Category: ssh

Attic Tips

I’ve been saving space with my backups by putting them into an attic repository. I have a backup roughly every 6 months, but much of it is the same info. By using attic, I can simply store each one into a single repository without using a huge amount of space.

My latest issue was my backup session was interrupted in the middle. I had to figure out how to resume.

Spacing

Just to give you an idea of amounts of storage …

  • Current Home Directory: 378G (not backed up yet)
  • April Backup: 320G (backed up)
  • Attic Repository Size: 507G
  • Attic includes 4 backups

Adding a backup

So, here’s the command that I used to add my backup directory to the repo.

<br />
attic create --verbose \<br />
     /backup-drive/backup-repo/repo.attic::2016-04-23-Pistachio \<br />
     /home/skp/mnt/2016-04-23-Pistachio\ Backup<br />

Resuming a Backup

I’m having to run my commands over SSH since my server’s kind of hard to get to without a screen. I had to take my laptop with me before the backup completed, and I had to stop the backup.

It creates a checkpoint every 5 minutes as I understand. I could see the checkpoint by running a list command:

<br />
attic list /backup-drive/backup-repo/repo.attic<br />

Here’s the output (after I restarted it and it finished):

<br />
2012-11-10-pecan                     Sat Apr 23 00:21:13 2016<br />
2014-10-19-pistachio.checkpoint      Sat Apr 23 21:06:24 2016<br />
2014-10-19-pistachio                 Sun Apr 24 04:51:12 2016<br />
2013-05-25-pecan.checkpoint          Sat Oct 29 08:42:25 2016<br />
2013-05-25-pecan                     Tue Nov  1 10:54:33 2016<br />
2016-04-23-Pistachio.checkpoint      Sun May 28 09:02:29 2017<br />
2016-04-23-Pistachio                 Mon May 29 02:37:59 2017<br />

I was looking for some special command to make it restart. I actually just used the same command that I had initially used.

<br />
attic create --verbose \<br />
     /backup-drive/backup-repo/repo.attic::2016-04-23-Pistachio \<br />
     /home/skp/mnt/2016-04-23-Pistachio\ Backup<br />

Disconnectable Sessions

Next time, I thought I would look for a better solution. I like RDP in that I can disconnect and my session keeps running. I found this command would let me do the same thing with SSH sessions:

<br />
screen<br />

To reconnect, I can just run:

<br />
screen -r<br />

Resources

Ubuntu 16.04 — Restore

This is my first post in the series for installing Ubuntu 16.04 on my Inspiron 17R laptop. In this step, I am mainly just restoring files and putting the data back after formatting the drive.

Series Navigation:

I didn’t take screenshots of the install process. I just basically accepted the defaults.

Restoring files

These are the directories that I restored.  Maybe it will give you an idea of things you may want to restore if you do the same thing.

  • ~/.ssh: The keys for my remote ssh connections — most important because of backuppc restoring
  • ~/Documents: This is where I put all my document files
  • ~/Pictures: I have Shotwell pointed at this directory, so it contains all the pictures from my cell phone and digital camera
  • ~/GideonTaylor: I keep my work files in a different directory
  • ~/.config/google-chrome: The settings for Chrome (extensions, bookmarks, etc)  (or, ~/.config/google-chrome-beta)
  • ~/.local/share/keyrings: My saved passwords
  • ~/.Skype: Skype history
  • ~/.remmina: The settings for my remote connections
  • ~/.local/share/shotwell: The settings and thumbnails for my photos
  • ~/.sword: The downloaded Bible files for Xiphos (and the underlying Sword library)
  • ~/.filezilla: The settings for my FTP connections
  • ~/.sqldeveloper: The connection settings for SQL developer
  • ~/.vim: stores the plugins installed in Gvim
  • ~/.vimrc: preferences for Gvim
  • /etc/NetworkManager/system-connections: this saves all of my wireless connections and VPN connections

My backup this time was located on an external USB drive.  I also had a BackupPC installation, but I didn’t restore a lot from it.  For smaller directories/files, just copy and paste works fine.  For larger directories, it was better to use grsync, which I installed from Ubuntu Software.

Shortcuts / Menu Entries

I had a couple of items that I had added to help me get to Vmware View machines.  Unfortunately, I didn’t remember the exact commandline.  Instead of looking it up again, I found that I could copy the .desktop files from the directory:

  • ~/.local/share/applications

BackupPC

I’m not going through the whole configuration of the server.  In this case, I just need it to connect and begin to back up the laptop after my install.

I checked the version of my apps:

<br />
$rsync --version<br />
rsync version 3.1.1 protocol version 31<br />

First, SSH is not enabled on Ubuntu 16.04 by default.  I had to install it:

<br />
sudo apt-get install openssh-server<br />

Then, I generated the keys with this command (left the passphrase blank)

<br />
sudo ssh-keygen -t rsa<br />

On my backup server, the backuppc user’s home directory is /var/lib/backuppc (you can confirm in the /etc/passwd file).  Using vi, I copied the contents of  /root/.ssh/id_rsa.pub on the client to /var/lib/backuppc/.ssh/known_hosts.  I’m not sure this step worked … on my test I had to remove the pistachio key (maybe I should have done that first):

ssh-keygen -f "/var/lib/backuppc/.ssh/known_hosts" -R pistachio

Then, I opened up /root/.ssh/authorized_keys2 on my laptop (client) and pasted the contents of /var/lib/backuppc/.ssh/id_rsa.pub from the server. In the end, Copy and Paste in a text editor wasn’t good enough. I had to scp the file across between the computers.

I verified security on the directory:

sudo chmod -R go-rwx /root/.ssh

Finally, I tested as the backuppc user on the backup server:

<br />
sudo su backuppc<br />
ssh -l root pistachio whoami<br />

To troubleshoot, I ran the server with debugging messages as root:

<br />
service ssh stop<br />
/usr/sbin/sshd -d<br />

Next time, I will configure Backup PC to backup the root .ssh directory to avoid having to reconfigure all of this.

Next Steps

If you want to follow along with my install process, you can check out the next post: Ubuntu 16.04 — Internet.

 

Resources

My Server Configuration

These were the steps that I went through to configure my server after installing Ubuntu.  (just to help remember)

Installing SSH

My first requirement for a server is that I be able to get to it from my laptop.  SSH will allow me to both open remote terminal sessions and copy files from nautilus.

I simply installed this ssh metapackage from the Software Center.

My first attempt to connect brought me this message:

</p>
<p>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br />
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @<br />
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br />
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!<br />
Someone could be eavesdropping on you right now (man-in-the-middle attack)!<br />
It is also possible that a host key has just been changed.

This was because I was reinstalling my server, and I had connected to the previous installation with my laptop.  The fix was easy (it was actually in the message):

ssh-keygen -R israel

To set it up to where I could connect without a password, I ran this command:

ssh-copy-id israel

Printing

I have an HP printer, so I chose to install the HPLIP Toolbox from the Software Center.

I could launch it through ssh with the command “hp-toolbox”.  Then, I chose the Setup Device option off the Device menu for my printer.

I selected USB:

Then, I selected the device:

Then, I entered the information about the printer:

This added, the printer.  Next, I made it the default printer:

To make the printer accessible over the network, I had to tweak the cups configuration.  I edited the /etc/cups/cupsd.conf.  I added a Listen line with the machine’s hostname.

I also turned “Browsing” on to make it easier to discover the printer.

To make the network name resolve correctly, I removed this line from /etc/hosts:

Finally, I restarted the cups service with the command:

sudo service cups restart

That gave me some access, but I still had issues.  Then, I found an easier way to do it.  I ran the the printer configuration:

system-config-printer

On the printer dialog, there is a Server > Settings option.

There, I checked the sharing options to open things up for my private network.

Java Installation

I have a personal application that I use at home, and Java is a requirement for that.  I took the easy route and installed Java using Web Upd8’s method.  That just meant running these three commands:

sudo add-apt-repository ppa:webupd8team/java<br />
sudo apt-get update<br />
sudo apt-get install oracle-java8-installer

I confirmed that it installed with:

</p>
<p>skp@israel:~$ java -version<br />
java version &quot;1.8.0-ea&quot;<br />
Java(TM) SE Runtime Environment (build 1.8.0-ea-b55)<br />
Java HotSpot(TM) Client VM (build 24.0-b22, mixed mode)<br />
skp@israel:~$ javac -version<br />
javac 1.8.0-ea

Finally, I needed to add a mysql user.  I don’t need to install mysql because it’s embedded into my application, but I do need the user.  I used this command:

useradd -r mysql

Resources

Sudo Plus X11 Forwarding

I originally published this script on my PeopleSoft Blog, but since it is as much Linux related, I thought it should go here, too.

The problem was that I was trying to install the Oracle Database via SSH using the GUI installer.  The sudo command was breaking my X11 forwarding.

I found the answer on the “Bag of Tricks” blog:

Bag of Tricks: x forwarding and sudo for oracle installs

Here’s my version:

</p>
<p>#!/bin/sh</p>
<p>user=$1<br />
if [ -z &quot;$user&quot; ]; then<br />
 user=&lt;default user&gt;<br />
fi</p>
<p>displayNum=`echo $DISPLAY | sed -e 's/^.*://' -e 's/\.[0123456789]*//'`<br />
echo &quot;Display # = $displayNum&quot;<br />
cookie=`xauth list | grep &quot;:$displayNum&quot;`<br />
echo &quot;Cookie = $cookie&quot;<br />
cookiename=`echo $cookie | sed 's/\s*MIT-MAGIC.*$//'`<br />
echo &quot;Cookie Name: $cookiename&quot;<br />
echo &quot;user = $user&quot;<br />
sudo -u $user bash -c &quot;xauth list; xauth add $cookie; bash; xauth remove $cookiename&quot;</p>
<p>

 

Troubleshooting SSH Connections and Using syslog

I have been struggling with ssh connections.  So, I thought I would write down some of the different troubleshooting tips that I found.

Permissions

Make sure that your permissions are correct on your home directory and your key files.  Here are the permissions that you need.

Check with this:

ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys $HOME/.ssh/id_rsa

Note: make sure that you check this on your local computer and your remote computer.  The permissions should be:

chmod go-w $HOME<br />
chmod 700 $HOME/.ssh<br />
chmod 600 $HOME/.ssh/authorized_keys<br />
chmod 600 $HOME/.ssh/id_rsa<br />

SELinux

Another thing I found was that SE Linux was stopped the private keys from working.  Using dmesg, I found lines like this:

</p>
<p>type=1400 audit(1332520527.110:51337): avc: denied { read } for pid=25240 comm=&quot;sshd&quot; name=&quot;authorized_keys&quot; dev=dm-5 ino=167 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

I checked the status with sestatus, and found that SELinux was enforcing.  Then, I used the following command to turn it to permissive mode:

setenforce 0

Checking again, you’ll see it is in permissive mode now:

</p>
<p>$ sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /selinux<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy version: 24<br />
Policy from config file: targeted

Then, when I tried connecting, I found that the key authentication and X11 forwarding worked.  Just a note: the key authentication worked with policy version 23 but not 24.

Logging on the Client

Use the “-v” parameter to ssh will provide some output as to what is wrong.  In fact, you can maximize the debugging messages with “-vvv”.  So, you can see what’s going on, you can do something like this:

ssh -vvv remoteuser@remotecomputer

Writing messages to dmesg

I read that the messages go to dmesg.  I had trouble telling if dmesg was changing.  So, I decided to see if I could add something to the log.  Then, I would know that anything after that message was new.

Here’s the command that did the trick:

sudo bash -c "echo hello world > /dev/kmsg "

Configuring Logging for SSH on the remote machine

At first, I couldn’t get any log messages out of the remote machine.  I found that I had to adjust the configuration for both syslog and sshd.

First, I change syslog to create a separate log file for sshd.  You can make this change in /etc/rsyslog.conf.  The local7.* already existed in my configuration.  I added the local6.debug line:

</p>
<p># Save boot messages also to boot.log<br />
local7.* /var/log/boot.log</p>
<p># SSH specific (Added by Stephen)<br />
local6.debug /var/log/sshd.log</p>
<p>

Then, I had to change the sshd configuration.  You can make this change in /etc/ssh/sshd_config.  I set the SysLogFacility to “LOCAL6” to make the separate log file setting work from above.  Then, I changed the LogLevel to “DEBUG”.  I think there is also a “DEBUG3” that might provide even more.

</p>
<p># Logging<br />
# obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#SyslogFacility AUTHPRIV<br />
#LogLevel INFO<br />
SyslogFacility LOCAL6<br />
LogLevel DEBUG

Finally, restart both sshd and rsyslog to make the changes take effect.

sudo service sshd restart && sudo service rsyslog restart

This is a cool trick.  If you open a shell to monitor the log, you can use the tail command to print messages to the screen as they are written:

tail -f /var/log/sshd.log

This is what helped me find my problem.

End Result/My Problem

I finally found that my problem was the permissions of the home directory.  I found this in the log file:

Authentication refused: bad ownership or modes for directory /home/remoteuser

After I changed ownership of the home directory, my key authentication worked great.

Resources