumstances and/or conditions.

>> How do these commands function to lock out specific addresses or
>> address ranges?
>
>The current implementation works with single source IPs.
>Modifying the rules to work with IP ranges is an exercise left for the
>reader :)

By "the current implementation," do you mean before or after I used
the commands you gave? There is nothing in either of these two
complex-side command sets that specify a single address.

>> In the `--tcp-flags' list, why is `SYN' mentioned twice?

>It's simple. There's absolutely no need for these rules to apply once
>the connection is established.
>Removing SYN match would effectively limit any ssh session to 16 packets
>total, which will break ssh in most curious ways.

OK. This is way over my head, I'll just accept it as gospel until I
understand it better. Thanks for the explanations though.



Re: ssh Problem using it for SFTP

2016-01-16 Thread Steve Matzura
Daniel,

On Sat, 16 Jan 2016 14:50:20 -0300, you wrote:

>I'm sorry. I Had forgotten of the detail of the accessibility :(

No worries. Things are in a sorry state at the moment because of other
things I did without realizing I did them, but I've already told my
usership that Voyager will have to go. They're OK with it, the ones
that use it.



Re: DenyHosts

2016-01-16 Thread Steve Matzura
On Sat, 16 Jan 2016 20:16:28 +0300, you wrote:

>> What'd I do?
>> 
>
>Exactly this:
>
>iptables -F INPUT
>iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
>   -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
>   --hashlimit-mode srcip --hashlimit-name ssh \
>   --hashlimit-htable-expire 6 -j ACCEPT
>iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
>   -j DROP
>
>Note that the order of netfilter rules is top-down (i.e. highest
>matching rule plays).
>So, first rule on your current list, namely:
>
>-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
>
>blocked anyone from using ssh.

I have to tell you, that one *did* look suspicious. Should I remove it
from the list of iptables commands and re-apply the rest of them?


>Reco
>



Re: ssh Problem using it for SFTP

2016-01-16 Thread Steve Matzura
It helps to explain things, Daniel, but truly, the client in question
is horrendously out of date and deprecated for all secure intents and
purposes, I'm quite happy to retire it from active support on my
server.

On Sat, 16 Jan 2016 15:19:33 -0300, you wrote:

>Hi, Steve.
>
>On 14/01/16 13:10, Steve Matzura wrote:
>
>> Failing connection:
>> (...)
>> no matching cipher found: client
>> aes192-cbc,3des-cbc,blowfish-cbc,aes128-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-...@lysator.liu.se,des-cbc,des-...@ssh.com
>> server
>> aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
>
>> The rest of the lines show connection run-down, omitted.
>
>H... Maybe you could fix this by allowing users to choose between
>SHA1 and SHA2 hash functions.
>
>Since the openssh-server version used in Jessie (and presumably the
>upstreams of SSHD) now has diffie-hellman-group1-sha1 disabled, this
>means that connections from some clients could fail. A workaround would be to
>add the following in /etc/ssh/sshd_config:
>
>KexAlgorithms curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>
>But at some point I think the support for diffie-hellman-group1-sha1
>will completely disappear instead of being disabled by default.
>
>I hope this helps.
>
>Best regards,
>Daniel



Re: Mounting a Windows Share

2016-01-16 Thread Steve Matzura
After a reboot, one of my shares will no longer mount. And of course,
it's the big one, the NAS box. Here is output from `strace mount.cifs
//DISKSTATION1/BigVol1 /mnt/bigvol1 -o
vers=2.1,username=***,password=***` (*** is real username and password
covered up):


execve("/sbin/mount.cifs", ["mount.cifs", "//DISKSTATION1/BigVol1",
"/mnt/bigvol1", "-o", "vers=2.1,username=***,password"...], [/* 15
vars */]) = 0
brk(0)  = 0x7f98fbf17000
access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f98fa212000
access("/etc/ld.so.preload", R_OK)  = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=27175, ...}) = 0
mmap(NULL, 27175, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f98fa20b000
close(3)= 0
access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
directory)
open("/usr/lib/x86_64-linux-gnu/libcap-ng.so.0", O_RDONLY|O_CLOEXEC) =
3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\25\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=22312, ...}) = 0
mmap(NULL, 2117648, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7f98f9be3000
mprotect(0x7f98f9be7000, 2097152, PROT_NONE) = 0
mmap(0x7f98f9de7000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7f98f9de7000
close(3)= 0
access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\34\2\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1729984, ...}) = 0
mmap(NULL, 3836448, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7f98f983a000
mprotect(0x7f98f99d9000, 2097152, PROT_NONE) = 0
mmap(0x7f98f9bd9000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19f000) = 0x7f98f9bd9000
mmap(0x7f98f9bdf000, 14880, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f98f9bdf000
close(3)= 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f98fa20a000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f98fa208000
arch_prctl(ARCH_SET_FS, 0x7f98fa208740) = 0
mprotect(0x7f98f9bd9000, 16384, PROT_READ) = 0
mprotect(0x7f98f9de7000, 4096, PROT_READ) = 0
mprotect(0x7f98fa214000, 4096, PROT_READ) = 0
mprotect(0x7f98fa009000, 4096, PROT_READ) = 0
munmap(0x7f98fa20b000, 27175)   = 0
geteuid()   = 0
getpid()= 1580
capget({0 /* _LINUX_CAPABILITY_VERSION_??? */, 0}, NULL) = 0
gettid()= 1580
open("/proc/sys/kernel/cap_last_cap", O_RDONLY) = 3
read(3, "37\n", 7)  = 3
brk(0)  = 0x7f98fbf17000
brk(0x7f98fbf38000) = 0x7f98fbf38000
capget({_LINUX_CAPABILITY_VERSION_3, 1580},
{CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_admin|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
0}) = 0
open("/proc/1580/status", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f98fa211000
read(4, "Name:\tmount.cifs\nState:\tR (runni"..., 1024) = 783
close(4)= 0
munmap(0x7f98fa211000, 4096)= 0
prctl(PR_CAPBSET_DROP, 0, 0, 0, 0)  = 0
prctl(PR_CAPBSET_DROP, 0x1, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0x2, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0x3, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0x4, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0x5, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0x6, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0x7, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0x8, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0x9, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0xa, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0xb, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0xc, 0, 0, 0)= 0
prctl(PR_CAPBSET_DROP, 0xd, 

Re: DenyHosts

2016-01-16 Thread Steve Matzura
Reco:

On Sat, 16 Jan 2016 23:49:57 +0300, you wrote:

>Reverse the order of these two rules. As I wrote in another part of this
>thread, I mistook rules' sequence.

Like this?

iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
-j DROP
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
-m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
--hashlimit-mode srcip --hashlimit-name ssh \
--hashlimit-htable-expire 6 -j ACCEPT



Re: DenyHosts

2016-01-16 Thread Steve Matzura
Reco:

On Sat, 16 Jan 2016 23:48:54 +0300, you wrote:

>Correct sequence would be:
>
>iptables -F INPUT
>iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
>   -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
>   --hashlimit-mode srcip --hashlimit-name ssh \
>   --hashlimit-htable-expire 6 -j ACCEPT
>iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
>   -j DROP

OK, got it perfect now. THANKS!



Re: Mounting a Windows Share

2016-01-16 Thread Steve Matzura
Emanuel,

On Sun, 17 Jan 2016 00:41:11 +0100, you wrote:

>modprobe cifs maybe can help you.

What is supposed to happen when I enter that command? All I got was
another shell prompt.



Re: DenyHosts

2016-01-16 Thread Steve Matzura
Well, I thought I was doing so well. I discover now that no one,
including me, can get into my system any more via ssh. Here are the
current iptables rules:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m
hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16
--hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire
6 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m
hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16
--hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire
6 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m
hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16
--hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire
6 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m
hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16
--hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire
6 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m
hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16
--hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire
6 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m
hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16
--hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire
6 -j ACCEPT
COMMIT

What'd I do?



Re: DenyHosts

2016-01-16 Thread Steve Matzura
I tried redoing the tables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m
hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16
--hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire
6 -j ACCEPT
COMMIT

This list looks a lot cleaner, and the first thing on it is to accept
everything. But still I cannot connect, even after restarting the sshd
service.
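
The two-rule list above, walked the way a chain is evaluated (the first rule whose matches all succeed decides the packet; the chain policy applies only when no rule matches), next to the ACCEPT-then-DROP order Reco gives elsewhere in this thread. This is an added example, not code from the original posts: the packet dictionaries, function names and 192.0.2.x addresses are constructed, the hashlimit bucket is an approximation, and `--hashlimit-htable-expire` is not modelled.

```python
"""Toy model of first-match evaluation for the two SSH rules in this thread.

Constructed for illustration: it is not iptables code, the hashlimit bucket is
an approximation, and --hashlimit-htable-expire is not modelled.
"""
from dataclasses import dataclass


def dport(port):
    return lambda pkt, now: pkt["dport"] == port


def ctstate(state):
    return lambda pkt, now: pkt["ctstate"] == state


def tcp_flags(mask, comp):
    """--tcp-flags MASK COMP: examine only MASK; exactly the COMP flags must be set."""
    mask, comp = set(mask.split(",")), set(comp.split(","))
    return lambda pkt, now: (pkt["flags"] & mask) == comp


class HashLimit:
    """Per-source token bucket: 'burst' credits, refilled at 1 per 'interval' seconds."""

    def __init__(self, interval, burst):
        self.interval, self.burst = interval, burst
        self.buckets = {}  # srcip -> (credits, time last seen)

    def __call__(self, pkt, now):
        credits, last = self.buckets.get(pkt["src"], (self.burst, now))
        credits = min(self.burst, credits + (now - last) / self.interval)
        ok = credits >= 1
        self.buckets[pkt["src"]] = (credits - 1 if ok else credits, now)
        return ok


@dataclass
class Rule:
    name: str
    matches: list
    target: str


def build_chain(commands):
    """Apply ('-I' | '-A', rule) in order: -I puts a rule at the head, -A at the tail."""
    chain = []
    for op, rule in commands:
        if op == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def evaluate(chain, pkt, now, policy="ACCEPT"):
    """The first rule whose matches all succeed decides; the policy is only a fallback."""
    for rule in chain:
        if all(m(pkt, now) for m in rule.matches):  # stops at the first failing match
            return rule.target
    return policy


def ssh_rules():
    accept = Rule("ratelimit", [dport(22), ctstate("NEW"), HashLimit(3600, 16)], "ACCEPT")
    drop = Rule("syn-drop", [dport(22), tcp_flags("SYN,RST,ACK", "SYN")], "DROP")
    return accept, drop


def syn(src):
    """First packet of a new SSH connection: SYN set, RST and ACK clear."""
    return {"src": src, "dport": 22, "flags": {"SYN"}, "ctstate": "NEW"}


def attempts(chain, src, count, start=0.0, spacing=1.0):
    """Verdicts for 'count' new connection attempts from one source address."""
    return [evaluate(chain, syn(src), start + i * spacing) for i in range(count)]


def chain_as_inserted():
    """Both rules added with -I, ACCEPT first: the DROP rule ends up on top."""
    accept, drop = ssh_rules()
    return build_chain([("-I", accept), ("-I", drop)])


def chain_as_appended():
    """Both rules added with -A, ACCEPT first: ACCEPT stays on top."""
    accept, drop = ssh_rules()
    return build_chain([("-A", accept), ("-A", drop)])


if __name__ == "__main__":
    src = "192.0.2.10"  # documentation address, constructed
    print("inserted:", attempts(chain_as_inserted(), src, 3))
    print("appended:", attempts(chain_as_appended(), src, 20))
```

With the DROP rule on top every bare SYN to port 22 is dropped before the rate-limit rule is consulted, while packets of an existing connection (ACK set) match neither rule and fall through to the ACCEPT policy.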



DenyHosts

2016-01-15 Thread Steve Matzura
My new fledgling server is being slammed, and I mean slammed like
Sandy slammed New York, by root login attacks from 59.46.71.36,
ShenYang, China. Of course, I don't allow root logins except from the
console or via ssh key pair, so I presume I'm safe that way, but I'd
sure like to cut down on the log churning of /var/log/auth.log,
particularly since it makes it harder to read that log to get the
stuff I need to know out of it. My router (Fios Quantum gateway) is
useless at blocking anything from the outside, so I've got to do it
internally. What are folks' favorite deny-hosts applications? I tried
installing DenyHosts, but it must be from a private repo because
whatever I have in sources couldn't find it.

Thanks in advance.



Re: OT - gap -Re: Using bind mount

2016-01-15 Thread Steve Matzura
On Fri, 15 Jan 2016 14:36:24 +, you wrote:

>:-)  O.K. Please, no group "hugs" among friends I haven't met yet.  ;-)  Let's 
>wait until we know each other better. ;-)

My arms are at my sides where they belong. :-)



Re: DenyHosts

2016-01-15 Thread Steve Matzura
Reco:

All of this is an excellent learning opportunity for me. Please bear
with me just a bit as I ask the following:

On Sat, 16 Jan 2016 01:55:38 +0300, you wrote:

>A simple solution:
>
>iptables -I INPUT -p dcp -s 59.46.71.0/24 -j DROP

`-p dcp'? manpages says:

   [!] -p, --protocol protocol
          The protocol of the rule or of the packet to check. The
          specified protocol can be one of tcp, udp, udplite, icmp,
          icmpv6,esp, ah, sctp, mh or the special keyword "all", or it
          can be a numeric value, representing one of these protocols
          or a different one. A protocol name from /etc/protocols is
          also allowed.
...

>A complex one:
>
>iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
>   -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
>   --hashlimit-mode srcip --hashlimit-name ssh \
>   --hashlimit-htable-expire 6 -j ACCEPT

   -m, --match match
          Specifies a match to use, that is, an extension module that
          tests for a specific property. The set of matches make up the
          condition under which a target is invoked. Matches are
          evaluated first to last as specified on the command line and
          work in short-circuit fashion, i.e. if one extension yields
          false, evaluation will stop.

If I understand the above, in this command you are doing something
with two rules, `conntrack' and `hashlimit'. But what? Adding them?
Setting rule behavior?

>iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
>   -j DROP

   -j, --jump target
          This specifies the target of the rule; i.e., what to do if the
          packet matches it. The target can be a user-defined chain
          (other than the one this rule is in), one of the special
          builtin targets which decide the fate of the packet
          immediately, or an extension (see EXTENSIONS below). If this
          option is omitted in a rule (and -g is not used), then
          matching the rule will have no effect on the packet's fate,
          but the counters on the rule will be incremented.

So if the inbound packet has some property which matches any of those
specified in the `--tcp-flags' list, drop it?

Questions:

How do these commands function to lock out specific addresses or
address ranges?

In the `--tcp-flags' list, why is `SYN' mentioned twice?



Re: DenyHosts

2016-01-15 Thread Steve Matzura
On Sat, 16 Jan 2016 01:55:38 +0300, Reco wrote:

>A complex one:
>
>iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
>   -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
>   --hashlimit-mode srcip --hashlimit-name ssh \
>   --hashlimit-htable-expire 6 -j ACCEPT
>
>iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
>   -j DROP

Thank you. Since the simple solution didn't work, I took a chance and
used the second more complex one. The two commands were accepted
without error, and with no other status or output messages. I will now
use manpages and figure out what it is I just did.



Re: DenyHosts

2016-01-15 Thread Steve Matzura
On Sat, 16 Jan 2016 01:55:38 +0300, Reco wrote:

>A simple solution:
>
>iptables -I INPUT -p dcp -s 59.46.71.0/24 -j DROP

iptables v1.4.21: unknown protocol "dcp" specified
Try `iptables -h' or 'iptables --help' for more information.

Should I try the complex solution, or find out what went wrong with
the simple one first?



Re: ssh Problem using it for SFTP

2016-01-14 Thread Steve Matzura
I decided to put the two logs from `sshd -d' side-by-side to try to
figure out where the differences are. Both logs have the following
lines immediately after the connection request:

debug1: Client protocol version 2.0; client software version
FTP-Voyager-15.2.0.15
debug1: no match: FTP-Voyager-15.2.0.15
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1

The working connection log has this line next:

debug1: SELinux support disabled [preauth]

Then the two logs continue with the same lines, although some of the
parameters may differ. I don't think they're important.

debug1: permanently_set_uid: 74/74 [preauth]

Now it gets interesting.

Working connection:

debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes192-cbc hmac-sha1 z...@openssh.com
[preauth]
debug1: kex: server->client aes192-cbc hmac-sha1 z...@openssh.com
[preauth]
debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]

Then come lines indicating a successful sign-in, which I omitted.

Failing connection:

debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
no matching cipher found: client
aes192-cbc,3des-cbc,blowfish-cbc,aes128-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-...@lysator.liu.se,des-cbc,des-...@ssh.com
server
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
[preauth]

The rest of the lines show connection run-down, omitted.

The major difference that I see is that the connection that works has
the line `SELinux support disabled [preauth]', and the connection that
doesn't work does not have that line. What I know about SELinux is
that incorrect usage could have disastrous results, so I haven't done
anything with it. Do I need to change anything in my default Debian
installation? Suggestions welcome.



Re: OT - gap -Re: Using bind mount

2016-01-14 Thread Steve Matzura
Whoa folks, let's apply the brakes.

The fact is, if you think about it, Lisi is quite correct, but for a
reason she may not even realize. Visually impaired people, at least
those of us whose visual impairment is to the point where we don't use
print at all, don't hear in paragraphs, but anybody who deals with
information input via the mechanism of sight, does. I freely admit
that sometimes I forget this, too, and write run-on paragraphs that
should be broken into smaller segments, which I'm quite happy to do in
order to accommodate those photo-dependent (ha ha) among us who need
such things. In short, it's nothing to fight about or be
over-sensitive about.

-End-



Re: ssh Problem using it for SFTP

2016-01-14 Thread Steve Matzura
One more piece of the puzzle. The working system is Red Hat Fedora 20,
the non-working one is Debian 8.2.



Re: OT - gap -Re: Using bind mount

2016-01-14 Thread Steve Matzura
On Wed, 13 Jan 2016 22:08:02 +, Lisi wrote:

>On Wednesday 13 January 2016 09:38:12 Steve Matzura wrote:
>> And once again, I ask you to hand me the spatula so's I can scrape the
>> egg off my face. I completely forgot I needed to `mkdir -p' the mount
>> point directory! IT WORKS! Didn't I say I was missing something
>> stupid? :-)
>>
>> Now to look up the syntax for putting it into fstab to make it
>> permanent. THANK YOU AGAIN EVER SO MUCH!
>
>Thank you, Steve. That may not have been for my benefit, but was what I was 
>talking about.  Between the smiley and the word "Now" there is a nice big 
>gap.  If you could break larger paragraphs up with more of those it would be 
>very helpful.

I suspect I got it.



Re: Using bind mount

2016-01-14 Thread Steve Matzura
Jonathan,

On Wed, 13 Jan 2016 16:07:47 +, you wrote:

>On Wed, Jan 13, 2016 at 04:38:12AM -0500, Steve Matzura wrote:
>> Now to look up the syntax for putting it into fstab to make it
>> permanent. THANK YOU AGAIN EVER SO MUCH!
>
>The syntax is 
> /olddir /newdir none bind
>
>You must put this after the /olddir (/mnt/nas) and /newdir (/home/steve)
>mount entries, if there are any (if /home is separate from /), to ensure
>that those mount points are resolved first. Or write systemd .mount unit
>files and set up the dependencies between them explicitly (instead of
>fstab entries)

Thank you. I didn't know the first part, but the second is mostly
obvious in that you can't use something whose existence you have not
yet declared or defined.



Re: ssh Problem using it for SFTP

2016-01-14 Thread Steve Matzura
Tomas, 
On Wed, Jan 13, 2016 at 07:13:57PM -0500, Steve Matzura wrote:
>> I hope this isn't off-topic by too much. If it is, a word to me
>> privately and I'll wait for responses to queries I've made elsewhere.
>I'm not as much of an SSH guru to "get" what's going on by just reading
>configs, but as a hint: there is an "-d" option to sshd which starts
>it in debug mode. If you then choose a non-standard port (i.e. 2022 or
>whatever seems suitable), then you can follow, on the terminal what's
>going on, like so:
>
>  sshd -d -p 2022

Brilliant!

debug1: sshd version OpenSSH_6.7, OpenSSL 1.0.1k 8 Jan 2015
debug1: private host key: #0 type 1 RSA
debug1: private host key: #1 type 2 DSA
debug1: private host key: #2 type 3 ECDSA
debug1: private host key: #3 type 4 ED25519
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2022'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
debug1: Bind to port 2022 on ::.
Server listening on :: port 2022.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.140 port 54230 on 192.168.1.130 port 2022
debug1: Client protocol version 2.0; client software version
FTP-Voyager-15.2.0.15
debug1: no match: FTP-Voyager-15.2.0.15
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5
debug1: permanently_set_uid: 107/65534 [preauth]
debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
no matching cipher found: client
aes192-cbc,3des-cbc,blowfish-cbc,aes128-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-...@lysator.liu.se,des-cbc,des-...@ssh.com
server
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
[preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 7999

I understand the output, but not what's wrong and how to fix it.
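
The `no matching cipher found` line in the output above carries both sides' cipher proposals, and SSH selects the first cipher on the client's list that the server also offers (RFC 4253, section 7.1). The script below is an added example, not from the original posts: it pulls the client software string and both lists out of `sshd -d` output and reports the negotiation result; the sample log is constructed from the lines above, with the names the archive elided left out, and the function names are hypothetical.

```python
"""Explain an sshd 'no matching cipher found' line (added example, constructed input)."""
import re

# Constructed sample modelled on the sshd -d output in this thread, keeping the
# mail line wrapping. Cipher names the archive elided ("...@") are left out.
SAMPLE_LOG = """\
debug1: Client protocol version 2.0; client software version
FTP-Voyager-15.2.0.15
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
no matching cipher found: client
aes192-cbc,3des-cbc,blowfish-cbc,aes128-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,des-cbc
server
aes128-ctr,aes192-ctr,aes256-ctr
[preauth]
debug1: do_cleanup [preauth]
"""

MISMATCH = re.compile(r"no matching cipher found: client (\S+) server (\S+)")
SOFTWARE = re.compile(r"client software version (\S+)")


def negotiate(client, server):
    """RFC 4253 7.1: the first name on the client's list that the server also offers."""
    for name in client:
        if name in server:
            return name
    return None


def mode(name):
    """Block-cipher mode read off the algorithm name: cbc, ctr, gcm or other."""
    base = name.split("@")[0]
    for suffix in ("cbc", "ctr", "gcm"):
        if base.endswith("-" + suffix):
            return suffix
    return "other"


def explain(log_text):
    """Return a summary of the cipher mismatch in sshd -d output, or None if absent."""
    flat = " ".join(log_text.split())  # undo wrapping so each record is on one line
    hit = MISMATCH.search(flat)
    if hit is None:
        return None
    client, server = hit.group(1).split(","), hit.group(2).split(",")
    software = SOFTWARE.search(flat)
    return {
        "client_software": software.group(1) if software else None,
        "client": client,
        "server": server,
        "common": [c for c in client if c in server],
        "chosen": negotiate(client, server),
        "client_modes": sorted({mode(c) for c in client}),
        "server_modes": sorted({mode(s) for s in server}),
    }


if __name__ == "__main__":
    report = explain(SAMPLE_LOG)
    print(report["client_software"], "offers", report["client_modes"])
    print("server offers", report["server_modes"])
    print("common ciphers:", report["common"] or "none")
```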



Re: ssh Problem using it for SFTP

2016-01-14 Thread Steve Matzura
Tomas,

On Thu, 14 Jan 2016 05:32:04 -0500, I wrote:

>debug1: Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5
>debug1: permanently_set_uid: 107/65534 [preauth]
>debug1: list_hostkey_types:
>ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
>debug1: SSH2_MSG_KEXINIT sent [preauth]
>debug1: SSH2_MSG_KEXINIT received [preauth]
>no matching cipher found: client
>aes192-cbc,3des-cbc,blowfish-cbc,aes128-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-...@lysator.liu.se,des-cbc,des-...@ssh.com
>server
>aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
>[preauth]

This is clearly the problem area. I tried some ssh option settings in
Voyager with no success. Should this client be retired? It's not
*that* old.



Re: ssh Problem using it for SFTP

2016-01-14 Thread Steve Matzura
Lars,

On Thu, 14 Jan 2016 12:45:09 +0200, you wrote:

>Can you update the client to one that uses the safer ciphers and avoids
>the deprecated ones?

You and I came to the same conclusion with the same lines of log as
evidence at about the same time. Amazing.

Many of my users use Voyager version 15 because it's the last
accessible one using a screenreader. Yes, there are several other
clients, all equally accessible. I think maybe it's time to retire
Voyager from my supported clients list. Too bad, really, as it has a
very nice and easy-to-read (with a screenreader) file transfer status
window, which is why we who use it like it as much as we do.



Re: ssh Problem using it for SFTP

2016-01-14 Thread Steve Matzura
More info. I used `getenforce' and found SELinux is installed but
disabled on the system where FTP Voyager can connect using SFTP over
ssh, and not installed at all on the system where FTP Voyager cannot
connect. In fact, using either `getenforce' or `sestatus' on the
no-connect system yields `command not found'. Am I on to something?



Re: ssh Problem using it for SFTP

2016-01-14 Thread Steve Matzura
Daniel,

On Thu, 14 Jan 2016 09:05:36 -0300, you wrote:

>Hi, Steve.
>
>On 14/01/16 08:45, Steve Matzura wrote:
>
>> This is clearly the problem area. I tried some ssh option settings in
>> Voyager with no success. Should this client be retired? It's not
>> *that* old.
>
>I do not know that client, but if your users are using Firefox, maybe
>you could use FireFTP [1]. I never had problems with it, and we could
>also say that while users use Firefox, you could run it on different
>operating systems.

It would be an administrative nightmare, as I have seventy users,
(oy!) and I'd have to test to see if FireFTP is accessible with a
screenreader, as many of my users are visually impaired. That's why
it's important to stay with what they're using and not force a change
on them if at all possible. However, there may be other things to look
at (see message I just posted re SELinux).



Re: Using bind mount

2016-01-13 Thread Steve Matzura
On Wed, 13 Jan 2016 10:01:03 +0300, you wrote:

>strace is used for tracing system calls, it does not influence your
>problem per se. Please install it first, run mount via strace second.

In between your message and now, my mount problem was solved, but I
installed strace anyway for future use. Thanks for the info about
doing that. I thought it was part of the system.



Re: SFTP via ssh and symlink permissions

2016-01-13 Thread Steve Matzura
Tomas,

On Wed, 13 Jan 2016 08:26:16 +0100, you wrote:

>Those are totally meaningless. Just ignore them (BTW there was a
>discussion about this not long ago in this mailing list: if you're
>interested I can dig it out for you).

I would be very interested. So as not to clutter up the list, please
send it to me at my subscribed email address.

>> . the permission and ownership of the object the symlink points to
>
>Those *do* matter.

OK. As long as they're world read, I don't care what they are, but for
possible future needs and general information, fstab probably needs
something special to mount them owned and grouped by something other
than root, which is what they are now. What is the syntax for that
inside fstab? Or is it done after the things are mounted?

>> . the permission and ownership of the mount point created with `mkdir
>> -p' on which the filesystem is mounted.
>
>The FTP server might not even know about these details. But it might
>fail to open a file given its name if it fails to read some of the
>directories along the path.

I tried it and it works. These things are all world read-only, and I
did test them and they do work.

>And there's one last point: the FTP server might decide to not
>resolve symlinks, depending on some security settings.

Ah, got that covered with the mod_vroot module in ProFTPD.



Re: Using bind mount

2016-01-13 Thread Steve Matzura
On Tue, 12 Jan 2016 23:49:02 -0500, you wrote:

>On 12/01/16 10:23 PM, Steve Matzura wrote:
>> On Tue, 12 Jan 2016 18:12:11 -0300, Daniel wrote:
>>
>>> M... I used the following syntax:
>>>
>>> mount --bind /mnt/nas/doc /home/steve/doc
>>>
>>>
>>> That works for you?
>> Sorry ...
>>
>> mount: mount point docs does not exist
>>
>That error would indicate that /home/steve/doc doesn't exist.

And once again, I ask you to hand me the spatula so's I can scrape the
egg off my face. I completely forgot I needed to `mkdir -p' the mount
point directory! IT WORKS! Didn't I say I was missing something
stupid? :-)

Now to look up the syntax for putting it into fstab to make it
permanent. THANK YOU AGAIN EVER SO MUCH!



ssh Problem using it for SFTP

2016-01-13 Thread Steve Matzura
I hope this isn't off-topic by too much. If it is, a word to me
privately and I'll wait for responses to queries I've made elsewhere.

I maintain two FTP servers and support four Windows-based FTP clients
for users of those servers--FTP Voyager, FlashFXP, Filezilla, and
WinSCP. One server accepts all four clients, the other accepts all but
FTP Voyager, indicating a configuration difference.

I've asked about this on the comp.security.ssh Usenet newsgroup, but
Usenet being what it is, I might have to wait at least a week before
getting a response of any kind, and my Voyager users are starting to
get restless for an answer as to what I did to break access for
them--i.e., they'd rather fight than switch.

Here are the two sshd_configs without comments, greatly shortening
what you'll be looking at.

First, the one that accepts all four clients:

SyslogFacility AUTHPRIV
PermitRootLogin  without-password
AuthorizedKeysFile  .ssh/authorized_keys
PermitEmptyPasswords  no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Compression  delayed
Banner /etc/issue.net
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp internal-sftp
ListenAddress ::
ListenAddress 0.0.0.0

Now, the one from the server that won't accept SFTP-over-ssh
connections from FTP Voyager:

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp
UsePAM yes
Match Group documenters
ChrootDirectory /home/documenters
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

At first, I thought the problem has to do with the stanza beginning
with the MatchGroup directive, so I commented it out. The problem
didn't go away, and I don't perceive any differences between the two
configurations except maybe a few options that are defined explicitly
which are already at their default values according to the ssh
documentation.

Any help greatly appreciated, on- or off-list.



[OT] A bit of reading...

2016-01-13 Thread steve

Hi,

For those who are bored in front of their firewall(s), here is some very
interesting reading. Some of you already know it, so it is there to read
or reread.


http://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

where you will find

http://www.ssi.gouv.fr/uploads/2012/07/NP_Linux_Configuration.pdf
http://www.ssi.gouv.fr/uploads/IMG/pdf/NP_Linux_NoteTech_1_1.pdf

and this one, amusing at times

http://references.modernisation.gouv.fr/sites/default/files/SILL-2016-socle-interministeriel-logiciels-libres.pdf


Happy reading!

S



Re: Using bind mount

2016-01-12 Thread Steve Matzura
Reco:

On Wed, 13 Jan 2016 00:21:19 +0300, you wrote:

>Please post the output of:
>
>strace mount -B /mnt/nas/doc /home/steve/doc

I *knew* I was missing something. I get 'command not found'.



Re: Using bind mount

2016-01-12 Thread Steve Matzura
Gary:

>I just tried something similar with an NFS share and was able to do it. 
>My situation was I have ///mnt mounted in ~/mnt. I was then 
>able to (as root) mount -o bind ./mnt/archives ./mnt1 while in my normal 
>~ folder.
>
>You could also try mounting the share locally or sharing the "doc" 
>folder in addition to sharing the entire volume.

Everything I try yields either the `is not a special device' or 'mount
point' error as previously described whether I choose the mount point
itself (e.g. /mnt/nas) or any directory (e.g. /mnt/nas/doc,
/mnt/nas/doc/household, etc.).



Re: Using bind mount

2016-01-12 Thread Steve Matzura
On Tue, 12 Jan 2016 18:12:11 -0300, Daniel wrote:

>M... I used the following syntax:
>
>mount --bind /mnt/nas/doc /home/steve/doc
>
>
>That works for you?

Sorry ...

mount: mount point docs does not exist



Re: Using bind mount

2016-01-12 Thread Steve Matzura
On Tue, 12 Jan 2016 22:56:28 +0100, you wrote:

>On 12/01/2016 22:12, Daniel Bareiro wrote:
>
>> mount --bind /mnt/nas/doc /home/steve/doc
>>
>>
>> That works for you?
>
>I use such syntax fairly often
>
>jdd

Even on a virtual filesystem like a Windows share or NAS volume? Am I
maybe missing a special support package perhaps?



Using bind mount

2016-01-12 Thread Steve Matzura
I am trying to get around the restriction of symlinks not resolving in
FTP when the account is DefaultRoot'ed and CHRoot'ed. I mounted a NAS
volume, some directories of which I want to appear as being rooted
elsewhere, thus:

# mkdir -p /mnt/nas
# mount.cifs //ds1/vol1 /mnt/nas -o [various options]

When I 'ls -l /mnt/nas', I see all the directories at the top level of
//ds1/vol1. Fine.

Now, according to everything I've read about bind mount, I should be
able to:

# mount -o bind /mnt/nas/doc /home/steve/doc

where `doc' is a directory on /mnt/nas as described above, and
`/home/steve/doc' is where I want it to appear in my own directory
structure. Therefore, if I FTP into the steve account, while I cannot
escape up the tree past /home/steve, the path /home/steve/doc should
have been able to be created, and I should be able to access it in the
normal FTP way. However, the above mount with bind command yields:

mount special device /mnt/nas/doc does not exist

While that path exists but isn't a special device, the documentation
(mount manpages and
http://backdrift.org/how-to-use-bind-mounts-in-linux) says this should
work. What am I missing about mount with the bind option?



SFTP via ssh and symlink permissions

2016-01-12 Thread Steve Matzura
My SFTP setup works, almost. Local file access is OK. However,
symlinks can be seen but not followed. The symlink itself is owned by
root and in the root group, but the thing to which the symlink points
I have changed to the owner and group names associated with the login
username I'm using for the SFTP. If I use chown on the symlink, it
doesn't change, but the thing it's a symlink of, does. Remember, all
my symlinks are to mounted filesystems (Windows shares and NAS
shares).

This is clearly a permissions problem, but I'm not sure which of these
three things it is, and it could possibly be a combination of any two:

. the permission and ownership of the symlink itself,
. the permission and ownership of the object the symlink points to
. the permission and ownership of the mount point created with `mkdir
-p' on which the filesystem is mounted.

Any thoughts appreciated.



Re: Generating ssh key pairs

2016-01-11 Thread Steve Matzura
Dan,

On Mon, 11 Jan 2016 14:15:53 -0500, Dan wrote:

>In general, you want your SFTP users to send you their own
>public keys, and you drop them into ~user/.ssh/authorized_keys

That's going to be difficult, as most of my users wouldn't know a
public key from their house key (LOL). I was hoping it would be
simpler than that.

>Creating /etc/skel/.ssh/ will make sure that new users get that
>directory created for them automatically.

I'll do that forthwith.



FTP with all files elsewhere

2016-01-11 Thread Steve Matzura
I asked this question on the ProFTPD list, but I thought it might be
more of a system question than an FTP server question. The more I look
at the message, I think it's probably both.

My system, which is now working correctly after reboot testing
following fstab changes discussed elsewhere, will serve files via FTP
located on media mounted either via Windows
share or network-attached storage. I only want certain directories
from these sources to be accessible by the server. I'm symlinking
all the top-level directories I want accessible to the login directory
of the FTP account. Although there aren't more than ten of these, I'm
wondering is this the right way to do this? I don't know of any other
easy yet secure way to set this up. Thoughts and advice welcome.


