On Mon 02 Sep 2019 at 18:05:16 (-0400), Gene Heskett wrote:
> On Monday 02 September 2019 16:05:52 David Wright wrote:
> > On Mon 02 Sep 2019 at 13:16:28 (-0400), Gene Heskett wrote:
> > > On Monday 02 September 2019 12:07:48 David Wright wrote:
> > > > On Mon 02 Sep 2019 at 06:50:34 (-0400), Gene Heskett wrote:
[ … ]
> > > > > There are much better editors, like geany, but x won't let geany
> > > > > run as root over an ssh connection. That's BS.
> > > > >
> > > > > Since wheezy, the security paranoia knows no limits and does not
> > > > > care how inconvenient they make it for the user. I am the ONLY
> > > > > user here, get this #@$%&^ crap out of my way!!! I used to be
> > > > > able to reboot a remote machine and could continue working via
> > > > > ssh 30 seconds later even if it took a root session to proceed.
> > > > >
> > > > > But no, someone has decreed that ssh isn't to be started until
> > > > > someone has gone to that machine's own keyboard and logged in
> > > > > now. Then they decided ssh wasn't allowed to use x facilities as
> > > > > root.
> > > > >
> > > > > So if I'm working on a machine out in the shed on the hill,
> > > > > writing g-code to make an armstrong bolt out of a piece of 1"
> > > > > square bar stock, I have to get dressed including shoes for snow
> > > > > in the winter, climb the hill and log back in on that machine's
> > > > > own keyboard before I can access that machine over an ssh
> > > > > connection from a warm and comfortable office chair here in the
> > > > > house. I'd like to make the person who thought that was a good
> > > > > idea do that a few dozen times.
> > > > >
> > > > > Sorry Felix, something pulled my trigger.
> > > >
> > > > I don't understand all this (apart from the first bit,
> > > > commented on separately). ssh comes up without any fuss at all.
> > > > It always has done.
> > > >
> > > > Just to show you, I did the following: closed down agog, booted it
> > > > up again (waking it through the wired ethernet interface),
> > > > unlocked the encrypted /home partition, and logged in again as
> > > > myself; all done without getting out of my armchair.
> > > >
> > > > (The first login is to a pseudo-user whose home directory and
> > > > .bash_profile is in /var/local/home/unlock/.bash_profile, and
> > > > which unlocks and mounts /home, and logs out, all automatically.)
> > > >
> > > > Here's what I see on my screen as it all takes place:
> > > >
> > > > agog!david 10:55:24 ~ $
> > > > agog!david 10:55:39 ~ $ sudo /root/shutdown
> > > > Connection to agog closed by remote host.
> > > > Connection to agog closed.
> > > > 255 wren!david 10:55:57 ~ $
> > > > 255 wren!david 10:56:05 ~ $ agog-wake
> > > > Sending magic packet to 255.255.255.255:9 with 00:13:72:83:33:2a
> > > > wren!david 10:56:15 ~ $ agog-unlock
> > > > Mon Sep 2 10:56:40 CDT 2019
> > > > ssh: connect to host agog port 22: No route to host
> > > > 255 wren!david 10:56:58 ~ $
> > > > 255 wren!david 10:57:28 ~ $ agog-unlock
> > > > Mon Sep 2 10:57:33 CDT 2019
> > > > Linux agog 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2
> > > > (2019-08-08) x86_64
> > > >
> > > > The programs included with the Debian GNU/Linux system are free
> > > > software; the exact distribution terms for each program are
> > > > described in the individual files in /usr/share/doc/*/copyright.
> > > >
> > > > Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> > > > permitted by applicable law.
> > > > Last login: Mon Sep 2 10:42:44 2019 from 192.168.1.17
> > > > (This is /var/local/home/unlock/.bash_profile 2019 February 19)
> > > > Passphrase:
> > > > Unlocked /dev/sda6 as /dev/dm-0.
> > > > /home is now mounted
> > > > Connection to agog closed.
> > > > wren!david 10:57:51 ~ $ agog
> > > > Mon Sep 2 10:57:55 CDT 2019
> > > > Linux agog 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2
> > > > (2019-08-08) x86_64
> > > >
> > > > The programs included with the Debian GNU/Linux system are free
> > > > software; the exact distribution terms for each program are
> > > > described in the individual files in /usr/share/doc/*/copyright.
> > > >
> > > > Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> > > > permitted by applicable law.
> > > > You have new mail.
> > > > Last login: Mon Sep 2 10:43:05 2019 from 192.168.1.17
> > > > (This is /home/david/.bash_profile 2019 August 23)
> > > > (This is /home/david/.bashrc 2019 August 23 on /dev/sdb5)
> > > > (This is /home/david/.bash-1-agog 2019 January 26 on buster)
> > > > (This is /home/david/.bash-u-usbs 2019 July 28)
> > > > (This is /home/david/.bash-t-transfers 2019 June 17 enp2s0)
> > > > (This is /home/david/.bash-w-web 2019 August 15)
> > > > (This is /home/david/.bash-9-agog 2019 May 02)
> > > > agog!david 10:57:57 ~ $ uptime
> > > > 10:58:01 up 1 min, 1 user, load average: 2.22, 0.93, 0.34
> > > > agog!david 10:58:01 ~ $
> > >
> > > which, if I follow the trace above, says ssh is not started until
> > > you've unlocked things.
> >
> > Locking /home makes no difference whatever to the ssh daemon. But in
> > any case, there's a /home already (the mount point), containing the
> > originally installed initialisation files for david (user 1000), plus
> > a single file /home/0 that indicates whether the encrypted partition
> > is mounted (/home/0 visible: unmounted, /home/0 absent: mounted).
> >
> > > I don't lock, there's nobody else that can get to it
> > > when I'm logged out. So when the login requester is showing on the
> > > local console, neither x nor ssh is running.
> >
> > I don't know what a login requester is. I never see a login prompt
> > from agog in the scenario I've described: it could just as well be
> > headless. If I want to know if agog is up, I either ping it (leaving
> > it in its current state) or wake it up.
> >
> > > Both are now dependent on someone
> > > (I'm assuming user 1000 since that's the only warm blooded user
> > > here), and both x and ssh are started by my logging into the
> > > machine's local console.
> >
> > Nothing in this scenario involves X. And I don't see why sshd
> > shouldn't be running all the time the machine is on; to me
> > it's as fundamental as the network coming up. I guess you need
> > to fix that.
>
> Instructions to fix it will be followed. As you say, it should be
> started with the network.
>
> > I've never installed Debian without asking for "ssh server" on the
> > "Software selection" screen. Does forgetting that make a difference,
> > anybody?
>
> Neither have I, which is why the late start after the local login is such
> a pita.
>
> > > Now, there /are/ exceptions. This seems to be a wintel thing, I can
> > > reboot my pi, and log back in and get back to work, but I can't if
> > > it's a wintel box on the far end of the cat5. Difference?
> > > DarnedifIknow. Hmmm, some of the wintels are running xfce4 and some
> > > are running TDE. This machine is running TDE. Should be a
> > > correlation but I'm still a quart low on coffee... Doctor's orders,
> > > dammit.
> >
> > I don't know anything about these specifics. I'm just running Debian
> > on a hodgepodge of PCs, all buster bar one. Here are the scripts etc
> > for these tricks. No smoke or mirrors.
> >
> > $ cat /root/shutdown
> > #! /bin/sh
> > # Shutdown the system.
> > /sbin/shutdown now
> > #
> > $ type agog-wake
> > agog-wake is a function
> > agog-wake ()
> > {
> >     wakeonlan 00:13:72:12:34:56
> > }
> > $ type agog-unlock
> > agog-unlock is a function
> > agog-unlock ()
> > {
> >     date && ssh -X agog -l unlock
> > }
> > $ type agog
> > agog is a function
> > agog ()
> > {
> >     local Thehost="$FUNCNAME";
> >     [ "$HOSTNAME" = "$Thehost" ] && printf '%s\n' "(Same host!)" && return 0;
> >     if [ -z "$1" ]; then
> >         date && ssh -X "$Thehost";
> >     else
> >         ping -c 1 -W 1 "$Thehost" | grep 'bytes from';
> >         -snd-somewhere "$USER@$Thehost" "$@";
> >     fi
> > }
> >
> > The following is on agog, of course:
> >
> > $ cat /var/local/home/unlock/.bash_profile
> > [ -n "$PS1" ] && printf '%s\n' "(This is $HOME/.bash_profile 2019 February 19)"
> > [ ! -f /home/0 ] && printf '\n%s\n\n' "/home is mounted already" && exit 99
> > sudo udisksctl unlock --block-device /dev/disk/by-id/ata-ST3500641A_3PM20612-part6
> > mount /home && printf '%s\n' "/home is now mounted" && exit 0
> > #
> > $
> >
> > Let me know if I've missed anything.
>
> Sorry, zero experience with this locking thing so I've no clue if you've
> missed something.

Yes, skip the encryption: it's just the ssh stuff that concerns you.
Didn't you have problems running ssh -X?

> With dd-wrt watching the doors any intruders might try to come thru, I
> simply am not concerned with other users. The only reason any of the
> others exist is to use their home tree as a perms sandbox.

Well it's fairly obvious why I encrypt the laptop, as it's vulnerable to
theft or robbery, but even the desktops are vulnerable to burglary.

Cheers,
David.
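Two practical points follow from the thread. First, Gene's complaint (sshd only appearing after a console login) is checked on a systemd-based Debian such as buster with `systemctl is-enabled ssh` and `systemctl status ssh`; `systemctl enable --now ssh` makes the daemon start with the network at every boot, no console login required. Second, David's `unlock` pseudo-user is a nice pattern, but its `.bash_profile` runs `udisksctl` and `mount` as two unrelated lines, and the `agog-unlock` function forwards X11 to a login whose only job is to type a passphrase. The script below is an added example, not David's code: it keeps his convention that `/home/0` is visible only while the encrypted partition is unmounted, stops on a failed unlock, refuses to run when the block device is absent, and is meant to be installed as a forced command for the `unlock` user. The path `/usr/local/sbin/unlock-home`, the sudoers line and the `Match User unlock` stanza are assumptions of this example, not configuration from the thread; the commands are variables so the logic can be exercised without a real LUKS device.

```shell
#!/bin/sh
# unlock-home: hardened rewrite of the "unlock" pseudo-user profile from the
# thread. Added example, not David's script. Convention kept from the thread:
# /home/0 exists on the mount-point directory and is hidden while the
# encrypted partition is mounted.
#
# Assumed companion configuration (not from the thread):
#   /etc/sudoers.d/unlock
#     unlock ALL=(root) NOPASSWD: /usr/bin/udisksctl unlock --block-device /dev/disk/by-id/ata-ST3500641A_3PM20612-part6
#   /etc/ssh/sshd_config
#     Match User unlock
#         ForceCommand /usr/local/sbin/unlock-home
#         X11Forwarding no
#         AllowTcpForwarding no
#         PermitTTY yes
# The sudo rule names the exact argument list, so the unlock user can open
# this one device and nothing else; the Match block means "ssh agog -l unlock"
# can only ever run this script, with no X11 or port forwarding attached.

# External commands and paths are variables so a dry run or a test can
# substitute stubs (UNLOCK_CMD=true etc.) without a real LUKS device.
: "${HOME_MARKER:=/home/0}"
: "${HOME_DEV:=/dev/disk/by-id/ata-ST3500641A_3PM20612-part6}"
: "${UNLOCK_CMD:=sudo udisksctl unlock --block-device}"
: "${MOUNT_CMD:=mount}"

# True when the encrypted /home is mounted: the mount hides the marker file.
home_is_mounted() {
    [ ! -e "$HOME_MARKER" ]
}

# Unlock and mount /home.
# Exit codes: 0 mounted now, 99 already mounted (as in the thread),
#             2 block device not present, 1 unlock or mount failed.
unlock_home() {
    if home_is_mounted; then
        printf '%s\n' "/home is mounted already"
        return 99
    fi
    if [ ! -e "$HOME_DEV" ]; then
        printf '%s\n' "block device $HOME_DEV not present"
        return 2
    fi
    # udisksctl asks for the passphrase on the session's tty, so the secret
    # is never on a command line or in this file. Unlike the thread's
    # profile, a failed unlock does not fall through to mount.
    $UNLOCK_CMD "$HOME_DEV" || return 1
    $MOUNT_CMD /home || return 1
    printf '%s\n' "/home is now mounted"
    return 0
}

# When installed as /usr/local/sbin/unlock-home and run as the forced
# command, do the work and end the session with the result as exit status.
if [ "$(basename "$0")" = unlock-home ]; then
    unlock_home
    exit $?
fi
```

Because the sudo rule is pinned to one argument list, `udisksctl unlock` with any other device is refused, and because `ForceCommand` replaces the login shell, a compromised `unlock` key buys an attacker the ability to prompt for a passphrase and nothing more. The 99 exit code is kept so the caller's shell shows the same "already mounted" outcome David's profile does.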