Re: OpenBSD/Linux centralized authentication

2006-03-19 Thread Jurjen Oskam
On Sun, Mar 19, 2006 at 02:27:39PM -0800, Adam D. Morley wrote:

> MS AD provides MIT-ish KDC support, or so I hear.  I've never used it
> from the UNIX side, but I do know that Windows clients will willingly
> talk to a UNIX KDC, and I'm told the reverse is true.

Yes, you can authenticate against Active Directory using Kerberos. There
are some minor caveats (mostly regarding encryption algorithms), but as
far as the Unix clients are concerned it's just Kerberos. I've got some
AIX boxes authenticating against Active Directory; even password changing
from the AIX side works.

To get back to OpenBSD: this means that you can authenticate to Active
Directory using Kerberos. Services for Unix aren't necessarily needed.
-- 
Jurjen Oskam



Re: RAIDframe partitioning choices...

2006-03-19 Thread Anthony Howe

Joachim Schipper wrote:

On Fri, Mar 17, 2006 at 07:36:13PM +0100, Anthony Howe wrote:

Joachim Schipper wrote:

--wd0a--          --wd1a--
/ (bootable)      / (bootable)
/tmp              /tmp
/usr              /usr
/var              /var

--wd0d--          --wd1d--
raid0 (root)      raid0 (root)

  --raid0a-         --raid0a-
  /                 /
  /usr              /usr

Hmm - why include / and /usr again? OpenBSD will boot just fine off a
RAID array, even a failed one, provided you can get the kernel read
somehow.
You have to have a RAID slice with / and /usr.  If you mount just wd0a
for / and /usr then if wd0 dies you have to reboot to mount with
wd1a. If you happen to be a long way away from the console, then you're
toast, unless you went the extra distance and set up the backup fstab on
wd1a in advance.


If you have them in a RAID and a disk dies, you can continue to use
the system (degraded of course) without having to reboot until the new
disk and you are present at the console.


Maybe I don't understand, but how does it follow from the above that it
is useful to have a third and fourth copy?

I see the point in keeping / and /usr on RAID - the system will stay
running and come up even if one of the underlying disks fails.


How would you reboot a degraded system where wd0 containing your / &
/usr is dead? How would you reboot a system in order to reconstruct a
replacement? Maybe a full /usr is unnecessary, but what if you had to
rebuild the kernel for some reason before you could autoconfigure and
transfer to the RAID, when you only have the one machine at hand, which is
the one with the RAID? Both disks must be bootable and should have all
the tools you deem necessary to recover.


Now on smallish disks, installing more than just the base system might not
be possible (or necessary) spacewise, and so you have alternative recovery
methods ready (if you can remember where you put them), but when you're
talking 40G+ disks, then there is ample space. Today's hard disks are so
large that I worry how SOHO sites can afford suitable backup
solutions, but that'd be another discussion. The point being, if I'm
building a RAID, it's typically for large disks and I don't want to take
any chances being caught short when one of those disks dies, so I burn
one or two gigs for bootable self-sufficient rescue slices per disk.


--
Anthony C Howe          Skype: SirWumpus        SnertSoft
+33 6 11 89 73 78       AIM: SirWumpus          Sendmail Milter Solutions
http://www.snert.com/   ICQ: 7116561            http://www.snertsoft.com/



Re: Remote syslogging

2006-03-19 Thread Joachim Schipper
On Mon, Mar 20, 2006 at 01:00:58AM -0500, Nick Guenther wrote:
> Hi list,
> 
> I want to log things remotely (from a consumer-grade router running
> linux that keeps dying on me). I think the proper way to do this is to
> do "syslogd -u" but I am not sure because the manpage only vaguely
> mentions how insecure the -u option is and doesn't really explain it.
> I've found a page that describes using -u for OS X, and the linux
> manpage for sysklogd has a -r. RFC 3164 says "syslog uses the user
> datagram protocol (UDP) [1] as its underlying transport layer
> mechanism" so it seems like this is correct, but it seems odd.
> 
> If I just run syslogd like this on my home LAN what are the risks I
> need to think about? I can't think of any except maybe that if someone
> can get into the LAN then they can fill up my disks.
> 
> What other network logging 'solutions' are there, if any? Google only
> seems to know about syslog and IIS.

Syslog is nice, but the -u option has the disadvantage that effectively
everyone can syslog to you. pf(4) can solve that, but unless you
hardcode a MAC address (arp(4), arp(8)) this can be gotten around by
spoofing (since UDP does not have a 'handshake', it is possible to let
packets pretend to be from wherever you want).

Of course, a trusted network path (ipsec(4) and friends, for instance)
is also a good way to secure this.

There are some syslogd replacements that use TCP, or, even better, some
form of authentication. A few are in ports.

Joachim
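To make the two risks above concrete on the receiving side, here is an added example (not from the thread and not OpenBSD's syslogd): the per-datagram policy a custom UDP collector could apply, accepting only the router's address and capping bytes per source so a sender cannot fill the disk. The router address, datagrams and budget are constructed.

```python
import re
from dataclasses import dataclass, field

# RFC 3164: a message starts with "<PRI>" where PRI = facility*8 + severity,
# 0 <= PRI <= 191, written in decimal with no leading zeros (except "0").
PRI_RE = re.compile(rb"^<(0|[1-9][0-9]{0,2})>")
MAX_MSG_LEN = 1024          # RFC 3164 upper bound on a syslog packet


@dataclass
class SyslogGate:
    """Policy applied to each UDP datagram before it is written to disk.

    The source filter is an IP allowlist and therefore spoofable, exactly as
    the reply says; it belongs behind pf/static arp or IPsec, not instead of
    them. The byte budget bounds how much disk one source can consume.
    """
    allowed_sources: frozenset
    byte_budget: int
    used: dict = field(default_factory=dict)   # bytes accepted per source

    def decide(self, src_ip, datagram):
        """Return (accept, reason, parsed) for one datagram."""
        if src_ip not in self.allowed_sources:
            return False, "source not allowed", None
        if len(datagram) > MAX_MSG_LEN:
            return False, "oversized datagram", None
        m = PRI_RE.match(datagram)
        if not m:
            return False, "missing or malformed PRI", None
        pri = int(m.group(1))
        if pri > 191:
            return False, "PRI out of range", None
        spent = self.used.get(src_ip, 0) + len(datagram)
        if spent > self.byte_budget:
            return False, "byte budget exhausted", None
        self.used[src_ip] = spent
        parsed = {"facility": pri >> 3, "severity": pri & 7,
                  "msg": datagram[m.end():].decode("ascii", "replace")}
        return True, "ok", parsed


ROUTER = "192.168.1.1"   # constructed: the flaky router's LAN address
SAMPLE = [               # constructed datagrams, not taken from the thread
    (ROUTER, b"<14>Mar 20 01:00:58 router kernel: eth0: link down"),
    ("192.168.1.77", b"<14>Mar 20 01:00:59 laptop sshd[1]: hello"),
    (ROUTER, b"<999>garbage"),
]


def run_sample(budget=200):
    """Run the constructed datagrams through a fresh gate; returns decisions."""
    gate = SyslogGate(frozenset({ROUTER}), budget)
    return [gate.decide(src, d)[:2] for src, d in SAMPLE]


if __name__ == "__main__":
    for (src, d), verdict in zip(SAMPLE, run_sample()):
        print(src, verdict, d[:30])
```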



Re: restore question: is my dump hosed?

2006-03-19 Thread Joachim Schipper
On Mon, Mar 20, 2006 at 12:35:47AM -0500, Damian Gerow wrote:
> Thus spake Joachim Schipper ([EMAIL PROTECTED]) [20/03/06 00:34]:
> : Provided that you didn't do something strange when copying the dump, it
> : should - at least - be restorable on something that closely resembles
> : the platform it was taken on (FreeBSD-6.x).
> 
> I believe the default FS type in FreeBSD 6.x (and even in 5.x) is UFS2.
> Which, as I understand it, only has the beginnings of a framework being
> developed for OpenBSD.  And no, you can't restore a UFS2 dump on a UFS
> filesystem:
> 
> $ restore -ivf root.ufs2.dmp
> Verify tape and initialize maps
> Tape block size is 32
> restore: Tape is not a dump tape
> $

Not to be a prick, but that's pretty much what I pointed out in the
paragraph you snipped. ;-)

Also see undeadly.org for a writeup about UFS2.

Joachim



bgpd crash in snapshot of Mar 18 when use as route-reflector

2006-03-19 Thread Daniel Ouellet

I've got bgpd crashing and killing itself in the current snapshot of March 18.

It has happened twice so far, but I can't see why yet.

Here is the error message I got:

Mar 20 01:34:14 vcnam1 bgpd[18551]: fatal in SE: session_dispatch_imsg: pipe closed: Operation now in progress
Mar 20 01:34:14 vcnam1 bgpd[20582]: fatal in RDE: pipe write error: Broken pipe


bgpd.conf :

#macros
peer1="x.x.x.2"
peer2="x.x.x.3"
peer3="x.x.x.4"
peer4="x.x.x.5"

# global configuration
AS 
router-id x.x.x.8
listen on x.x.x.8

# neighbors and peers
group "peering AS" {
remote-as 
tcp md5sig password 
local-address x.x.x.8
announce all
multihop 5
softreconfig out yes
route-reflector
neighbor $peer1 {
descr   "iBGP to peer1"
}
neighbor $peer2 {
descr "iBGP to peer2"
}
neighbor $peer3 {
descr "iBGP to peer3"
}
neighbor $peer4 {
descr "iBGP to peer4"
}
}

# filter out prefixes longer than 32 or shorter than 8 bits
deny from any
allow from any prefixlen 8 - 32

# do not accept a default route
# deny from any prefix 0.0.0.0/0

# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4




Re: USB Scanner question

2006-03-19 Thread Antoine Jacoutot

On Sun, 19 Mar 2006, Navan Carson wrote:

Just out of curiosity, which model scanner do you have?  I'd never considered
looking for one that can scan via the LAN, but now that you mention it, that
sounds useful.


I own an Epson Perfection 1650. With all supported SANE scanners you 
should be able to scan via the LAN.


Regards,

--
Antoine



Remote syslogging

2006-03-19 Thread Nick Guenther
Hi list,

I want to log things remotely (from a consumer-grade router running
linux that keeps dying on me). I think the proper way to do this is to
do "syslogd -u" but I am not sure because the manpage only vaguely
mentions how insecure the -u option is and doesn't really explain it.
I've found a page that describes using -u for OS X, and the linux
manpage for sysklogd has a -r. RFC 3164 says "syslog uses the user
datagram protocol (UDP) [1] as its underlying transport layer
mechanism" so it seems like this is correct, but it seems odd.

If I just run syslogd like this on my home LAN what are the risks I
need to think about? I can't think of any except maybe that if someone
can get into the LAN then they can fill up my disks.

What other network logging 'solutions' are there, if any? Google only
seems to know about syslog and IIS.

Regards
-Nick



Re: restore question: is my dump hosed?

2006-03-19 Thread Damian Gerow
Thus spake Joachim Schipper ([EMAIL PROTECTED]) [20/03/06 00:34]:
: Provided that you didn't do something strange when copying the dump, it
: should - at least - be restorable on something that closely resembles
: the platform it was taken on (FreeBSD-6.x).

I believe the default FS type in FreeBSD 6.x (and even in 5.x) is UFS2.
Which, as I understand it, only has the beginnings of a framework being
developed for OpenBSD.  And no, you can't restore a UFS2 dump on a UFS
filesystem:

$ restore -ivf root.ufs2.dmp
Verify tape and initialize maps
Tape block size is 32
restore: Tape is not a dump tape
$


  - Damian
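A quick way to tell in advance whether a dump image is the UFS1 flavour OpenBSD's restore understands or the UFS2 flavour FreeBSD 5.x/6.x writes, as an added example that is not part of the thread. The record size, magic numbers, checksum constant and field offsets are those of the dump tape header (struct s_spcl in protocols/dumprestore.h); make_record builds constructed records for testing only.

```python
import struct

TP_BSIZE = 1024            # size of one dump tape record
NFS_MAGIC = 60012          # UFS1 dump magic, the only one OpenBSD 3.x restore accepts
UFS2_MAGIC = 0x19540119    # UFS2 dump magic, written by FreeBSD 5.x+ dump
CHECKSUM = 84446           # the 256 int32 words of a record must sum to this
TS_TAPE = 1                # c_type of the leading volume-label record
MAGIC_OFF = 24             # offset of c_magic in struct s_spcl
CKSUM_OFF = 28             # offset of c_checksum in struct s_spcl


def _sum_words(record, endian):
    """Sum the 256 32-bit words of a record modulo 2**32, as restore does."""
    words = struct.unpack(endian + "%dI" % (TP_BSIZE // 4), record)
    return sum(words) & 0xFFFFFFFF


def inspect_dump_header(record):
    """Classify the first TP_BSIZE bytes of a dump image.

    Returns a dict with the detected flavour ('ufs1', 'ufs2' or 'unknown'),
    whether the magic was found byte-swapped, the record type and whether the
    record checksum is valid. A 'ufs2' result means "Tape is not a dump tape"
    from an OpenBSD 3.x restore, regardless of how the file was copied.
    """
    if len(record) < TP_BSIZE:
        raise ValueError("dump image shorter than one tape record")
    record = record[:TP_BSIZE]
    result = {"flavour": "unknown", "swapped": False,
              "type": None, "checksum_ok": False}
    for endian in ("<", ">"):          # restore also tries the swapped magic
        magic = struct.unpack_from(endian + "i", record, MAGIC_OFF)[0]
        if magic == NFS_MAGIC:
            result["flavour"] = "ufs1"
        elif magic == UFS2_MAGIC:
            result["flavour"] = "ufs2"
        else:
            continue
        result["swapped"] = endian == ">"
        result["type"] = struct.unpack_from(endian + "i", record, 0)[0]
        result["checksum_ok"] = _sum_words(record, endian) == CHECKSUM
        break
    return result


def make_record(magic, rec_type=TS_TAPE, endian="<"):
    """Build a constructed, minimal record with a valid checksum (test data
    only; a real header carries dates, inode data and the volume label)."""
    buf = bytearray(TP_BSIZE)
    struct.pack_into(endian + "i", buf, 0, rec_type)
    struct.pack_into(endian + "i", buf, MAGIC_OFF, magic)
    partial = _sum_words(bytes(buf), endian)       # sum with c_checksum == 0
    struct.pack_into(endian + "I", buf, CKSUM_OFF, (CHECKSUM - partial) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(inspect_dump_header(f.read(TP_BSIZE)))
```

Run it as `python3 dumphdr.py root.ufs2.dmp` before reaching for restore.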



Re: USB

2006-03-19 Thread Lars Hansson
On Monday 20 March 2006 12:13, Dan Smythe wrote:
> uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev
> 0x01: irq 11
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered

Your machine only has USB 1.0 ports.

---
Lars Hansson



Re: USB

2006-03-19 Thread Jonathan Gray
On Sun, Mar 19, 2006 at 08:13:33PM -0800, Dan Smythe wrote:
> I have a USB DVD drive and a USB hard drive that are
> running slowly. In my dmesg (attached) it says that I
> am using USB 1.0. Is this a limitation of my hardware,
> or doesn't OpenBSD 3.8 have USB 2.0 support yet?
> 
> Thanks
> 
> --dmesg---
> 
> OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT
> 2005
>
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 752
> MHz

Your machine is too old to come standard with USB 2.
If you had a USB 2 capable system you would see ehci(4)
appear in your dmesg.



Re: restore question: is my dump hosed?

2006-03-19 Thread Joachim Schipper
On Sun, Mar 19, 2006 at 06:25:28PM -0600, [EMAIL PROTECTED] wrote:
> i made what i thought would be a fine backup of a freebsd-6.0 machine
> using dump. more specifically i issued a
> 
> # dump -0f - /usr | ssh -o 'EscapeChar none' [EMAIL PROTECTED] "cat >
> /usr/dumps/usr.fs"
> 
> this created usr.fs on my openbsd backup host. now that i'm trying to
> restore the dump on my backup host, which i now realize i should have
> tested prior to wiping the drive of the old machine, i am getting the
> following messages:
> 
> # cat usr.fs | restore -rf -
> restore: Tape is not a dump tape
> # restore -i usr.fs   
> restore: /dev/rst0: Device not configured
> 
> this is disheartening and makes me worried :(. i hope i have not hosed
> my backup, but i am inclined to say that i haven't broken anything
> since i've done this before when setting up CGD on netbsd (see
> http://www.s-mackie.demon.co.uk/unix-notes/NetBSD-CGD-Setup.html ) and
> there were no issues there. could there be some problem with a dump
> from freebsd-6.0 not restoring on openbsd-3.7, i.e. if i reinstalled
> freebsd-6.0 on another machine, could i restore the dumps?
> 
> thx for reading, quick replies appreciated.

While I do not know if Open- and FreeBSD are compatible in this regard -
though it makes little sense not to be, *unless* you were using a
filesystem that OpenBSD does not understand, it should work.

That being said, the proper syntax for restore is restore -rf usr.fs,
but while the first is another unnecessary use of cat, only the second
is really wrong. So that doesn't help either.

Provided that you didn't do something strange when copying the dump, it
should - at least - be restorable on something that closely resembles
the platform it was taken on (FreeBSD-6.x).

And, for the next time: tar is far more portable.

Joachim



USB

2006-03-19 Thread Dan Smythe
I have a USB DVD drive and a USB hard drive that are
running slowly. In my dmesg (attached) it says that I
am using USB 1.0. Is this a limitation of my hardware,
or doesn't OpenBSD 3.8 have USB 2.0 support yet?

Thanks

--dmesg---

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT
2005
   
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 752
MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 133648384 (130516K)
avail mem = 115331072 (112628K)
using 1657 buffers containing 6787072 bytes (6628K) of
memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 11/07/02,
BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 83%
apm0: AC on, battery charge high, charging, estimated
3:28 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbd80/176
(9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel
82371 ISA and IDE" rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev
0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev
0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Mobility M3" rev
0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100
emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cbb0 at pci0 dev 3 function 0 "Texas Instruments
PCI1420 CardBus" rev 0x00: irq 11
cbb1 at pci0 dev 3 function 1 "Texas Instruments
PCI1420 CardBus" rev 0x00: irq 11
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4
ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE"
rev 0x01: DMA, channel 0 wired to compatibility,
channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: 
SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev
0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x03 at pci0 dev 7 function
3 not configured
esa0 at pci0 dev 8 function 0 "ESS Maestro 3" rev
0x10: irq 5
ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel
3D
audio0 at esa0
xl0 at pci0 dev 16 function 0 "3Com 3c556 100Base-TX"
rev 0x10: irq 11, address 00:04:76:42:21:06
tqphy0 at xl0 phy 0: 78Q2120 10/100 PHY, rev. 11
"3Com V.90 Modem" rev 0x10 at pci0 dev 16 function 1
not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8,
lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 3 device 0 cacheline 0x8,
lattimer 0x20
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte
fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ef4d netmask ef4d ttymask ffcf
pctr: 686-class user-level performance counters
enabled
mtrr: Pentium Pro MTRR support
umass0 at uhub0 port 1 configuration 1 interface 0
umass0: Acer Labs USB 2.0 Storage Device, rev
2.00/1.03, addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets
cd1 at scsibus1 targ 1 lun 0: 
SCSI0 5/cdrom removable
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



Re: USB Scanner question

2006-03-19 Thread Navan Carson

Antoine Jacoutot wrote:

I, for one, am very happy with my Epson USB scanner. I can scan via USB and via
the LAN too.


Just out of curiosity, which model scanner do you have?  I'd never considered
looking for one that can scan via the LAN, but now that you mention it, that
sounds useful.



Re: CARP+pf+pfsync redundant firewalls running active/active doable?

2006-03-19 Thread Jason Stubbs

Jason Stubbs wrote:
From what I understand of the theory, it should work but I was hoping 
to get a "yes, I'm doing it" from somebody. Unless there's a reason it 
won't work, I'll be having a go and getting it set up in the first week 
of March and will write back with the results.


Ok, I had troubles and then looked at the supported solutions, but am 
still having the same problems. For reference, I now have a testing 
setup that is the same as the "something bigger" on the following page:


http://www.countersiege.com/doc/pfsync-carp/#big

However, pfsync is syncing too slow causing problems with state 
handling. With one client, one server and the two arp-balanced firewalls 
in between, essentially what's happening is:


* Client sends SYN packet to server public ip via firewall 1
* Firewall 1 switches the destination to the server's private ip and
  forwards the packet
* Server receives the packet and sends a SYN/ACK packet back to the
  client via firewall 2
* Firewall 2 forwards the packet as is to the client
* Client sends a RST to the server's private IP (which gets forwarded
  elsewhere due to the private ip being unroutable)
* Firewall 2 receives the state update from firewall 1
* Client sends another SYN packet to server public ip via firewall 1
* Firewall 1 NATs it, sends it to the server which replies with a
  SYN/ACK going via firewall 2 as before
* Firewall 2 now has the state and so un-NAT's it and sends it back to
  the client.
* Client ACK's the SYN/ACK and the connection is set up

I don't fully understand the reasons, but even though the connection is 
set up, the state on each firewall is now out of sync. On firewall 1 the 
state is CLOSED:SYN_SENT and on firewall 2 the state is 
SYN_SENT:ESTABLISHED.


If I turn off arp-balance, only the one firewall is used and the states 
are correctly synced on the other firewall. Connections are maintained 
when rebooting either firewall and fully synced again after booting.


Configuration on firewall 1 is as follows:

/etc/hostname.carp0
inet 192.168.1.201 255.255.255.0 192.168.1.255 vhid 1 pass carp0dev carpdev fxp0 advskew 0

/etc/hostname.carp1
inet 192.168.1.201 255.255.255.0 192.168.1.255 vhid 2 pass carp0dev carpdev fxp0 advskew 50

/etc/hostname.carp2
inet 10.0.0.1 255.255.0.0 10.0.255.255 vhid 3 pass carp2dev carpdev em1 advskew 0

/etc/hostname.carp3
inet 10.0.0.1 255.255.0.0 10.0.255.255 vhid 4 pass carp2dev carpdev em1 advskew 50


/etc/hostname.em0
inet 10.255.255.2 255.255.255.0 NONE

/etc/hostname.em1
inet 10.0.255.1 255.255.0.0 NONE

/etc/hostname.fxp0
inet 192.168.1.203 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev em0

/etc/pf.conf
ext_if="fxp0"
syn_if="em0"
int_if="em1"
srv_ip="192.168.1.201"
table  { 192.168.1.201 192.168.1.203 192.168.1.204 10.0.0.1 }
rdr on $ext_if proto tcp from any to 192.168.2.1 port ssh -> 10.0.1.1
pass quick on { $int_if $ext_if } proto carp
pass quick on { $syn_if } proto pfsync
pass in on $ext_if from ! to 10.0.1.1 keep state

/etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.carp.preempt=1
net.inet.carp.arpbalance=1

Configuration on firewall 2 is almost identical. The 0 and 50 are 
toggled on the carp devices. em0, em1 and fxp0 have their IPs 
incremented by 1. The firewall is wide open for testing. Closing 
everything but that which is absolutely necessary produces the same 
out-of-sync issue.


While I would ordinarily assume that the above is expected behaviour, 
the countersiege example indicates that it should be doable. Is there 
some step that I'm missing?


--
Jason Stubbs



Re: UPEK Fingerprint-Reader (ThinkPad Notebooks)

2006-03-19 Thread Theo de Raadt
> On Mon, Mar 20, 2006 at 01:00:57AM +0100, OpenBSD Prospect wrote:
> > Hi!
> > 
> > I was wondering, if anybody knows, if / when the embedded fingerprint 
> > reader 
> > of certain ThinkPad notebooks (like in my T42p) will be supported in 
> > OpenBSD, 
> > since UPEK already officially supports Linux & FreeBSD 
> > (http://www.upek.com/support/dl_freeBSD_bsp.asp)?
> > 
> > I assume, quite some OpenBSD devs are using ThinkPads as well, and being a 
> > security centered OS, it would make sense to have full use of equipment. ;-)
> > 
> > I am not a coder, so I have no idea, if it helps in any way, that a FreeBSD 
> > driver is available. If not, is any of the devs in contact with UPEK 
> > concerning expanding support to OpenBSD?
> 
> The library and PAM module they provide are both binary only
> with no hardware documentation.  This is of no use to us.

Jonathan, I am sure he knew that, because I am sure he downloaded them
and at least looked at them.

For those people who are happy with binary modules, I urge them to
stick to Windows or Linux where they will be far more happy.

For those people, being happy is just about accepting the compromises
you have made.

In that sense I am happy too.  I don't accept the compromise of vendor
lock-in, so I am totally thrilled with whatever devices we manage to
get to work.



Re: UPEK Fingerprint-Reader (ThinkPad Notebooks)

2006-03-19 Thread Jonathan Gray
On Mon, Mar 20, 2006 at 01:00:57AM +0100, OpenBSD Prospect wrote:
> Hi!
> 
> I was wondering, if anybody knows, if / when the embedded fingerprint reader 
> of certain ThinkPad notebooks (like in my T42p) will be supported in OpenBSD, 
> since UPEK already officially supports Linux & FreeBSD 
> (http://www.upek.com/support/dl_freeBSD_bsp.asp)?
> 
> I assume, quite some OpenBSD devs are using ThinkPads as well, and being a 
> security centered OS, it would make sense to have full use of equipment. ;-)
> 
> I am not a coder, so I have no idea, if it helps in any way, that a FreeBSD 
> driver is available. If not, is any of the devs in contact with UPEK 
> concerning expanding support to OpenBSD?

The library and PAM module they provide are both binary only
with no hardware documentation.  This is of no use to us.



Re: UPEK Fingerprint-Reader (ThinkPad Notebooks)

2006-03-19 Thread Theo de Raadt
> I was wondering, if anybody knows, if / when the embedded fingerprint reader 
> of certain ThinkPad notebooks (like in my T42p) will be supported in OpenBSD, 
> since UPEK already officially supports Linux & FreeBSD 
> (http://www.upek.com/support/dl_freeBSD_bsp.asp)?

Go ahead, recompile it.  And if you can, how can you call what they supply
as "official support"?

That is not documentation.

> I assume, quite some OpenBSD devs are using ThinkPads as well, and being a 
> security centered OS, it would make sense to have full use of equipment. ;-)

We don't have those machines, and there is no documentation.

Let me be clear that it really bugs me when the members of our 
user community send us such mails.

It doesn't matter that you can't code.  You could be talking to the
company in question and requesting documentation.

But no.  In the end it comes down to us doing all the politics, then
all the coding, and all the hardware purchases too, while we get sweet
words basically trying to mock us into doing it all for you.

I wish I didn't find it so condescending.



restore question: is my dump hosed?

2006-03-19 Thread dick
i made what i thought would be a fine backup of a freebsd-6.0 machine using
dump. more specifically i issued a

# dump -0f - /usr | ssh -o 'EscapeChar none' [EMAIL PROTECTED] "cat >
/usr/dumps/usr.fs"

this created usr.fs on my openbsd backup host. now that i'm trying to restore
the dump on my backup host, which i now realize i should have tested prior to
wiping the drive of the old machine, i am getting the following messages:

# cat usr.fs | restore -rf -
restore: Tape is not a dump tape
# restore -i usr.fs   
restore: /dev/rst0: Device not configured

this is disheartening and makes me worried :(. i hope i have not hosed my
backup, but i am inclined to say that i haven't broken anything since i've done
this before when setting up CGD on netbsd (see
http://www.s-mackie.demon.co.uk/unix-notes/NetBSD-CGD-Setup.html ) and there
were no issues there. could there be some problem with a dump from freebsd-6.0
not restoring on openbsd-3.7, i.e. if i reinstalled freebsd-6.0 on another
machine, could i restore the dumps?

thx for reading, quick replies appreciated.

jake



Re: CanSecWest/core06 Vancouver April 3-7

2006-03-19 Thread Jason George
>This conference currently costs $1546 USD!  :-(
>
>what moneybags loser is going to pay up so much just to go
>to a conference?
>
>buy yourself a nice computer, or hell, donate the money to
>openbsd.org instead! :-D
>
>drop a zero or two and it would be worth the trip
>

Clearly you've never been to a "DragosCon".

For what you can learn and who you could meet, it's actually a 
reasonably-priced event.  It's even cheaper if you commit early.

I've been a couple of times and would definitely go again if there were more 
talks like Eric Byres' upcoming presentation on SCADA.  The stuff that Halvar 
presents usually just makes my brain hurt.

It's a trade-off... I could go to a specialized ISA or IEEE event, spend less 
money on the conference, more money on travel and accommodations, and get less 
usable information, but haul in a dozen consulting leads.  Or I could go to 
Core, spend more money on registration, less on travel, have my head blown 
apart by all the next-gen ideas, and drink beer with a bunch of cyber-nerds at 
Brandy's.

--Jason



UPEK Fingerprint-Reader (ThinkPad Notebooks)

2006-03-19 Thread OpenBSD Prospect
Hi!

I was wondering, if anybody knows, if / when the embedded fingerprint reader 
of certain ThinkPad notebooks (like in my T42p) will be supported in OpenBSD, 
since UPEK already officially supports Linux & FreeBSD 
(http://www.upek.com/support/dl_freeBSD_bsp.asp)?

I assume, quite some OpenBSD devs are using ThinkPads as well, and being a 
security centered OS, it would make sense to have full use of equipment. ;-)

I am not a coder, so I have no idea, if it helps in any way, that a FreeBSD 
driver is available. If not, is any of the devs in contact with UPEK 
concerning expanding support to OpenBSD?

-- 
Sincerely,
Michael

An OpenBSD Prospect, who is actually using Gentoo Linux



ReinerSCT cyberjack pinpad USB (0x300) Smartcard-Reader

2006-03-19 Thread OpenBSD Prospect
Hi!

I have two of these devices, which work in Gentoo Linux using Harald Welte's 
open-source driver 
(http://support.reiner-sct.de/downloads/LINUX/V2.0.9/ctapi-cyberjack-2.0.9.tar.bz2).
 

I have an A-TRUST signature card, and I can login to my bank's online-banking, 
and I was hoping to use the certificate on that card also for signing / 
encrypting emails and documents (www.seccommerce.com has some free JAVA 
utilities on their website to access such a smartcard, and to digitally sign 
documents, for which the software can also be downloaded for free).

This actual GNU/Linux driver is working without a kernel module, accessing the 
unit over the usbfs in userspace. Therefore I thought this would make it 
easier for porting it over to *BSD, but unfortunately I found the 
following comment on Harald Welte's blog 
(http://gnumonks.org/~laforge/weblog/linux/cyberjack/index.html):

- cut -
One minor problem though is that both cyberjacks need asynchronous delivery of 
interrupt URB's, a feature that is not available by libusb. The libausb 
wrapper library that I developed for this purpose is specific to linux 
usbdevio, so the userspace driver won't be working on other libusb supported 
platforms such as *BSD :(
- cut -

I am not a coder, so I can not tell, if this makes a *BSD port impossible, 
or not (maybe Harald just isn't familiar with *BSD enough).

Does nobody here have such a smartcard reader? I think it should be quite 
popular here in Europe, because it is pretty cheap (I even got my two devices 
for free from my bank), they have MS Windows and Linux drivers available, and 
digital signatures will get pretty important in the near future (here in 
Austria they will be mandatory for invoices sent online from the beginning of 
next year).

-- 
Sincerely,
Michael

An OpenBSD Prospect, who is actually using Gentoo Linux



Re: bgpd error: route decision engine terminated; signal 11

2006-03-19 Thread Sylwester S. Biernacki
On Sunday, March 19, 2006, at 19:22:25, fabioFVZ wrote:

> Hello,
> I have a problem with my openbgpd (OpenBSD 3.8 from Original CD :) )

> After a random time, bgpd exits with this error:
[..]

> Any idea?  Many thanks
I have similar problems. Try updating obgpd to the current version via CVS.
It worked for me, and since then I first update to current and then
ask questions ;-)

regs,
-- 
Sylwester S. Biernacki <[EMAIL PROTECTED]>
X-NET, http://www.xnet.com.pl/



Re: OpenBSD/Linux centralized authentication

2006-03-19 Thread Adam D. Morley
On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
>   Hi misc,
> 
> At work, we are running a Microsoft Active Directory for our Windows
> Domain, who mainly provided Windows Desktop for our customers and
> centralized authentication. We have also several OpenBSD & Linux boxes
> for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> centralize these Unix authentication... Is there a way to authenticate
> directly over a MS Domain Controller ? How can this be achieved
> (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
> alternatives (building an OpenLDAP server, Kerberos, (we don't wan't
> NIS !)) ?

MS AD provides MIT-ish KDC support, or so I hear.  I've never used it
from the UNIX side, but I do know that Windows clients will willingly
talk to a UNIX KDC, and I'm told the reverse is true.  Authenticating
Windows clients from OpenBSD Heimdal works just lovely.

Microsoft does provide a Services for Unix package, but it used NIS the last
time I looked at it.

Your problems will most likely occur when mapping possibly long principal
names on Windows to the UNIX side, or getting the data from LDAP and
populating (either using scripts or an nss_ldap module) the user
accounts on the client side.

If you have simple account names on Windows, it's fairly straightforward
to use PAM or login to authenticate the password.  Google will find you
many resources on setting this up.

-- 
adam
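A constructed illustration of the principal-name mapping problem mentioned above (added here; not code from the thread, from Heimdal, or from any Kerberos library): it accepts a principal only from the expected realm, derives a local login from it, and refuses anything that would need truncation or would collide, so two long Windows names can never end up on one Unix account. The realm name, the length limit and the account set are constructed sample values.

```python
import re

# Constructed sample values; replace with your own realm and account data.
AD_REALM = "CORP.EXAMPLE.COM"
LOGIN_NAME_MAX = 31          # assumed local limit; check limits.h on the host
LOCAL_LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


class MappingError(Exception):
    """Principal cannot be mapped to a local account safely."""


def map_principal(principal, local_accounts, realm=AD_REALM,
                  max_len=LOGIN_NAME_MAX):
    """Map 'name@REALM' to an existing local login or raise MappingError.

    Deliberately strict, in the spirit of an auth_to_local policy:
      - exactly one '@'; the realm must match byte for byte (realms are
        case-sensitive in Kerberos, and a look-alike realm must not pass)
      - service principals such as host/x@REALM are never user logins
      - the local name is the lowercased primary with '.' turned into '_'
      - it must be a valid login, fit the length limit without truncation,
        and already exist in local_accounts (populated from LDAP by some
        other means, as the thread discusses)
    """
    if principal.count("@") != 1:
        raise MappingError("malformed principal: %r" % principal)
    primary, _, prealm = principal.partition("@")
    if prealm != realm:
        raise MappingError("foreign realm %r" % prealm)
    if "/" in primary or not primary:
        raise MappingError("not a user principal: %r" % primary)
    login = primary.lower().replace(".", "_")
    if not LOCAL_LOGIN_RE.match(login):
        raise MappingError("derived login %r is not a valid login name" % login)
    if len(login) > max_len:
        # Truncating here would silently merge distinct principals.
        raise MappingError("login %r exceeds %d characters; needs an explicit "
                           "mapping entry" % (login, max_len))
    if login not in local_accounts:
        raise MappingError("no local account %r" % login)
    return login


def is_mappable(principal, local_accounts, **kw):
    """Boolean form of map_principal() for callers that only need yes/no."""
    try:
        map_principal(principal, local_accounts, **kw)
        return True
    except MappingError:
        return False


def check_mapping_table(principals, local_accounts, **kw):
    """Map every principal up front and report collisions.

    Returns (mapping, problems): mapping is principal -> login for the ones
    that resolved uniquely; problems is a list of human-readable strings.
    A login claimed by two principals is removed from the mapping entirely.
    """
    mapping, seen, problems = {}, {}, []
    for p in principals:
        try:
            login = map_principal(p, local_accounts, **kw)
        except MappingError as e:
            problems.append("%s: %s" % (p, e))
            continue
        if login in seen:
            problems.append("%s and %s both map to %s" % (seen[login], p, login))
            mapping.pop(seen[login], None)
            continue
        seen[login] = p
        mapping[p] = login
    return mapping, problems
```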



Re: pppoe (through pcn) stopped working in mid-February

2006-03-19 Thread Alexander Farber
The kernel and the rest were out of sync -
that's why pppoe wasn't working.
Sorry for the wrong report.

On 3/9/06, Alexander Farber <[EMAIL PROTECTED]> wrote:
>
> I was following -current with my home gateway on a dual-CPU HP Kayak XAs
> (full dmesg attached), but since mid-February I'm unable to do it anymore,
> because when I boot a newly compiled kernel, I get these repeating messages:
>
> Mar  9 15:31:59 gate /bsd: pppoe0: phase network
> Mar  9 15:31:59 gate /bsd: pppoe0: phase terminate
> Mar  9 15:32:09 gate /bsd: pppoe0: phase dead
> Mar  9 15:32:09 gate /bsd: pppoe0: phase establish
> Mar  9 15:32:09 gate /bsd: pppoe0: phase dead
> Mar  9 15:32:10 gate /bsd: pppoe0: phase establish
> Mar  9 15:32:10 gate /bsd: pppoe0: up
> Mar  9 15:32:10 gate /bsd: pppoe0: phase network
> Mar  9 15:32:10 gate /bsd: pppoe0: phase terminate
> Mar  9 15:32:20 gate /bsd: pppoe0: phase dead
> Mar  9 15:32:20 gate /bsd: pppoe0: phase establish
> Mar  9 15:32:20 gate /bsd: pppoe0: phase dead
>
> and I just can't get my ADSL connection working
> until I move my old kernel back and reboot.
>
> With the old kernel I also often see theses messages,
> but they don't stop pppoe from working:
>
> Mar  8 15:57:13 gate /bsd: pcn0: framing error
> Mar  8 15:57:13 gate /bsd: pcn0: CRC error
> Mar  8 16:07:09 gate /bsd: pcn0: framing error
> Mar  8 16:07:09 gate /bsd: pcn0: CRC error
> Mar  8 16:42:11 gate /bsd: pcn0: framing error
> Mar  8 16:42:11 gate /bsd: pcn0: CRC error
> Mar  8 16:46:01 gate /bsd: pcn0: CRC error
> Mar  8 16:52:01 gate /bsd: pcn0: CRC error
> Mar  8 17:42:47 gate /bsd: pcn0: CRC error
> Mar  8 17:47:42 gate /bsd: pcn0: CRC error
> ..
> Mar  9 01:30:03 gate /bsd: Data modified on freelist: word 4 of object 
> 0xd114090
> 0 size 0xc0 previous type devbuf (0xdeadbeee != 0xdeadbeef)
> Mar  9 01:30:03 gate /bsd: Data modified on freelist: word 4 of object 
> 0xd0f5610
> 0 size 0xc0 previous type devbuf (0xdeadbeed != 0xdeadbeef)
> ...
> Mar  8 13:52:53 gate /bsd: piixpm0: timeout, status 0x1
> Mar  8 13:52:56 gate /bsd: piixpm0: timeout, status 0x1
> 
>
> Here is my /etc/hostname.pppoe0:
>
> pppoedev pcn0
> !/sbin/ifconfig pcn0 up
> !/usr/sbin/spppcontrol \$if myauthproto=pap \
> [EMAIL PROTECTED] myauthkey=XX
> !/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
> !/sbin/route add default 0.0.0.1
> up
>
> And my ifconfig with the new (not-working) kernel:
>
> lo0: flags=8049 mtu 33224
> groups: lo
> inet 127.0.0.1 netmask 0xff00
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
> pcn0: flags=8843 mtu 1500
> lladdr 00:10:83:34:8d:a6
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet6 fe80::210:83ff:fe34:8da6%pcn0 prefixlen 64 scopeid 0x1
> re0: flags=8843 mtu 1500
> lladdr 00:c0:49:fa:2b:c4
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
> inet6 fe80::2c0:49ff:fefa:2bc4%re0 prefixlen 64 scopeid 0x2
> ral0: flags=8843 mtu 1500
> lladdr 00:0e:2e:57:84:de
> media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
> status: active
> ieee80211: nwid OPENBSD chan 4 bssid 00:0e:2e:57:84:de 100dBm
> inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
> inet6 fe80::20e:2eff:fe57:84de%ral0 prefixlen 64 scopeid 0x3
> pflog0: flags=141 mtu 33224
> pfsync0: flags=0<> mtu 1460
> enc0: flags=0<> mtu 1536
> pppoe0: flags=8851 mtu 1492
> dev: pcn0 state: session
> sid: 0x1ba8 PADI retries: 0 PADR retries: 0 time: 00:00:05
> groups: pppoe egress
> inet 0.0.0.0 --> 0.0.0.1 netmask 0x
> inet6 fe80::210:83ff:fe34:8da6%pppoe0 ->  prefixlen 64 scopeid 0x8
>
> Does anybody please have any suggestions?
>
> Regards
> Alex
>
> PS: My /etc/pf.conf:
>
> ext_if="pppoe0"
> wlan_if="ral0"
> lan_if="re0"
> int_ports = "{ domain bootps 445 137 138 139 }"
> int_tcp_ports = "{ 8080 4000 www https smtp 995 587 }"
> ext_tcp_ports = "{ www https }"
> priv_nets = "{ 127/8 192.168/16 172.16/12 10/8 }"
>
> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> scrub in
> scrub out on pppoe0 random-id max-mss 1440
>
> # transparent squid cache
> rdr on $wlan_if inet proto tcp from $wlan_if:network \
> to ! $wlan_if port www -> 127.0.0.1 port 8080
> rdr on $lan_if inet proto tcp from $lan_if:network \
> to ! $lan_if port www -> 127.0.0.1 port 8080
>
> nat on $ext_if inet from $wlan_if:network to any -> ($ext_if)
> nat on $ext_if inet from $lan_if:network to any -> ($ext_if)
>
> block in log
> pass out keep state
>
> pass in quick on $ext_if proto { tcp udp } \
> from any to ($ext_if) user samba keep state
>
> block out quick log on $ext_if proto { tcp, udp } all user www
>
> block quick log on $ext_if to $priv_nets
> block drop quick on $ext_

Re: bgpd Error: route decision engine terminated; signal 11

2006-03-19 Thread Claudio Jeker
On Sun, Mar 19, 2006 at 07:07:28PM +0100, fabioFVZ wrote:
> Hello,
> I have a problem with my openbgpd (OpenBSD 3.8 from Original CD :) )
> 
> After a random time, bgpd exits with this error:
> 
> Mar 19 16:57:10 bgp bgpd[27773]: Lost child: route decision engine 
> terminated; 
> signal 11
> Mar 19 16:57:10 bgp bgpd[5216]: fatal in SE: session_dispatch_imsg: pipe 
> closed: No route to host
> Mar 19 16:57:12 bgp bgpd[27773]: kernel routing table decoupled
> Mar 19 16:57:12 bgp bgpd[27773]: Terminating
> 
> My conf is:
> 
> #macros
> peer1="xxx.xxx.xxx.xxx"
> 
> # global configuration
> AS X
> router-id yyy.yyy.yyy.yyy
> 
> network yyy.yyy.yyy.yyy/zz
> 
> neighbor $peer1 {
>  remote-as 12345
>  descr "net"
>  multihop 4
> }
> 
> deny from any
> allow from any prefixlen 8 - 24
> 
> deny from any prefix 0.0.0.0/0
> deny from any prefix 10.0.0.0/8 prefixlen >= 8
> deny from any prefix 172.16.0.0/12 prefixlen >= 12
> deny from any prefix 192.168.0.0/16 prefixlen >= 16
> deny from any prefix 169.254.0.0/16 prefixlen >= 16
> deny from any prefix 192.0.2.0/24 prefixlen >= 24
> deny from any prefix 224.0.0.0/4 prefixlen >= 4
> deny from any prefix 240.0.0.0/4 prefixlen >= 4
> ---
> 
> Any idea?  Many thanks
> 

There were many changes in the RDE in the last six months. Could you try a
-current bgpd and see if it happens again?

-- 
:wq Claudio



bgpd Error: route decision engine terminated; signal 11

2006-03-19 Thread fabioFVZ
Hello,
I have a problem with my openbgpd (OpenBSD 3.8 from Original CD :) )

After a random time, bgpd exits with this error:

Mar 19 16:57:10 bgp bgpd[27773]: Lost child: route decision engine terminated; 
signal 11
Mar 19 16:57:10 bgp bgpd[5216]: fatal in SE: session_dispatch_imsg: pipe 
closed: No route to host
Mar 19 16:57:12 bgp bgpd[27773]: kernel routing table decoupled
Mar 19 16:57:12 bgp bgpd[27773]: Terminating

My conf is:

#macros
peer1="xxx.xxx.xxx.xxx"

# global configuration
AS X
router-id yyy.yyy.yyy.yyy

network yyy.yyy.yyy.yyy/zz

neighbor $peer1 {
 remote-as 12345
 descr "net"
 multihop 4
}

deny from any
allow from any prefixlen 8 - 24

deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
---

Any idea?  Many thanks

FabioFVZ



Re: CanSecWest/core06 Vancouver April 3-7

2006-03-19 Thread Diana Eichert
People that work for large enterprises, that's who.  Besides I believe it
includes the cost of tutorials if I'm not mistaken.

I know conferences that cost more.

diana

On Sun, 19 Mar 2006, paul dansing wrote:

> This conference currently costs $1546 USD!  :-(
>
> what moneybags loser is going to pay up so much just to go
> to a conference?
>
> buy yourself a nice computer, or hell, donate the money to
> openbsd.org instead! :-D
>
> drop a zero or two and it would be worth the trip



Strange CPU load with rpldev/openbsd

2006-03-19 Thread Jan Engelhardt
Hello,


a user has reported high CPU usage in `top` when running rpld from
ttyrpld 2.12. It is repeatable with the current one (2.15), and it
seems to boil down to the read() function of the rpldev device, as I
have found out by placing getrusage() before and after the main read()
call in rpld. However, I cannot find anything that looks like a busy
wait in the kernel part (copy below), especially since the kernel code
is essentially the same for other BSDs, but neither FreeBSD nor NetBSD
shows high CPU usage.

Does anyone have an idea where it might be coming from? Is tsleep()
running a busywait?


Jan Engelhardt


--- ttyrpld-2.15/k_openbsd-3.8/rpldev.c ---
// return number of available bytes to read
static inline size_t avail_R(void);
// return minimum of the two
static inline unsigned int min_uint(unsigned int, unsigned int);
// circular buffer, read ptr and write ptr
static char *Buffer, *BufRP, *BufWP;
// Not part of this excerpt, defined elsewhere in rpldev.c:
//   static struct mutex Buffer_lock;              (guards Buffer/BufRP/BufWP)
//   static int circular_get(struct uio *, size_t); (copies out of the ring)

static int urpl_read(dev_t dev, struct uio *uio, int flags) {
    size_t count;
    int ret = 0;    /* initialised: the first "goto out" below otherwise
                       returned an indeterminate value */

    mtx_enter(&Buffer_lock);
    if(Buffer == NULL)
        goto out;

    /* nothing buffered: sleep until the writer wakes us, then re-check */
    while(BufRP == BufWP) {
        mtx_leave(&Buffer_lock);
        if(flags & IO_NDELAY)
            return EWOULDBLOCK;
        if((ret = tsleep(&Buffer, PCATCH, "rpldev", 0)) != 0)
            return ret;
        ret = 0;
        mtx_enter(&Buffer_lock);
        if(Buffer == NULL)
            goto out;
    }

    count = min_uint(uio->uio_resid, avail_R());
    ret   = circular_get(uio, count);
 out:
    mtx_leave(&Buffer_lock);
    return ret;
}
--- end excerpt ---



bgpd error: route decision engine terminated; signal 11

2006-03-19 Thread fabioFVZ
Hello,
I have a problem with my openbgpd (OpenBSD 3.8 from Original CD :) )

After a random time, bgpd exits with this error:

Mar 19 16:57:10 bgp bgpd[27773]: Lost child: route decision engine terminated; 
signal 11
Mar 19 16:57:10 bgp bgpd[5216]: fatal in SE: session_dispatch_imsg: pipe 
closed: No route to host
Mar 19 16:57:12 bgp bgpd[27773]: kernel routing table decoupled
Mar 19 16:57:12 bgp bgpd[27773]: Terminating

My conf is:

#macros
peer1="xxx.xxx.xxx.xxx"

# global configuration
AS X
router-id yyy.yyy.yyy.yyy

network yyy.yyy.yyy.yyy/zz

neighbor $peer1 {
 remote-as 12345
 descr "net"
 multihop 4
}

deny from any
allow from any prefixlen 8 - 24

deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
---

Any idea?  Many thanks

-- 
fabioFVZ
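The filter section of the configuration above only does what its author intends because of bgpd's rule evaluation order, so here is an added example (my own code, not bgpd's and not from this thread) that implements last-matching-rule-wins over exactly the rule forms used in that config and checks some constructed prefixes against them. It covers only `deny|allow from any` with optional `prefix` and `prefixlen` clauses, not the rest of the bgpd.conf grammar.

```python
import ipaddress
import operator

# The filter block of the bgpd.conf posted above, copied here so the
# example runs stand-alone.
FILTER_CONFIG = """\
deny from any
allow from any prefixlen 8 - 24

deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
"""

# prefixlen comparison operators accepted by bgpd.conf(5)
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def parse_rule(line):
    """Parse 'deny|allow from any [prefix P] [prefixlen OP N | prefixlen A - B]'."""
    tok = line.split()
    if len(tok) < 3 or tok[0] not in ("deny", "allow") or tok[1:3] != ["from", "any"]:
        raise ValueError("unsupported rule: %r" % line)
    rule = {"action": tok[0], "prefix": None, "len_test": None}
    i = 3
    while i < len(tok):
        if tok[i] == "prefix":
            rule["prefix"] = ipaddress.ip_network(tok[i + 1], strict=True)
            i += 2
        elif tok[i] == "prefixlen" and tok[i + 1] in OPS:
            op, n = OPS[tok[i + 1]], int(tok[i + 2])
            rule["len_test"] = lambda l, op=op, n=n: op(l, n)
            i += 3
        elif tok[i] == "prefixlen" and tok[i + 2] == "-":
            lo, hi = int(tok[i + 1]), int(tok[i + 3])
            rule["len_test"] = lambda l, lo=lo, hi=hi: lo <= l <= hi
            i += 4
        else:
            raise ValueError("unsupported syntax in %r" % line)
    return rule


def rule_matches(rule, net):
    """bgpd semantics: 'prefix P' alone is an exact match; together with a
    prefixlen clause it means 'covered by P' plus the length test."""
    p = rule["prefix"]
    if p is not None:
        if rule["len_test"] is None:
            return net == p
        if net.version != p.version or not net.subnet_of(p):
            return False
    if rule["len_test"] is not None and not rule["len_test"](net.prefixlen):
        return False
    return True


def evaluate(rules, prefix, default="allow"):
    """Return (action, index_of_deciding_rule) for one announced prefix.

    bgpd.conf(5): rules are evaluated in order and the last matching rule
    decides.  `default` is used only when nothing matches; it is irrelevant
    for the rule set above because its first rule matches every prefix.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    decision, index = default, None
    for i, rule in enumerate(rules):
        if rule_matches(rule, net):
            decision, index = rule["action"], i
    return decision, index


RULES = [parse_rule(l) for l in FILTER_CONFIG.splitlines() if l.strip()]

if __name__ == "__main__":
    # Constructed test prefixes; note that 192.168.0.0/15 passes, because
    # the deny rule only covers prefixes *inside* 192.168.0.0/16.
    for pfx in ("8.8.8.0/24", "10.1.0.0/16", "1.2.3.4/32", "0.0.0.0/0",
                "203.0.113.0/25", "192.168.0.0/15"):
        print("%-16s -> %s (rule %s)" % ((pfx,) + evaluate(RULES, pfx)))
```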



Re: RAIDframe parity errors and rebuild

2006-03-19 Thread Greg Oster
"David Wilk" writes:
> this was exactly my thought.  I was hoping someone would have some
> 'official' knowledge, or opinion.  I still can't get over having to
> wait several hours for my root partition to become available after an
> improper shutdown.
> 
> On 3/18/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > On Sat, Mar 18, 2006 at 12:59:30PM +0200, Antonios Anastasiadis wrote:
> > > I had the same question, and just changed the relevant line in /etc/rc
> > > adding '&' in the end:
> > >
> > > raidctl -P all &
> >
> > Then again, why is this not the default? Are you certain this actually
> > works?
> >
> > Joachim

If you want to be 100% paranoid, then you want to wait for the 
'raidctl -P all' to update all parity before starting even fsck's.
There *is* a non-zero chance that the parity might be out-of-sync 
with the data, and should a component die before that parity has been 
updated, then you could end up reading bad data.  This can happen 
even if the filesystem has been checked.  What are the odds of this 
happening?  Pretty small.

If 'raidctl -P all &' is run, then the larger problem is both fsck 
and raidctl will be fighting for disk cycles -- i.e. the fsck will 
take longer to complete.  On more "critical" systems, this is how I 
typically have things set up (I'm willing to risk it that I'm not 
going to have a disk die during the minutes that it takes to do the 
fsck).

On less critical boxes, I've got a "sleep 3600" before the 'raidctl 
-P', so that the parity check doesn't get in the way of the fsck or 
the system coming up... about an hour after it comes up, the disks 
are then checked...

It's one of those "what are the odds" games... allowing the raidctl 
to run in the background seems to have the right mix of paranoia and 
practicality... 

Later...

Greg Oster



Re: tcpdump needs no root privileges

2006-03-19 Thread Otto Moerbeek
On Sun, 19 Mar 2006, eric wrote:

> On Sun, 2006-03-19 at 20:18:11 +0300, Alex B proclaimed...
> 
> > Hello.
> > 
> > Yes, I'm certain. It is the first check after start. So, it doesn't
> > depend on my
> > command line.
> > 
> > Take a look at "Privilege separation",
> > http://undeadly.org/cgi?action=article&sid=20040220120426
> > 
> 
> It worked till 3.7.
> 
> $ id
> uid=1002(eric) gid=20(staff) groups=20(staff), 0(wheel), 
> 
> $ tcpdump -nr foo.cap | wc -l
>  124
> 
> $ uname -a
> OpenBSD foo 3.7 GENERIC#50 i386

This has been changed for a good reason.

To provide maximum protection, the unprivileged process of tcpdump
needs to run in a chroot. To be able to chroot, it needs root.

Many people believe reading a packet dump is less dangerous than
reading from a network interface. This is a myth.

-Otto
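The chroot requirement Otto describes, as an added example (not tcpdump's privsep.c, which is C; this is illustrative Python with a constructed chroot directory and user name): it shows the order in which a privilege-separated worker confines itself, why the root check comes first, and how to verify that the drop cannot be undone before any untrusted bytes, file or interface, are decoded.

```python
import os
import pwd
import sys

# Constructed sample values for this example; tcpdump makes its own choices.
CHROOT_DIR = "/var/empty"
PRIVSEP_USER = "nobody"
NEED_ROOT = "need root privileges"   # the message the original poster saw


class PrivsepError(Exception):
    """Confinement could not be established; do not parse anything."""


def preflight(chroot_dir, user, euid=None):
    """Return None if confine() could proceed, else the reason it would refuse.

    Side-effect free, so it can be tested with a chosen euid.  The root check
    comes first: chroot(2) is root-only, so without root there is no way to
    confine the parser, which is why the tool refuses instead of silently
    running unconfined, even when the input is only a pcap file.
    """
    if euid is None:
        euid = os.geteuid()
    if euid != 0:
        return NEED_ROOT
    try:
        pwd.getpwnam(user)
    except KeyError:
        return "no such user: %s" % user
    if not os.path.isdir(chroot_dir):
        return "no such directory: %s" % chroot_dir
    return None


def confine(chroot_dir=CHROOT_DIR, user=PRIVSEP_USER):
    """Lock the calling process into chroot_dir as `user`; returns the new uid.

    The order is what makes this work: chroot while still root, then drop
    supplementary groups, gid and finally uid, so nothing is left to climb
    back on.  The last step verifies that the drop is irreversible.
    """
    reason = preflight(chroot_dir, user)
    if reason is not None:
        raise PrivsepError(reason)
    pw = pwd.getpwnam(user)
    try:
        os.chroot(chroot_dir)
        os.chdir("/")
        os.setgroups([pw.pw_gid])
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)
    except OSError as e:
        raise PrivsepError("could not confine: %s" % e)
    try:
        os.setuid(0)
    except PermissionError:
        return pw.pw_uid            # good: root is gone for good
    raise PrivsepError("still able to regain root; refusing to continue")


if __name__ == "__main__":
    # Skeleton of the two-process layout: the parent keeps its privileges
    # (it would open the capture and hand the descriptor down); the child
    # is confined before it decodes a single byte.
    reason = preflight(CHROOT_DIR, PRIVSEP_USER)
    if reason is not None:
        sys.exit("refusing to start: %s" % reason)
    pid = os.fork()
    if pid == 0:
        try:
            confine()
        except PrivsepError:
            os._exit(1)
        # ... decode untrusted packets here ...
        os._exit(0)
    _, status = os.waitpid(pid, 0)
    sys.exit(os.WEXITSTATUS(status))
```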



Re: tcpdump needs no root privileges

2006-03-19 Thread eric
On Sun, 2006-03-19 at 20:18:11 +0300, Alex B proclaimed...

> Hello.
> 
> Yes, I'm certain. It is the first check after start. So, it doesn't
> depend on my
> command line.
> 
> Take a look at "Privilege separation",
> http://undeadly.org/cgi?action=article&sid=20040220120426
> 

It worked till 3.7.

$ id
uid=1002(eric) gid=20(staff) groups=20(staff), 0(wheel), 

$ tcpdump -nr foo.cap | wc -l
 124

$ uname -a
OpenBSD foo 3.7 GENERIC#50 i386



Re: tcpdump needs no root privileges

2006-03-19 Thread Alex B
Hello.

Yes, I'm certain. It is the first check after start. So, it doesn't
depend on my
command line.

Take a look at "Privilege separation",
http://undeadly.org/cgi?action=article&sid=20040220120426

I've found commit:
revision 1.22
 date: 2005/09/23 15:42:51;  author: otto;  state: Exp;  lines: +24 -30
 Only allow root to run tcpdump. It's needed for the chroot security.
 ok moritz@ deraadt@

On 3/19/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 19, 2006 at 07:43:46PM +0300, Alex B wrote:
> > Hello.
> >
> > When started from user, tcpdump complains: "need root privileges", even
> > if I want it to read packets from regular file.
> > Error is located in privsep.c.
> > It may be more secure to start tcpdump from user to decode packets.
>
> Are you really certain? I've used tcpdump as non-root and ISTR it working 
> fine.
> What was the command line you used?
>
> Joachim
>
>

--
WBR, Alex V Breger



Re: tcpdump needs no root privileges

2006-03-19 Thread Sigfred Håversen

Joachim Schipper wrote:

> On Sun, Mar 19, 2006 at 07:43:46PM +0300, Alex B wrote:
> > Hello.
> >
> > When started from user, tcpdump complains: "need root privileges", even if I
> > want it to read packets from regular file.
> > Error is located in privsep.c.
> > It may be more secure to start tcpdump from user to decode packets.
>
> Are you really certain? I've used tcpdump as non-root and ISTR it working fine. 
> What was the command line you used?
>
> Joachim


On tech@ there is thread "non-root tcpdump filtering broken?" dated end of
september last year about this.

/Sigfred



Re: tcpdump needs no root privileges

2006-03-19 Thread jared r r spiegel
On Sun, Mar 19, 2006 at 05:59:23PM +0100, Joachim Schipper wrote:
> On Sun, Mar 19, 2006 at 07:43:46PM +0300, Alex B wrote:
> > Hello.
> > 
> > When started from user, tcpdump complains: "need root privileges", even if I
> > want it to read packets from regular file.
> > Error is located in privsep.c.
> > It may be more secure to start tcpdump from user to decode packets.
> 
> Are you really certain? I've used tcpdump as non-root and ISTR it working 
> fine. What was the command line you used?

  maybe this thread is still relevant to this:

http://marc.theaimsgroup.com/?t=10798040483&r=1&w=2

-- 

  jared

[ openbsd 3.9-current GENERIC ( mar 15 ) // i386 ]



Re: tcpdump needs no root privileges

2006-03-19 Thread Joachim Schipper
On Sun, Mar 19, 2006 at 07:43:46PM +0300, Alex B wrote:
> Hello.
> 
> When started from user, tcpdump complains: "need root privileges", even if I
> want it to read packets from regular file.
> Error is located in privsep.c.
> It may be more secure to start tcpdump from user to decode packets.

Are you really certain? I've used tcpdump as non-root and ISTR it working fine. 
What was the command line you used?

Joachim



tcpdump needs no root privileges

2006-03-19 Thread Alex B
Hello.

When started from user, tcpdump complains: "need root privileges", even if I
want it to read packets from regular file.
Error is located in privsep.c.
It may be more secure to start tcpdump from user to decode packets.

--
WBR, Alex V Breger



Re: RAIDframe parity errors and rebuild

2006-03-19 Thread David Wilk
this was exactly my thought.  I was hoping someone would have some
'official' knowledge, or opinion.  I still can't get over having to
wait several hours for my root partition to become available after an
improper shutdown.

On 3/18/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Sat, Mar 18, 2006 at 12:59:30PM +0200, Antonios Anastasiadis wrote:
> > I had the same question, and just changed the relevant line in /etc/rc
> > adding '&' in the end:
> >
> > raidctl -P all &
>
> Then again, why is this not the default? Are you certain this actually
> works?
>
> Joachim



Re: OpenBSD/Linux centralized authentication

2006-03-19 Thread Axton
On 3/19/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
> >   Hi misc,
> >
> > At work, we are running a Microsoft Active Directory for our Windows
> > Domain, who mainly provided Windows Desktop for our customers and
> > centralized authentication. We have also several OpenBSD & Linux boxes
> > for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> > centralize these Unix authentication... Is there a way to authenticate
> > directly over a MS Domain Controller ? How can this be achieved
> > (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
> > alternatives (building an OpenLDAP server, Kerberos, (we don't wan't
> > NIS !)) ?
> >
> > Hope somebody has some advice to share,
>
> There are many, many solutions. If it's just servers with a limited
> number of accounts, rdist(8) works just fine, and saves a lot of
> complicated stuff that takes time to set up and breaks occasionally. It
> could be scripted if you want to fully automate something.
>
> For a more complete solution, I am pretty sure there is a Linux PAM
> module to authenticate against their AD implementation (it's part of
> SAMBA, IIRC). Not sure about OpenBSD.
>
> Also, once the user accounts are synchronized, you'd probably be able to
> tell a Kerberos client to talk to the AD server. I've never tried it,
> but it should work - more or less. See the info pages for heimdal on
> OpenBSD.
>
>Joachim
>
>

Active Directory has an LDAP interface on the domain controllers.  You
could opt to authenticate directly against the AD tree, or replicate
the tree entirely or partially to OpenLDAP and manage/use that tree. 
It seems that some LDAP implementations have problems replicating password
information, though I can't remember the specifics.

This page has a little info that may help:
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes

Axton Grams



Re: CanSecWest/core06 Vancouver April 3-7

2006-03-19 Thread paul dansing
This conference currently costs $1546 USD!  :-(

what moneybags loser is going to pay up so much just to go
to a conference?

buy yourself a nice computer, or hell, donate the money to
openbsd.org instead! :-D

drop a zero or two and it would be worth the trip


Tuesday, March 7, 2006, 8:45:30 PM, you wrote:

> The call for papers is now closed and the proposals have been reviewed
> for the CanSecWest/core06 Applied Technical Security Conference held
> on April 5-7 2006 at the Marriott Renaissance Harbourside in Vancouver,
> B.C. Canada.

> The selected submissions are :

>An hour of Rap and Comedy about SAP - Steve Lord
>Next Generation Sebek - Edward Balas - Indiana University
>RF Bugsweeping - Tim Johnson - Technical Security Consultants Inc.
>Magstripe Madness - Major Malfunction
>Metasploitation (and a dash of IPS) - HD Moore - BreakingPoint
>Carrier VoIP Security - Nico Fischbach - COLT
>Attacking VoIP Networks - Hendrik Scholz - Freenet Cityline GmbH
>Security Issues Related to Pentium System Management Mode - Loïc Duflot
>Advancements in Anonymous eAnnoyance - Christopher Abad - Cloudmark
>Real Time Threat Mitigation Techniques - Josh Ryder - University of Alberta
>Stunt Profiling: Securing a System While You Wait - Crispin Cowan - Novell
>Visualizing Source Code for Auditing - Lisa Thalheim
>Attacking Web Services - Alex Stamos, Scott Stender - iSEC Partners
>Reverse Engineering Microsoft Binaries - Alexander Sotirov - Determina
>Zen and the art of collecting and analyzing Malware - Fred Arbogast and
> Sascha Rommelfangen - S.E.S. Astra
>How to test an IPS - Renaud Bidou - RADWare
>Insiders View: Network Security Devices - Dennis Cox - BreakingPoint
>More on Uninitialized Variables - Halvar Flake
>Eric Byres - SCADA - BCIT
>Panel Discussion - Vulnerability Commercialization
>Terri Forslof, 3Com, Manager of Security Response
>Michael Sutton iDefense Labs, Director of iDEFENSE Labs
>Others TBA
>Vendor Elevator Focus Groups
> David Meltzer, Cambia
> Ofir Arkin, Insightix
> Others TBA
>Lightning Talks

> Some talks from the PacSec/core05 conference in Tokyo in November and
> the EUSecWest/core06 conference in London during February were highly
> rated and have been invited for encore presentations at CanSecWest:

>Attacking the IPv6 protocol suite - van Hauser - THC / n.runs GmbH
>Protecting the Infrastructure - Jim DeLeskie & Danny McPherson - Teleglobe,
> Arbor Networks

> Security Masters Dojo Courses 
> April 3-5 Vancouver

>Network Reconnaissance with Nmap 4 - Fyodor & Doug Hoyte
>Network Vulnerability Scanning: Turning Nessus into Metasploit - Renaud
> Deraison & Nicolas Pouvesle
>Reverse Engineering: Rapid Bug Discovery and Input Crafting - Halvar
>Assembly for Exploit Writing - Gerardo Richarte
>Advanced IDS Deployment and Optimization - Marty Roesch
>Advanced Honeypot Tactics - Thorsten Holz
>Mastering the network with Scapy - Philippe Biondi
>Securing your critical Cisco network infrastructure - Nico Fischbach
>Practical 802.11 WiFi (In)Security - Cédric Blancher
>Bluetooth Auditing and Technology - Martin Herfurt, Adam Laurie, Marcel
> Holtmann

> Conference registration on line can be found at: 
> http://cansecwest.com/register.html

> Security Masters Dojo Vancouver registration can be found at
> http://cansecwest.com/dojo.html

> cheers,
> --dr



Queueing + load balancing for multiple outside connections

2006-03-19 Thread Heiner Péter
Hi all,

I have a machine that has 4 NICs: one to an ISP, one to a router that connects 
to another ISP, one for the LAN, one for the DMZ.
I did host-based traffic rate limiting in both directions, which worked fine 
with 1 external NIC. Recently a second line was bought because it was cheaper 
than additional bandwidth on the other line.

How can I make the two lines 'act as one' so I can maintain rate restrictions 
and meanwhile balance traffic?

I've looked at trunk, pf load balancing, and the like.

Peter



Access to serial port under linux emulation

2006-03-19 Thread Andreas Bihlmaier
Hi misc@,
I need to run flip[1], which is written in tcl/tk and only available as
binary for linux. I need it to program Atmel 8051 micro controllers.
Flip runs fine under linux emulation (after copying the included libs to
/emul/linux/lib), but I get an error message when trying to access the
serial ports (to which the mc board is connected).

I already created a horde of symlinks (after reading compat_linux(8))
and googled for about 3h now, but I can't get it to work:
NOTE: I'm using a (working) usb->serial adapter

#ls -l /emul/linux/dev | grep tty[A-Z]
lrwxr-xr-x  1 root  wheel10B Mar 19 11:23 ttyS0@ -> /dev/ttyU0
lrwxr-xr-x  1 root  wheel10B Mar 19 14:00 ttyS1@ -> /dev/ttyU0
lrwxr-xr-x  1 root  wheel10B Mar 19 11:23 ttyU0@ -> /dev/ttyU0

#ls -l /dev/{cua,tty}[US]0
crwxrwxrwx  1 ahbabe  ahbabe   66, 128 Mar 15 08:44 /dev/cuaU0*
lrwxr-xr-x  1 rootwheel 10 Jul  2  1987 /dev/ttyS0@ -> /dev/ttyU0
crwxrwxrwx  1 ahbabe  ahbabe   66,   0 Jul  2  1987 /dev/ttyU0*

Error message in flip:
can't read "flipStates(comList)": no such element in array
while executing
"if { $flipStates(comList) == "" } {
tk_messageBox  -message "There is no available serial port\n on your platform. 
Please fix the problem then\n resta..."
(procedure "initProtocol" line 15)
invoked from within
"initProtocol "RS232Standard""
invoked from within
".menubar.settings.comm invoke active"
("uplevel" body line 1)
invoked from within
"uplevel #0 [list $w invoke active]"
(procedure "tkMenuInvoke" line 31)
invoked from within
"tkMenuInvoke .menubar.settings.comm 1

I would appreciate any help because I need to get this to work for
school.

Btw: I tried to use qemu with "-serial /dev/ttyU0", but this always
results in (also as almighty root):
qemu: could not open serial device '/dev/ttyS0'

[1] http://www.atmel.com/dyn/products/tools_card.asp?tool_id=2767

Thanks,
ahb

p.s. Did I include all necessary information?



Re: problem compiling ports, 3.8 stable

2006-03-19 Thread Ramiro Aceves

> expat-1.95.6.tar.gz doesn't seem to exist on this system.
> Attempting to fetch /usr/ports/distfiles/expat-1.95.6.tar.gz from
> http://ovh.dl.sourceforge.net/sourceforge/expat/.
> Size does not match for /usr/ports/distfiles/expat-1.95.6.tar.gz
> *** Error code 2

Hello, the same occurred here yesterday. I solved it by installing the expat 
package with pkg_add.


Regards.

Ramiro.



Re: OpenBSD/Linux centralized authentication

2006-03-19 Thread Joachim Schipper
On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
>   Hi misc,
> 
> At work, we are running a Microsoft Active Directory for our Windows
> Domain, who mainly provided Windows Desktop for our customers and
> centralized authentication. We have also several OpenBSD & Linux boxes
> for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> centralize these Unix authentication... Is there a way to authenticate
> directly over a MS Domain Controller ? How can this be achieved
> (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
> alternatives (building an OpenLDAP server, Kerberos, (we don't wan't
> NIS !)) ?
> 
> Hope somebody has some advice to share,

There are many, many solutions. If it's just servers with a limited
number of accounts, rdist(8) works just fine, and saves a lot of
complicated stuff that takes time to set up and breaks occasionally. It
could be scripted if you want to fully automate something.

For a more complete solution, I am pretty sure there is a Linux PAM
module to authenticate against their AD implementation (it's part of
SAMBA, IIRC). Not sure about OpenBSD.

Also, once the user accounts are synchronized, you'd probably be able to
tell a Kerberos client to talk to the AD server. I've never tried it,
but it should work - more or less. See the info pages for heimdal on
OpenBSD.

Joachim



Re: OpenBSD/Linux centralized authentication

2006-03-19 Thread Karl-Ludwig Reinhard

Hi,
mh, I haven't tested it yet, but I've heard that MS provides a kind of  
authentication service for Unix. But I recommend a centralized  
authentication with OpenLDAP. I'm using it for OpenBSD and Linux.

On Mar 19, 2006, at 7:42 AM, Bruno Carnazzi wrote:

>   Hi misc,
>
> At work, we are running a Microsoft Active Directory for our Windows
> Domain, who mainly provided Windows Desktop for our customers and
> centralized authentication. We have also several OpenBSD & Linux boxes
> for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> centralize these Unix authentication... Is there a way to authenticate
> directly over a MS Domain Controller ? How can this be achieved
> (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
> alternatives (building an OpenLDAP server, Kerberos, (we don't wan't
> NIS !)) ?
>
> Hope somebody has some advice to share,
>
> Best regards,
>
> Bruno.