My error is: mount.nfs4: access denied by server while mounting fileserver:/export/path/one My question is: >where would the detailed log information be on the server (under systemd)? More information: == I asked a similar question from the Ubuntu client perspective on AskUbuntu. My focus in this question is on the Arch Linux server. In particular, I am looking for logs on the server that will help me understand the problem. **Here's the background:** Our small LAN is running an Arch Linux NFS v4 file server. We have several clients running Ubuntu 15.10 and 16.04. We have one client running Ubuntu 14.04. The 14.04 client will not connect to the file server. The others all connect fine. The settings are the same on all clients. And all clients are listed in /etc/exports on the server. I need to find more detailed error information on the Arch linux server. However, journalctl does not show anything related to nfs and it does not contain any entries that are related to the nfs access denied errors. The 14.04 client can ping the fileserver as well as log in via SSH. The user name / ID as well as group match. (I'm using the same user account / uid on both client and server. It is uid 1000.) Even more info: ==

$ sudo mount -a (on client)
mount.nfs4: access denied by server while mounting fileserver:/export/path/one
mount.nfs4: access denied by server while mounting fileserver:/export/path/two

The client can ping the fileserver (and vice versa):

$ ping fileserver
PING fileserver (192.168.1.1) 56(84) bytes of data.
64 bytes from fileserver (192.168.1.1): icmp_seq=1 ttl=64 time=0.310 ms

The client successfully logs into the LAN-based fileserver:

$ ssh fileserver
Last login: Tue Aug 16 14:38:26 2016 from 192.168.1.2
[me@fileserver ~]$

The fileserver's mount export and rpcinfo are exposed to the client:

$ showmount -e fileserver    # on client
Export list for fileserver:
/export/path/one/ 192.168.1.2
/export/path/two/ 192.168.1.2,192.168.1.3

$ rpcinfo -p fileserver (on client)
    program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  58344  status
    100024    1   tcp  58561  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    4   tcp   2049  nfs
    100003    4   udp   2049  nfs

This is the error when mounting the export directly:

$ sudo mount -vvv -t nfs4 fileserver:/export/path/one /path/one/

    mount: fstab path: "/etc/fstab"
    mount: mtab path:  "/etc/mtab"
    mount: lock path:  "/etc/mtab~"
    mount: temp path:  "/etc/mtab.tmp"
    mount: UID:        0
    mount: eUID:       0
    mount: spec:  "fileserver:/export/path/one"
    mount: node:  "/path/one/"
    mount: types: "nfs4"
    mount: opts:  "(null)"
    mount: external mount: argv = "/sbin/mount.nfs4"
    mount: external mount: argv[1]  = "fileserver:/export/path/one"
    mount: external mount: argv = "/path/one/"
    mount: external mount: argv = "-v"
    mount: external mount: argv = "-o"
    mount: external mount: argv = "rw"
    mount.nfs4: timeout set for Tue Aug 16 16:10:43 2016
    mount.nfs4: trying text-based options 'addr=192.168.1.1,clientaddr=192.168.1.2'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting fileserver:/export/path/one

When changing the hostname in the icewm-session, the application startup breaks down. Such errors are written in the logs .xsession-errors when launching applications:

Authorization required, but no authorization protocol specified
xterm: Xt error: Can't open display: :0

When i start the distribution (native build), xdm starts. After logging in to xdm, the script .xsession is run from the user's home directory, which contains:

#!/bin/bash

icewm-session -s

Next, the icewm session starts. If I log in again, then everything works fine. But as soon as I change the hostname, it becomes impossible to launch applications, although there are no problems in the icewm session. I created a issue for the problem, but it was rejected. Do I need to configure something additionally?

What is difference between **pbrun** and **sudo** command? I have seen people executing pbrun sudo su - what this means? I know su -, it will try to switch to root user. What speciality pbrun gives to sudo when it is used along with sudo command?

I am using Ubuntu 16.04. There is a file located at /usr/share/polkit-1/actions/org.freedesktop.login1.policy which seems to control the permissions regarding shutdown/suspend/hibernate options. In this file, the revelant options are in this format: no auth_admin_keep yes corresponding to every action (shutdown, suspend etc.). [Here](http://pastebin.com/SwKJN9Dq) is the full version of that file. I want to know the meaning of allow_any, allow_inactive and allow_active options. What do they mean exactly ? The reason for my curiosity is that I want to hibernate non-interactively without root (from cron), but am getting [authorization errors](https://askubuntu.com/questions/785509/hibernating-from-cron) . And it seems that those errors can be solved by modifying this file.

When you change password via kpasswd, does it change your password that is stored on the Kerberos server, or does it change your password that is stored in the OpenLDAP server?

## Question: Are there any further sources to catch up on the **implementation of groups in the linux kernel**. The man page about credentials helped me out so far, but I like to delve deeper (though still in a way more abstract than reading the source code of the kernel itself).

I'm currently trying to set up an SSH server so that access to it from outside the network is ONLY allowed using an SSH Key and does not allow access to root or by any other username/password combination. At the same time, internal users inside the network, still need to be able to connect to the same system, but expect to log in in the more traditional sense with a user name and password. Users both external & internal will be accessing the system from windows using PuttySSH and the external access will be coming into the system via a port forwarding firewall that will open the source port to the outside world on some arbitrarily chosen high numbered port like 55000 (or what ever the admins decide) The following diagram attempts to show the traffic flows better. I know how to set up the actual login to only use keys, and I know how to deny root, what I don't know is how to separate the two login types. I had considered running two copies of SSHD listening on different ports on the same IP and having two different configurations for each port. I also considered setting up a "match" rule, but I'm not sure if I can segregate server wide configurations using those options. Finally, the external person logging in will always be the same user let's call them "Frank" for the purposes of this question, so "Frank" will only ever be allowed to log in from the external IP, and never actually be sat in front of any system connecting internally, where as every other user of the system will only ever connect internally, and never connect from an external IP. Franks IP that he connects from is a dynamically assigned one but the public IP he is connecting too is static and will never change, the internal IP of the port forwarder like wise will also never change and neither will the internal IP address of the SSH server. Internal clients will always connect from an IP in the private network range that the internal SSH servers IP is part of and is a 16 bit mask EG: 192.168.0.0/16 Is this set up possible, using one config file and one SSH server instance? If so, how do I do it? or Am I much better using 2 running servers with different config? For ref the SSH server is running on Ubuntu 18.04.

This may be an x-y problem and please feel free to point me in other directions as well. I'm trying to write a login mechanism to dovecot's passdb, using either a Lua plugin or a CheckPassword program. The end goal is to be able to use a yubikey OTP specifically for dovecot, rather than mandating yubikey for all login as a user. I found that the facilities available in /usr/libexec/auth seems usable. Specifically, I can call /usr/libexec/auth/login_yubikey -d username and get a password prompt. The program will print authorize to the terminal and exit with a 0 status on successful authorization. Now, using these facilities from another program seems difficult. The login_* facilities use readpassphrase(3) that does not read from stdin, but rather from /dev/tty (and the difference here eludes me, I must confess). How can I call the /usr/libexec/auth/login_* facilities supplying a password, rather than prompting the user for one? If this is not possible, how can I authorize a given password or key for a user from a program?

My servers are incessantly being brute-force attacked on my SSH port. I am using non-standard SSH port, firewall blacklist for port-scanners, and I am also using custom fail2ban-like script to ban offending IP addresses on my SSH port. However these attacks are distributed, and even if I block offending IP, there seems to be unlimited never-ending supply of new attacking IPs. Is there some authentication mechanism, where the SSH server would only react to authorized clients? I think something similar exists in wireguard. The server will completely ignore any network traffic that is not using the correct key. So that the attacking agent does not even know if anything is listening on that port. Does something similar exist for SSH? So that my ssh server would only reply with login prompt, if authorized clients connects? Is this perhaps what client-certificate authentication does?

I have a Linux centos 7 server. On that server, I started one script which should save images into one folder /images and inside the CSV file. Is there any chance that I can make CSV file and folder images accessible through the URL with a password, so the users who have passwords can open the link and see the file and images?

Numerous sources provide instructions for key-based authentication to an SSH server, rather than password based. In some isolated environments, it is preferable for a server to authorize a user without requiring any credentials, only a recognized user name. Is such a case supported by OpenSSH running under Linux? How may a server be configured to authorize a user without requiring credentials?

After system update/upgrade, I cannot escalate with sudo using correct password: user $ sudo -s [sudo] password for user: ******************** Sorry, try again. [sudo] password for user: ******************** Sorry, try again. (It is a VPS, and login is done via *ssh* without password - password is only needed for *sudo*) Group is set correctly. $ groups user user : user sudo docker This line is in */etc/sudoers* : # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL In rescue mode, reset the password, double checked the contents of */etc/shadow* against an independent program: mkpasswd --method=sha-512 --salt=GiHwtvMC Password: ******************** $6$GiHwtvMC$pONfZo5......Vg5c0 The output matches exactly the hash shown in */etc/shadow*. Still *sudo* escalation fails. **Are there other system settings that could prevent *sudo* escalation with a correct password?** (It occurred to me that the upgrade could have contained a targeted deliberate hack to persuade me to allow *sudo* escalation without a password, but that seems most unlikely). ---------- Contents of */etc/sudoers* , comments removed Defaults env_reset,timestamp_timeout=-1 Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:" root ALL=(ALL:ALL) ALL %admin ALL=(ALL) ALL %sudo ALL=(ALL:ALL) ALL ----------------- *excerpt from /var/log/auth.log* Jan 31 10:46:48 izu sshd: Accepted publickey for username from 111.111.111.11 port 52768 ssh2: RSA SHA256: Jan 31 10:46:48 izu sshd: pam_unix(sshd:session): session opened for user username by (uid=0) Jan 31 10:46:48 izu systemd-logind: New session 1 of user username. Jan 31 10:46:48 izu systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0) Jan 31 10:46:48 izu sshd: User child is on pid 1150 Jan 31 10:46:48 izu sshd: Starting session: shell on pts/0 for username from 111.111.111.11 port 52768 id 0 Jan 31 10:47:16 izu sudo: pam_unix(sudo:auth): authentication failure; logname=username uid=1000 euid=0 tty=/dev/pts/0 ruser=username rhost= user=username -------------- The problem was in a previously working modification to */etc/pam.d/common-auth* enabling logfile excerpts to be sent by email. # here are the per-package modules (the "Primary" block) auth [success=1 default=ignore] pam_unix.so nullok_secure # ADDED HOOK NOW REMOVED auth optional pam_exec.so seteuid /etc/local/lib/pam_auth_fail_notify.sh # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config

I want to authorize (or unauthorise) by adding (or removing) user to a group. Is it possible to have the changes be effective immediately without having to reboot? I just want to give one time access to a folder to a user and revoke it later. Edit ==== Also is it possible without logout?

Let's say I create a user named "bogus" using the adduser command. How can I make sure this user will NOT be a viable login option, without disabling the account. In short, I want the account to be accessible via su - bogus, but I do not want it to be accessible via a regular login prompt. Searching around, it seems I need to disable that user's password, but doing passwd -d bogus didn't help. In fact, it made things worse, because I could now login to bogus without even typing a password. Is there a way to disable regular logins for a given a account? *Note: Just to be clear, I know how to remove a user from the menu options of graphical login screens such as gdm, but these methods simply hide the account without actually disabling login. I'm looking for a way to disable regular login completely, text-mode included.*

My user user1 is running a graphical X session with pulse configured per-user. I need to run a graphical program that uses audio with user2. - If I do su user2; program program doesn't start and I get no audio neither video - If I do gksu -u user2 program the video is working, but I get no audio. Why there are these problems? What is the right way to start a pulse application that outputs sound on the pulse of my user? What the right way to start an X/audio application from another session(for example an SSH shell)?

I seem to be getting a lot of different connections (ssh) on this Ubuntu server I am sshed into. Are these just brute force attempts? When running

-tnpa | grep 'ESTABLISHED.*sshd'

why do I get at end of each line "root@p" and "[accep" respectively? Furthermore, when running

sshd.\*Failed /var/log/auth.log | tail -20

I seem to get a lot of different "invalid users". Why is that so? Lastly,

auxwww | grep sshd:

outputs two "[accepted]". Why is that so? Thank you Update: Another interesting thing happened now. I ran `netstat -tnpa | grep 'ESTABLISHED.*sshd' again and an IP in the form "103.100.xxxx" from Hong Kong apparently was listed. I had then run cat /var/log/auth.log | tail -100` and gotten the following

Feb 16 17:58:25 838396123831 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.100.210.xxx  user=root
Feb 16 17:58:26 838396123831 sshd: Received disconnect from 103.136.xxxxp ort 33268:11: Bye Bye [preauth]
Feb 16 17:58:26 838396123831 sshd: Disconnected from invalid user hero 103.136.xxxx port 33268 [preauth]
Feb 16 17:58:27 838396123831 sshd: Failed password for root from 103.100.xxxx port 40810 ssh2
Feb 16 17:58:27 838396123831 sshd: Received disconnect from 103.100.xxxx port 40810:11: Bye Bye [preauth]
Feb 16 17:58:27 838396123831 sshd: Disconnected from authenticating user root 103.100.xxxx port 40810 [preauth]

Then I ran `grep sshd.\*Failed /var/log/auth.log | tail -20` and spotted

16 18:00:42 838396123831 sshd: Failed password for invalid user ircbot from 103.136.xxxxx port 47546 ssh2

I then run `grep sshd.\*Failed /var/log/auth.log | tail -100` and see

Feb 16 17:53:24 838396123831 sshd: Failed password for root from 103.136.xxxx port 33470 ssh2
Feb 16 17:55:57 838396123831 sshd: Failed password for root from 103.136.xxxxx port 47406 ssh2

Feb 16 17:58:24 838396123831 sshd: Failed password for invalid user hero from 103.136.xxxxx port 33268 ssh2
Feb 16 18:00:42 838396123831 sshd: Failed password for invalid user ircbot from 103.136.xxxxx port 47546 ssh2

What does this mean? What is happening? Was or is any other person managed to log in to the server via ssh? "Last" command does not list any other Ip addresses except mine so...

I understand that a secure connection (i.e. ssh) is needed to authorize a connection to the remote server. But after that is authorized can the data be transmitted without encryption and compression as well? I am transferring files in the local network and could do without the overhead of compression and encryption, or even the attempt to compress then if they are suitable. Compression may be fine if it speeds things up, but encryption is not. I know of alternatives like FTP, NFS and Samba are available, but I prefer rsync, as the channel is closed once the transfer is complete

I'm working on a piece of automation that generates a list of allowed public keys and overwrites a server's user ~./ssh/authorized_keys. Is there a way to prevent a mistake in the automation to completely block me from accessing the host? I have some limitations, the server itself is from a VM image that gets updates over time, so creating additional users is not something I would like to pursue. So far I've thought of: - Would it be possible to have composition of authorized_keys. If there were 2 files, I could have a dynamic file and one of the files with a static fallback key. - I will still do a testing before the overwrite (like checking for contents and format of keys) to ensure I'm not copying an empty file. But still, something could go wrong. Is composition a possibility? If not do you folks have other ideas? Thank you in advance.

I would like to limit a user to only two commands: cat and exit. I've tried to edit visudo but it does not work. My OS version is CentOS 8.

I have a requirement of generating a SPIFFY Cert from the openssl similar to this here https://unix.stackexchange.com/questions/393601/local-ssl-certificates-in-chrome-ium-63 can any one suggest on what need to be added to generate the spiffe uri to the cert ?