
    Posts made by 1337

    • RE: Powershell (or CMD) to print PDF files

      @1337 said in Powershell (or CMD) to print PDF files:

      Use mailbox message passing instead.

      Basically you make a powershell script that runs in a loop. It looks in a folder for file_to_print. When it finds it, it sends it to the printer, perhaps generates a response.txt file and then deletes file_to_print.

      Your webserver prints by sending the file_to_print into the right folder using ssh (or smb). Then waits for the response.txt for ok or error. Or polls it on a regular basis.

      It's message passing between two different asynchronous processes where both can access a common folder. The common folder is the "mailbox" in the paradigm - and the files are the "messages".

      I think I'd lean towards using smb to transfer the files since it would be so very simple to drop the pdf-file directly into the right place from wherever you want - if you set up a file share on the windows PC.

      posted in IT Discussion
      1
      1337
    • RE: Powershell (or CMD) to print PDF files

      Use mailbox message passing instead.

      Basically you make a powershell script that runs in a loop. It looks in a folder for file_to_print. When it finds it, it sends it to the printer, perhaps generates a response.txt file and then deletes file_to_print.

      Your webserver prints by sending the file_to_print into the right folder using ssh (or smb). Then waits for the response.txt for ok or error. Or polls it on a regular basis.

      It's message passing between two different asynchronous processes where both can access a common folder. The common folder is the "mailbox" in the paradigm - and the files are the "messages".

      posted in IT Discussion
      1
      1337
    • RE: How to properly add 3rd party package repositories to Debian distros

      Alternative to manually install 3rd party repositories

      There is an alternative to manually manage repositories and keys and that is to use extrepo

      extrepo is a curated list of 3rd party repositories and keys and it's a debian package.
      It's only been around a couple of years so I don't know how widely used it is yet.

      Installation

      To install it run

      apt install extrepo
      

      Add repository

      To add postgreSQL repository for example:

      extrepo enable postgresql
      

      Disable repository

      To disable a repository, for example:

      extrepo disable postgresql
      

      Where do files go?

      extrepo puts apt config files in /etc/apt/sources.list.d as you would manually but manages keys in its own directory /var/lib/extrepo/keys

      Repositories available

      Currently these repositories are in there:

      • anydesk
      • apertium-nightly
      • apertium-release
      • bareos
      • belgium_eid_continuous
      • brave_beta
      • brave_nightly
      • brave_release
      • caddyserver
      • consol
      • debian_official
      • dns-oarc
      • docker-ce
      • edge
      • elbe
      • eturnal
      • eyrie
      • fai
      • feistermops
      • gitlab_ce
      • gitlab_ee
      • gitlab_runner
      • google_chrome
      • google_cloud
      • grafana
      • grafana_beta
      • grafana_enterprise
      • grafana_enterprise_beta
      • haproxy-2.8
      • i2pd
      • janitor
      • jellyfin
      • jenkins
      • jitsi-stable
      • kea
      • keybase
      • kicksecure
      • kicksecure_developers
      • kicksecure_proposed
      • kicksecure_testers
      • lihas
      • liquorix
      • matrix
      • mobian
      • msteams
      • neurodebian_software
      • newrelic
      • nginx
      • node_12.x
      • node_14.x
      • node_16.x
      • node_18.x
      • notesalexp
      • ooni
      • openmodelica-contrib-nightly
      • openmodelica-contrib-release
      • openmodelica-contrib-stable
      • openmodelica-nightly
      • openmodelica-release
      • openmodelica-stable
      • openstack_antelope
      • openstack_zed
      • openvpn
      • opera_stable
      • opsi
      • passbolt
      • postgresql
      • prosody
      • proxmox-ceph-quincy
      • proxmox-pve
      • proxmox-pve8
      • r-project
      • raspberrypi
      • raspbian-addons
      • realsense
      • rspamd
      • signal
      • skype
      • slack
      • speedtest-cli
      • spotify
      • steam
      • surface-linux
      • sury
      • syncevolution
      • syncthing
      • teamviewer_default
      • teamviewer_preview
      • torproject
      • trinity
      • vector
      • vscode
      • vscodium
      • weechat
      • whonix
      • whonix_developers
      • whonix_proposed
      • whonix_testers
      • winehq
      • wire-desktop
      • wire-internal-desktop
      • wtf
      • wtf-lts
      • x2go
      • x2go-extras
      • x2go-lts
      • x2go-nightly
      • xpra
      • xpra-beta
      • yarnpkg
      • zammad
      • zulu-openjdk
      posted in IT Discussion
      1
      1337
    • How to properly add 3rd party package repositories to Debian distros

      How to add 3rd party repositories

      There is some confusion about how to add 3rd party repositories to Debian based distros. In part because best practice has changed a few times and also because there is a lot of incorrect info floating around everywhere and it is copy & pasted over and over.

      How do repositories work

      A debian package repository is nothing more than straight files on a webserver, laid out in a particular way. To make sure the packages we are downloading and installing haven't been tampered with, debian package system (apt) uses SHA256 file hashes. To make sure the file hashes haven't been tampered with, debian uses cryptographically signed files, aka gpg keys or openpgp keys.

      Debian and Ubuntu already come pre-installed with their own gpg keys but we need to add 3rd party repositories manually or in some cases through pre-built packages.

      Finding the gpg key

      There is no standard location where to find the gpg key needed but usually the file is on the repository website and its exact URL is in the installation instructions.

      Let's use postgreSQL as an example.

      Looking at their outdated documentation we will find the repository's public key at https://www.postgresql.org/media/keys/ACCC4CF8.asc

      Binary and ascii armored gpg keys

      Keys can be in binary format or ascii encoded (aka ascii armored). Debian package system can handle both but the files need to have the proper file extension.

      • binary files should be *.gpg
      • ascii armored should be *.asc

      Most package repositories use ascii armored key files but it can have any name regardless. Common examples are:

      • *.gpg
      • *.asc
      • *.key
      • *.gpg.key

      How to determine what type of key file

      If we open the key file we can immediately verify what type of key it is because ascii armored keys start with -----BEGIN PGP PUBLIC KEY BLOCK-----

      To show the start of the file straight from the shell run:

      curl -sL https://www.postgresql.org/media/keys/ACCC4CF8.asc | head -1
      

      Where to add the key file

      To add this key to your system it should be placed in /etc/apt/keyrings/ and nowhere else. For more info run man sources.list on a current debian distro.

      Older distros don't have that directory but you can just create it as root with mkdir /etc/apt/keyrings. It should get the right permissions but it's 0755.

      So to get the key from PostgreSQL using curl and put it in the right place do this as root:

      curl -sL https://www.postgresql.org/media/keys/ACCC4CF8.asc > /etc/apt/keyrings/postgresql.asc
      

      Add repository info

      Now we need to add the repository URL and tell the package system which key to use.

      3rd party URL should be added in the /etc/apt/sources.list.d directory by creating one config file for every repository with the name *.list

      What distro / code name are we running?

      Often we need to know what specific distro and version/code name we are using because package repositories can often handle many different ones.

      Debian 12 for example is code name bookworm. If you want to script this you can use $(lsb_release -cs) to get the code name (needs to have package lsb-release installed).

      Note:
      If you find a reference to stable in the package repository documentation, it's probably wrong. Stable is used to refer to the current stable debian distro, but that changes every two years as soon as a new version becomes stable. And that breaks your repository information. Best practice is to use the code name and not stable.

      Content of the config files for apt

      The config file we are creating for postgreSQL should have the following basic info:
      deb http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main

      But we also need to add the information about what key to use:
      deb [signed-by=/etc/apt/keyrings/postgresql.asc] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main

      To create the config file as root do:

      echo "deb [signed-by=/etc/apt/keyrings/postgresql.asc] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main" > /etc/apt/sources.list.d/postgresql.list
      

      Run man sources.list for more info on what options are available in the apt config files.

      Checking that the repository is up

      Run apt update and the new repository should appear.

      So you see The following signatures couldn't be verified because the public key is not available ?
      Then something is wrong with your key file or it's location.

      If everything looks good your system is ready to install packages from the new repository with apt install

      Check repositories and priority

      Run apt policy if you want to check what repositories your system has.
      This also shows the priorities of the different repositories and tells apt what to do when the same package is available in different repositories. Run man apt_preferences for more info on that.

      Misc tools

      • To list what packages you have installed on your system run dpkg -l
      • To check what version a package is and what repository will be used to install it, run apt info <packagename> - for example apt info postgresql

      Uninstall repository

      To uninstall a 3rd party repository we just need to:

      • remove the config file from /etc/apt/sources.list.d
      • remove the key file from /etc/apt/keyrings

      And then run apt update to refresh the package list.

      In our example:

      rm /etc/apt/sources.list.d/postgresql.list
      rm /etc/apt/keyrings/postgresql.asc
      apt update
      

      Things to look out for

      • don't use apt-key, it has been deprecated
      • don't put keys anywhere but /etc/apt/keyrings, it's outdated
      • no need to convert key types with gpg - if you see gpg used you know it's outdated
      • don't run unvetted install scripts as root to install 3rd party packages, it's unsafe. Looks like this: curl unknownscript.sh | bash -
      • verify that you actually need the 3rd party repository with your current version - in many cases you don't
      • check that you have the packages needed. Debian minimal install doesn't have curl installed by default for example
      • you need either curl or wget to download files - when you see both used in a script you know it's a mishmash of multiple sources
      posted in IT Discussion debian ubuntu apt package management administration raspberry pi os
      1
      1337
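The procedure from the post above (key file into /etc/apt/keyrings, one signed-by entry per repository in /etc/apt/sources.list.d), as an added example that is not the poster's code. It goes one step beyond the post by picking the .asc or .gpg extension from the file's content and refusing anything that is not an OpenPGP key; `APT_ROOT` is a hypothetical staging prefix and the key file in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example. APT_ROOT is a hypothetical staging prefix for dry runs;
# leave it empty (and run as root) to write to the real /etc/apt.
APT_ROOT="${APT_ROOT:-}"

# Print "asc" for an ASCII-armored key and "gpg" for a binary OpenPGP key.
# Fail for anything else, e.g. an HTML error page that "curl -sL URL > file"
# saved silently (curl -fsSL makes curl itself fail on HTTP errors).
key_extension() {
    first=$(head -n 1 "$1" | tr -d '\r\000')
    if [ "$first" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ]; then
        echo asc
        return 0
    fi
    # Binary public-key packets start with 0x98/0x99 (old format) or 0xc6 (new).
    case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
        98|99|c6) echo gpg ;;
        *) echo "not an OpenPGP public key: $1" >&2; return 1 ;;
    esac
}

# Copy key file $1 into /etc/apt/keyrings as NAME ($2) with the extension apt
# expects, then print the path to put in signed-by.
install_repo_key() {
    ext=$(key_extension "$1") || return 1
    mkdir -p "$APT_ROOT/etc/apt/keyrings" || return 1
    chmod 0755 "$APT_ROOT/etc/apt/keyrings"
    cp "$1" "$APT_ROOT/etc/apt/keyrings/$2.$ext" || return 1
    chmod 0644 "$APT_ROOT/etc/apt/keyrings/$2.$ext"
    echo "/etc/apt/keyrings/$2.$ext"
}

# Write /etc/apt/sources.list.d/NAME.list tied to exactly one key.
# $1 name, $2 key path, $3 repository URL, $4 suite, $5 component
write_repo_entry() {
    case "$4" in
        stable|stable-*) echo "warning: '$4' is not a code name" >&2 ;;
    esac
    mkdir -p "$APT_ROOT/etc/apt/sources.list.d" || return 1
    echo "deb [signed-by=$2] $3 $4 $5" > "$APT_ROOT/etc/apt/sources.list.d/$1.list"
}

# Full procedure: $1 name, $2 downloaded key file, $3 URL, $4 suite, $5 component.
# Nothing is written to sources.list.d unless the key file was accepted.
add_repo() {
    keypath=$(install_repo_key "$2" "$1") || return 1
    write_repo_entry "$1" "$keypath" "$3" "$4" "$5"
}

# Demo in a throwaway staging tree with a constructed, non-functional key file.
demo() {
    APT_ROOT=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'Q09OU1RSVUNURUQ=' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$APT_ROOT/ACCC4CF8.asc"
    add_repo postgresql "$APT_ROOT/ACCC4CF8.asc" \
        http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main &&
        cat "$APT_ROOT/etc/apt/sources.list.d/postgresql.list"
}
demo
```

On a real system, run `apt update` afterwards as the post describes; the content check here only catches a wrong file type, it does not prove the key belongs to the repository.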
    • RE: Debian 11 & php8

      @scottalanmiller said in Debian 11 & php8:

      Debian 12 "Bookworm" is, in theory, under a month away and is going to PHP 8.2. So that is very good. But the long release cycles are always going to be a challenge that there isn't really a reason for.

      Not a challenge at all but the reason to run "stable" is for stability. Meaning an update will never break your system and you get bug fixes and security updates. You won't get new features but you won't get new bugs that break your system either or changed functionality.

      If you don't want or need that stability and favor new shiny things then you just install debian "testing". It's a rolling release.

      Debian is not just one distro. Many companies run "testing" on workstations and "stable" on production servers.

      There is a third option and that is Debian "unstable". Then you get new packages as soon as they are available. This is for the enthusiasts and debian developers primarily and not recommended for the general user that just wants something that works.

      posted in IT Discussion
      1
      1337
    • RE: Debian 11 & php8

      @IgnaceQ said in Debian 11 & php8:

      See this site for instructions : https://php.watch/articles/install-php82-ubuntu-debian

      Better to install Debian 12 right now instead.

      It's extremely easy and when you run "apt update && apt upgrade" you get new packages.
      When Debian 12 becomes the official "stable" version, so will your new install - without you having to do anything.

      You just pick it from here:
      https://www.debian.org/devel/debian-installer/

      Most people will want this:
      https://cdimage.debian.org/cdimage/bookworm_di_rc3/amd64/iso-cd/debian-bookworm-DI-rc3-amd64-netinst.iso

      posted in IT Discussion
      1
      1337
    • RE: sssd and user ID mapping

      @stacksofplates said in sssd and user ID mapping:

      @Pete-S said in sssd and user ID mapping:

      @Semicolon said in sssd and user ID mapping:

      @Pete-S If it is an issue, it's trivial enough to prevent public key authentication for users or groups of users, even groups of AD users.

      Sure, but the problem for developers and admins is that they usually need their keys. That's why I don't think ad/ldap integration with ssh users really works in that use case.

      The other solution, which is what I think is more suitable for developers and admins, is to use your SSO/AD solution with MFA to pickup a short-lived ssh certificate. Then you use the ssh certificate to actually access things.
      Many companies with huge infrastructures use this method because it's very scalable.

      We forced kerberos for SSH auth after we enabled AD integration. SSH works like keys then but you don't use the keys.

      Never used it but it seems to be a good solution if you want AD integration.

      I noticed that gitlab also supports kerberos for pushing and pulling. I assume github does too. That's very convenient.

      posted in IT Discussion
      1
      1337
    • RE: sssd and user ID mapping

      @Semicolon said in sssd and user ID mapping:

      @Pete-S That sounds interesting, I'll have to dig into that a little more. In the mean time, we've added the public keys to the user accounts in AD and configured openssh to validate the keys against AD instead of the local files.

      SSH certificates are great. Since certificates are based on trust you don't need to copy keys anywhere.

      Basically you have server certificates and user certificates. The server can authenticate all users by using the user's certificate issuer's public key. The user can verify that the server is valid in the same way (no fingerprint questions).

      That's the basic authentication. Servers don't need to access any central authentication mechanism to authenticate users.

      Using AD or any other identity provider only comes into play when it comes to issuing the ssh certificate to the users.
      You simply have to present your credentials to get the new ssh certificate. This can be through a webpage / service or cli interface.

      This service connects to the identity provider and also looks up if the user is authorized to get a ssh certificate.

      Since certificates can have a validity period, you can set how long the certificate is valid when it's issued. One day seems to be a common choice.
      Using short validity means you don't need to think about revoking certificates and you don't need to think about key rotation. Because you will get that automatically since the certificate expires naturally.

      BTW, the ssh certificates look just like ssh keys (a file). They are not as complicated as ssl certificates.

      posted in IT Discussion
      1
      1337
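The certificate flow described in the post above, as an added example that is not part of the thread: a user CA signs a user key for one day, a host CA signs a host key, and the resulting certificates are inspected. All names (alice, web01.example.com, the file names) are constructed, and the CA keys are generated locally only so the demo runs offline; the SSO/AD login step in front of the issuing service is not shown.

```shell
#!/bin/sh
# Added example; every name here (alice, web01.example.com, file names) is
# constructed. Requires OpenSSH's ssh-keygen. In the setup described above the
# CA private keys would live only on the issuing service.

# Create an ed25519 key pair at path $1 with comment $2 and no passphrase.
new_key() {
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1"
}

# Sign user public key $2 with CA private key $1 for principal (login) $3.
# $4 is the validity, e.g. +1d; the result is written as <key>-cert.pub.
issue_user_cert() {
    ssh-keygen -q -s "$1" -I "user:$3" -n "$3" -V "$4" "$2"
}

# Sign host public key $2 with CA private key $1 for host name $3 (-h = host cert).
issue_host_cert() {
    ssh-keygen -q -s "$1" -h -I "host:$3" -n "$3" -V "$4" "$2"
}

# Print a single-line field of certificate $1, e.g. Type or Valid.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: *//p"
}

# Print the principals of certificate $1, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        sed -n '/Principals:/,/Critical Options:/p' | sed '1d;$d' | tr -d ' \t'
}

demo() {
    d=$(mktemp -d) || return 1
    new_key "$d/user_ca" 'demo user CA' && new_key "$d/host_ca" 'demo host CA' &&
    new_key "$d/id_alice" alice && new_key "$d/ssh_host_key" web01 &&
    issue_user_cert "$d/user_ca" "$d/id_alice.pub" alice +1d &&
    issue_host_cert "$d/host_ca" "$d/ssh_host_key.pub" web01.example.com +52w &&
    echo "user cert valid: $(cert_field "$d/id_alice-cert.pub" Valid)" &&
    echo "user principals: $(cert_principals "$d/id_alice-cert.pub")" &&
    echo "host cert type:  $(cert_field "$d/ssh_host_key-cert.pub" Type)"
    # Server side (sshd_config):  TrustedUserCAKeys /etc/ssh/user_ca.pub
    #                             HostCertificate /etc/ssh/ssh_host_key-cert.pub
    # Client side (known_hosts):  @cert-authority *.example.com <host_ca.pub contents>
    rm -rf "$d"
}
command -v ssh-keygen >/dev/null 2>&1 && demo
```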
    • RE: sssd and user ID mapping

      @Semicolon said in sssd and user ID mapping:

      @Pete-S If it is an issue, it's trivial enough to prevent public key authentication for users or groups of users, even groups of AD users.

      Sure, but the problem for developers and admins is that they usually need their keys. That's why I don't think ad/ldap integration with ssh users really works in that use case.

      The other solution, which is what I think is more suitable for developers and admins, is to use your SSO/AD solution with MFA to pickup a short-lived ssh certificate. Then you use the ssh certificate to actually access things.
      Many companies with huge infrastructures use this method because it's very scalable.

      posted in IT Discussion
      1
      1337
    • RE: sssd and user ID mapping

      @EddieJennings

      I think having uid handled automatically makes sense.

      When you talk about developers and admins though, my first thought is that they'll immediately install ssh keys and bypass AD altogether.

      posted in IT Discussion
      1
      1337
    • RE: sssd and user ID mapping

      @EddieJennings

      What type of users / VMs are we talking about? Is it virtual linux workstations or are you talking about admin access to servers or something else?

      posted in IT Discussion
      1
      1337
    • RE: Debian 11 & php8

      @WLS-ITGuy said in Debian 11 & php8:

      One of the applications we use just released a new version and the update requires php8.0 or above.

      So right now the best approach is to wait until Debian 12 is released officially and then install Debian 12 with the new version of the application.
      If the application is supported on Debian they have likely tested it with Debian 12.

      posted in IT Discussion
      1
      1337
    • RE: Debian 11 & php8

      It might be of interest to know that Debian 12 tentative release date is June 10th.

      Debian 12 uses PHP 8.2

      You can always find the packages of every release here:
      https://www.debian.org/distrib/packages

      Look under "stable" packages for the current release and under "testing" for the next upcoming version of debian.

      For example this is the upcoming php version in Debian 12 (aka bookworm):
      https://packages.debian.org/bookworm/php

      posted in IT Discussion
      1
      1337
    • RE: Debian 11 & php8

      @WLS-ITGuy said in Debian 11 & php8:

      One of the applications we use just released a new version and the update requires php8.0 or above.

      We're using Debian 11 and since 11.7 was just released, which doesn't have php8 in the release. I was wondering how do I find out when things like php, Mariadb, Apache, NGINX, etc get applied to distros?

      You are running debian stable which means that packages have stable versions.

      So when Debian 11 was released with php version 7.4.x it will keep having that version forever. It will never become php 8.
      It's because php8 is not 100% backward compatible with 7.x so if Debian would automatically upgrade to php8 then applications will break. That is not a stable approach.

      This goes for all packages, not just php. Updates will only be minor releases with bugfixes and security issues fixed.

      Every 2 years or so you get a new Debian stable version and then you get newer versions of all 50,000+ packages as well.

      posted in IT Discussion
      1
      1337
    • RE: Ubiquiti - UDM + APs - Guess Wireless Affecting POS Traffic

      @melvinsilva

      Is having wifi hotspots at local restaurants still a thing?

      Regardless, is there a bandwidth limiter on the guest network? That is a must IMHO.
      As I understand you have a cloud POS, in which case you are completely reliant on your internet bandwidth.

      PS. I might be wrong but it doesn't sound like you have identified where the problem actually is. Only that you have tried different things without resolving the problem.

      posted in IT Discussion
      1
      1337
    • RE: Project tracking

      @JasGot said in Project tracking:

      @Pete-S Thanks for all the thought you have put into your support. I'll have a look at ZoHo Ent. I did take a look at Monday.Com, I haven't decided if it will work yet.

      Hey, no problem, I'm happy to help.

      Sadly, I am the biggest problem with our ticketing system, I almost never use it on a daily basis. I wish I had someone following me around for the sole purpose of keeping my tasks updated in our ticketing system!

      Honestly, for MY tasks, a Word doc that I print in the morning is perfect.

      I firmly believe that any system needs to ease the user's workload to be successful in the long run. It's just not enough that it has other benefits.

      So I think you should look into how you can leverage the ticketing system in a better way.

      For me, the ticketing system saves me time compared to doing the same thing manually. It keeps me more focused on each issue, a more effective communicator and I get things such as time sheets for billing (paid support) with minimal effort (automatic time tracking).

      It's the same with the project management tool. When I'm in project mode it basically works as my very well organized to-do list. It keeps me on the right track and saves me time.

      However, both these systems required a significant amount of time to customize and hash out how to use them effectively for our use case. And as I mentioned earlier also to decide when a ticket actually becomes a project. It was however a worthwhile investment in time.

      posted in IT Business
      1
      1337
    • RE: Should I give my SSN to a U.S. Senator?

      @Florida_man said in Should I give my SSN to a U.S. Senator?:

      I reached out to both of my senators because my passport is taking too long to get and I am coming upon travel. The processing time has exceeded standard processing even though I have paid for expedited.

      Long story short, I am almost out of time. Both senators have emailed me back stating that I need to fill out a privacy form before they are able to talk to travel gov people (or whatever) on my behalf.

      They sent me a PDF asking for all the standard information, but also my full SSN. I am hesitant to send my entire personal information in a PDF to a senator lol. I am worried that if I don't, I will have delay and have to end up doing it anyway.

      The PDF form sent has No government markings of any kind. Just the senator's logo. It is a nice looking pdf, and made to look like a professional form, but it isn't your standard dry gov form I am used to seeing.

      (@scottalanmiller feel free to move, I did not know which category this fit.)

      You wrote down your SSN on the passport application. What is the difference? Is it email you are worried about?

      BTW, all senators have their own privacy form you need to fill out.
      For example:

      https://www.rubio.senate.gov/public/_cache/files/eb4493a8-20f2-49f5-87e9-244b8bff476d/56F9A1DD9724D855A94CB1263A502EA6.privacy-act-consent-form-orl-fillable-11.14.16-secured-.pdf

      https://www.rickscott.senate.gov/services/files/5287D07F-BE6B-4FA3-8C3E-B3B46D101AD4

      posted in IT Discussion
      1
      1337
    • RE: Project tracking

      @JasGot said in Project tracking:

      Sometimes we have one-off unique projects that may take months; during planning, we outline everything that needs to be done, and currently, try to remember to do it all!

      I honestly think a big whiteboard isn't going to cut it for you.

      We have mostly projects that span months and seldom recurring projects that are more than an hour or two of work. Those are usually handled as support tickets with a few subtasks.

      I think you could actually use something simpler for the recurring projects than a full-featured project management tool, but you'll benefit from it for longer projects so it makes sense to use that for both types of projects.

      If you have a team that is doing both projects and support I think it is wise to be very clear about what is what. So we use the project management tools to plan and execute our projects and then ticketing/helpdesk software to keep track of and handle everything that happens down the line after the project has been "delivered". So for something to be a project for us it has to pass certain criteria.

      BTW, if you are going to look at Zoho Project specifically you should look at the Enterprise plan. It has more customization and some features that are essential IMHO. At the other end you have the free plan but it's completely worthless for almost everything.

      In the end it will be a major project itself to implement a project management tool into your workflow - especially if you don't use anything today.

      posted in IT Business
      1
      1337