| 31 Oct 2024 |
 ashugg | In reply to @f2-:matrix.org
If I want to learn xubuntu does I followe the Ubuntu course? Yes, if that's the closest course that you can find. Xubuntu is Ubuntu with the Xfce desktop environment instead of GNOME. For anything in the Ubuntu course referring specifically to GNOME software, such as the control panel to change network settings or the settings for software updates, you should find the equivalent (basic) functionality in Xubuntu. | 15:10:15 |
|  nlatp joined the room. | 15:26:09 |
 christophe | Who has similar issues with the pc-kernel snap?
# snap refresh
error: cannot refresh: cannot find installed snap "pc-kernel" at revision 1996: missing file /snap/pc-kernel/1996/meta/snap.yaml | 16:20:00 |
| christophe | * Who has similar issues with the pc-kernel snap?
# snap refresh
error: cannot refresh: cannot find installed snap "pc-kernel" at revision 1996: missing file /snap/pc-kernel/1996/meta/snap.yaml | 16:20:18 |
| christophe | This installation was made with 23.10. I might have to reinstall with 24.10. | 16:31:16 |
 Eduardo | In reply to @therealbevi:matrix.org
https://www.dannyvanheumen.nl/post/secure-boot-linux-shim-mokmanager/ It gives me this error: Unable to load certificate, When changing the format from the terminal this appears | 16:53:47 |
 David Strohmaier | Hi, got a problem with a VPN after updating to Ubuntu 24.04. Specifically, I'm using Strongswan and get errors of the form
handling INTERNAL_IP6_DNS attribute failed
installing DNS server < some IP address> via resolvconf
resolvconf: Dropped protocol specifier '.ipsec' from 'lo.ipsec'. Using 'lo' (ifindex=1).
resolvconf: Failed to set DNS configuration: Unit dbus-org.freedesktop.network1.service not found.
adding DNS server failed
| 17:23:28 |
| David Strohmaier | It seems to be this bug: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2067897 | 17:23:45 |
| David Strohmaier | but I don't see a way to resolve the issue. The final comment suggests switching interface (away from loopback/lo), but for vpn I don't see how I could do that (but I am not very familiar with these issues). | 17:24:56 |
| David Strohmaier | Any help would be appreciated | 17:26:09 |
| David Strohmaier | the error message above comes from using ipsec up VPN | 17:32:11 |
| David Strohmaier | * the error message above comes from using ipsec up VPN | 17:32:21 |
|  bglogic joined the room. | 18:10:04 |
| bglogic | Hi, On Ubuntu 24.04 some unknown process/app attempts to mount my Windows 11 boot partition which is in another drive. I get this warning/error as a notification:
"""
Unknown App
UDisks showexec issue
Applications cannot run from /media/root/460B-B2B4.
See https: //github.com/storaged-project/udisks/issues/707
""
(Screenshot uploaded here: https://postimg.cc/w7gr3HYD)
At first I thought it was a UDisks issue and created an issue there. You can see the bug report for some context (https://github.com/storaged-project/udisks/issues/1328). The conclusion after inspecting the UDisks dump was that all the properties look sane and correct for EFI System Partition, something else is ignoring these hints and performs automounting.
I'm trying to figure out the root cause but I have no idea. | 18:12:55 |
 Ubottu | GitHub Issue #1328 in storaged-project/udisks "UDisks tries to automount Windows boot partition" [closed]
| 18:12:56 |
| bglogic | * Hi, On Ubuntu 24.04 some unknown process/app attempts to mount my Windows 11 boot partition which is in another drive. I get this warning/error as a notification:
"""
Unknown App
UDisks showexec issue
Applications cannot run from /media/root/460B-B2B4.
See https://github.com/storaged-project/udisks/issues/707
""
(Screenshot uploaded here: https://postimg.cc/w7gr3HYD)
At first I thought it was a UDisks issue and created an issue there. You can see the bug report for some context (https://github.com/storaged-project/udisks/issues/1328). The conclusion after inspecting the UDisks dump was that all the properties look sane and correct for EFI System Partition, something else is ignoring these hints and performs automounting.
I'm trying to figure out the root cause but I have no idea. | 18:13:51 |
| Ubottu | GitHub Issue #707 in storaged-project/udisks "FAT disks should not be mounted with showexec" [closed]
| 18:13:52 |
| 1 Nov 2024 |
|  @j:matrix.nabro.co.uk joined the room. | 00:09:03 |
| @j:matrix.nabro.co.uk | Hi all, given "Public key authentication implemented within the SSH daemon itself bypasses the PAM auth stack. " can anyone provide me with some documentation around this? | 00:35:56 |
| @j:matrix.nabro.co.uk | Closest thing to docs I seen so far is comment 2 on https://bugzilla.redhat.com/show_bug.cgi?id=1492313 | 00:45:40 |
|  Chort joined the room. | 00:52:02 |
| Chort changed their profile picture. | 00:54:40 |
| ashugg | In the RedHat Bugzilla 1492313 you linked to, I believe this is the comment you're referring to?
"The auth section of PAM stack is executed only for the password (or keyboard-interactive too?) authentication. For others, the auth section is skipped. Even though it might be confusing at first, this is how it always was and the only way how it makes sense, since for example in public key authentication, you do not have any authentication tokens that could PAM accept in pam_authenticate(). Therefore SSH calls just account and session sections."
The explanation seems fairly clear to me,
i.e. key exchange with OpenSSH is not something that can be looped out through PAM.
The ssh(1) and ssh_config(5) man pages only reference PAM as an option for keyboard-interactive authentication. You can have a look at auth-pam.c in the OpenSSH-portable source code (https://github.com/openssh/openssh-portable) to see a bit more, or browse the archives of the openssh-portable mailing list.
However, in terms of opening an interactive shell on a remote Linux server, using public key authentication with OpenSSH, PAM should still be involved further down the chain by the Linux system's user login process. It's been a while since I've seen this but I'm pretty sure that's right. I recall being unable to log in over OpenSSH with an account that was locked in Active Directory. The key exchange was fine so OpenSSH was happy, but PAM then denied the login.
I hope this helps a bit. | 08:12:02 |
| ashugg | Actually… just having typed all that, this article (March 2024) covers it a lot better.
https://www.baeldung.com/linux/usepam-yes-ssh-effects
| 08:13:41 |
| @j:matrix.nabro.co.uk | Ty! | 08:14:24 |
| @j:matrix.nabro.co.uk | I guess knowing is the most important bit but was kinda hoping there was a specific bit of documentation or perhaps a design document that covered the fact that public key auth will jump past the PAM auth stack.
There seems to be plenty of call outs to the gotchas of this across bug reports etc... but it seems like man pages for sshd_config should probably explicitly call out the different behaviour between ssh auth and PAM interaction? | 08:20:20 |
| @j:matrix.nabro.co.uk | Particularly given the implications of public keys if system admins believe their rules in the auth stack for PAM are still taking effect. | 08:21:43 |
| ashugg | Well… despite the fact that it's widely used by corporations large and small across the entire planet, OpenSSH-portable is a volunteer effort. If any of the major operating system vendors or projects that incorporate OpenSSH-portable have useful documentation such as you wish for, they haven't chosen to (or haven't been able to) push that back upstream to be part of the codebase and thus available to all.
What you're pointing out is valuable, I think, and if you (and others) were to submit man page updates for the openssh-server package in Ubuntu, they might also be accepted upstream by Debian, and in turn by OpenSSH-portable. Or you could go straight to the top and start a discussion on the openssh-portable mailing list about it. | 08:31:38 |
| @j:matrix.nabro.co.uk | Aye, after all it's FOSS, be the change you want to see 🙂 | 08:34:02 |
| ashugg | You got it! :) | 08:47:55 |
