[09:01:43]
<orhtej2> TY @[Josué] ❤️
[15:01:25]
<plux> Coucou 👋, à la proposition de mise à jour de roundcube, il y a ce message dont je ne comprends pas toutes les conséquences, on perd les contacts ? Tous les messages ?
>automatic_addressbook plugin was replaced with updated version, but the migration of collected data is not possible. What this means you'll lose the contacts from Collected Recipients collection with this update. Sorry!
[15:59:51]
<orhtej2> > <plux> Coucou 👋, à la proposition de mise à jour de roundcube, il y a ce message dont je ne comprends pas toutes les conséquences, on perd les contacts ? Tous les messages ?
> >automatic_addressbook plugin was replaced with updated version, but the migration of collected data is not possible. What this means you'll lose the contacts from Collected Recipients collection with this update. Sorry!
Worry not, the plugin is likely defunct
[16:36:41]
<captainhonora> https://aria.im/_bifrost/v1/media/download/AcNYggdWyKrORvWoy-Dj6KAakQVT8yxFTWyi_doOHXZCmX7bd42VZDYEhcbtcjUJ2JblAWzOkd91gcB0cVPaR5NCefUgnKyQAG1hdHJpeC5vcmcvb2xuYVhEUkJjWXlDZE9ScEhoRnFndFJi
[16:36:42]
<captainhonora> Why does the copy read "suspiciously high number" instead of printing the number. Just tell me the number and let me decide if it's suspicious or not.
[16:48:17]
<captainhonora> Is it still a suspicious ammount of auth failures if I serve 20 users? 200 users?
[16:57:19]
<otm33> captainhonora: something like 750 auth failures every 24 hours (to be confirmed)
[16:58:57]
<@err404:matrix.numericore.com> captainhonora you should not expose your ssh server on Internet, you should use a vpn (wireguard is good) and allow ssh only from local network (so the user will need to use the vpn to reach the ssh server)
[17:02:40]
<otm33> or, at least, change the ssh port
https://doc.yunohost.org/en/admin/security#using-a-custom-port-for-ssh
[17:41:48]
<captainhonora> Ok. This is the information that need to be communicated by the text then. This is already more information than the warning message provided.
[17:43:37]
<captainhonora> How does that work with collaborators? do they have to do anything?
[17:45:36]
<captainhonora> it's been that way for 4 years
[17:45:47]
<captainhonora> Yeah but then I need to pay 10$ a month for the VPN yeah?
[17:45:53]
<captainhonora> plus per user charges
[17:49:35]
<@err404:matrix.numericore.com> I use my own server (promox, container Yunohost) all reachable with the vpn wireguard, I dont use external vpn provider
[17:49:49]
<artlog> Using a non standard port is the first way to eliminate 99% of ssh ennoying connections
[17:50:00]
<captainhonora> Got it, opening port 67 to the entire internet
[17:50:15]
<artlog> and certainly deactivate password on ssh, use only ssh keys
[17:50:16]
<captainhonora> not sure I understood that first part physically how many machines
[17:50:31]
<captainhonora> Man I think it's time for me to give up on sysadmin it's too much to keep track of.
[17:51:33]
<captainhonora> Which machine runs wireguard
[17:52:00]
<@err404:matrix.numericore.com> > <@captainhonora:matrix.org> not sure I understood that first part physically how many machines
Only one, in my kitchen, but I use public ip from my ISP
[17:53:18]
<@err404:matrix.numericore.com> I installed wireguard on my promox server, but also on the yunohost container
[17:55:39]
<@err404:matrix.numericore.com> On my laptop I also installed wireguard, so I can reach my yunohost from everywhere
[18:07:59]
<artlog> both ...
[18:08:00]
<artlog> after so many years using the term VPN i start to really dislike it. This is not virtual since it provide a real network, it is more a tunneled / layerd network. A network over a network hack.
[18:08:00]
<artlog> you can use a VPN to hide your internal address or to provide a public address to contact your services, those are two different usage of a VPN.
[18:08:00]
<captainhonora> yeah it's super confusing to me. Thought VPN was purposefully NOT at your home network
[18:08:59]
<captainhonora> I have a hard time understanding how having one more program installed brings more security since they are all under the same ipv4 IP
[18:11:39]
<artlog> it is a way to go through a small hole authorized by your provider and connecte to another provider that gives you a full network access.
[18:11:40]
<captainhonora> ok gotcha.
[18:11:43]
<miro5001> Just change ssh port (use port number between 500 and 1000)and forward it in the router. You'll get less bots on that new port.
You can also disable password login for ssh (use ssh key).
[18:18:22]
<artlog> yes expose to internet a port that is not 22 , internal port can remains 22. having a not standrad port internally can still be a good idea with ipv6 because it is unusaul to phave nat with ipv6
[18:18:22]
<artlog> and VPN that provide public adresses are more expensive, due to price of ipv4 public adresses
[18:18:22]
<captainhonora> Will try, thanks.
[18:21:11]
<miro5001> Don't hesitate to ask if you need more details.
I think it is a good idea for a tutorial on the forum
[18:21:55]
<captainhonora> Yeah I was thinking some kind of simplified guide to get minimal security going. Because the alternative is people like me freestyle it with port 22 open.
[18:24:58]
<captainhonora> (reading the documentation now)
[18:26:34]
<captainhonora> When connecting trough SSH trough any other port than 22 do we have to manually specify the new port every time?
[18:27:41]
<captainhonora> Or does the port forwarding to the address work and we still connect to the same .ynh.fr domain>
[18:27:46]
<miro5001> What is your ssh client?
[18:27:53]
<captainhonora> Just trough CLI
[18:28:24]
<miro5001> `ssh user@hostname -p 567`
[18:29:55]
<captainhonora> 567?
[18:29:55]
<artlog> Yes but... It can be set in .ssh/config of each client.
[18:29:56]
<miro5001> It's an example
[18:29:56]
<captainhonora> any port above 500 yeah?
[18:29:57]
<captainhonora> thanks
[18:30:43]
<artlog> .ssh/config is my favourite, it works with ssh and scp, while it is -p in ssh and -P in scp... ( who decided that ... )
[18:32:38]
<captainhonora> I need to regenerate all SSH keys since they were made for the previous port?
[18:32:58]
<miro5001> No
[18:34:19]
<miro5001> You just change the ssh port on the server and append `-p yourport ` to your ssh command, it will work right away
[18:35:24]
<captainhonora> mhh it did not work in that case
[18:36:43]
<captainhonora> I can reach the server but " Permission denied (publickey)."
[18:38:17]
<captainhonora> Server is now so secure I can't get in. 😎
[18:39:22]
<otm33> Trying to authenticate with ssh key ?
[18:40:25]
<captainhonora> I disabled password authentication. I thought since it's just a checkbox and I've been advised to ,why the hell not.
[18:42:51]
<otm33> Can you try authenticating with verbose mode aka -vv ?
[18:47:27]
<captainhonora> ```debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey```
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /var/root/.ssh/id_rsa
debug1: Will attempt key: /var/root/.ssh/id_ecdsa
debug1: Will attempt key: /var/root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /var/root/.ssh/id_ed25519
debug1: Will attempt key: /var/root/.ssh/id_ed25519_sk
debug2: pubkey_prepare: done
debug1: Trying private key: /var/root/.ssh/id_rsa
debug1: Trying private key: /var/root/.ssh/id_ecdsa
debug1: Trying private key: /var/root/.ssh/id_ecdsa_sk
debug1: Trying private key: /var/root/.ssh/id_ed25519
debug1: Trying private key: /var/root/.ssh/id_ed25519_sk
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[18:51:08]
<miro5001> Are you sure that it the correct ssh key
[18:51:39]
<captainhonora> i am not.
[18:51:48]
<otm33> Try shh with the path to your key ( -i /path/to/key )
Did it work before?
[18:52:29]
<otm33> Yeah, try shhhh and then ssh (sorry)
[18:53:03]
<miro5001> I mean, how were you used to ssh to the server? From your account on the client?
[18:56:55]
<captainhonora> password, port 22, in CLI
[18:57:22]
<captainhonora> What client?
[18:58:00]
<miro5001> So basically :
- when you generate ssh keys, the pairs are stored in "/home/username/.ssh"
- when you try to ssh to your server, the client will look inside that folder for available keys
- so if you ssh as another user (for ex root), the client will look inside the wrong location
[18:58:24]
<miro5001> Are you on windows or linux?
[18:58:37]
<captainhonora> trying to ssh same user
[18:58:42]
<captainhonora> mac
[18:59:15]
<captainhonora> logging in same user as before
[19:02:10]
<otm33> Well, in case of multiple keys, the sshd_config may allow a limited number of tries. Dunno what is the default limit.
[19:02:13]
<captainhonora> I used to always SSH as root
[19:02:14]
<miro5001> How many keys do you have? Inside /var/root/.ssh
Are there ones that you don't need anymore?
Were you able to login without password before changing the port?
[19:03:51]
<captainhonora> I never tried without password this is the first time.
But i have id_ed25519.pub and private.
[19:07:37]
<captainhonora> I generated the keys, but since log in with password was turned on, it never came up wether or not that method worked
[19:07:41]
<otm33> And you did copy the pub key on the ynh server?
[19:07:44]
<miro5001> Ah, I see. So you weren't able to login with keys
[19:07:53]
<captainhonora> Yeah I think so. I don't remember how tho.
[19:08:05]
<captainhonora> There is SSH at the app level (forgejo, our source control) where I have been adding the keys and validating them for my teammates.
[19:08:20]
<captainhonora> But at the level of Yunohost I don't remember how to do it.
[19:11:08]
<otm33> https://doc.yunohost.org/en/admin/security#ssh-authentication-via-key
[19:12:02]
<captainhonora> Failed to open ID file 'id_rsa.pub': No such file or directory
[19:30:09]
<otm33> Yours is id_ed25519.pub
[19:33:30]
<captainhonora> yes it saved but I still got the warning and idk what it is about
[19:34:44]
<captainhonora> I feel like a crucial part is not explained on this page.
[19:34:45]
<captainhonora> There has to be a moment where I paste the key on the server side.
[19:34:45]
<miro5001> ssh-copy-id user@hostname
[19:34:45]
<captainhonora> At which point do I tell my server which SSH key is trustworthy.
[19:34:46]
<otm33> Could the error be related to a permissions issue as explained in the doc?
[19:34:46]
<captainhonora> ERROR: Too many arguments. Expecting a target hostname, got:
[19:34:47]
<captainhonora> re-enabled password auth and ran the command again, same output.
[19:34:47]
<miro5001> But you need password authentication enabled for ssh-copy-id
[19:34:48]
<captainhonora> I ignore warnings because most of the time they are meaningless but sometimes they are not. It's hard to know what is worth paying attention to.
[19:34:48]
<captainhonora> Why does it say it saves successfully but then ERRo failed to open ID file
[19:52:26]
<miro5001> Did you add -p port?
For ssh-copy-id, -p port should be before user@hostname
ssh-copy-id -p 567 user@hostname
[19:55:59]
<captainhonora> "being vigilant on UNIX file/dir permissions across the whole system ;"
I have an idea what this is about but I don't think this is what the problem is about.
[19:59:04]
<captainhonora> yes
[19:59:37]
<captainhonora> Off topic but this is precisely why I find CLI insane
[19:59:37]
<captainhonora> Ok you are right port was in the wrong place
[19:59:38]
<captainhonora> As long as there is no conventions of where the argument goes people will feel stupid and frustrated.
[20:02:36]
<captainhonora> I now get a bit of progress which is to say I moved on to a new error which is related to what otm33 was saying about the UNIX file permissions being denied.
[20:03:37]
<miro5001> Believe me, I got frustrated a lot, a long time ago. But got a lot of help from the community and learnt a lot
[20:08:36]
<captainhonora> Thanks a lot. It's really hard sometimes because I really feel angry at myself for not understanding this as I know this 101 to some of y'all.
[20:08:37]
<miro5001> We all started "not understanding"
What is the next error
[20:10:57]
<captainhonora> so it authenticates correctly on port 512, but cannot chdir (does not exist) and can't cd (permission denied)
[20:11:37]
<captainhonora> and mkdir permission denied cannot create dir
[20:12:06]
<captainhonora> Ran the command again with sudo yeah. no difference.
[20:12:07]
<captainhonora> Is it trying to create a new SSH folder on the server? because that's not what I'm trying to do.
[20:12:08]
<otm33> What does return `pwd`?
Is it an user from admins group?
[20:12:09]
<captainhonora> yes the root user
[20:12:09]
<captainhonora> There is a server with yunohost installed. I'm trying to add the SSH key from my macbook to it. or the SSH keys from teammates I want to add.
[20:12:10]
<captainhonora> ie .ynh.fr
[20:12:11]
<captainhonora> do you put the domain extension in the hostname?
[20:16:36]
<miro5001> Of course. If it's not the local ip address.
You should also forward that port in the router
[20:17:03]
<captainhonora> Yeah I did.
[20:21:51]
<captainhonora> I'm going to assume ssh-copy-id is the culprit.
[20:22:36]
<captainhonora> I have drwx------ permissions over .ssh
[20:22:42]
<miro5001> When you run ssh-copy-id it will ask for password. Then tells you "Now try logging into the machine, with...."
Did you get that?
[20:22:56]
<miro5001> If not then the key has not been copied
[20:23:15]
<captainhonora> It asks for my current password for sudo, then the server root password, then fails due to permission denied on the folder (despite drwx-----)
[20:23:22]
<captainhonora> ``` sudo ssh-copy-id -p 512 enoravfx@niwlcoop.ynh.fr
Password:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/enoravfx/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
enoravfx@niwlcoop.ynh.fr's password:
Could not chdir to home directory /home/enoravfx: No such file or directory
sh: 1: cd: can't cd to /home/enoravfx
mkdir: cannot create directory '.ssh': Permission denied```
[20:23:41]
<miro5001> Retry but using the local ip address instead of the hostname
[20:24:08]
<captainhonora> still with user@ip format?
[20:24:16]
<captainhonora> Same output.
[20:24:28]
<otm33> `getfacl /home/enoravfx`
[20:24:31]
<miro5001> OK, then try to ssh to the server with password and see the permissions of .ssh
[20:24:37]
<captainhonora> authenticity of host can't be established
[20:24:47]
<captainhonora> Ok, after logging in with password I noticed an error messages gets added regardless of what command I run
[20:24:54]
<captainhonora> does not exist on mac.
[20:25:01]
<miro5001> In the server
[20:25:16]
<captainhonora> Ahh
[20:25:29]
<captainhonora> does not exist.
[20:25:32]
<captainhonora> it's a folder on my macbook
[20:25:37]
<otm33> Still with verbose enabled?
[20:25:43]
<captainhonora> https://aria.im/_bifrost/v1/media/download/AaXLeWx5n_NcqdPgL2V5qTqX7nkIIW3z35VN6oXOoEGOI4IcKyI3z1eSulpt09X5lpROjSjqPIHoqaa6bhnOeiRCefUtt6jAAG1hdHJpeC5vcmcvUVJpT3BCdGlycXhza2dSZVVwbmVYaWtC
[20:25:49]
<captainhonora> I mean even after connecting SSH and asking nothing in particular it tries to chdir
[20:25:52]
<captainhonora> Extremely confusing
[20:25:57]
<miro5001> Does this user exist in the yunohost server?
[20:26:01]
<captainhonora> yes
[20:26:05]
<miro5001> How were you able to ssh to the server? Using this user or root?
[20:26:15]
<captainhonora> it's a user on the server with the same name, and the name of the user on my macbook
[20:26:35]
<captainhonora> that's probably what I did yeah, trying again
[20:26:39]
<otm33> Did you change permissions on your Mac instead of on your ynh server?
[20:29:56]
<otm33> So having also a folder /home/enoravfx in your ynh server?
[20:30:00]
<miro5001> ssh-copy-id should be ran from your mac. This will copy your ssh key to the server
[20:30:02]
<captainhonora> not sure what I should do.
[20:30:08]
<miro5001> Can you ssh using root?
[20:30:38]
<captainhonora> is that not dfiferent than typing sudo i
[20:30:38]
<miro5001> `ssh root@local_ip_address -p 512`
[20:30:39]
<captainhonora> is that not different than typing sudo i
[20:30:44]
<captainhonora> is that different than typing sudo i?
[20:30:48]
<captainhonora> somehow I can't find the correct password for that.
[20:30:52]
<captainhonora> I did everything from enoravfx user with sudo before.
[20:30:54]
<miro5001> You can change it the webadmin
[20:31:07]
<artlog> Usual advice in security is to avoid login as root. su or sudo can help to become root after a user login.
[20:31:08]
<captainhonora> yeah that's what I was doing
[20:35:13]
<captainhonora> Thanks for the help on switching to port 512, that part works now.
[20:35:18]
<orhtej2> did the key work before? the most common pitfall is too lean permissions on `~/.ssh`, should be `600` IIRC
[20:35:23]
<orhtej2> (`sshd` will reject world-readable `authorized_keys`)
[20:35:26]
<miro5001> Every user in the server should have a folder in /home with the correct ownership
[20:35:31]
<orhtej2> make a folder in your `~` directory and see for yourself, the default permissions are borked
[20:35:36]
<orhtej2> (now that I think about it it's not server-side `authorized_keys` but client-side `id_*` that need said permissions)
[20:35:43]
<otm33> Yep. I messed up with folders names on the client and the server.
[20:35:57]
<captainhonora> Are the SSH keys also per user on the server side?
[20:35:57]
<miro5001> [@captainhonora:matrix.org](https://matrix.to/#/@captainhonora:matrix.org) seem to have lost home folder for her user. I just discovered "mkhomedir_helper" that is intended to create the full skeleton of the home folder
[20:36:51]
<captainhonora> Unrelated issue but if there are forgejo users, what are some possible leads I can investigate for extremely slow download speed when trying to download a .zip?
The server is directly connected via ethernet and should in theory give me a speed that is bottlenecked by max upload speed (4mbps) but instead I get 64kb/s
[20:52:11]
<orhtej2> of course, you need to add the public key to `authorized_keys` under `~/.ssh` on the server
[20:52:13]
<miro5001> Try running htop as root when downloading and see cpu and ram
[21:19:02]
<captainhonora> the download speed is 200mbps on my local computers so I don't think it's cpu bound
[21:19:03]
<captainhonora> The download is done before i can run htop
[21:19:03]
<captainhonora> 1 gig RAM used out of 16GB, 2% CPU
[21:19:04]
<captainhonora> So yeah it can only be my ISP.
[21:19:04]
<captainhonora> So it's not CPU bound, not RAM bound, not the cable not the router,
[21:19:05]
<captainhonora> 4mbps is already slow yeah but they get only 64kbps
[21:19:05]
<miro5001> So it's only team mates who experience this?
[21:19:07]
<captainhonora> which is the bottleneck of the wifi and normal.
[21:19:07]
<captainhonora> otherwise same file if I download the zip it serves it at 200mbps
[21:19:19]
<captainhonora> yes.
[21:27:37]
<miro5001> Is this slowness the same when downloading from nextcloud or directorylister?
[21:27:43]
<captainhonora> nextcloud is slow, git clone is fast
[21:27:51]
<captainhonora> nextcloud is euqually slow, git clone is fast
[21:28:00]
<captainhonora> nextcloud is euqually slow, EDIT: git is also slow.
[21:28:10]
<captainhonora> At a high level I'm trying to understand what I can do to speed things up closer to my 2010 upload speed of 4mbps than 1995 era speed of 64bps
[21:28:32]
<captainhonora> If I can upload at 4 mbps why isn't the download speed of my teammates closer to 4mbps, given that it's not bound by CPU or RAM or cable speed, or the router itself which can go to 1GBps
[21:32:14]
<miro5001> So it's not the server but some network issues.
When you upload files to external sites from your local network, is the speed slow?
Does speed test report slow uploads?
[21:46:44]
<captainhonora> Speed also slow wen uploading on wetransfer. Speed test reports 4mbps which way faster than what I experience in upload or teammates experience.
[21:47:16]
<captainhonora> You are right I just need to wait on my ISP. I was hopeful today as my speed jumped from 0.4 to 4mbps but it's still stuck somehow.
[22:34:54]
<Moté> plux: si je comprends bien, tu perds la liste de contacts "contacts récupérés", qui contient les contacts à qui tu as écrit mais que tu n'as pas spécialement enregistré dans un carnet d'adresses
[22:58:38]
<plux> Humm oki merci Moté . j'ai du réinstallé la sauvegarde car après l'upgrade je n'avais plus aucun message