New shell server transition

[scott]

I've enabled hmac-sha1-etm @ openssh.com -- please let me know if that works...

Thank you for enabling the "hmac-sha1" Mac algorithm. However, I'm at a complete lost to explain why the same client and Mac algorithm doesn't work with SH, but works flawlessly with Bolt. I can posts connection traces from Bolt and SH if you think that might help.

I enabled a slightly more secure version of hmac-sha1, guess that didn't work.

Try again, I've set sshd to allow the original hmac-sha1 now.

-Scott

[scott]

I know you must be really swamped, but alpine still the version compiled w/o debug. I'd love to work on this before the transition! Thank you for everything you're doing.

Installed!

-Scott

Thank you so much! Unfortunately even at -d9 the highest debug output, nothing is logged about why the self-signed cert files I've put in place are not working. The log just says alpine starts write_passfile subroutine,



16:06:46.596673
q_status_message(Attempting to
encrypt password file)


Then straight to this with no more explanation


16:06:46.599358
q_status_message(Refusing
to write non-encrypted
password file)

I've tried a bunch of ways to generate and store self-signed cert, but nothing is working. I didn't have success with the local inbox workaround. Any suggestions for next steps on this?

Not at the moment, unfortunately, I'm going to have to dig into it.

Seems like a basic part of alpine that isn't working, and it's a real pain that it isn't. :/

-Scott

[Guest]

I enabled a slightly more secure version of hmac-sha1, guess that didn't work.

It wasn't until this morning that I learned from a friend that there is a subtle distinction between EtM and non-EtM SHA1.

Try again, I've set sshd to allow the original hmac-sha1 now.

Thank you. I will try that as soon as a new issue is resolved. In my frustration to make a successful connection to SH this morning, I tried using v0.70 of PuTTY. Wow, PuTTY needs some help. In any case, not able to see what I was typing, evidently I typed the password wrong, twice. Before I could enter the password a third time, the connection dropped. I tried to connect again, but PuTTY displayed and continues to display the following error dialog:

• PuTTY fatal error: "Software caused connection abort"

The PuTTY doc says this is not the fault of PuTTY. So I tried SecureCRT and now SecureCRT is almost immediately displaying "Connection closed". Logged into Bolt with SecureCRT and I can successfully connect to SH from Bolt. I don't know if I have accidentally banned myself using PuTTY or the server is refusing outside connections or what. :(

[nhdesign]

Yup, no sh, yes bolt.

--
Vic

[scott]

I enabled a slightly more secure version of hmac-sha1, guess that didn't work.

It wasn't until this morning that I learned from a friend that there is a subtle distinction between EtM and non-EtM SHA1.

Try again, I've set sshd to allow the original hmac-sha1 now.

Thank you. I will try that as soon as a new issue is resolved. In my frustration to make a successful connection to SH this morning, I tried using v0.70 of PuTTY. Wow, PuTTY needs some help. In any case, not able to see what I was typing, evidently I typed the password wrong, twice. Before I could enter the password a third time, the connection dropped. I tried to connect again, but PuTTY displayed and continues to display the following error dialog:

• PuTTY fatal error: "Software caused connection abort"

The PuTTY doc says this is not the fault of PuTTY. So I tried SecureCRT and now SecureCRT is almost immediately displaying "Connection closed". Logged into Bolt with SecureCRT and I can successfully connect to SH from Bolt. I don't know if I have accidentally banned myself using PuTTY or the server is refusing outside connections or what.

Yeah, if it sees too many bad logins, it bans the IP address (using denyhosts).

I just purged all entries, try now.

-Scott

[nhdesign]

All good,

Thank You

[casner]

Excuse me for butting in, but an obvious question is, why not get a new version of SecureCRT with more modern and secure cipher and MAC algorithms?

[fiberadm]

(About web logs)
...
The other thing, which I've only used a handful of times (in the last 15 or so years of being a Sonic customer) is to look in realtime at the error logs: When I'm messing with a web page and something goes wrong, it's nice to get immediate feedback of what the problem could be. AFAIK, the error log does not get split by customer, and is not visible in the by_user logs. But honestly, if that functionality goes away, it really won't kill me, it's so rare I use it.

One investigation I need to make is getting customers access to their error logs, as well as having the logs appear in realtime.

Seems to make sense that those should be available...

-Scott

It's true that you don't need the error log very often, but when you do need it, you need it,
and in real time. Any progress on that, Scott?

ALSO: where is my cgi-bin ? (was at /usr/local/lib/httpd/cgi-bin/$USER )

[scott]

(About web logs)
...
The other thing, which I've only used a handful of times (in the last 15 or so years of being a Sonic customer) is to look in realtime at the error logs: When I'm messing with a web page and something goes wrong, it's nice to get immediate feedback of what the problem could be. AFAIK, the error log does not get split by customer, and is not visible in the by_user logs. But honestly, if that functionality goes away, it really won't kill me, it's so rare I use it.

One investigation I need to make is getting customers access to their error logs, as well as having the logs appear in realtime.

Seems to make sense that those should be available...

-Scott

It's true that you don't need the error log very often, but when you do need it, you need it,
and in real time. Any progress on that, Scott?

Giving it a look-see today.

ALSO: where is my cgi-bin ? (was at /usr/local/lib/httpd/cgi-bin/$USER )

[/quote]

I didn't mount that hierarchy because I didn't think anyone still used separate cgi-bin directories. (You get the same effect in your web directory nowadays, given the proper filename suffix.)

Do you need an explicit cgi-bin directory?

-Scott

[fiberadm]

[

ALSO: where is my cgi-bin ? (was at /usr/local/lib/httpd/cgi-bin/$USER )

I didn't mount that hierarchy because I didn't think anyone still used separate cgi-bin directories. (You get the same effect in your web directory nowadays, given the proper filename suffix.)

Do you need an explicit cgi-bin directory?

-Scott

OK, I don't need ./cgi-bin/ anymore, and have emptied it out.
(BTW, I used the web error log, while figuring out some things about this.)

So, I presume that *.cgi and *.php are treated like cgi-bin.
Any others suffixes do the job?
(Could you perhaps list here the relevant section of the Apache config?)

Thanks, -LenW