New shell server transition

Advanced feature discussion, beta programs and unsupported "Labs" features.
316 posts Page 11 of 32
by scott » Fri Mar 16, 2018 10:41 am
Guest wrote:
scott wrote:
I've enabled hmac-sha1-etm@openssh.com -- please let me know if that works...

Thank you for enabling the "hmac-sha1" MAC algorithm. However, I'm at a complete loss to explain why the same client and MAC algorithm doesn't work with SH, but works flawlessly with Bolt. I can post connection traces from Bolt and SH if you think that might help.


I enabled a slightly more secure version of hmac-sha1, guess that didn't work.

Try again, I've set sshd to allow the original hmac-sha1 now.

-Scott
by scott » Fri Mar 16, 2018 10:43 am
gie wrote:
scott wrote:
gie wrote:

I know you must be really swamped, but alpine still the version compiled w/o debug. I'd love to work on this before the transition! Thank you for everything you're doing.


Installed!

-Scott


Thank you so much! Unfortunately, even at -d9, the highest debug output, nothing is logged about why the self-signed cert files I've put in place are not working. The log just says alpine starts the write_passfile subroutine,

    16:06:46.596673 q_status_message(Attempting to encrypt password file)

then goes straight to this, with no more explanation:

    16:06:46.599358 q_status_message(Refusing to write non-encrypted password file)

I've tried a bunch of ways to generate and store self-signed cert, but nothing is working. I didn't have success with the local inbox workaround. Any suggestions for next steps on this?


Not at the moment, unfortunately, I'm going to have to dig into it.

Seems like a basic part of alpine that isn't working, and it's a real pain that it isn't. :/

-Scott
by Guest » Fri Mar 16, 2018 5:00 pm
scott wrote:
I enabled a slightly more secure version of hmac-sha1, guess that didn't work.

It wasn't until this morning that I learned from a friend that there is a subtle distinction between EtM and non-EtM SHA1.

scott wrote:
Try again, I've set sshd to allow the original hmac-sha1 now.

Thank you. I will try that as soon as a new issue is resolved. In my frustration to make a successful connection to SH this morning, I tried using v0.70 of PuTTY. Wow, PuTTY needs some help. In any case, not being able to see what I was typing, evidently I typed the password wrong twice. Before I could enter the password a third time, the connection dropped. I tried to connect again, but PuTTY displayed, and continues to display, the following error dialog:

    PuTTY fatal error: "Software caused connection abort"
The PuTTY doc says this is not the fault of PuTTY. So I tried SecureCRT and now SecureCRT is almost immediately displaying "Connection closed". Logged into Bolt with SecureCRT and I can successfully connect to SH from Bolt. I don't know if I have accidentally banned myself using PuTTY or the server is refusing outside connections or what. :(
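The "subtle distinction" mentioned above is worth seeing concretely. In plain hmac-sha1 the MAC is computed over the sequence number and the plaintext packet and the whole packet is then encrypted (MAC-then-Encrypt); in hmac-sha1-etm@openssh.com the packet length is sent in the clear, the rest is encrypted, and the MAC covers the sequence number, the clear length field and the ciphertext (Encrypt-then-MAC). A client that only knows the first construction cannot verify packets sealed with the second, even though both names contain "hmac-sha1". The following is an added example, not code from OpenSSH, PuTTY or SecureCRT: it models both constructions over the RFC 4253 packet layout with a toy XOR keystream standing in for the negotiated cipher, and shows that mismatched modes fail MAC verification. Key values and the sample payload are constructed.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for both hmac-sha1 variants


def _keystream(key: bytes, seqno: int, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode, keyed on key and seqno).
    Illustration only; it stands in for the real SSH cipher and is not secure."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">II", seqno, counter)).digest()
        counter += 1
    return out[:n]


def toy_crypt(key: bytes, seqno: int, data: bytes) -> bytes:
    """XOR with the toy keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, seqno, len(data))))


def build_packet(payload: bytes, block: int = 8) -> bytes:
    """RFC 4253 section 6 binary packet: packet_length || padding_length || payload || padding.
    At least 4 bytes of random padding; total length is a multiple of the cipher block size."""
    padlen = (-(5 + len(payload))) % block
    if padlen < 4:
        padlen += block
    body = bytes([padlen]) + payload + os.urandom(padlen)
    return struct.pack(">I", len(body)) + body


def payload_of(packet: bytes) -> bytes:
    """Strip packet_length, padding_length and padding from a plaintext packet."""
    body = packet[4:]
    return body[1:len(body) - body[0]]


def _mac(mac_key: bytes, seqno: int, data: bytes) -> bytes:
    return hmac.new(mac_key, struct.pack(">I", seqno) + data, hashlib.sha1).digest()


# hmac-sha1 (MAC-then-Encrypt): MAC the plaintext packet, then encrypt all of it.
def seal_mte(enc_key, mac_key, seqno, payload):
    packet = build_packet(payload)
    return toy_crypt(enc_key, seqno, packet) + _mac(mac_key, seqno, packet)


def open_mte(enc_key, mac_key, seqno, wire):
    ct, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
    packet = toy_crypt(enc_key, seqno, ct)  # must decrypt before the MAC can be checked
    if not hmac.compare_digest(tag, _mac(mac_key, seqno, packet)):
        return None
    return payload_of(packet)


# hmac-sha1-etm@openssh.com (Encrypt-then-MAC): packet_length stays in the clear, the
# rest is encrypted, and the MAC covers seqno || packet_length || ciphertext.
def seal_etm(enc_key, mac_key, seqno, payload):
    packet = build_packet(payload)
    ct = packet[:4] + toy_crypt(enc_key, seqno, packet[4:])
    return ct + _mac(mac_key, seqno, ct)


def open_etm(enc_key, mac_key, seqno, wire):
    ct, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seqno, ct)):  # verify before decrypting
        return None
    return payload_of(ct[:4] + toy_crypt(enc_key, seqno, ct[4:]))


def demo():
    """Matched modes round-trip; a peer speaking plain hmac-sha1 against one that
    expects the -etm variant (or vice versa) fails MAC verification and drops the packet."""
    enc_key, mac_key, seqno = b"k" * 16, b"m" * 20, 3  # constructed keys
    msg = b"constructed sample SSH payload"
    return {
        "mte_to_mte": open_mte(enc_key, mac_key, seqno, seal_mte(enc_key, mac_key, seqno, msg)),
        "etm_to_etm": open_etm(enc_key, mac_key, seqno, seal_etm(enc_key, mac_key, seqno, msg)),
        "mte_to_etm": open_etm(enc_key, mac_key, seqno, seal_mte(enc_key, mac_key, seqno, msg)),
        "etm_to_mte": open_mte(enc_key, mac_key, seqno, seal_etm(enc_key, mac_key, seqno, msg)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ok' if result else 'MAC failure'}")
```

The practical check on the server side is `ssh -Q mac` (lists what the local OpenSSH build supports) against the `MACs` line in sshd_config; a client that lists only `hmac-sha1` in its offer will not match a server that offers only the `-etm@openssh.com` form, and the connection fails at key exchange before any password is sent.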
by nhdesign » Fri Mar 16, 2018 5:13 pm
Yup, no sh, yes bolt.

--
Vic
by scott » Fri Mar 16, 2018 5:30 pm
Guest wrote:
scott wrote:
I enabled a slightly more secure version of hmac-sha1, guess that didn't work.

It wasn't until this morning that I learned from a friend that there is a subtle distinction between EtM and non-EtM SHA1.

scott wrote:
Try again, I've set sshd to allow the original hmac-sha1 now.

Thank you. I will try that as soon as a new issue is resolved. In my frustration to make a successful connection to SH this morning, I tried using v0.70 of PuTTY. Wow, PuTTY needs some help. In any case, not being able to see what I was typing, evidently I typed the password wrong twice. Before I could enter the password a third time, the connection dropped. I tried to connect again, but PuTTY displayed, and continues to display, the following error dialog:

    PuTTY fatal error: "Software caused connection abort"
The PuTTY doc says this is not the fault of PuTTY. So I tried SecureCRT and now SecureCRT is almost immediately displaying "Connection closed". Logged into Bolt with SecureCRT and I can successfully connect to SH from Bolt. I don't know if I have accidentally banned myself using PuTTY or the server is refusing outside connections or what. :(


Yeah, if it sees too many bad logins, it bans the IP address (using denyhosts).

I just purged all entries, try now.

-Scott
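Scott's explanation above (too many bad logins and the source IP gets banned by denyhosts) is also why switching from PuTTY to SecureCRT did not help: the ban is keyed on the address, not the client, and a hop through Bolt arrives from a different address. The following is an added example, not denyhosts itself and not anything from Sonic's servers: it implements the same detection logic over constructed auth.log lines, counting failed password attempts per source IP with separate thresholds for invalid and valid usernames (the threshold values and the allow-list are assumptions) and emitting the hosts.deny lines a ban would produce.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines; addresses are from documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 16 16:50:01 sh sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 16 16:50:05 sh sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 16 16:50:08 sh sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar 16 16:50:09 sh sshd[1205]: Failed password for lenw from 203.0.113.7 port 51030 ssh2
Mar 16 16:50:12 sh sshd[1205]: Connection closed by 203.0.113.7 port 51030 [preauth]
Mar 16 16:51:00 sh sshd[1210]: Accepted publickey for lenw from 198.51.100.9 port 40010 ssh2
Mar 16 16:52:30 sh sshd[1220]: Failed password for gie from 198.51.100.9 port 40100 ssh2
Mar 16 16:52:40 sh sshd[1220]: Accepted password for gie from 198.51.100.9 port 40100 ssh2
"""

# Matches OpenSSH's "Failed password" line; "invalid user " is present when the
# account does not exist, which is the signal denyhosts-style tools weight more heavily.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text: str) -> dict:
    """Return {ip: {"invalid": n, "valid": n}} of failed password attempts per source IP.
    Lines that are not password failures (preauth disconnects, accepted logins) are ignored."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")]["invalid" if m.group("invalid") else "valid"] += 1
    return dict(counts)


def ips_to_ban(log_text: str, threshold_invalid: int = 3, threshold_valid: int = 5,
               allow: frozenset = frozenset()) -> list:
    """Source IPs at or over either threshold, minus an allow-list (thresholds are assumed
    values, not denyhosts defaults). Note the ban is per address: every user behind the
    same NAT is locked out together, which is what the thread above ran into."""
    banned = []
    for ip, c in count_failures(log_text).items():
        if ip in allow:
            continue
        if c["invalid"] >= threshold_invalid or c["valid"] >= threshold_valid:
            banned.append(ip)
    return sorted(banned)


def hosts_deny_lines(ips: list) -> list:
    """TCP-wrappers style entries as written to /etc/hosts.deny for sshd."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    for ip, c in count_failures(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {c['invalid']} invalid-user, {c['valid']} valid-user failures")
    for line in hosts_deny_lines(ips_to_ban(SAMPLE_AUTH_LOG)):
        print(line)
```

"Purging all entries", as Scott did, corresponds to removing the generated lines from hosts.deny and the tool's own state files; until that happens every client from the banned address is refused before authentication, which is exactly the "Connection closed" SecureCRT reported.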
by nhdesign » Fri Mar 16, 2018 5:37 pm
All good,

Thank You
by casner » Sat Mar 17, 2018 8:16 am
Excuse me for butting in, but an obvious question is, why not get a new version of SecureCRT with more modern and secure cipher and MAC algorithms?
by fiberadm » Sun Mar 18, 2018 8:23 am
scott wrote:
lr wrote:
(About web logs)
...
The other thing, which I've only used a handful of times (in the last 15 or so years of being a Sonic customer) is to look in realtime at the error logs: When I'm messing with a web page and something goes wrong, it's nice to get immediate feedback of what the problem could be. AFAIK, the error log does not get split by customer, and is not visible in the by_user logs. But honestly, if that functionality goes away, it really won't kill me, it's so rare I use it.


One investigation I need to make is getting customers access to their error logs, as well as having the logs appear in realtime.

Seems to make sense that those should be available...

-Scott


It's true that you don't need the error log very often, but when you do need it, you need it, and in real time. Any progress on that, Scott?

ALSO: where is my cgi-bin ? (was at /usr/local/lib/httpd/cgi-bin/$USER )
by scott » Tue Mar 20, 2018 10:49 am
fiberadm wrote:
scott wrote:
lr wrote:
(About web logs)
...
The other thing, which I've only used a handful of times (in the last 15 or so years of being a Sonic customer) is to look in realtime at the error logs: When I'm messing with a web page and something goes wrong, it's nice to get immediate feedback of what the problem could be. AFAIK, the error log does not get split by customer, and is not visible in the by_user logs. But honestly, if that functionality goes away, it really won't kill me, it's so rare I use it.


One investigation I need to make is getting customers access to their error logs, as well as having the logs appear in realtime.

Seems to make sense that those should be available...

-Scott


It's true that you don't need the error log very often, but when you do need it, you need it, and in real time. Any progress on that, Scott?


Giving it a look-see today.

fiberadm wrote:
ALSO: where is my cgi-bin ? (was at /usr/local/lib/httpd/cgi-bin/$USER )


I didn't mount that hierarchy because I didn't think anyone still used separate cgi-bin directories. (You get the same effect in your web directory nowadays, given the proper filename suffix.)

Do you need an explicit cgi-bin directory?

-Scott
by fiberadm » Tue Mar 20, 2018 7:20 pm
scott wrote:
fiberadm wrote:
ALSO: where is my cgi-bin ? (was at /usr/local/lib/httpd/cgi-bin/$USER )

I didn't mount that hierarchy because I didn't think anyone still used separate cgi-bin directories. (You get the same effect in your web directory nowadays, given the proper filename suffix.)

Do you need an explicit cgi-bin directory?

-Scott

OK, I don't need ./cgi-bin/ anymore, and have emptied it out.
(BTW, I used the web error log, while figuring out some things about this.)

So, I presume that *.cgi and *.php are treated like cgi-bin.
Do any other suffixes do the job?
(Could you perhaps list here the relevant section of the Apache config?)

Thanks, -LenW
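Scott's statement that a file in the web directory "with the proper filename suffix" gives the same effect as the old cgi-bin hierarchy corresponds to suffix-based handler mapping in Apache. The fragment below is an added example, not the actual Sonic configuration; the directory path and the list of suffixes are assumptions. It shows the two directives that make this work, plus the restrictions a practitioner would want next to them.

```apache
# Added example, not Sonic's config. Path is an assumption.
<Directory "/home/*/public_html">
    # ExecCGI is what lets a script execute at all; -Indexes stops directory listing
    # from exposing scripts and data files when no index page is present.
    Options +ExecCGI -Indexes

    # Map suffixes to the CGI handler. Only the listed suffixes execute; anything
    # else (including a renamed .cgi.bak) is served as a plain file.
    AddHandler cgi-script .cgi .pl

    # Without this, a per-user .htaccess could add handlers or Options the server
    # did not intend to grant.
    AllowOverride None
</Directory>
```

Two caveats follow from this. First, .php is normally served by the PHP module (mod_php or a php-fpm proxy) rather than by the cgi-script handler, so whether it "works like cgi-bin" depends on that separate configuration, not on the AddHandler line above. Second, suffix-based execution means any file a user (or an attacker who can write to the directory, for instance through an upload form) drops in with a mapped suffix runs as that user; the old cgi-bin layout at least kept executable content in one directory. If you run scripts this way, keep uploads out of the web tree or in a directory with `Options -ExecCGI`.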
