Re: OpenBSD/Linux centralized authentication
On Sun, Mar 19, 2006 at 02:27:39PM -0800, Adam D. Morley wrote:
> MS AD provides MIT-ish KDC support, or so I hear. I've never used it
> from the UNIX side, but I do know that Windows clients will willingly
> talk to a UNIX KDC, and I'm told the reverse is true.

Yes, you can authenticate against Active Directory using Kerberos. There are some minor caveats (mostly regarding encryption algorithms), but as far as the Unix clients are concerned it's just Kerberos. I've got some AIX boxes authenticating against Active Directory, even password changing from the AIX side works.

To get back to OpenBSD: this means that you can authenticate to Active Directory using Kerberos. Services for Unix aren't necessarily needed.

-- 
Jurjen Oskam
Re: RAIDframe partitioning choices...
Joachim Schipper wrote:
> On Fri, Mar 17, 2006 at 07:36:13PM +0100, Anthony Howe wrote:
>> Joachim Schipper wrote:
>>> --wd0a--        --wd1a--
>>> / (bootable)    / (bootable)
>>> /tmp            /tmp
>>> /usr            /usr
>>> /var            /var
>>>
>>> --wd0d--        --wd1d--
>>> raid0 (root)    raid0 (root)
>>>
>>> --raid0a-       --raid0a-
>>> /               /
>>> /usr            /usr
>>>
>>> Hmm - why include / and /usr again? OpenBSD will boot just fine off a RAID array, even a failed one, provided you can get the kernel read somehow.
>>
>> You have to have a RAID slice with / and /usr. If you mount just wd0a for / and /usr then if wd0 dies you have to reboot to mount with wd1a. If you happen to be a long way away from the console, then you're toast, unless you went the extra distance and set up the backup fstab on wd1a in advance. If you have them in a RAID and a disk dies, you can continue to use the system (degraded of course) without having to reboot until the new disk and you are present at the console.
>
> Maybe I don't understand, but how does it follow from the above that it is useful to have a third and fourth copy? I see the point in keeping / and /usr on RAID - the system will stay running and come up even if one of the underlying disks fails.

How would you reboot a degraded system where wd0 containing your / & /usr is dead? How would you reboot a system in order to reconstruct a replacement? Maybe a full /usr is unnecessary, but what if you had to rebuild the kernel for some reason before you could autoconfigure and transfer to the RAID? If you only have the one machine at hand, which is the one with the RAID. Both disks must be bootable and should have all the necessary tools you deem necessary to recover.

Now on smallish disks, installing more than just the base system might not be possible (necessary) spacewise and so you have alternative recovery methods ready (if you can remember where you put them), but when you're talking 40G+ disks, then there is ample space.

Today's hard disks are so large these days that I worry how SOHO sites can afford suitable backup solutions, but that be another discussion. The point being, if I'm building a RAID, it's typically for large disks and I don't want to take any chances being caught short when one of those disks dies, so I burn one or two gigas for bootable self-sufficient rescue slices per disk.

-- 
Anthony C Howe                Skype: SirWumpus
SnertSoft                     +33 6 11 89 73 78      AIM: SirWumpus
Sendmail Milter Solutions     http://www.snert.com/  ICQ: 7116561
                              http://www.snertsoft.com/
Re: Remote syslogging
On Mon, Mar 20, 2006 at 01:00:58AM -0500, Nick Guenther wrote:
> Hi list,
>
> I want to log things remotely (from a consumer-grade router running
> linux that keeps dying on me). I think the proper way to do this is to
> do "syslogd -u" but I am not sure because the manpage only vaguely
> mentions how insecure the -u option is and doesn't really explain it.
> I've found a page that describes using -u for OS X, and the linux
> manpage for sysklogd has a -r. RFC 3164 says "syslog uses the user
> datagram protocol (UDP) [1] as its underlying transport layer
> mechanism" so it seems like this is correct, but it seems odd.
>
> If I just run syslogd like this on my home LAN what are the risks I
> need to think about? I can't think of any except maybe that if someone
> can get into the LAN then they can fill up my disks.
>
> What other network logging 'solutions' are there, if any? Google only
> seems to know about syslog and IIS.

Syslog is nice, but the -u option has the disadvantage that effectively everyone can syslog to you. pf(4) can solve that, but unless you hardcode a MAC address (arp(4), arp(8)) this can be gotten around by spoofing (since UDP does not have a 'handshake', it is possible to let packets pretend to be from wherever you want). Of course, a trusted network path (ipsec(4) and friends, for instance) is also a good way to secure this.

There are some syslogd replacements that use TCP, or, even better, some form of authentication. A few are in ports.

Joachim
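The reply above names the two things a plain `syslogd -u` lacks: a source filter (which pf(4) can give you, and which a UDP sender can defeat by spoofing) and any brake on someone filling the disk, the risk the question raised. As an added example, not code from the thread, from OpenBSD's syslogd or from any of the ports mentioned, the following Python receiver applies those two controls in userspace: a per-source allowlist, a token bucket per source so a flood cannot fill the disk, and an RFC 3164 parser that cross-checks the hostname the datagram claims against the one expected for that source. The router address, the hostname "router", port 5140 and the sample datagram are constructed for the example.

```python
import re
import socket
import time
from dataclasses import dataclass

# Hypothetical values for this example: the one LAN router allowed to log
# here, and an unprivileged listening port instead of 514 (constructed).
ALLOWED_SOURCES = {"192.168.1.1": "router"}
LISTEN_PORT = 5140

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


@dataclass
class Record:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    message: str


def parse_rfc3164(data: bytes):
    """Return a Record for a well-formed RFC 3164 datagram, else None."""
    m = SYSLOG_RE.match(data)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # 24 facilities * 8 severities - 1
        return None
    return Record(pri // 8, pri % 8,
                  m.group("ts").decode("ascii"),
                  m.group("host").decode("ascii", "replace"),
                  m.group("msg").decode("utf-8", "replace"))


class SyslogGuard:
    """Source allowlist plus a per-source token bucket in front of the parser.
    The allowlist is the pf-style filter from the thread: a UDP source address
    is spoofable, so treat it as a nuisance filter, not as authentication."""

    def __init__(self, allowed, burst=100, rate=10.0):
        self.allowed = dict(allowed)          # src ip -> expected hostname
        self.burst, self.rate = burst, rate   # bucket size, refill per second
        self.buckets = {}                     # src ip -> (tokens, last seen)

    def _take_token(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[src] = (tokens, now)
            return False
        self.buckets[src] = (tokens - 1, now)
        return True

    def handle(self, src, data, now):
        """Return ('accept', Record) or ('drop', reason)."""
        if src not in self.allowed:
            return "drop", "source not allowlisted"
        if not self._take_token(src, now):
            return "drop", "rate limit exceeded"      # the disk-filling case
        rec = parse_rfc3164(data)
        if rec is None:
            return "drop", "malformed datagram"
        if rec.hostname != self.allowed[src]:
            return "drop", "hostname does not match source"
        return "accept", rec


def serve(guard, port=LISTEN_PORT):
    """UDP receive loop: what syslogd -u does, with the guard in front."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        while True:
            data, (src, _) = s.recvfrom(2048)
            verdict, detail = guard.handle(src, data[:1024], time.monotonic())
            print(src, verdict, detail)


# Constructed sample datagram: PRI 34 = facility 4 (auth), severity 2 (critical)
SAMPLE = b"<34>Mar 20 01:00:58 router dropbear[421]: Bad password attempt"

if __name__ == "__main__":
    serve(SyslogGuard(ALLOWED_SOURCES))
```

The hostname cross-check and the allowlist are only as strong as the source address, which is exactly the spoofing caveat the reply makes; the token bucket is what keeps a spoofed flood from filling the disk. Origin assurance still needs the trusted path (ipsec(4)) or an authenticated TCP transport the reply points to.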
Re: restore question: is my dump hosed?
On Mon, Mar 20, 2006 at 12:35:47AM -0500, Damian Gerow wrote:
> Thus spake Joachim Schipper ([EMAIL PROTECTED]) [20/03/06 00:34]:
> : Provided that you didn't do something strange when copying the dump, it
> : should - at least - be restorable on something that closely resembles
> : the platform it was taken on (FreeBSD-6.x).
>
> I believe the default FS type in FreeBSD 6.x (and even in 5.x) is UFS2.
> Which, as I understand it, only has the beginnings of a framework being
> developed for OpenBSD. And no, you can't restore a UFS2 dump on a UFS
> filesystem:
>
> $ restore -ivf root.ufs2.dmp
> Verify tape and initialize maps
> Tape block size is 32
> restore: Tape is not a dump tape
> $

Not to be a prick, but that's pretty much what I pointed out in the paragraph you snipped. ;-)

Also see undeadly.org for a writeup about UFS2.

Joachim
bgpd crash in snapshot of Mar 18 when use as route-reflector
I have bgpd crashing and killing itself in the current snapshot of March 18. It has happened twice so far, but I can't see why yet. Here are the error messages I got:

Mar 20 01:34:14 vcnam1 bgpd[18551]: fatal in SE: session_dispatch_imsg: pipe closed: Operation now in progress
Mar 20 01:34:14 vcnam1 bgpd[20582]: fatal in RDE: pipe write error: Broken pipe

bgpd.conf :

#macros
peer1="x.x.x.2"
peer2="x.x.x.3"
peer3="x.x.x.4"
peer4="x.x.x.5"

# global configuration
AS
router-id x.x.x.8
listen on x.x.x.8

# neighbors and peers
group "peering AS" {
	remote-as
	tcp md5sig password
	local-address x.x.x.8
	announce all
	multihop 5
	softreconfig out yes
	route-reflector
	neighbor $peer1 {
		descr "iBGP to peer1"
	}
	neighbor $peer2 {
		descr "iBGP to peer2"
	}
	neighbor $peer3 {
		descr "iBGP to peer3"
	}
	neighbor $peer4 {
		descr "iBGP to peer4"
	}
}

# filter out prefixes longer than 32 or shorter than 8 bits
deny from any
allow from any prefixlen 8 - 32

# do not accept a default route
# deny from any prefix 0.0.0.0/0

# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

=

OpenBSD 3.9-current (GENERIC.MP) #749: Sat Mar 18 17:13:49 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2146140160 (2095840K)
avail mem = 1834971136 (1791964K)
using 22937 buffers containing 214822912 bytes (209788K) of memory
mainbus0 (root)
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca2/2 spacing 1
mainbus0: Intel MP Specification (Version 1.4) (AMD HAMMER )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 252, 2612.39 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200MHz
mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type PCI
mpbios: bus 128 is type PCI
mpbios: bus 129 is type PCI
mpbios: bus 134 is type PCI
mpbios: bus 139 is type ISA
ioapic0 at mainbus0 apid 1 pa 0xfec0, version 11, 24 pins
ioapic1 at mainbus0 apid 2 pa 0xd800, version 11, 7 pins
ioapic2 at mainbus0 apid 3 pa 0xd8001000, version 11, 7 pins
pci0 at mainbus0 bus 0: configuration mode 1
"NVIDIA nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA nForce4 ISA" rev 0xa3
nviic0 at pci0 dev 1 function 1 "NVIDIA nForce4 SMBus" rev 0xa2
iic0 at nviic0: disabled to avoid ipmi0 interactions
iic1 at nviic0: disabled to avoid ipmi0 interactions
ohci0 at pci0 dev 2 function 0 "NVIDIA nForce4 USB" rev 0xa2: apic 1 int 10 (irq 10), version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
ehci0 at pci0 dev 2 function 1 "NVIDIA nForce4 USB" rev 0xa3: apic 1 int 11 (irq 11)
ehci0: timed out waiting for BIOS
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 4 ports with 4 removable, self powered
pciide0 at pci0 dev 6 function 0 "NVIDIA nForce4 IDE" rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 8 function 0 "NVIDIA nForce4 SATA" rev 0xa3: DMA
pciide1: using apic 1 int 10 (irq 10) for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ppb0 at pci0 dev 9 function 0 "NVIDIA nForce4 PCI-PCI" rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "NVIDIA GeForce2 MX" rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 12 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): apic 1 int 11 (irq 11), address 00:15:60:96:f3:f5
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev.
Re: USB Scanner question
On Sun, 19 Mar 2006, Navan Carson wrote:
> Just out of curiosity, which model scanner do you have? I'd never considered looking for one that can scan via the LAN, but now that you mention it, that sounds useful.

I own an Epson Perfection 1650. With all supported SANE scanners you should be able to scan via the LAN.

Regards,
-- 
Antoine
Remote syslogging
Hi list,

I want to log things remotely (from a consumer-grade router running linux that keeps dying on me). I think the proper way to do this is to do "syslogd -u" but I am not sure because the manpage only vaguely mentions how insecure the -u option is and doesn't really explain it. I've found a page that describes using -u for OS X, and the linux manpage for sysklogd has a -r. RFC 3164 says "syslog uses the user datagram protocol (UDP) [1] as its underlying transport layer mechanism" so it seems like this is correct, but it seems odd.

If I just run syslogd like this on my home LAN what are the risks I need to think about? I can't think of any except maybe that if someone can get into the LAN then they can fill up my disks.

What other network logging 'solutions' are there, if any? Google only seems to know about syslog and IIS.

Regards
-Nick
Re: restore question: is my dump hosed?
Thus spake Joachim Schipper ([EMAIL PROTECTED]) [20/03/06 00:34]:
: Provided that you didn't do something strange when copying the dump, it
: should - at least - be restorable on something that closely resembles
: the platform it was taken on (FreeBSD-6.x).

I believe the default FS type in FreeBSD 6.x (and even in 5.x) is UFS2. Which, as I understand it, only has the beginnings of a framework being developed for OpenBSD. And no, you can't restore a UFS2 dump on a UFS filesystem:

$ restore -ivf root.ufs2.dmp
Verify tape and initialize maps
Tape block size is 32
restore: Tape is not a dump tape
$

- Damian
Re: USB
On Monday 20 March 2006 12:13, Dan Smythe wrote:
> uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev
> 0x01: irq 11
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered

Your machine only has USB 1.0 ports.

---
Lars Hansson
Re: USB
On Sun, Mar 19, 2006 at 08:13:33PM -0800, Dan Smythe wrote:
> I have a USB DVD drive and a USB hard drive that are
> running slowly. In my dmesg (attached) it says that I
> am using USB 1.0. Is this a limitation of my hardware,
> or doesn't OpenBSD 3.8 have USB 2.0 support yet?
>
> Thanks
>
> --dmesg---
>
> OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT
> 2005
>
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 752
> MHz

Your machine is too old to come standard with USB 2. If you had a USB 2 capable system you would see ehci(4) appear in your dmesg.
Re: restore question: is my dump hosed?
On Sun, Mar 19, 2006 at 06:25:28PM -0600, [EMAIL PROTECTED] wrote:
> i made what i thought would be a fine backup of a freebsd-6.0 machine
> using dump. more specifically i issued a
>
> # dump -0f - /usr | ssh -o 'EscapeChar none' [EMAIL PROTECTED] "cat >
> /usr/dumps/usr.fs"
>
> this created usr.fs on my openbsd backup host. now that i'm trying to
> restore the dump on my backup host, which i now realize i should have
> tested prior to wiping the drive of the old machine, i am getting the
> following messages:
>
> # cat usr.fs | restore -rf -
> restore: Tape is not a dump tape
> # restore -i usr.fs
> restore: /dev/rst0: Device not configured
>
> this is disheartening and makes me worried :(. i hope i have not hosed
> my backup, but i am inclined to say that i haven't broken anything
> since i've done this before when setting up CGD on netbsd (see
> http://www.s-mackie.demon.co.uk/unix-notes/NetBSD-CGD-Setup.html ) and
> there were no issues there. could there be some problem with a dump
> from freebsd-6.0 not restoring on openbsd-3.7, i.e. if i reinstalled
> freebsd-6.0 on another machine, could i restore the dumps?
>
> thx for reading, quick replies appreciated.

While I do not know if Open- and FreeBSD are compatible in this regard - though it makes little sense not to be, *unless* you were using a filesystem that OpenBSD does not understand, it should work.

That being said, the proper syntax for restore is restore -rf usr.fs, but while the first is another unnecessary use of cat, only the second is really wrong. So that doesn't help either.

Provided that you didn't do something strange when copying the dump, it should - at least - be restorable on something that closely resembles the platform it was taken on (FreeBSD-6.x).

And, for the next time: tar is far more portable.

Joachim
USB
I have a USB DVD drive and a USB hard drive that are running slowly. In my dmesg (attached) it says that I am using USB 1.0. Is this a limitation of my hardware, or doesn't OpenBSD 3.8 have USB 2.0 support yet?

Thanks

--dmesg---

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 752 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 133648384 (130516K)
avail mem = 115331072 (112628K)
using 1657 buffers containing 6787072 bytes (6628K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 11/07/02, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 83%
apm0: AC on, battery charge high, charging, estimated 3:28 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbd80/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371 ISA and IDE" rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Mobility M3" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cbb0 at pci0 dev 3 function 0 "Texas Instruments PCI1420 CardBus" rev 0x00: irq 11
cbb1 at pci0 dev 3 function 1 "Texas Instruments PCI1420 CardBus" rev 0x00: irq 11
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x03 at pci0 dev 7 function 3 not configured
esa0 at pci0 dev 8 function 0 "ESS Maestro 3" rev 0x10: irq 5
ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at esa0
xl0 at pci0 dev 16 function 0 "3Com 3c556 100Base-TX" rev 0x10: irq 11, address 00:04:76:42:21:06
tqphy0 at xl0 phy 0: 78Q2120 10/100 PHY, rev. 11
"3Com V.90 Modem" rev 0x10 at pci0 dev 16 function 1 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 3 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ef4d netmask ef4d ttymask ffcf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
umass0 at uhub0 port 1 configuration 1 interface 0
umass0: Acer Labs USB 2.0 Storage Device, rev 2.00/1.03, addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets
cd1 at scsibus1 targ 1 lun 0: SCSI0 5/cdrom removable
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
Re: USB Scanner question
Antoine Jacoutot wrote:
> I, for one, am very happy with my Epson USB scanner. I can scan via USB and via the LAN too.

Just out of curiosity, which model scanner do you have? I'd never considered looking for one that can scan via the LAN, but now that you mention it, that sounds useful.
Re: CARP+pf+pfsync redundant firewalls running active/active doable?
Jason Stubbs wrote:
> From what I understand of the theory, it should work but I was hoping to get a "yes, I'm doing it" from somebody. Unless there's a reason it won't work, I'll be having a go and getting it set up in the first week of March and will write back with the results.

Ok, I had troubles and then looked at the supported solutions, but am still having the same problems.

For reference, I now have a testing setup that is the same as the "something bigger" on the following page:
http://www.countersiege.com/doc/pfsync-carp/#big

However, pfsync is syncing too slow causing problems with state handling. With one client, one server and the two arp-balanced firewalls in between, essentially what's happening is:

* Client sends SYN packet to server public ip via firewall 1
* Firewall 1 switches the destination to the server's private ip and forwards the packet
* Server receives the packet and sends a SYN/ACK packet back to the client via firewall 2
* Firewall 2 forwards the packet as is to the client
* Client sends a RST to the server's private IP (which gets forwarded elsewhere due to the private ip being unroutable)
* Firewall 2 receives the state update from firewall 1
* Client sends another SYN packet to server public ip via firewall 1
* Firewall 1 NATs it, sends it to the server which replies with a SYN/ACK going via firewall 2 as before
* Firewall 2 now has the state and so un-NAT's it and sends it back to the client.
* Client ACK's the SYN/ACK and the connection is set up

I don't fully understand the reasons, but even though the connection is set up, the state on each firewall is now out of sync. On firewall 1 the state is CLOSED:SYN_SENT and on firewall 2 the state is SYN_SENT:ESTABLISHED.

If I turn off arp-balance, only the one firewall is used and the states are correctly synced on the other firewall. Connections are maintained when rebooting either firewall and fully synced again after booting.

Configuration on firewall 1 is as follows:

/etc/hostname.carp0
inet 192.168.1.201 255.255.255.0 192.168.1.255 vhid 1 pass carp0dev carpdev fxp0 advskew 0

/etc/hostname.carp1
inet 192.168.1.201 255.255.255.0 192.168.1.255 vhid 2 pass carp0dev carpdev fxp0 advskew 50

/etc/hostname.carp2
inet 10.0.0.1 255.255.0.0 10.0.255.255 vhid 3 pass carp2dev carpdev em1 advskew 0

/etc/hostname.carp3
inet 10.0.0.1 255.255.0.0 10.0.255.255 vhid 4 pass carp2dev carpdev em1 advskew 50

/etc/hostname.em0
inet 10.255.255.2 255.255.255.0 NONE

/etc/hostname.em1
inet 10.0.255.1 255.255.0.0 NONE

/etc/hostname.fxp0
inet 192.168.1.203 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev em0

/etc/pf.conf
ext_if="fxp0"
syn_if="em0"
int_if="em1"
srv_ip="192.168.1.201"
table { 192.168.1.201 192.168.1.203 192.168.1.204 10.0.0.1 }
rdr on $ext_if proto tcp from any to 192.168.2.1 port ssh -> 10.0.1.1
pass quick on { $int_if $ext_if } proto carp
pass quick on { $syn_if } proto pfsync
pass in on $ext_if from ! to 10.0.1.1 keep state

/etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.carp.preempt=1
net.inet.carp.arpbalance=1

Configuration on firewall 2 is almost identical. The 0 and 50 are toggled on the carp devices. em0, em1 and fxp0 have their IPs incremented by 1. The firewall is wide open for testing. Closing everything but that which is absolutely necessary produces the same out-of-sync issue.

While I would ordinarily assume that the above is expected behaviour, the countersiege example indicates that it should be doable. Is there some step that I'm missing?

-- 
Jason Stubbs
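The ten-step sequence in the post is a race between the pfsync state insert travelling from firewall 1 to firewall 2 and the server's SYN/ACK returning through firewall 2: whichever arrives first decides whether the reply is un-NATed or leaks out with the private source address and draws a RST. As an added example, not code from the thread and not pf or pfsync code, this Python model replays that race with a delayed sync link, two firewalls holding a state table and the rdr rewrite, and a client that retries after a RST; it also records which handshake segments each box forwarded itself, which is where the asymmetric state the poster observed comes from. The addresses are constructed (the rdr pair 192.168.2.1 -> 10.0.1.1 follows the posted pf.conf), and the model syncs only the initial state insert, which is enough to reproduce the listed symptoms.

```python
from dataclasses import dataclass, field

# Constructed addresses following the thread's layout: an outside client, a
# server reached through the posted rdr (public 192.168.2.1 -> private 10.0.1.1),
# and two arp-balanced firewalls in between.
CLIENT, PUBLIC, PRIVATE = "client", "192.168.2.1", "10.0.1.1"


@dataclass
class Packet:
    src: str
    dst: str
    flags: str


@dataclass
class State:
    client: str
    public: str
    private: str
    seen: list = field(default_factory=list)   # handshake segments this box forwarded


class SyncLink:
    """pfsync stand-in: a state insert reaches the peer after a fixed delay."""

    def __init__(self, delay):
        self.delay, self.pending = delay, []

    def send(self, now, to_fw, st):
        self.pending.append((now + self.delay, to_fw, st))

    def deliver(self, now):
        still = []
        for at, fw, st in self.pending:
            if at <= now:
                fw.states[(st.client, st.private)] = State(st.client, st.public, st.private)
            else:
                still.append((at, fw, st))
        self.pending = still


class Firewall:
    def __init__(self, name):
        self.name, self.states, self.peer = name, {}, None

    def inbound(self, pkt, now, link):
        """rdr: client -> public becomes client -> private; a new state is synced."""
        key = (pkt.src, PRIVATE)
        st = self.states.get(key)
        if st is None:
            st = self.states[key] = State(pkt.src, pkt.dst, PRIVATE)
            link.send(now, self.peer, st)
        st.seen.append(pkt.flags)
        return Packet(pkt.src, PRIVATE, pkt.flags)

    def outbound(self, pkt):
        """Reply path: un-NAT only if this box already holds the state."""
        st = self.states.get((pkt.dst, pkt.src))
        if st is None:
            return pkt                    # forwarded as is: private source reaches the client
        st.seen.append(pkt.flags)
        return Packet(st.public, pkt.dst, pkt.flags)


def simulate(sync_delay, arpbalance=True, max_attempts=5):
    """Run the handshake; return (attempts needed, trace, segments each box saw)."""
    fw1, fw2 = Firewall("fw1"), Firewall("fw2")
    fw1.peer, fw2.peer = fw2, fw1
    link, now, trace = SyncLink(sync_delay), 0, []
    key = (CLIENT, PRIVATE)
    for attempt in range(1, max_attempts + 1):
        now += 1
        link.deliver(now)
        fw1.inbound(Packet(CLIENT, PUBLIC, "SYN"), now, link)
        trace.append(f"t={now} client SYN via fw1, NATed to {PRIVATE}")
        reply_fw = fw2 if arpbalance else fw1      # arpbalance lets the reply take the other box
        now += 1
        link.deliver(now)
        out = reply_fw.outbound(Packet(PRIVATE, CLIENT, "SYN/ACK"))
        if out.src == PUBLIC:
            trace.append(f"t={now} SYN/ACK via {reply_fw.name} un-NATed, client ACKs")
            view = {fw.name: fw.states[key].seen if key in fw.states else []
                    for fw in (fw1, fw2)}
            return attempt, trace, view
        trace.append(f"t={now} SYN/ACK via {reply_fw.name} still from {out.src}: "
                     "no state yet, client sends RST")
    return max_attempts, trace, {}


if __name__ == "__main__":
    for delay in (0, 2):
        attempts, trace, view = simulate(delay)
        print(f"sync delay {delay}: handshake completed on attempt {attempts}")
        print("\n".join("  " + line for line in trace))
        print("  segments seen:", view)
```

With a sync delay longer than the server's turnaround the first SYN/ACK reaches firewall 2 before the insert and is passed through unchanged, exactly the RST case in the list; with a zero delay, or with arpbalance off so the reply takes firewall 1, the handshake completes on the first attempt. Even in the successful run each firewall has forwarded only its own half of the handshake, which is why the two boxes end up with different views of the same connection.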
Re: UPEK Fingerprint-Reader (ThinkPad Notebooks)
> On Mon, Mar 20, 2006 at 01:00:57AM +0100, OpenBSD Prospect wrote:
> > Hi!
> >
> > I was wondering, if anybody knows, if / when the embedded fingerprint
> > reader
> > of certain ThinkPad notebooks (like in my T42p) will be supported in
> > OpenBSD,
> > since UPEK already officially supports Linux & FreeBSD
> > (http://www.upek.com/support/dl_freeBSD_bsp.asp)?
> >
> > I assume, quite some OpenBSD devs are using ThinkPads as well, and being a
> > security centered OS, it would make sense to have full use of equipment. ;-)
> >
> > I am not a coder, so I have no idea, if it helps in any way, that a FreeBSD
> > driver is available. If not, is any of the devs in contact with UPEK
> > concerning expanding support to OpenBSD?
>
> The library and PAM module they provide are both binary only
> with no hardware documentation. This is of no use to us.

Jonathan, I am sure he knew that, because I am sure he downloaded them and at least looked at them.

For those people who are happy with binary modules, I urge them to stick to Windows or Linux where they will be far more happy. For those people, being happy is just about accepting the compromises you have made.

In that sense I am happy too. I don't accept the compromise of vendor lock-in, so I am totally thrilled with whatever devices we manage to get to work.
Re: UPEK Fingerprint-Reader (ThinkPad Notebooks)
On Mon, Mar 20, 2006 at 01:00:57AM +0100, OpenBSD Prospect wrote:
> Hi!
>
> I was wondering, if anybody knows, if / when the embedded fingerprint reader
> of certain ThinkPad notebooks (like in my T42p) will be supported in OpenBSD,
> since UPEK already officially supports Linux & FreeBSD
> (http://www.upek.com/support/dl_freeBSD_bsp.asp)?
>
> I assume, quite some OpenBSD devs are using ThinkPads as well, and being a
> security centered OS, it would make sense to have full use of equipment. ;-)
>
> I am not a coder, so I have no idea, if it helps in any way, that a FreeBSD
> driver is available. If not, is any of the devs in contact with UPEK
> concerning expanding support to OpenBSD?

The library and PAM module they provide are both binary only with no hardware documentation. This is of no use to us.
Re: UPEK Fingerprint-Reader (ThinkPad Notebooks)
> I was wondering, if anybody knows, if / when the embedded fingerprint reader
> of certain ThinkPad notebooks (like in my T42p) will be supported in OpenBSD,
> since UPEK already officially supports Linux & FreeBSD
> (http://www.upek.com/support/dl_freeBSD_bsp.asp)?

Go ahead, recompile it. And if you can, how can you call what they supply "official support"? That is not documentation.

> I assume, quite some OpenBSD devs are using ThinkPads as well, and being a
> security centered OS, it would make sense to have full use of equipment. ;-)

We don't have those machines, and there is no documentation.

Let me be clear that it really bugs me when the members of our user community send us such mails. It doesn't matter that you can't code. You could be talking to the company in question and requesting documentation. But no. In the end it comes down to us doing all the politics, then all the coding, and all the hardware purchases too, while we get sweet words basically trying to mock us into doing it all for you.

I wish I didn't find it so condescending.
restore question: is my dump hosed?
i made what i thought would be a fine backup of a freebsd-6.0 machine using dump. more specifically i issued a

# dump -0f - /usr | ssh -o 'EscapeChar none' [EMAIL PROTECTED] "cat > /usr/dumps/usr.fs"

this created usr.fs on my openbsd backup host. now that i'm trying to restore the dump on my backup host, which i now realize i should have tested prior to wiping the drive of the old machine, i am getting the following messages:

# cat usr.fs | restore -rf -
restore: Tape is not a dump tape
# restore -i usr.fs
restore: /dev/rst0: Device not configured

this is disheartening and makes me worried :(. i hope i have not hosed my backup, but i am inclined to say that i haven't broken anything since i've done this before when setting up CGD on netbsd (see http://www.s-mackie.demon.co.uk/unix-notes/NetBSD-CGD-Setup.html ) and there were no issues there. could there be some problem with a dump from freebsd-6.0 not restoring on openbsd-3.7, i.e. if i reinstalled freebsd-6.0 on another machine, could i restore the dumps?

thx for reading, quick replies appreciated.

jake
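The "restore: Tape is not a dump tape" message in this thread comes from the first 1024-byte record of the dump image: restore reads the record's magic word and rejects any format it does not recognise, and the replies attribute this case to a UFS2 dump from FreeBSD 6 being fed to an OpenBSD 3.7 restore. As an added example that is not part of the thread and not dump or restore code, the following Python inspector reads that first record, tries both byte orders, reports whether the magic is the UFS1 (NFS_MAGIC) or the UFS2 value, and verifies the record checksum, so a dump can be checked for readability before the source disk is wiped. The constants are the ones from the BSD protocols/dumprestore.h header as I know them; which magic values a particular system's restore accepts has to be checked against that system's header. The sample records are constructed inside the block.

```python
import struct
import sys

# Constants from the BSD dump(8) record format (protocols/dumprestore.h).
TP_BSIZE = 1024                 # size of one tape record
NFS_MAGIC = 60012               # UFS1 ("new file system") dump record magic
FS_UFS2_MAGIC = 0x19540119      # UFS2 dump record magic written by FreeBSD 5/6 dump
OFS_MAGIC = 60011               # pre-4.4BSD old file system format
CHECKSUM = 84446                # the 256 int32 words of a record sum to this value
MAGIC_OFFSET = 24               # c_type, c_date, c_ddate, c_volume, c_tapea, c_inumber precede c_magic
TS_TAPE = 1                     # c_type of the first (header) record

NAMES = {NFS_MAGIC: "ufs1", FS_UFS2_MAGIC: "ufs2", OFS_MAGIC: "old-ffs"}

UNKNOWN = {"format": "unknown", "byteorder": None, "checksum_ok": False, "record_type": None}


def _words(buf, order):
    """The record as 256 unsigned 32-bit words in the given byte order."""
    return struct.unpack(order + "256I", buf[:TP_BSIZE])


def inspect_dump_header(buf):
    """Classify the first record of a dump image without running restore.
    Returns dict(format, byteorder, checksum_ok, record_type)."""
    if len(buf) < TP_BSIZE:
        return dict(UNKNOWN)
    for order, name in (("<", "little"), (">", "big")):
        magic = struct.unpack_from(order + "I", buf, MAGIC_OFFSET)[0]
        if magic in NAMES:
            w = _words(buf, order)
            return {"format": NAMES[magic], "byteorder": name,
                    # restore sums the words as 32-bit ints and compares to CHECKSUM
                    "checksum_ok": sum(w) % 2**32 == CHECKSUM,
                    "record_type": w[0]}
    return dict(UNKNOWN)


def make_sample_header(magic, order="<"):
    """Constructed test record: c_type=TS_TAPE, the given magic, and a c_checksum
    word chosen so that the whole record sums to CHECKSUM, as dump(8) writes it."""
    words = [0] * 256
    words[0] = TS_TAPE
    words[MAGIC_OFFSET // 4] = magic
    words[MAGIC_OFFSET // 4 + 1] = (CHECKSUM - sum(words)) % 2**32   # c_checksum follows c_magic
    return struct.pack(order + "256I", *words)


if __name__ == "__main__":
    # usage: python inspect_dump.py /usr/dumps/usr.fs
    with open(sys.argv[1], "rb") as f:
        print(inspect_dump_header(f.read(TP_BSIZE)))
```

A result of "ufs2" with a good checksum means the image is intact and the problem is the restore program, not the copy; "unknown" in both byte orders points at the transfer itself (the `cat >` over ssh in the question) having damaged or truncated the file.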
Re: CanSecWest/core06 Vancouver April 3-7
>This conference currently costs $1546 USD! :-(
>
>what moneybags loser is going to pay up so much just to go
>to a conference?
>
>buy yourself a nice computer, or hell, donate the money to
>openbsd.org instead! :-D
>
>drop a zero or two and it would be worth the trip

Clearly you've never been to a "DragosCon". For what you can learn and who you could meet, it's actually a reasonably-priced event. It's even cheaper if you commit early. I've been a couple of times and would definitely go again if there were more talks like Eric Byres' upcoming presentation on SCADA. The stuff that Halvar presents usually just makes my brain hurt.

It's a trade-off... I could go to a specialized ISA or IEEE event, spend less money on the conference, more money on travel and accommodations, and get less usable information, but haul in a dozen consulting leads. Or I could go to Core, spend more money on registration, less on travel, have my head blown apart by all the next-gen ideas, and drink beer with a bunch of cyber-nerds at Brandy's.

--Jason
UPEK Fingerprint-Reader (ThinkPad Notebooks)
Hi!

I was wondering, if anybody knows, if / when the embedded fingerprint reader of certain ThinkPad notebooks (like in my T42p) will be supported in OpenBSD, since UPEK already officially supports Linux & FreeBSD (http://www.upek.com/support/dl_freeBSD_bsp.asp)?

I assume, quite some OpenBSD devs are using ThinkPads as well, and being a security centered OS, it would make sense to have full use of equipment. ;-)

I am not a coder, so I have no idea, if it helps in any way, that a FreeBSD driver is available. If not, is any of the devs in contact with UPEK concerning expanding support to OpenBSD?

-- 
Sincerely,
Michael
An OpenBSD Prospect, who is actually using Gentoo Linux
ReinerSCT cyberjack pinpad USB (0x300) Smartcard-Reader
Hi!

I have two of these devices, which work in Gentoo Linux using Harald Welte's open-source driver (http://support.reiner-sct.de/downloads/LINUX/V2.0.9/ctapi-cyberjack-2.0.9.tar.bz2). I have an A-TRUST signature card, and I can login to my bank's online-banking, and I was hoping to use the certificate on that card also for signing / encrypting emails and documents (www.seccommerce.com has some free JAVA utilities on their website to access such a smartcard, and to digitally sign documents, for which the software can also be downloaded for free).

This actual GNU/Linux driver is working without a kernel module, accessing the unit over the usbfs in userspace. Therefore I thought, this would make it easier for porting it over to *BSD, but unfortunately I found the following comment on Harald Welte's blog (http://gnumonks.org/~laforge/weblog/linux/cyberjack/index.html):

- cut -
One minor problem though is that both cyberjacks need asynchronous delivery of interrupt URB's, a feature that is not available by libusb. The libausb wrapper library that I developed for this purpose is specific to linux usbdevio, so the userspace driver won't be working on other libusb supported platforms such as *BSD :(
- cut -

I am not a coder, so I can not tell, if this makes a *BSD port impossible, or not (maybe Harald just isn't familiar with *BSD enough).

Does nobody here have such a smartcard-reader? I think it should be quite popular here in Europe, because it is pretty cheap (I even got my two devices for free from my bank), they have MS Windows and Linux drivers available, and digital signatures will get pretty important in the near future (here in Austria it will be mandatory for invoices sent online with the beginning of next year).

-- 
Sincerely,
Michael
An OpenBSD Prospect, who is actually using Gentoo Linux
Re: bgpd error: route decision engine terminated; signal 11
On Sunday, March 19, 2006, at 19:22:25, fabioFVZ wrote:
> Hello,
> i have a problem with my openbgpd (OpenBSD 3.8 from Original CD :) )
> After random time...bgpd exit with this error:
[..]
> Any idea? Many thanks

I have similar problems. Try updating obgpd to the current version via CVS. It worked for me, and since then I first update to current and then ask questions ;-)

regs,
-- 
Sylwester S. Biernacki <[EMAIL PROTECTED]>
X-NET, http://www.xnet.com.pl/
Re: OpenBSD/Linux centralized authentication
On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
> Hi misc,
>
> At work, we are running a Microsoft Active Directory for our Windows
> Domain, who mainly provided Windows Desktop for our customers and
> centralized authentication. We have also several OpenBSD & Linux boxes
> for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> centralize these Unix authentication... Is there a way to authenticate
> directly over a MS Domain Controller ? How can this be achieved
> (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
> alternatives (building an OpenLDAP server, Kerberos, (we don't want
> NIS !)) ?

MS AD provides MIT-ish KDC support, or so I hear. I've never used it from the UNIX side, but I do know that Windows clients will willingly talk to a UNIX KDC, and I'm told the reverse is true. Authenticating Windows clients from OpenBSD Heimdal works just lovely.

Microsoft does provide a services for unix package, but it uses NIS last time I looked at it.

Your problems will most likely occur when mapping possibly long principal names on Windows to the UNIX side, or getting the data from LDAP and populating (either using scripts or an nss_ldap module) the user accounts on the client side. If you have simple account names on Windows, it's fairly straightforward to use PAM or login to authenticate the password. Google will find you many resources on setting this up.

-- 
adam
Re: pppoe (through pcn) stopped working in mid-February
The kernel and the rest were out of sync - that's why pppoe wasn't working. Sorry for the wrong report.

On 3/9/06, Alexander Farber <[EMAIL PROTECTED]> wrote:
>
> I was following -current with my home gateway on a dual-CPU HP Kayak XAs
> (full dmesg attached), but since mid-February I'm unable to do it anymore,
> because when I boot a newly compiled kernel, I get these repeating messages:
>
> Mar 9 15:31:59 gate /bsd: pppoe0: phase network
> Mar 9 15:31:59 gate /bsd: pppoe0: phase terminate
> Mar 9 15:32:09 gate /bsd: pppoe0: phase dead
> Mar 9 15:32:09 gate /bsd: pppoe0: phase establish
> Mar 9 15:32:09 gate /bsd: pppoe0: phase dead
> Mar 9 15:32:10 gate /bsd: pppoe0: phase establish
> Mar 9 15:32:10 gate /bsd: pppoe0: up
> Mar 9 15:32:10 gate /bsd: pppoe0: phase network
> Mar 9 15:32:10 gate /bsd: pppoe0: phase terminate
> Mar 9 15:32:20 gate /bsd: pppoe0: phase dead
> Mar 9 15:32:20 gate /bsd: pppoe0: phase establish
> Mar 9 15:32:20 gate /bsd: pppoe0: phase dead
>
> and I just can't get my ADSL connection working
> until I move my old kernel back and reboot.
>
> With the old kernel I also often see these messages,
> but they don't stop pppoe from working:
>
> Mar 8 15:57:13 gate /bsd: pcn0: framing error
> Mar 8 15:57:13 gate /bsd: pcn0: CRC error
> Mar 8 16:07:09 gate /bsd: pcn0: framing error
> Mar 8 16:07:09 gate /bsd: pcn0: CRC error
> Mar 8 16:42:11 gate /bsd: pcn0: framing error
> Mar 8 16:42:11 gate /bsd: pcn0: CRC error
> Mar 8 16:46:01 gate /bsd: pcn0: CRC error
> Mar 8 16:52:01 gate /bsd: pcn0: CRC error
> Mar 8 17:42:47 gate /bsd: pcn0: CRC error
> Mar 8 17:47:42 gate /bsd: pcn0: CRC error
> ..
> Mar 9 01:30:03 gate /bsd: Data modified on freelist: word 4 of object
> 0xd114090
> 0 size 0xc0 previous type devbuf (0xdeadbeee != 0xdeadbeef)
> Mar 9 01:30:03 gate /bsd: Data modified on freelist: word 4 of object
> 0xd0f5610
> 0 size 0xc0 previous type devbuf (0xdeadbeed != 0xdeadbeef)
> ...
> Mar 8 13:52:53 gate /bsd: piixpm0: timeout, status 0x1
> Mar 8 13:52:56 gate /bsd: piixpm0: timeout, status 0x1
>
>
> Here is my /etc/hostname.pppoe0:
>
> pppoedev pcn0
> !/sbin/ifconfig pcn0 up
> !/usr/sbin/spppcontrol \$if myauthproto=pap \
> [EMAIL PROTECTED] myauthkey=XX
> !/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
> !/sbin/route add default 0.0.0.1
> up
>
> And my ifconfig with the new (not-working) kernel:
>
> lo0: flags=8049 mtu 33224
> groups: lo
> inet 127.0.0.1 netmask 0xff00
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
> pcn0: flags=8843 mtu 1500
> lladdr 00:10:83:34:8d:a6
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet6 fe80::210:83ff:fe34:8da6%pcn0 prefixlen 64 scopeid 0x1
> re0: flags=8843 mtu 1500
> lladdr 00:c0:49:fa:2b:c4
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
> inet6 fe80::2c0:49ff:fefa:2bc4%re0 prefixlen 64 scopeid 0x2
> ral0: flags=8843 mtu 1500
> lladdr 00:0e:2e:57:84:de
> media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
> status: active
> ieee80211: nwid OPENBSD chan 4 bssid 00:0e:2e:57:84:de 100dBm
> inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
> inet6 fe80::20e:2eff:fe57:84de%ral0 prefixlen 64 scopeid 0x3
> pflog0: flags=141 mtu 33224
> pfsync0: flags=0<> mtu 1460
> enc0: flags=0<> mtu 1536
> pppoe0: flags=8851 mtu 1492
> dev: pcn0 state: session
> sid: 0x1ba8 PADI retries: 0 PADR retries: 0 time: 00:00:05
> groups: pppoe egress
> inet 0.0.0.0 --> 0.0.0.1 netmask 0x
> inet6 fe80::210:83ff:fe34:8da6%pppoe0 -> prefixlen 64 scopeid 0x8
>
> Does anybody please have any suggestions?
>
> Regards
> Alex
>
> PS: My /etc/pf.conf:
>
> ext_if="pppoe0"
> wlan_if="ral0"
> lan_if="re0"
> int_ports = "{ domain bootps 445 137 138 139 }"
> int_tcp_ports = "{ 8080 4000 www https smtp 995 587 }"
> ext_tcp_ports = "{ www https }"
> priv_nets = "{ 127/8 192.168/16 172.16/12 10/8 }"
>
> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> scrub in
> scrub out on pppoe0 random-id max-mss 1440
>
> # transparent squid cache
> rdr on $wlan_if inet proto tcp from $wlan_if:network \
> to ! $wlan_if port www -> 127.0.0.1 port 8080
> rdr on $lan_if inet proto tcp from $lan_if:network \
> to ! $lan_if port www -> 127.0.0.1 port 8080
>
> nat on $ext_if inet from $wlan_if:network to any -> ($ext_if)
> nat on $ext_if inet from $lan_if:network to any -> ($ext_if)
>
> block in log
> pass out keep state
>
> pass in quick on $ext_if proto { tcp udp } \
> from any to ($ext_if) user samba keep state
>
> block out quick log on $ext_if proto { tcp, udp } all user www
>
> block quick log on $ext_if to $priv_nets
> block drop quick on $ext_
Re: bgpd Error: route decision engine terminated; signal 11
On Sun, Mar 19, 2006 at 07:07:28PM +0100, fabioFVZ wrote:
> Hello,
> i have a problem with my openbgpd (OpenBSD 3.8 from Original CD :) )
>
> After random time...bgpd exit with this error:
>
> Mar 19 16:57:10 bgp bgpd[27773]: Lost child: route decision engine terminated; signal 11
> Mar 19 16:57:10 bgp bgpd[5216]: fatal in SE: session_dispatch_imsg: pipe closed: No route to host
> Mar 19 16:57:12 bgp bgpd[27773]: kernel routing table decoupled
> Mar 19 16:57:12 bgp bgpd[27773]: Terminating
>
> My conf is:
>
> #macros
> peer1="xxx.xxx.xxx.xxx"
>
> # global configuration
> AS X
> router-id yyy.yyy.yyy.yyy
>
> network yyy.yyy.yyy.yyy/zz
>
> neighbor $peer1 {
>         remote-as 12345
>         descr "net"
>         multihop 4
> }
>
> deny from any
> allow from any prefixlen 8 - 24
>
> deny from any prefix 0.0.0.0/0
> deny from any prefix 10.0.0.0/8 prefixlen >= 8
> deny from any prefix 172.16.0.0/12 prefixlen >= 12
> deny from any prefix 192.168.0.0/16 prefixlen >= 16
> deny from any prefix 169.254.0.0/16 prefixlen >= 16
> deny from any prefix 192.0.2.0/24 prefixlen >= 24
> deny from any prefix 224.0.0.0/4 prefixlen >= 4
> deny from any prefix 240.0.0.0/4 prefixlen >= 4
> ---
>
> Any idea? Many thanks
>

There were many changes in the RDE in the last six months. Could you try a -current bgpd and see if it is happening again?

-- :wq Claudio
bgpd Error: route decision engine terminated; signal 11
Hello,

I have a problem with my openbgpd (OpenBSD 3.8 from Original CD :) )

After a random time... bgpd exits with this error:

Mar 19 16:57:10 bgp bgpd[27773]: Lost child: route decision engine terminated; signal 11
Mar 19 16:57:10 bgp bgpd[5216]: fatal in SE: session_dispatch_imsg: pipe closed: No route to host
Mar 19 16:57:12 bgp bgpd[27773]: kernel routing table decoupled
Mar 19 16:57:12 bgp bgpd[27773]: Terminating

My conf is:

#macros
peer1="xxx.xxx.xxx.xxx"

# global configuration
AS X
router-id yyy.yyy.yyy.yyy

network yyy.yyy.yyy.yyy/zz

neighbor $peer1 {
        remote-as 12345
        descr "net"
        multihop 4
}

deny from any
allow from any prefixlen 8 - 24

deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
---

Any idea? Many thanks

FabioFVZ
Re: CanSecWest/core06 Vancouver April 3-7
People that work for large enterprises, that's who. Besides I believe it includes the cost of tutorials if I'm not mistaken. I know conferences that cost more. diana On Sun, 19 Mar 2006, paul dansing wrote: > This conference currently costs $1546 USD! :-( > > what moneybags loser is going to pay up so much just to go > to a conference? > > buy yourself a nice computer, or hell, donate the money to > openbsd.org instead! :-D > > drop a zero or two and it would be worth the trip
Strange CPU load with rpldev/openbsd
Hello,

a user has reported high CPU usage in `top` when running rpld from ttyrpld 2.12. It is repeatable with the current one (2.15), and it seems to boil down to the read() function of the rpldev device, as I have found out by placing getrusage() before and after the main read() call in rpld. However, I cannot find anything that looks like a busy wait in the kernel part (copy below), especially since the kernel code is essentially the same for other BSDs, but neither FreeBSD nor NetBSD show high CPU usage. Does anyone have an idea where it might be coming from? Is tsleep() running a busywait?

Jan Engelhardt

--- ttyrpld-2.15/k_openbsd-3.8/rpldev.c ---

    // return number of available bytes to read
    static inline size_t avail_R(void);
    // return minimum of the two
    static inline unsigned int min_uint(unsigned int, unsigned int);
    // circular buffer, read ptr and write ptr
    static char *Buffer, *BufRP, *BufWP;

    static int urpl_read(dev_t dev, struct uio *uio, int flags)
    {
        size_t count;
        int ret = 0;    /* initialized: the first "goto out" below returns ret */

        mtx_enter(&Buffer_lock);
        if(Buffer == NULL)
            goto out;

        /* Block (not spin) until the writer has put something in the ring. */
        while(BufRP == BufWP) {
            mtx_leave(&Buffer_lock);
            if(flags & IO_NDELAY)
                return EWOULDBLOCK;
            if((ret = tsleep(&Buffer, PCATCH, "rpldev", 0)) != 0)
                return ret;
            ret = 0;
            mtx_enter(&Buffer_lock);
            if(Buffer == NULL)
                goto out;
        }

        count = min_uint(uio->uio_resid, avail_R());
        ret = circular_get(uio, count);
    out:
        mtx_leave(&Buffer_lock);
        return ret;
    }

--- end excerpt ---
bgpd error: route decision engine terminated; signal 11
Hello,

I have a problem with my openbgpd (OpenBSD 3.8 from Original CD :) )

After a random time... bgpd exits with this error:

Mar 19 16:57:10 bgp bgpd[27773]: Lost child: route decision engine terminated; signal 11
Mar 19 16:57:10 bgp bgpd[5216]: fatal in SE: session_dispatch_imsg: pipe closed: No route to host
Mar 19 16:57:12 bgp bgpd[27773]: kernel routing table decoupled
Mar 19 16:57:12 bgp bgpd[27773]: Terminating

My conf is:

#macros
peer1="xxx.xxx.xxx.xxx"

# global configuration
AS X
router-id yyy.yyy.yyy.yyy

network yyy.yyy.yyy.yyy/zz

neighbor $peer1 {
        remote-as 12345
        descr "net"
        multihop 4
}

deny from any
allow from any prefixlen 8 - 24

deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
---

Any idea? Many thanks

-- fabioFVZ
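The filter block in this configuration is worth a closer look on its own, independent of the crash. What follows is an added example, my code and not the poster's or OpenBGPD's: a small Python evaluator for exactly the rule forms the posted filter uses (a bare `deny from any`, `allow ... prefixlen lo - hi`, and `deny ... prefix X/Y prefixlen >= N`), applying bgpd's rule that the last matching filter rule decides. It shows why the leading `deny from any` matters (every prefix matches it, so the implicit default never applies), that a bare `prefix X/Y` matches only that exact prefix while `prefix X/Y prefixlen >= Y` covers all more-specifics, and that a /25 never gets past the `8 - 24` allow. The rule text is copied from the post; the function names, the `default` parameter and the sample prefixes are my assumptions.

```python
import ipaddress
import re

# Rule grammar covered here: "(allow|deny) from any [prefix X/Y] [prefixlen SPEC]".
# This is the subset the posted filter uses, not a full bgpd.conf parser.
RULE_RE = re.compile(
    r"^(allow|deny)\s+from\s+any(?:\s+prefix\s+(\S+))?(?:\s+prefixlen\s+(.+?))?\s*$")


def _len_test(spec):
    """Turn a prefixlen spec as written in the post ('8 - 24', '>= 8') into a predicate."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lambda n: lo <= n <= hi
    m = re.fullmatch(r"(>=|<=|!=|=|>|<)\s*(\d+)", spec)
    if m:
        op, v = m.group(1), int(m.group(2))
        return {">=": lambda n: n >= v, "<=": lambda n: n <= v, ">": lambda n: n > v,
                "<": lambda n: n < v, "=": lambda n: n == v, "!=": lambda n: n != v}[op]
    raise ValueError("unsupported prefixlen spec %r" % spec)


def parse_rules(text):
    """Parse filter rules in file order; each rule is (action, network|None, lentest|None, text)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: %r" % line)
        action, prefix, plen = m.groups()
        rules.append((action,
                      ipaddress.ip_network(prefix) if prefix else None,
                      _len_test(plen) if plen else None,
                      line))
    return rules


def rule_matches(rule, net):
    _, rnet, ltest, _ = rule
    if rnet is not None:
        if net.version != rnet.version or not net.subnet_of(rnet):
            return False
        if ltest is None:
            # bare "prefix X/Y" means exactly X/Y, not its more-specifics
            return net.prefixlen == rnet.prefixlen
    return ltest is None or ltest(net.prefixlen)


def decide(rules, prefix, default="allow"):
    """Walk the rules in order; the LAST matching rule wins (bgpd semantics).
    'default' only applies if nothing matches; with "deny from any" first it never does."""
    net = ipaddress.ip_network(prefix)
    verdict, why = default, "no rule matched"
    for rule in rules:
        if rule_matches(rule, net):
            verdict, why = rule[0], rule[3]
    return verdict, why


# The filter section exactly as posted (constructed copy for this example).
POSTED_FILTER = """
deny from any
allow from any prefixlen 8 - 24
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
"""

if __name__ == "__main__":
    rules = parse_rules(POSTED_FILTER)
    for p in ("198.51.100.0/24", "198.51.100.0/25", "10.1.0.0/16",
              "172.32.0.0/12", "192.0.2.0/24", "224.1.0.0/16", "0.0.0.0/0"):
        verdict, why = decide(rules, p)
        print("%-18s %-5s (%s)" % (p, verdict, why))
```

Run as a script it prints one line per sample prefix with the rule that decided it; 198.51.100.0/24 is allowed by the `8 - 24` rule, its /25 is denied because only `deny from any` matches, and 224.1.0.0/16 is allowed by the prefixlen rule but then denied by the later `224.0.0.0/4 prefixlen >= 4` rule, which is the last-match behaviour the ordering in the post relies on.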
Re: RAIDframe parity errors and rebuild
"David Wilk" writes: > this was exactly my thought. I was hoping someone would have some > 'official' knowledge, or opinion. I still can't get over having to > wait several hours for my root partition to become available after an > improper shutdown. > > On 3/18/06, Joachim Schipper <[EMAIL PROTECTED]> wrote: > > On Sat, Mar 18, 2006 at 12:59:30PM +0200, Antonios Anastasiadis wrote: > > > I had the same question, and just changed the relevant line in /etc/rc > > > adding '&' in the end: > > > > > > raidctl -P all & > > > > Then again, why is this not the default? Are you certain this actually > > works? > > > > Joachim If you want to be 100% paranoid, then you want to wait for the 'raidctl -P all' to update all parity before starting even fsck's. There *is* a non-zero chance that the parity might be out-of-sync with the data, and should a component die before that parity has been updated, then you could end up reading bad data. This can happen even if the filesystem has been checked. What are the odds of this happening? Pretty small. If 'raidctl -P all &' is run, then the larger problem is both fsck and raidctl will be fighting for disk cycles -- i.e. the fsck will take longer to complete. On more "critical" systems, this is how I typically have things setup (I'm willing to risk it that I'm not going to have a disk die during the minutes that it takes to do the fsck). On less critical boxes, I've got a "sleep 3600" before the 'raidctl -P', so that the parity check doesn't get in the way of the fsck or the system coming up... about an hour after it comes up, the disks are then checked... It's one of those "what are the odds" games... allowing the raidctl to run in the background seems to have the right mix of paranoia and practicality... Later... Greg Oster
Re: tcpdump needs no root privileges
On Sun, 19 Mar 2006, eric wrote:
> On Sun, 2006-03-19 at 20:18:11 +0300, Alex B proclaimed...
>
> > Hello.
> >
> > Yes, I'm certain. It is the first check after start. So, it doesn't
> > depend on my command line.
> >
> > Take a look at "Privilege separation",
> > http://undeadly.org/cgi?action=article&sid=20040220120426
> >
> > It worked till 3.7.
>
> $ id
> uid=1002(eric) gid=20(staff) groups=20(staff), 0(wheel),
>
> $ tcpdump -nr foo.cap | wc -l
> 124
>
> $ uname -a
> OpenBSD foo 3.7 GENERIC#50 i386

This has been changed for a good reason. To provide maximum protection, the unprivileged process of tcpdump needs to run in a chroot. To be able to chroot, it needs root. Many people believe reading a packet dump is less dangerous than reading from a network interface. This is a myth.

-Otto
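Otto's point is that the bytes a decoder parses come from the same untrusted place whether they arrive on a wire or in a file: a saved capture is just attacker-controlled input with a header in front. As an added example, my code and not part of this thread or of OpenBSD's tcpdump, here is a Python pcap reader that treats every length field in the file as hostile and refuses a record whose header lies, run over constructed inputs: a well-formed two-packet file and one whose record header claims a 2 GB capture. The 256 KiB snaplen ceiling, the sample frame and all names are my assumptions.

```python
import struct

PCAP_HDR = 24          # global header: magic, vmaj, vmin, thiszone, sigfigs, snaplen, linktype
REC_HDR = 16           # per-record header: ts_sec, ts_usec, incl_len, orig_len
MAX_SNAPLEN = 262144   # assumption: anything larger is treated as hostile, not as a capture


class PcapError(ValueError):
    pass


def parse_pcap(buf):
    """Parse a classic pcap file held in memory. Every length comes from the file,
    so each one is checked before it is used to index into the buffer."""
    if len(buf) < PCAP_HDR:
        raise PcapError("file shorter than the global header")
    magic = buf[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written big-endian
        endian = ">"
    else:
        raise PcapError("bad magic %r" % magic)
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:PCAP_HDR])
    if (vmaj, vmin) != (2, 4):
        raise PcapError("unsupported version %d.%d" % (vmaj, vmin))
    if snaplen == 0 or snaplen > MAX_SNAPLEN:
        raise PcapError("implausible snaplen %d" % snaplen)
    records, off = [], PCAP_HDR
    while off < len(buf):
        if len(buf) - off < REC_HDR:
            raise PcapError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl, orig = struct.unpack(endian + "IIII", buf[off:off + REC_HDR])
        start = off
        off += REC_HDR
        if incl > snaplen:
            raise PcapError("record at %d claims %d bytes, above snaplen %d" % (start, incl, snaplen))
        if incl > orig:
            raise PcapError("record at %d: captured length %d exceeds original %d" % (start, incl, orig))
        if incl > len(buf) - off:
            raise PcapError("record at %d runs past end of file" % start)
        if ts_usec >= 1000000:
            raise PcapError("record at %d: bad microsecond field" % start)
        records.append((ts_sec + ts_usec / 1e6, incl, orig, buf[off:off + incl]))
        off += incl
    return linktype, records


def ethertype(pkt):
    """EtherType of a DLT_EN10MB frame, or None if the frame is too short to carry one."""
    if len(pkt) < 14:
        return None
    return struct.unpack("!H", pkt[12:14])[0]


def build_pcap(records, snaplen=65535, linktype=1):
    """Write a little-endian pcap; used only to construct the sample files below."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype)
    for ts, pkt in records:
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return out


# Constructed sample: a 42-byte ARP request frame (broadcast dst, locally administered src).
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
GOOD_PCAP = build_pcap([(1142784000, FRAME), (1142784001, FRAME)])
# Same global header, then a record header claiming 0x7fffffff captured bytes: a reader that
# trusts incl_len and copies that much into a fixed buffer is the bug Otto is warning about.
HOSTILE_PCAP = GOOD_PCAP[:PCAP_HDR] + struct.pack("<IIII", 1142784000, 0, 0x7fffffff, 0x7fffffff) + FRAME

if __name__ == "__main__":
    linktype, recs = parse_pcap(GOOD_PCAP)
    for ts, incl, orig, pkt in recs:
        print("%.6f caplen=%d len=%d ethertype=0x%04x" % (ts, incl, orig, ethertype(pkt)))
    for name, data in (("oversized record", HOSTILE_PCAP), ("truncated file", GOOD_PCAP[:-10])):
        try:
            parse_pcap(data)
        except PcapError as e:
            print("%s rejected: %s" % (name, e))
```

The same checks apply one layer up: `ethertype()` refuses a frame shorter than an Ethernet header instead of indexing into it, which is the pattern every protocol printer in a dissector has to follow, since a file supplies the exact byte layout that a hostile host on the wire would.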
Re: tcpdump needs no root privileges
On Sun, 2006-03-19 at 20:18:11 +0300, Alex B proclaimed...

> Hello.
>
> Yes, I'm certain. It is the first check after start. So, it doesn't
> depend on my command line.
>
> Take a look at "Privilege separation",
> http://undeadly.org/cgi?action=article&sid=20040220120426
>
> It worked till 3.7.

$ id
uid=1002(eric) gid=20(staff) groups=20(staff), 0(wheel),

$ tcpdump -nr foo.cap | wc -l
124

$ uname -a
OpenBSD foo 3.7 GENERIC#50 i386
Re: tcpdump needs no root privileges
Hello.

Yes, I'm certain. It is the first check after start. So, it doesn't depend on my command line.

Take a look at "Privilege separation", http://undeadly.org/cgi?action=article&sid=20040220120426

I've found the commit:

revision 1.22
date: 2005/09/23 15:42:51; author: otto; state: Exp; lines: +24 -30
Only allow root to run tcpdump. It's needed for the chroot security.
ok moritz@ deraadt@

On 3/19/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 19, 2006 at 07:43:46PM +0300, Alex B wrote:
> > Hello.
> >
> > When started as a user, tcpdump complains: "need root privileges", even
> > if I want it to read packets from a regular file.
> > Error is located in privsep.c.
> > It may be more secure to start tcpdump as a user to decode packets.
>
> Are you really certain? I've used tcpdump as non-root and ISTR it working
> fine.
> What was the command line you used?
>
> Joachim
>

-- WBR, Alex V Breger
Re: tcpdump needs no root privileges
Joachim Schipper wrote:
> On Sun, Mar 19, 2006 at 07:43:46PM +0300, Alex B wrote:
> > Hello.
> > When started as a user, tcpdump complains: "need root privileges", even if I want it to read packets from a regular file.
> > Error is located in privsep.c.
> > It may be more secure to start tcpdump as a user to decode packets.
>
> Are you really certain? I've used tcpdump as non-root and ISTR it working fine. What was the command line you used?
>
> Joachim

On tech@ there is a thread "non-root tcpdump filtering broken?" dated end of September last year about this.

/Sigfred
Re: tcpdump needs no root privileges
On Sun, Mar 19, 2006 at 05:59:23PM +0100, Joachim Schipper wrote:
> On Sun, Mar 19, 2006 at 07:43:46PM +0300, Alex B wrote:
> > Hello.
> >
> > When started as a user, tcpdump complains: "need root privileges", even if I
> > want it to read packets from a regular file.
> > Error is located in privsep.c.
> > It may be more secure to start tcpdump as a user to decode packets.
>
> Are you really certain? I've used tcpdump as non-root and ISTR it working
> fine. What was the command line you used?

Maybe this thread is still relevant to this: http://marc.theaimsgroup.com/?t=10798040483&r=1&w=2

-- jared [ openbsd 3.9-current GENERIC ( mar 15 ) // i386 ]
Re: tcpdump needs no root privileges
On Sun, Mar 19, 2006 at 07:43:46PM +0300, Alex B wrote:
> Hello.
>
> When started as a user, tcpdump complains: "need root privileges", even if I
> want it to read packets from a regular file.
> Error is located in privsep.c.
> It may be more secure to start tcpdump as a user to decode packets.

Are you really certain? I've used tcpdump as non-root and ISTR it working fine. What was the command line you used?

Joachim
tcpdump needs no root privileges
Hello.

When started as a user, tcpdump complains: "need root privileges", even if I want it to read packets from a regular file. The error is located in privsep.c. It may be more secure to start tcpdump as a user to decode packets.

-- WBR, Alex V Breger
Re: RAIDframe parity errors and rebuild
this was exactly my thought. I was hoping someone would have some 'official' knowledge, or opinion. I still can't get over having to wait several hours for my root partition to become available after an improper shutdown. On 3/18/06, Joachim Schipper <[EMAIL PROTECTED]> wrote: > On Sat, Mar 18, 2006 at 12:59:30PM +0200, Antonios Anastasiadis wrote: > > I had the same question, and just changed the relevant line in /etc/rc > > adding '&' in the end: > > > > raidctl -P all & > > Then again, why is this not the default? Are you certain this actually > works? > > Joachim
Re: OpenBSD/Linux centralized authentication
On 3/19/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
> > Hi misc,
> >
> > At work, we are running a Microsoft Active Directory for our Windows
> > Domain, who mainly provided Windows Desktop for our customers and
> > centralized authentication. We have also several OpenBSD & Linux boxes
> > for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> > centralize these Unix authentication... Is there a way to authenticate
> > directly over a MS Domain Controller ? How can this be achieved
> > (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
> > alternatives (building an OpenLDAP server, Kerberos, (we don't want
> > NIS !)) ?
> >
> > Hope somebody has some advice to share,
>
> There are many, many solutions. If it's just servers with a limited
> number of accounts, rdist(8) works just fine, and saves a lot of
> complicated stuff that takes time to set up and breaks occasionally. It
> could be scripted if you want to fully automate something.
>
> For a more complete solution, I am pretty sure there is a Linux PAM
> module to authenticate against their AD implementation (it's part of
> SAMBA, IIRC). Not sure about OpenBSD.
>
> Also, once the user accounts are synchronized, you'd probably be able to
> tell a Kerberos client to talk to the AD server. I've never tried it,
> but it should work - more or less. See the info pages for heimdal on
> OpenBSD.
>
> Joachim

Active Directory has an LDAP interface on the domain controllers. You could opt to authenticate directly against the AD tree, or replicate the tree entirely or partially to OpenLDAP and manage/use that tree. It seems that some LDAP implementations have problems replicating password information, though I can't remember the specifics.

This page has a little info that may help: http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes

Axton Grams
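Adam's warning earlier in this thread about mapping Windows principal names onto the Unix side and populating accounts from LDAP, and Axton's note above that the domain controllers expose an LDAP interface, come down to one job: turning AD user entries into Unix accounts while leaving the passwords in AD, where Kerberos checks them. The following is an added example, my code and not from the thread, Samba, SFU or any tool named here. It decodes the binary objectSid that an LDAP search returns, derives a stable uid from the RID the way a fixed idmap range does, validates that sAMAccountName fits an OpenBSD-style login name, flags users whose userPrincipalName differs from the login they will have to kinit as, and refuses case-folded collisions (AD names are case-insensitive, Unix logins are not). The realm CORP.EXAMPLE.COM, the uid base of 10000, the single shared gid, the login_krb5/pam_krb5 remark and the two sample entries are my assumptions.

```python
import re
import struct

REALM = "CORP.EXAMPLE.COM"   # assumption: the AD domain's Kerberos realm (upper-cased DNS name)
UID_BASE = 10000             # assumption: uid = UID_BASE + RID, a fixed and reversible mapping
AD_GID = 10000               # assumption: one primary group for all AD-sourced users
# OpenBSD-style login name: 1..31 chars, starts with a letter or '_', then [a-z0-9_.-]
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,30}$")


def encode_sid(authority, subauths):
    """Build a binary SID; only used to construct the sample entries below."""
    return (bytes([1, len(subauths)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


def decode_sid(raw):
    """Decode AD's binary objectSid: rev(1) count(1) authority(6, big-endian)
    followed by count sub-authorities as little-endian uint32; the last one is the RID."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def map_user(entry):
    """Turn one AD user entry into a passwd(5) line plus the principal the user must kinit as."""
    login = entry["sAMAccountName"].lower()
    if not LOGIN_RE.match(login):
        raise ValueError("sAMAccountName %r does not fit a Unix login name" % entry["sAMAccountName"])
    warnings = []
    upn = entry.get("userPrincipalName", "")
    if upn and upn.split("@", 1)[0].lower() != login:
        # Windows users may type the UPN; the Unix side keys on sAMAccountName.
        warnings.append("UPN %s differs from login %s" % (upn, login))
    rid = int(decode_sid(entry["objectSid"]).rsplit("-", 1)[1])
    uid = UID_BASE + rid
    gecos = entry.get("displayName", "").replace(":", " ")   # ':' is the passwd field separator
    # The password field is a placeholder: the password stays in AD and is verified over
    # Kerberos (login_krb5 on OpenBSD, pam_krb5 on Linux); it is never copied locally.
    passwd = "%s:*:%d:%d:%s:/home/%s:/bin/ksh" % (login, uid, AD_GID, gecos, login)
    return {"login": login, "uid": uid, "principal": "%s@%s" % (login, REALM),
            "passwd": passwd, "warnings": warnings}


def build_passwd(entries):
    """Map every entry, refusing two AD accounts that fold to the same Unix login."""
    seen, out = {}, []
    for e in entries:
        rec = map_user(e)
        if rec["login"] in seen:
            raise ValueError("login %s collides: %s vs %s"
                             % (rec["login"], seen[rec["login"]], e["sAMAccountName"]))
        seen[rec["login"]] = e["sAMAccountName"]
        out.append(rec)
    return out


# Constructed entries shaped like an LDAP search result; the domain SID is made up.
DOMAIN = [21, 3623811015, 3361044348, 30300820]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice.liddell@corp.example.com",
     "displayName": "Alice Liddell", "objectSid": encode_sid(5, DOMAIN + [1105])},
    {"sAMAccountName": "BobSmith", "userPrincipalName": "bobsmith@corp.example.com",
     "displayName": "Bob Smith", "objectSid": encode_sid(5, DOMAIN + [1106])},
]

if __name__ == "__main__":
    for rec in build_passwd(SAMPLE_ENTRIES):
        print(rec["passwd"], " # kinit", rec["principal"], *rec["warnings"])
```

Deriving the uid from the RID rather than handing out the next free number is what keeps uids identical on every OpenBSD and Linux box that runs the script, which matters as soon as files move between them over SFTP or CVS; the collision check is the part that the "simple account names" Adam mentions lets you skip, and long or mixed-case names do not.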
Re: CanSecWest/core06 Vancouver April 3-7
This conference currently costs $1546 USD! :-(

what moneybags loser is going to pay up so much just to go to a conference?

buy yourself a nice computer, or hell, donate the money to openbsd.org instead! :-D

drop a zero or two and it would be worth the trip

Tuesday, March 7, 2006, 8:45:30 PM, you wrote:

> The call for papers is now closed and the proposals have been reviewed
> for the CanSecWest/core06 Applied Technical Security Conference held
> on April 5-7 2006 at the Marriott Renaissance Harbourside in Vancouver,
> B.C. Canada.
>
> The selected submissions are :
>
> An hour of Rap and Comedy about SAP - Steve Lord
> Next Generation Sebek - Edward Balas - Indiana University
> RF Bugsweeping - Tim Johnson - Technical Security Consultants Inc.
> Magstripe Madness - Major Malfunction
> Metasploitation (and a dash of IPS) - HD Moore - BreakingPoint
> Carrier VoIP Security - Nico Fischbach - COLT
> Attacking VoIP Networks - Hendrik Scholz - Freenet Cityline GmbH
> Security Issues Related to Pentium System Management Mode - Loïc Duflot
> Advancements in Anonymous eAnnoyance - Christopher Abad - Cloudmark
> Real Time Threat Mitigation Techniques - Josh Ryder - University of Alberta
> Stunt Profiling: Securing a System While You Wait - Crispin Cowan - Novell
> Visualizing Source Code for Auditing - Lisa Thalheim
> Attacking Web Services - Alex Stamos, Scott Stender - iSEC Partners
> Reverse Engineering Microsoft Binaries - Alexander Sotirov - Determina
> Zen and the art of collecting and analyzing Malware - Fred Arbogast and Sascha Rommelfangen - S.E.S. Astra
> How to test an IPS - Renaud Bidou - RADWare
> Insiders View: Network Security Devices - Dennis Cox - BreakingPoint
> More on Uninitialized Variables - Halvar Flake
> Eric Byres - SCADA - BCIT
>
> Panel Discussion - Vulnerability Commercialization
> Terri Forslof, 3Com, Manager of Security Response
> Michael Sutton iDefense Labs, Director of iDEFENSE Labs
> Others TBA
>
> Vendor Elevator Focus Groups
> David Meltzer, Cambia
> Ofir Arkin, Insightix
> Others TBA
>
> Lightning Talks
>
> Some talks from the PacSec/core05 conference in Tokyo in November and
> the EUSecWest/core06 conference in London during February were highly
> rated and have been invited for encore presentations at CanSecWest:
>
> Attacking the IPv6 protocol suite - van Hauser - THC / n.runs GmbH
> Protecting the Infrastructure - Jim DeLeskie & Danny McPherson - Teleglobe, Arbor Networks
>
> Security Masters Dojo Courses
> April 3-5 Vancouver
>
> Network Reconnaissance with Nmap 4 - Fyodor & Doug Hoyte
> Network Vulnerability Scanning: Turning Nessus into Metasploit - Renaud Deraison & Nicolas Pouvesle
> Reverse Engineering: Rapid Bug Discovery and Input Crafting - Halvar
> Assembly for Exploit Writing - Gerardo Richarte
> Advanced IDS Deployment and Optimization - Marty Roesch
> Advanced Honeypot Tactics - Thorsten Holz
> Mastering the network with Scapy - Philippe Biondi
> Securing your critical Cisco network infrastructure - Nico Fischbach
> Practical 802.11 WiFi (In)Security - Cédric Blancher
> Bluetooth Auditing and Technology - Martin Herfurt, Adam Laurie, Marcel Holtmann
>
> Conference registration on line can be found at:
> http://cansecwest.com/register.html
>
> Security Masters Dojo Vancouver registration can be found at
> http://cansecwest.com/dojo.html
>
> cheers,
> --dr
Queueing + load balancing for multiple outside connections
Hi all, I have a machine that has 4 NICs, one to an ISP, one to a router that connects to another ISP, one for LAN, one for DMZ. I did host-based traffic rate limiting in both directions, which worked fine with 1 external NIC. Recently a second line was bought because it was cheaper than additional bandwidth on the other line. How can I make the two lines 'act as one' so I can maintain rate restrictions and meanwhile balance traffic? Looked at trunk, pf load balancing, and the likes. Peter
Access to serial port under linux emulation
Hi misc@,

I need to run flip[1], which is written in tcl/tk and only available as a binary for linux. I need it to program Atmel 8051 micro controllers. Flip runs fine under linux emulation (after copying the included libs to /emul/linux/lib), but I get an error message when trying to access the serial ports (to which the mc board is connected). I already created a horde of symlinks (after reading compat_linux(8)) and googled for about 3h now, but I can't get it to work:

NOTE: I'm using a (working) usb->serial adapter

#ls -l /emul/linux/dev | grep tty[A-Z]
lrwxr-xr-x 1 root wheel 10B Mar 19 11:23 ttyS0@ -> /dev/ttyU0
lrwxr-xr-x 1 root wheel 10B Mar 19 14:00 ttyS1@ -> /dev/ttyU0
lrwxr-xr-x 1 root wheel 10B Mar 19 11:23 ttyU0@ -> /dev/ttyU0

#ls -l /dev/{cua,tty}[US]0
crwxrwxrwx 1 ahbabe ahbabe 66, 128 Mar 15 08:44 /dev/cuaU0*
lrwxr-xr-x 1 root wheel 10 Jul 2 1987 /dev/ttyS0@ -> /dev/ttyU0
crwxrwxrwx 1 ahbabe ahbabe 66, 0 Jul 2 1987 /dev/ttyU0*

Error message in flip:

can't read "flipStates(comList)": no such element in array
    while executing
"if { $flipStates(comList) == "" } {
    tk_messageBox -message "There is no available serial port\n on your platform. Please fix the problem then\n resta..."
    (procedure "initProtocol" line 15)
    invoked from within
"initProtocol "RS232Standard""
    invoked from within
".menubar.settings.comm invoke active"
    ("uplevel" body line 1)
    invoked from within
"uplevel #0 [list $w invoke active]"
    (procedure "tkMenuInvoke" line 31)
    invoked from within
"tkMenuInvoke .menubar.settings.comm 1

I would appreciate any help because I need to get this to work for school.

Btw: I tried to use qemu with "-serial /dev/ttyU0", but this always results in (also as almighty root):

qemu: could not open serial device '/dev/ttyS0'

[1] http://www.atmel.com/dyn/products/tools_card.asp?tool_id=2767

Thanks,
ahb

p.s. Did I include all necessary information?
Re: problem compiling ports, 3.8 stable
> expat-1.95.6.tar.gz doesn't seem to exist on this system.
> Attempting to fetch /usr/ports/distfiles/expat-1.95.6.tar.gz from http://ovh.dl.sourceforge.net/sourceforge/expat/.
> Size does not match for /usr/ports/distfiles/expat-1.95.6.tar.gz
> *** Error code 2

Hello, the same occurred here yesterday. I solved it by installing the expat package with pkg_add.

Regards.
Ramiro.
Re: OpenBSD/Linux centralized authentication
On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote: > Hi misc, > > At work, we are running a Microsoft Active Directory for our Windows > Domain, who mainly provided Windows Desktop for our customers and > centralized authentication. We have also several OpenBSD & Linux boxes > for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to > centralize these Unix authentication... Is there a way to authenticate > directly over a MS Domain Controller ? How can this be achieved > (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the > alternatives (building an OpenLDAP server, Kerberos, (we don't wan't > NIS !)) ? > > Hope somebody has some advice to share, There are many, many solutions. If it's just servers with a limited number of accounts, rdist(8) works just fine, and saves a lot of complicated stuff that takes time to set up and breaks occasionally. It could be scripted if you want to fully automate something. For a more complete solution, I am pretty sure there is a Linux PAM module to authenticate against their AD implementation (it's part of SAMBA, IIRC). Not sure about OpenBSD. Also, once the user accounts are synchronized, you'd probably be able to tell a Kerberos client to talk to the AD server. I've never tried it, but it should work - more or less. See the info pages for heimdal on OpenBSD. Joachim
Re: OpenBSD/Linux centralized authentication
Hi,

mh, I haven't tested it yet, but I've heard that MS provides a kind of authentication service for Unix. But I recommend centralized authentication with OpenLDAP. I'm using it for OpenBSD and Linux.

On Mar 19, 2006, at 7:42 AM, Bruno Carnazzi wrote:
> Hi misc,
>
> At work, we are running a Microsoft Active Directory for our Windows
> Domain, who mainly provided Windows Desktop for our customers and
> centralized authentication. We have also several OpenBSD & Linux boxes
> for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> centralize these Unix authentication... Is there a way to authenticate
> directly over a MS Domain Controller ? How can this be achieved
> (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
> alternatives (building an OpenLDAP server, Kerberos, (we don't want
> NIS !)) ?
>
> Hope somebody has some advice to share,
>
> Best regards, Bruno.