Re: HTTPD and php-cgi
> On 5 May 2018, at 03:23, Duncan Patton a Campbell wrote:
>
> I am looking for documentation on running php-cgi-5.6 under the bsd httpd
> server.
>
> From what I can tell, the function of php-fastcgi has been subsumed to
> php-cgi-5.6, but further than that I can find little or no salient
> documentation. Any pointers would be appreciated.

Hi Duncan,

Everything you need to know is in a README when you install the pkg.

$ less /usr/local/share/doc/pkg-readmes/php-7.0.28

Unfortunately the php example has been removed from /etc/examples/httpd.conf.
But you need something like the following in your httpd.conf:

server "default" {
        listen on $ext_addr port 80
        location "/.well-known/acme-challenge/*" {
                root { "/acme", strip 2 }
        }
        location "*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
        root "/htdocs/default"
}

Mischa
HTTPD and php-cgi
I am looking for documentation on running php-cgi-5.6 under the bsd httpd
server.

From what I can tell, the function of php-fastcgi has been subsumed to
php-cgi-5.6, but further than that I can find little or no salient
documentation. Any pointers would be appreciated.

Thanks,
Dhu

--
I am Canadian. That is not French or English. It is a kind of savage:
ne obliviscaris, vix ea nostra voco ;-)
http://babayaga.neotext.ca/PublicKeys/Duncan_Patton_a_Campbell_pubkey.txt
Re: Can SSH report successful connections to pf?
If you want to open the gate for those who authenticated using ssh, you may
need authpf(8) (known as Authentication Gateway):
https://www.openbsd.org/faq/pf/authpf.html
Re: Can SSH report successful connections to pf?
You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
for successful and unsuccessful logins and then add the unsuccessful logins
with pfctl to a blocked table. To have it permanent after a reboot you can
write with pfctl the blocked ip's to a file, which you re-read in a pf.conf
ruleset. Like

table persist file "/etc/pf.bruteforce"
block in quick proto tcp from to any

Stefan

From: owner-m...@openbsd.org on behalf of Luke Small
Sent: Saturday, 5 May 2018 00:16
To: openbsd-misc
Subject: Can SSH report successful connections to pf?

Can SSH and possibly other programs be more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?
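One way to do the authlog parsing Stefan describes, as an added example that is not from the thread: it pulls the source addresses of repeated sshd failures out of authlog and the rotated .gz copies and writes them to the file a persist table is loaded from. The table name <bruteforce>, the threshold of three failures and the sample log lines are assumptions of this example, not from the original post.

```shell
# Added example, not from the thread: collect source addresses with repeated
# sshd authentication failures from authlog and its rotated .gz copies and
# write them to the file a pf table is loaded from. Table name, threshold
# and sample log lines are assumptions. Matching pf.conf lines (assumed):
#   table <bruteforce> persist file "/etc/pf.bruteforce"
#   block in quick proto tcp from <bruteforce> to any port ssh

# Concatenate the given log files, decompressing rotated .gz copies.
cat_logs() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Print, one per line, every source IP with at least $1 failed sshd logins
# in the log files $2... "Accepted" lines are not counted, so a host that
# eventually logs in correctly is still judged only by its failures.
failed_ips() {
    min=$1; shift
    cat_logs "$@" | awk -v min="$min" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

# Constructed sample authlog (documentation-range addresses, not real hosts).
sample=$(mktemp); out=$(mktemp)
trap 'rm -f "$sample" "$out"' EXIT
cat > "$sample" <<'EOF'
May  5 00:16:01 gw sshd[12345]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  5 00:16:03 gw sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
May  5 00:16:05 gw sshd[12346]: Invalid user oracle from 203.0.113.5 port 51240
May  5 00:17:10 gw sshd[12350]: Accepted publickey for dhu from 198.51.100.7 port 40000 ssh2
May  5 00:18:00 gw sshd[12351]: Failed password for dhu from 198.51.100.7 port 40010 ssh2
EOF

# Build the table file (on a real host pass /var/log/authlog and
# /var/log/authlog.[0-9].gz instead of the sample); copy it to
# /etc/pf.bruteforce and load it with:
#   pfctl -t bruteforce -T replace -f /etc/pf.bruteforce
failed_ips 3 "$sample" > "$out"
```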
Re: Can SSH report successful connections to pf?
On 05/05/18 00:16, Luke Small wrote:
> Can SSH and possibly other programs be more easily able to report successful
> connections so pf can make stricter bruteforce connection rejecting even
> better?

Hi,

could be just me but I didn't get what you want to achieve really. Could you
be more specific here?

--
Tony
GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
Re: mail sign/encrypt
On 05/05/18 08:31, Tony Boston wrote:
> On 05/03/18 10:30, Rudolf Sykora wrote:
>> Hello misc,
>>
>> I'd like to be able to optionally
>> - sign my email,
>> - encrypt the email.
>>
>> I have a certificate in the .p12 form,
>> containing my private key and two certificates,
>> one of them mine.
>>
>> I want to prepare mail locally, i.e. to use
>> some simple locally installed MUA.
>>
>> Is there a way with the default "mail" program,
>> or do I have to install some more powerful MUA?
>>
>> Thanks
>> Ruda
>>
>
> I'd suggest Thunderbird + Enigmail for that but that really depends on
> what machine you're running on or if you want to go for CLI only
>
> just my 2 cents

It's also worth noting that this would encrypt/sign using the OpenPGP
standard. The discussion of .p12 certificates makes me suspicious the
author is after S/MIME, which Thunderbird can do without any extensions.

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
Re: mail sign/encrypt
On 05/03/18 10:30, Rudolf Sykora wrote:
> Hello misc,
>
> I'd like to be able to optionally
> - sign my email,
> - encrypt the email.
>
> I have a certificate in the .p12 form,
> containing my private key and two certificates,
> one of them mine.
>
> I want to prepare mail locally, i.e. to use
> some simple locally installed MUA.
>
> Is there a way with the default "mail" program,
> or do I have to install some more powerful MUA?
>
> Thanks
> Ruda
>

I'd suggest Thunderbird + Enigmail for that but that really depends on
what machine you're running on or if you want to go for CLI only

just my 2 cents

--
Tony
GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
Can SSH report successful connections to pf?
Can SSH and possibly other programs be more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?
Re: bioctl, encryption, and keydisk
On 04/05/18 17:40, Marcus MERIGHI wrote:
> I'm currently reading
> https://marc.info/?l=openbsd-misc&m=141435482820277
> "crypto softraid and keydisk on same harddrive", 2014-10-26.
>
> jsing@ had this patch, which was tested and worked for the OP - but was
> not committed:
> https://marc.info/?l=openbsd-misc&m=141450636905550

Nice! Thanks for that, I'll try.

--
Étienne
Re: bioctl, encryption, and keydisk
etienne.m...@magickarpet.org (Etienne), 2018.05.04 (Fri) 14:03 (CEST):
> Hello list,
>
> What I'm going to describe will most probably sound very silly, but I
> believe I have a reasonable use case. I'm trying to set up a machine with
> full disk encryption using a partition of the same disk as a keydisk. (take
> all the time you want to laugh, then carry on reading).
>
> So I'm creating two RAID partitions "a" and "p", then run:
>
> bioctl -c C -l sd0a -k sd0p softraid0
>
> and this succeeds. I'm then proceeding to a normal installation on sd1, then
> reboot, and I'm greeted with the message `ERR M`.
>
> I have tried this with the p partition at the beginning or at the end of the
> disk, tried to change sizes,... no effect. I'm wondering if what I'm trying
> is actually supported? Any idea?
>
>
> For those who wonder, my use case is installing 100+ virtual machines in the
> cloud with full disk encryption, rebooting them, and using rc.firsttime to
> overwrite the key so if the machine is powered down, it can't be booted
> anymore. I'm also aware that this is still vulnerable to an attack from
> someone who's in control of the host machine.

I'm currently reading
https://marc.info/?l=openbsd-misc&m=141435482820277
"crypto softraid and keydisk on same harddrive", 2014-10-26.

jsing@ had this patch, which was tested and worked for the OP - but was
not committed:
https://marc.info/?l=openbsd-misc&m=141450636905550

Index: i386_softraid.c === RCS file: /cvs/src/usr.sbin/installboot/i386_softraid.c,v retrieving revision 1.2 diff -u -p -r1.2 i386_softraid.c --- i386_softraid.c 9 Jun 2014 13:13:48 - 1.2 +++ i386_softraid.c 28 Oct 2014 14:21:27 - @@ -42,6 +42,7 @@ void sr_install_bootldr(int, char *); void sr_install_bootblk(int devfd, int vol, int disk) { + struct bioc_vol bv; struct bioc_disk bd; struct disklabel dl; struct partition *pp; 
@@ -56,6 +57,15 @@ sr_install_bootblk(int devfd, int vol, i bd.bd_diskid = disk; if (ioctl(devfd, BIOCDISK, &bd) == -1) err(1, "BIOCDISK"); + + /* Skip CRYPTO key disks. */ + /* XXX - pass volume in rather than volume ID. */ + memset(&bv, 0, sizeof(bv)); + bv.bv_volid = vol; + if (ioctl(devfd, BIOCVOL, &bv) == -1) + err(1, "BIOCVOL"); + if (bv.bv_level == 'C' && bd.bd_size == 0) + return; /* Check disk status. */ if (bd.bd_status != BIOC_SDONLINE && bd.bd_status != BIOC_SDREBUILD) { Marcus
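Review bot: in the second hunk the key-disk test `if (bv.bv_level == 'C' && bd.bd_size == 0) return;` identifies the key disk purely by a zero bd_size on a chunk of a CRYPTO volume, and the comment above it only says "Skip CRYPTO key disks"; state that zero-size assumption in the comment, because nothing else in the hunk shows why bd_size distinguishes the key disk from a data chunk. The early return also bypasses the "Check disk status" test that follows it, which is the intended effect for a key disk and is worth a word in the comment too. The "XXX - pass volume in rather than volume ID" remark is the right follow-up: since sr_install_bootblk(int devfd, int vol, int disk) is called per disk, the BIOCVOL ioctl and the memset are repeated for every disk of the same volume, and passing the already-fetched bioc_vol in from the caller would remove both.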
bioctl, encryption, and keydisk
Hello list,

What I'm going to describe will most probably sound very silly, but I
believe I have a reasonable use case. I'm trying to set up a machine with
full disk encryption using a partition of the same disk as a keydisk. (take
all the time you want to laugh, then carry on reading).

So I'm creating two RAID partitions "a" and "p", then run:

bioctl -c C -l sd0a -k sd0p softraid0

and this succeeds. I'm then proceeding to a normal installation on sd1, then
reboot, and I'm greeted with the message `ERR M`.

I have tried this with the p partition at the beginning or at the end of the
disk, tried to change sizes,... no effect. I'm wondering if what I'm trying
is actually supported? Any idea?

For those who wonder, my use case is installing 100+ virtual machines in the
cloud with full disk encryption, rebooting them, and using rc.firsttime to
overwrite the key so if the machine is powered down, it can't be booted
anymore. I'm also aware that this is still vulnerable to an attack from
someone who's in control of the host machine.

--
Étienne
Re: Machine won't boot - softraid metadata version mismatch
On 04 May 2018, Stuart Henderson wrote:
(snip)
> I'd start with an install to a new main disk, with the other drives
> unplugged for safety. Once it's installed and booted, connect the
> softraid drives and you'll be able to mount them.
>
> To figure out what needs transferring from the 5.4 install, it may
> help to use find(1) to look for files newer than the base OS install
> files, or compare a file listing (including timestamps) with one from
> a fresh 5.4 install (maybe some variant of "find / -newer /some/file -ls").
(snip)

Further, I'd add: take good notes about what you needed to transfer or
otherwise adjust and why. Those notes may be enormously helpful for the
future where you need to quickly provision another fresh system according
to your needs.

--
Mark
Re: Machine won't boot - softraid metadata version mismatch
On 2018-05-03, Erling Westenvik wrote:
> On Thu, May 03, 2018 at 10:51:12AM -0500, Brandon Tanner wrote:
>> I haven't posted here in years, and OpenBSD has been rock solid for a home
>> file server. However recently I somehow made the machine un-bootable and
>> I'm kicking myself for it now. I've tried to google my heart out to fix
>> this issue, but I doubt it is very common based on my searches.
>
> Don't panic.
>
>> My machine is OpenBSD 5.4, and has 2 x raid1 softraid with 4 disks, and a
>> 5th disc for the OS only.
>>
>> So I was wanting to try out the latest kernel to see if sysctl hw.sensors
>> would report my motherboard fan sensors since 5.4 does not, so I made a
>> bootable USB live-stick using 6.3, based on this article (
>> http://astro-gr.org/openbsd-live-usb-stick/) which says to prepare the
>> machine in QEMU and then dd it to a usb flash drive. I was able to boot the
>> USB stick fine, and run sysctl, and nope, my fan sensors are not there in
>> 6.3 either.
>>
>> Now, when I removed the stick and booted the old system (5.4), it now won't
>> boot. The complaint is that my softraid volumes have a metadata version
>> that is newer than it should be. I guess the live-USB stick actually
>> upgraded them somehow.
>
> Quoting https://www.openbsd.org/faq/upgrade60.html:
>
> "softraid(4) metadata version changed. The current softraid metadata
> version has been incremented as part of implementing support for sector
> sizes other than 512 bytes. Since on-disk metadata is automatically
> updated every time a softraid volume is mounted, once you mount a
> softraid volume on a new kernel (including bsd.rd) that volume will no
> longer be recognized by older kernels."
>
> As I see it, you have two options:
>
> 1. Upgrade your system to at least 6.0, carefully upgrading version by
>    version and following the steps for each upgrade guide:
>
>    5.4 -> 5.5
>    5.5 -> 5.6
>    5.6 -> 5.7
>    5.7 -> 5.8
>    5.8 -> 5.9
>    5.9 -> 6.0
>    6.0 -> 6.1
>    6.1 -> 6.2
>    6.2 -> 6.3
>
> 2. Do a fresh install of 6.3.
>
> I would go for option 1. It takes time but you'll learn a lot during the
> process, and in the end it may take you just as long to fine tune a
> fresh install.

There are multiple flag days in that upgrade process. Coming from 5.4,
unless it's a remote machine without console access, I would advise a
fresh install of 6.3 instead. (And even with console access, there are
some gotchas along the way). Upgrading step by step is a long slog. You'll
learn a lot from a fresh install approach too and I'd argue those things
are practically more useful.

I'd start with an install to a new main disk, with the other drives
unplugged for safety. Once it's installed and booted, connect the
softraid drives and you'll be able to mount them.

To figure out what needs transferring from the 5.4 install, it may
help to use find(1) to look for files newer than the base OS install
files, or compare a file listing (including timestamps) with one from
a fresh 5.4 install (maybe some variant of "find / -newer /some/file -ls").

If you don't have time for that, boot from a live USB or similar and
back up the softraid partition/s elsewhere (unless of course you already
have a backup). Then you could go back to 5.4, wipe and re-create the
softraid, then restore.

>> It looks like this person has a similar experience:
>> http://openbsd-archive.7691.n7.nabble.com/softraid-not-bootable-in-5-4-after-visiting-5-5-td253121.html#a253330

In that case it was not bootable but the metadata was still of the same
version. In your case running a post-6.0 version upgraded the metadata
making it unreadable by older versions. You won't be able to fix your case
just by using installboot/reattaching.