Category: ssh

Ubuntu 16.04 — Restore

This is my first post in the series for installing Ubuntu 16.04 on my Inspiron 17R laptop. In this step, I am mainly just restoring files and putting the data back after formatting the drive.

I didn’t take screenshots of the install process. I just basically accepted the defaults.

Restoring files

These are the directories that I restored.  Maybe it will give you an idea of things you may want to restore if you do the same thing.

  • ~/.ssh: The keys for my remote ssh connections — most important because of backuppc restoring
  • ~/Documents: This is where I put all my document files
  • ~/Pictures: I have Shotwell pointed at this directory, so it contains all the pictures from my cell phone and digital camera
  • ~/GideonTaylor: I keep my work files in a different directory
  • ~/.config/google-chrome: The settings for Chrome (extensions, bookmarks, etc.) (or ~/.config/google-chrome-beta)
  • ~/.local/share/keyrings: My saved passwords
  • ~/.Skype: Skype history
  • ~/.remmina: The settings for my remote connections
  • ~/.local/share/shotwell: The settings and thumbnails for my photos
  • ~/.sword: The downloaded Bible files for Xiphos (and the underlying Sword library)
  • ~/.filezilla: The settings for my FTP connections
  • ~/.sqldeveloper: The connection settings for SQL developer
  • ~/.vim: stores the plugins installed in Gvim
  • ~/.vimrc: preferences for Gvim
  • /etc/NetworkManager/system-connections: this saves all of my wireless connections and VPN connections

My backup this time was located on an external USB drive.  I also had a BackupPC installation, but I didn’t restore a lot from it.  For smaller directories/files, just copy and paste works fine.  For larger directories, it was better to use grsync, which I installed from Ubuntu Software.

Shortcuts / Menu Entries

I had a couple of items that I had added to help me get to VMware View machines.  Unfortunately, I didn’t remember the exact command line.  Instead of looking it up again, I found that I could copy the .desktop files from the directory:

  • ~/.local/share/applications

BackupPC

I’m not going through the whole configuration of the server.  In this case, I just need it to connect and begin to back up the laptop after my install.

I checked the version of my apps:

[sourcecode]
$ rsync --version
rsync version 3.1.1 protocol version 31
[/sourcecode]

First, SSH is not enabled on Ubuntu 16.04 by default.  I had to install it:

[sourcecode]
sudo apt-get install openssh-server
[/sourcecode]

Then, I generated the keys with this command (left the passphrase blank)

[sourcecode]
sudo ssh-keygen -t rsa
[/sourcecode]

On my backup server, the backuppc user’s home directory is /var/lib/backuppc (you can confirm in the /etc/passwd file).  Using vi, I copied the contents of  /root/.ssh/id_rsa.pub on the client to /var/lib/backuppc/.ssh/known_hosts.  I’m not sure this step worked … on my test I had to remove the pistachio key (maybe I should have done that first):

[sourcecode]ssh-keygen -f "/var/lib/backuppc/.ssh/known_hosts" -R pistachio[/sourcecode]

Then, I opened up /root/.ssh/authorized_keys2 on my laptop (client) and pasted the contents of /var/lib/backuppc/.ssh/id_rsa.pub from the server. In the end, Copy and Paste in a text editor wasn’t good enough. I had to scp the file across between the computers.

I verified security on the directory:

[sourcecode]sudo chmod -R go-rwx /root/.ssh[/sourcecode]

Finally, I tested as the backuppc user on the backup server:

[sourcecode]
sudo su backuppc
ssh -l root pistachio whoami
[/sourcecode]
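The copy-and-paste failure above (a key that only worked after being scp'd across) is worth checking for mechanically. The script below is an added example, not part of the original post and not BackupPC's or OpenSSH's own code: it reads an authorized_keys file the way sshd does (optional options, key type, base64 blob, comment) and decodes each blob to confirm it is one complete key of the type named on the line, which catches keys that a text editor wrapped, truncated or relabelled. The list of key types is an assumption of this example, the key used in the test is a constructed dummy, and it needs only POSIX sh plus base64, od and awk.

```sh
#!/bin/sh
# Added example, not code from the original post: check an authorized_keys
# file the way sshd reads it, so a key mangled in transit (wrapped onto two
# lines, cut short, or pasted under the wrong type name) is found before the
# first refused login. Needs only POSIX sh, base64, od and awk.

# Key types this example recognises (an assumption; add sk-* or -cert-v01
# types if you use them).
KEY_TYPES="ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"

is_key_type() {
    for t in $KEY_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# A public key blob is a series of (4-byte big-endian length, bytes) fields;
# the first field must be the key type and the last must end exactly at the
# final byte. A wrapped or truncated key either runs past the end of the
# decoded data or never yields the type string.
blob_is_well_formed() {
    want=$1
    blob=$2
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -v | awk -v want="$want" '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            pos = 0; fields = 0; first = ""
            while (pos + 4 <= n) {
                len = b[pos] * 16777216 + b[pos+1] * 65536 + b[pos+2] * 256 + b[pos+3]
                pos += 4
                if (pos + len > n) exit 1          # field runs past the data: truncated
                if (fields == 0)
                    for (j = 0; j < len; j++) first = first sprintf("%c", b[pos+j] + 0)
                pos += len
                fields++
            }
            if (pos == n && fields >= 2 && first == want) exit 0
            exit 1
        }'
}

# Usage: check_authorized_keys <file>; prints one line per key, exit 1 if any is bad.
check_authorized_keys() {
    file=$1
    bad=0
    lineno=0
    set -f                      # no globbing while splitting lines into fields
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        # skip any leading options (from=, command=, ...) until the key type
        while [ $# -gt 0 ] && ! is_key_type "$1"; do shift; done
        if [ $# -lt 2 ]; then
            echo "BAD line $lineno: no recognised key type followed by a key (wrapped continuation?)"
            bad=1
            continue
        fi
        if blob_is_well_formed "$1" "$2"; then
            echo "ok  line $lineno: $1 ${3:-(no comment)}"
        else
            echo "BAD line $lineno: $1 key is wrapped, truncated or not a $1 blob"
            bad=1
        fi
    done < "$file"
    set +f
    return $bad
}
```

Run it on the client's /root/.ssh/authorized_keys (or authorized_keys2) after every paste or scp; a second line of bare base64 is the usual signature of an editor that wrapped the key.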

To troubleshoot, I ran the server with debugging messages as root:

[sourcecode]
service ssh stop
/usr/sbin/sshd -d
[/sourcecode]

Next time, I will configure BackupPC to back up the root .ssh directory to avoid having to reconfigure all of this.

Next Steps

If you want to follow along with my install process, you can check out the next post: Ubuntu 16.04 — Internet.


My Server Configuration

These were the steps that I went through to configure my server after installing Ubuntu.  (just to help remember)

Installing SSH

My first requirement for a server is that I be able to get to it from my laptop.  SSH will allow me to both open remote terminal sessions and copy files from nautilus.

I simply installed the ssh metapackage from the Software Center.

My first attempt to connect brought me this message:

[sourcecode]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.[/sourcecode]

This was because I was reinstalling my server, and I had connected to the previous installation with my laptop.  The fix was easy (it was actually in the message):

[sourcecode]ssh-keygen -R israel[/sourcecode]

To set it up to where I could connect without a password, I ran this command:

[sourcecode]ssh-copy-id israel[/sourcecode]

Printing

I have an HP printer, so I chose to install the HPLIP Toolbox from the Software Center.

I could launch it through ssh with the command “hp-toolbox”.  Then, I chose the Setup Device option off the Device menu for my printer.

I selected USB:

Then, I selected the device:

Then, I entered the information about the printer:

This added the printer.  Next, I made it the default printer:

To make the printer accessible over the network, I had to tweak the cups configuration.  I edited the /etc/cups/cupsd.conf.  I added a Listen line with the machine’s hostname.

I also turned “Browsing” on to make it easier to discover the printer.

To make the network name resolve correctly, I removed this line from /etc/hosts:

Finally, I restarted the cups service with the command:

[sourcecode]sudo service cups restart[/sourcecode]

That gave me some access, but I still had issues.  Then, I found an easier way to do it.  I ran the printer configuration:

[sourcecode]system-config-printer[/sourcecode]

On the printer dialog, there is a Server > Settings option.

There, I checked the sharing options to open things up for my private network.

Java Installation

I have a personal application that I use at home, and Java is a requirement for that.  I took the easy route and installed Java using Web Upd8’s method.  That just meant running these three commands:

[sourcecode]sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer[/sourcecode]

I confirmed that it installed with:

[sourcecode]
skp@israel:~$ java -version
java version "1.8.0-ea"
Java(TM) SE Runtime Environment (build 1.8.0-ea-b55)
Java HotSpot(TM) Client VM (build 24.0-b22, mixed mode)
skp@israel:~$ javac -version
javac 1.8.0-ea[/sourcecode]

Finally, I needed to add a mysql user.  I don’t need to install mysql because it’s embedded into my application, but I do need the user.  I used this command:

[sourcecode]useradd -r mysql[/sourcecode]

Sudo Plus X11 Forwarding

I originally published this script on my PeopleSoft Blog, but since it is just as much Linux-related, I thought it should go here, too.

The problem was that I was trying to install the Oracle Database via SSH using the GUI installer.  The sudo command was breaking my X11 forwarding.

I found the answer on the “Bag of Tricks” blog:

Bag of Tricks: x forwarding and sudo for oracle installs

Here’s my version:

[sourcecode]
#!/bin/sh
# Run a shell as another user (default: <default user>) while keeping X11
# forwarding alive, by handing the current session's xauth cookie to that user.

user=$1
if [ -z "$user" ]; then
    user=<default user>
fi

# Display number from $DISPLAY, e.g. "localhost:10.0" -> "10"
displayNum=$(echo "$DISPLAY" | sed -e 's/^.*://' -e 's/\.[0123456789]*//')
if [ -z "$displayNum" ]; then
    echo "DISPLAY is not set; is X11 forwarding enabled (ssh -X)?" >&2
    exit 1
fi
echo "Display # = $displayNum"

# Match ":10 " rather than ":1" so display 10 does not pick up display 1's cookie
cookie=$(xauth list | grep ":$displayNum[[:space:]]")
echo "Cookie = $cookie"
cookiename=$(echo "$cookie" | sed 's/\s*MIT-MAGIC.*$//')
echo "Cookie Name: $cookiename"
echo "user = $user"

# Add the cookie for the target user, open a shell, then remove it again
sudo -u "$user" bash -c "xauth list; xauth add $cookie; bash; xauth remove $cookiename"
[/sourcecode]


Troubleshooting SSH Connections and Using syslog

I have been struggling with ssh connections.  So, I thought I would write down some of the different troubleshooting tips that I found.

Permissions

Make sure that your permissions are correct on your home directory and your key files.  Here are the permissions that you need.

Check with this:

[sourcecode]ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys $HOME/.ssh/id_rsa[/sourcecode]

Note: make sure that you check this on your local computer and your remote computer.  The permissions should be:

[sourcecode]chmod go-w $HOME
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/id_rsa
[/sourcecode]
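The same checks can be scripted so they are run on both machines before each attempt instead of eyeballing ls output. The function below is an added example, not code from the original post or from OpenSSH: it mirrors sshd's StrictModes rule (the home directory, .ssh and authorized_keys must be owned by the user or root and must not be group- or world-writable, which is what produces the "bad ownership or modes" refusal) and ssh's own refusal of a private key that anyone but its owner can read. The chmod lines above satisfy it. It uses GNU stat -c, as shipped on Ubuntu.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce the ownership and
# mode checks sshd makes with "StrictModes yes" (the default) before it
# will read authorized_keys, plus ssh's check that a private key is not
# readable by group or others. Uses GNU coreutils stat (Ubuntu).

# Usage: check_ssh_perms <user> <homedir>   (exit 0 = ok, 1 = problems found)
check_ssh_perms() {
    user=$1
    home=$2
    rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "missing: $path"; rc=1; continue; }
        owner=$(stat -c %U "$path")
        mode=$(stat -c %a "$path")
        go=$(printf '%s' "$mode" | tail -c 2)     # group and other octal digits
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "bad owner $owner: $path"; rc=1
        fi
        # a write bit set for group or other (digit 2, 3, 6 or 7) fails StrictModes
        case $go in
            [2367]?|?[2367]) echo "bad mode $mode (group/other writable): $path"; rc=1 ;;
        esac
    done
    key=$home/.ssh/id_rsa
    if [ -e "$key" ]; then
        mode=$(stat -c %a "$key")
        go=$(printf '%s' "$mode" | tail -c 2)
        # ssh refuses a private key with any group/other permission ("too open")
        if [ "$go" != 00 ]; then
            echo "private key too open ($mode): $key"; rc=1
        fi
    fi
    [ $rc -eq 0 ] && echo "ok: $home passes the StrictModes and private key checks"
    return $rc
}
```

Run it as `check_ssh_perms remoteuser /home/remoteuser` on the remote machine and with your own user and $HOME on the local one; anything it prints as bad is a reason sshd will silently ignore your key.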

SELinux

Another thing I found was that SELinux was stopping the private keys from working.  Using dmesg, I found lines like this:

[sourcecode]
type=1400 audit(1332520527.110:51337): avc: denied { read } for pid=25240 comm="sshd" name="authorized_keys" dev=dm-5 ino=167 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file[/sourcecode]

I checked the status with sestatus, and found that SELinux was enforcing.  Then, I used the following command to turn it to permissive mode:

[sourcecode]setenforce 0[/sourcecode]

Checking again, you’ll see it is in permissive mode now:

[sourcecode]
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted[/sourcecode]

Then, when I tried connecting, I found that the key authentication and X11 forwarding worked.  Just a note: the key authentication worked with policy version 23 but not 24.
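Before reaching for setenforce, it helps to see exactly what each AVC line is saying. The functions below are an added example, not code from the original post: they pull the process, the denied permission, the object and the source/target SELinux types out of audit records like the one above, and count denials per process and target type. The second sample line in the test is constructed. A denial on a file under ~/.ssh whose target type is home_root_t (rather than the ssh_home_t that the targeted policy expects there) is a labelling problem, and relabelling with restorecon -R -v ~/.ssh fixes it while leaving enforcing mode on.

```sh
#!/bin/sh
# Added example, not from the original post: summarise SELinux AVC denials
# such as the dmesg line above so the decision can be made on what was
# denied to whom. Relies only on the key=value layout of the audit record,
# not on field order, so it works on audit.log lines as well as dmesg.

# Reads audit/dmesg lines on stdin; prints one line per denial:
#   <process> denied <permissions> on <object> (<source type> -> <target type>)
avc_summary() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/^.*denied \{ */, "", perms)
        sub(/ *\}.*$/, "", perms)
        comm = name = scontext = tcontext = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            v = kv[2]
            gsub(/"/, "", v)
            if (kv[1] == "comm") comm = v
            else if (kv[1] == "name") name = v
            else if (kv[1] == "scontext") scontext = v
            else if (kv[1] == "tcontext") tcontext = v
        }
        # the SELinux type is the third colon-separated part of a context
        split(scontext, s, ":")
        split(tcontext, t, ":")
        printf "%s denied %s on %s (%s -> %s)\n", comm, perms, name, s[3], t[3]
    }'
}

# Count denials per (process, target type): one mislabelled path usually
# shows up as many denials against the same target type.
avc_counts() {
    avc_summary | awk '{
        k = $1 " " $NF
        sub(/\)$/, "", k)
        n[k] += 1
    }
    END { for (k in n) print n[k], k }' | sort -rn
}
```

Typical use is `dmesg | avc_counts` or `sudo avc_summary < /var/log/audit/audit.log`; the summary line for the record above reads "sshd denied read on authorized_keys (sshd_t -> home_root_t)".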

Logging on the Client

Using the “-v” parameter with ssh will provide some output as to what is wrong.  In fact, you can maximize the debugging messages with “-vvv”.  To see what’s going on, you can do something like this:

[sourcecode]ssh -vvv remoteuser@remotecomputer[/sourcecode]

Writing messages to dmesg

I read that the messages go to dmesg.  I had trouble telling if dmesg was changing.  So, I decided to see if I could add something to the log.  Then, I would know that anything after that message was new.

Here’s the command that did the trick:

[sourcecode]sudo bash -c "echo hello world > /dev/kmsg "[/sourcecode]

Configuring Logging for SSH on the remote machine

At first, I couldn’t get any log messages out of the remote machine.  I found that I had to adjust the configuration for both syslog and sshd.

First, I changed syslog to create a separate log file for sshd.  You can make this change in /etc/rsyslog.conf.  The local7.* line already existed in my configuration.  I added the local6.debug line:

[sourcecode]
# Save boot messages also to boot.log
local7.* /var/log/boot.log

# SSH specific (Added by Stephen)
local6.debug /var/log/sshd.log
[/sourcecode]

Then, I had to change the sshd configuration.  You can make this change in /etc/ssh/sshd_config.  I set the SysLogFacility to “LOCAL6” to make the separate log file setting work from above.  Then, I changed the LogLevel to “DEBUG”.  I think there is also a “DEBUG3” that might provide even more.

[sourcecode]
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV
#LogLevel INFO
SyslogFacility LOCAL6
LogLevel DEBUG[/sourcecode]

Finally, restart both sshd and rsyslog to make the changes take effect.

[sourcecode]sudo service sshd restart && sudo service rsyslog restart[/sourcecode]
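One thing that bites people with this edit: sshd_config keywords are case-insensitive and, when a keyword appears more than once, the first occurrence wins, so an uncommented "LogLevel INFO" left higher in the file quietly overrides a "LogLevel DEBUG" added at the bottom. The functions below are an added example, not part of the original post or of OpenSSH: they report the values sshd will actually use for the two logging keywords, stopping at the first Match block since keywords below it are conditional. On the live server, `sudo sshd -T` prints the same effective configuration.

```sh
#!/bin/sh
# Added example, not from the original post: report the values sshd will
# actually use for the logging keywords. Keywords are case-insensitive and
# the FIRST occurrence of a keyword wins; keywords after a "Match" line are
# conditional, so the global section ends there.

# Print the effective value of one keyword (empty if it is not set).
# Usage: effective_option <sshd_config> <Keyword>
effective_option() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '
        /^[ \t]*#/ || NF < 2 { next }          # comments and blank lines
        tolower($1) == "match" { exit }       # conditional section begins
        tolower($1) == k { print $2; exit }   # first occurrence wins
    ' "$file"
}

# Summarise the logging setup using sshd'\''s defaults (AUTH, INFO) when a
# keyword is absent. Prints e.g. "facility=LOCAL6 level=INFO debug=no".
logging_summary() {
    file=$1
    fac=$(effective_option "$file" SyslogFacility)
    lvl=$(effective_option "$file" LogLevel)
    fac=${fac:-AUTH}
    lvl=${lvl:-INFO}
    case "$(printf '%s' "$lvl" | tr 'a-z' 'A-Z')" in
        DEBUG|DEBUG1|DEBUG2|DEBUG3) dbg=yes ;;
        *) dbg=no ;;
    esac
    printf 'facility=%s level=%s debug=%s\n' "$fac" "$lvl" "$dbg"
}
```

If `logging_summary /etc/ssh/sshd_config` does not say debug=yes and facility=LOCAL6, the rsyslog rule above will never receive anything, however many times sshd is restarted.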

This is a cool trick.  If you open a shell to monitor the log, you can use the tail command to print messages to the screen as they are written:

[sourcecode]tail -f /var/log/sshd.log[/sourcecode]

This is what helped me find my problem.

End Result/My Problem

I finally found that my problem was the permissions of the home directory.  I found this in the log file:

[sourcecode]Authentication refused: bad ownership or modes for directory /home/remoteuser[/sourcecode]

After I changed ownership of the home directory, my key authentication worked great.
