Re: aliases with carp

2006-04-12 Thread Falk Brockerhoff

On 11.04.2006 at 13:19, Henning Brauer wrote:


this is not a freebsd list.


Yes, I know. But as I read the mail from Gustavo I thought this may
be a general carp issue and not a freebsd specific one. This is why I
wrote to the list.



they are, for their specific addresses. They do not match.


Sorry, my fault: I made a typo in my mail:

"Master":
ifconfig_carp0="vhid 1 pass secretpassword 192.168.0.2 netmask 255.255.255.128"

ifconfig_carp0_alias0="inet 192.168.0.10 netmask 255.255.255.128"
ifconfig_carp0_alias1="inet 192.168.0.11 netmask 255.255.255.128"

"Backup":
ifconfig_carp0="vhid 1 advskew 100 pass secretpasswort 192.168.0.2 netmask 255.255.255.128"

ifconfig_carp0_alias0="inet 192.168.0.10 netmask 255.255.255.128"
ifconfig_carp0_alias1="inet 192.168.0.11 netmask 255.255.255.128"

Regards,

Falk Brockerhoff



Assembly Language Programs

2006-04-12 Thread Alessandro Coppelli

Hi to all.
I am interested in developing little
assembly language programs.

I read the article written by Thomas Sommers
( http://user.nj.net/~tms/hello.html )
I followed author's instructions but at the end of compilation

  as -o .o .s
  ld -o  .o

what I have is

 #./
 #ksh: Operation not permitted


 Someone knows what is happening ?

Ale



Re: Assembly Language Programs

2006-04-12 Thread Julien Cabillot
chmod +x  ?

On 4/12/06, Alessandro Coppelli <[EMAIL PROTECTED]> wrote:
>
> Hi to all.
> I am interested in developing little
> assembly language programs.
>
> I read the article written by Thomas Sommers
> ( http://user.nj.net/~tms/hello.html )
> I followed author's instructions but at the end of compilation
>
>as -o .o .s
>ld -o  .o
>
> what I have is
>
>   #./
>   #ksh: Operation not permitted
>
>
>   Someone knows what is happening ?
>
> Ale
>
>


--
Julien Cabillot



Re: Assembly Language Programs

2006-04-12 Thread Ash Williams
On 12/04/06, Alessandro Coppelli <[EMAIL PROTECTED]> wrote:
> Hi to all.
> I am interested in developing little
> assembly language programs.
>
> I read the article written by Thomas Sommers
> ( http://user.nj.net/~tms/hello.html )
> I followed author's instructions but at the end of compilation
>
>as -o .o .s
>ld -o  .o
>
> what I have is
>
>   #./
>   #ksh: Operation not permitted
>
>
>   Someone knows what is happening ?

I've not done any ASM on OpenBSD although I have a bit of experience
with FreeBSD. Have you looked at the syscalls located in
/usr/src/sys/kern/syscalls.master - these may differ from the syscalls
FreeBSD uses.

> Ale



Re: Assembly Language Programs

2006-04-12 Thread Nick Guenther
On 4/12/06, Alessandro Coppelli <[EMAIL PROTECTED]> wrote:
> Hi to all.
> I am interested in developing little
> assembly language programs.
>
> I read the article written by Thomas Sommers
> ( http://user.nj.net/~tms/hello.html )
> I followed author's instructions but at the end of compilation
>
>as -o .o .s
>ld -o  .o
>
> what I have is
>
>   #./
>   #ksh: Operation not permitted

One guess is that it's trying to call something besides write().
Another is that perhaps you are giving it the wrong file descriptor to
write() to.

Try disassembling the program to see if it matches what you typed in.

If using the # is just for show and it's actually $, then try sudo
./ and see if it was a permissions problem.

-Nick



Re: Assembly Language Programs

2006-04-12 Thread Janne Johansson

Alessandro Coppelli wrote:

Hi to all.
I am interested in developing little
assembly language programs.

I read the article written by Thomas Sommers
( http://user.nj.net/~tms/hello.html )
I followed author's instructions but at the end of compilation

  as -o .o .s
  ld -o  .o

what I have is

 #./
 #ksh: Operation not permitted


 Someone knows what is happening ?

Ale



Either you haven't set the x-flag on the binary, or the partition
where you are is mounted with noexec, is my guess.



Re: Assembly Language Programs

2006-04-12 Thread David Terrell
On Wed, Apr 12, 2006 at 05:45:30PM +1000, Ash Williams wrote:
> > what I have is
> >
> >   #./
> >   #ksh: Operation not permitted
> >
> >
> >   Someone knows what is happening ?
> 
> I've not done any ASM on OpenBSD although I have a bit of experience
> with FreeBSD. Have you looked at the syscalls located in
> /usr/src/sys/kern/syscalls.master - these may differ from the syscalls
> FreeBSD uses.

You're correct.  If you really feel like continuing to waste your time
with this nonsense, skip to step two which uses the C library to call
functions instead of hardcoded system call numbers.



Re: amd64 support for D-Link DFE-580TX Quad Port Ethernet Card

2006-04-12 Thread Siju George
On 4/10/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2006/04/10 15:48, Siju George wrote:
> > D-Link DFE-570TX Quad port
>
>Incidentally D-Link are in the doghouse at the moment for selling
>consumer routers configured to query a number of stratum-1 NTP
>timeservers intended for restricted use:   (not just phk's).
>
> (Routerboard list a distributor in Hyderabad - wispindia.com -
> looking at posts to soekris-tech certainly some Soekris products
> are available in India too).
>

Thank you so much Stuart for your detailed info :-)

Good luck

Kind Regards

Siju



Re: Assembly Language Programs

2006-04-12 Thread Stefan Kell
> --- Original Message ---
> From: David Terrell <[EMAIL PROTECTED]>
> To: Ash Williams <[EMAIL PROTECTED]>
> Cc: misc@openbsd.org
> Subject: Re: Assembly Language Programs
> Date: Wed, 12 Apr 2006 03:14:33 -0500
> 
> On Wed, Apr 12, 2006 at 05:45:30PM +1000, Ash Williams wrote:
> > > what I have is
> > >
> > >   #./
> > >   #ksh: Operation not permitted
> > >
> > >
> > >   Someone knows what is happening ?
> > 
> > I've not done any ASM on OpenBSD although I have a bit of experience
> > with FreeBSD. Have you looked at the syscalls located in
> > /usr/src/sys/kern/syscalls.master - these may differ from the syscalls
> > FreeBSD uses.
> 
> You're correct.  If you really feel like continuing to waste your time
> with this nonsense, skip to step two which uses the C library to call
> functions instead of hardcoded system call numbers.
> 


Hi,

and the most likely cause of the ksh error message is that the current
directory is mounted with the noexec option. Thus you cannot start the
executable.

Regards

Stefan Kell



Re: X11 Issue - Integrated Intel Media Accelerator 900 Graphics (Intel 915GM)

2006-04-12 Thread Ramiro Aceves

"Intel 915GM/GMS Video" rev 0x03 at pci0 dev 2 function 1 not configured


Hello,

I have the same card and same dmesg line. I have Xorg working on my 
Compal laptop using "vesa" driver at 1024x768. Not too good but works ;-)



If you need my xorg config file please let me know.

Ramiro.



ath and available channels

2006-04-12 Thread Antonios Anastasiadis
Hello. I have 2 atheros cm9's in a box and the only channels I can set
are 36,40 and 44.
How can I "unlock" all the channels the card supports? I'm interested
in channels 100-140.
Man ath didn't say anything about it.



Re: ath and available channels

2006-04-12 Thread Antonios Anastasiadis
forgot dmesg just in case


OpenBSD 3.9-current (GENERIC) #672: Mon Apr  3 16:15:29 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 401 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 66613248 (65052K)
avail mem = 53145600 (51900K)
using 838 buffers containing 3432448 bytes (3352K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(92) BIOS, date 03/04/99, BIOS32 rev. 0 @ 0xfbc00
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xc07c
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdef0/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage Pro" rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 3079MB, 6306048 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x02: polling
iic0 at piixpm0
xl0 at pci0 dev 14 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:50:04:34:3b:2d
exphy0 at xl0 phy 24: 3Com internal media interface
ppb1 at pci0 dev 16 function 0 vendor "Hint", unknown product 0x0021 rev 0x15
pci2 at ppb1 bus 2
ath0 at pci2 dev 8 function 0 "Atheros AR5212" rev 0x01: irq 12
ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:0b:6b:4d:58:60
ath1 at pci2 dev 9 function 0 "Atheros AR5212" rev 0x01: irq 5
ath1: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:0b:6b:35:e3:5a
eap0 at pci0 dev 20 function 0 "Ensoniq AudioPCI97" rev 0x06: irq 5
ac97: codec id 0x54524103 (TriTech Microelectronics TR28023)
audio0 at eap0
midi0 at eap0: 
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: 
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask e74d netmask ff6d ttymask ffef
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



Re: aliases with carp

2006-04-12 Thread Johan Fredin

Gustavo A. Baratto wrote:

[.. snip ..]


FW2 hostname.carpX (3.8)
---
fw2# cat /etc/hostname.carp0
inet 1.2.3.2 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 127
inet alias 1.2.3.6 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 127
inet alias 1.2.3.7 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 127
inet alias 1.2.3.8 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 127
inet alias 1.2.3.9 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 127
--
fw2# /etc/hostname.carp1
inet 10.10.0.1 255.255.0.0 10.10.255.255 vhid 2 pass foo carpdev em1 advskew 127
-


This works for me:

carpdev sk0 vhid 100 advskew 10 pass foo
inet 212.xxx.78.161 255.255.255.192 NONE
inet alias 212.xxx.78.162 255.255.255.255 NONE
inet alias 212.xxx.78.166 255.255.255.255 NONE

You need to use a /32 netmask on aliases that are on the same subnet as 
the "master" address.


/Johan
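
The netmask rule from the reply above, written as a lint over hostname.carpN text. This is an added example, not code from the list or from OpenBSD; the function names and the sample files (documentation addresses, laid out like the two configurations in this thread) are constructed, and it assumes dotted-quad netmasks.

```python
"""Flag carp aliases that share the primary address's subnet but do not
use a 255.255.255.255 netmask (added example; names are hypothetical)."""
import ipaddress

# Constructed sample in the layout of the fw2 file quoted above.
SAMPLE_FW2_STYLE = "\n".join([
    "inet 192.0.2.2 255.255.255.0 192.0.2.255 vhid 1 pass foo carpdev em0 advskew 127",
    "inet alias 192.0.2.6 255.255.255.0 192.0.2.255 vhid 1 pass foo carpdev em0 advskew 127",
    "inet alias 192.0.2.7 255.255.255.255 NONE vhid 1 pass foo carpdev em0 advskew 127",
    "inet alias 198.51.100.9 255.255.255.0 198.51.100.255 vhid 1 pass foo carpdev em0 advskew 127",
])

# Constructed sample in the layout of the working file from the reply.
SAMPLE_WORKING_STYLE = "\n".join([
    "carpdev sk0 vhid 100 advskew 10 pass foo",
    "inet 192.0.2.161 255.255.255.192 NONE",
    "inet alias 192.0.2.162 255.255.255.255 NONE",
    "inet alias 192.0.2.166 255.255.255.255 NONE",
])


def parse_inet_lines(text):
    """Yield (lineno, is_alias, address, netmask) for every 'inet' line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] != "inet":
            continue  # e.g. a leading "carpdev ... vhid ..." line
        is_alias = len(fields) > 1 and fields[1] == "alias"
        rest = fields[2:] if is_alias else fields[1:]
        if len(rest) < 2:
            raise ValueError(f"line {lineno}: expected address and netmask")
        yield lineno, is_alias, rest[0], rest[1]


def lint_carp_aliases(text):
    """Return [(lineno, address, prefixlen)] for aliases breaking the rule.

    An alias is reported when it lies inside the subnet of the primary
    (non-alias) address and its own netmask is anything other than /32.
    Aliases outside that subnet are left alone.
    """
    primary_net = None
    findings = []
    for lineno, is_alias, addr, mask in parse_inet_lines(text):
        if not is_alias:
            # strict=False: the address is a host inside the network.
            primary_net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        if primary_net is None:
            raise ValueError(f"line {lineno}: alias before primary address")
        prefixlen = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
        if ipaddress.ip_address(addr) in primary_net and prefixlen != 32:
            findings.append((lineno, addr, prefixlen))
    return findings


if __name__ == "__main__":
    for name, sample in (("fw2-style", SAMPLE_FW2_STYLE),
                         ("working-style", SAMPLE_WORKING_STYLE)):
        problems = lint_carp_aliases(sample)
        if not problems:
            print(f"{name}: ok")
        for lineno, addr, plen in problems:
            print(f"{name}: line {lineno}: alias {addr} is in the primary "
                  f"subnet but uses /{plen}; use 255.255.255.255")
```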



OpenVPN on OpenBSD with hw crypto acceleration

2006-04-12 Thread Marek Nixworx
Hi,

I have an OpenVPN server interconnecting 5 networks with data center using
permanent PtP links - each network has about 30 PCs. Also there is about 30
road-warrior OpenVPN clients. Average traffic on each PtP link is 1-2Mbit/s.
The server and end-points of permanent PtP links are currently running on
Linux.
I've read about OpenBSD's ability to use hardware crypto acceleration card
to transparently accelerate OpenSSL calls.
Is it possible to use this ability to hw accelerate OpenVPN's SSL calls ?
Any suggestions for a hw crypto card for this usage ?
I want to replace Linux with OpenBSD on the server and permanent end-points
and hw acceleration could be interesting improvement.


Thanx
Marek



Re: OpenVPN on OpenBSD with hw crypto acceleration

2006-04-12 Thread Stuart Henderson
On 2006/04/12 11:27, Marek Nixworx wrote:
> I've read about OpenBSD's ability to use hardware crypto acceleration card
> to transparently accelerate OpenSSL calls.

In general, don't bother with PCI cards, if you want accelerated
crypto use AES with one of the newer VIA CPUs with on-chip AES support.

> Is it possible to use this ability to hw accelerate OpenVPN's SSL calls ?

Yes.



Re: OpenVPN on OpenBSD with hw crypto acceleration

2006-04-12 Thread Marek Nixworx
Thank you,
can you explain me please, why aren't PCI/miniPCI cards sufficient ? I'd
like to use same hardware and only add PCI card on server and end-points..

Thanx
Marek

2006/4/12, Stuart Henderson <[EMAIL PROTECTED]>:
>
> On 2006/04/12 11:27, Marek Nixworx wrote:
> > I've read about OpenBSD's ability to use hardware crypto acceleration
> > card to transparently accelerate OpenSSL calls.
>
> In general, don't bother with PCI cards, if you want accelerated
> crypto use AES with one of the newer VIA CPUs with on-chip AES support.
>
> > Is it possible to use this ability to hw accelerate OpenVPN's SSL calls ?
>
> Yes.



OpenBGP nexthop

2006-04-12 Thread Sylvain Coutant
Hi,

OpenBSD-current amd64 from around march, 20th.

Next to a reboot, OpenBGP had a problem validating NextHops :

Nexthop  State
x.x.x.105   invalid   vlan97  UP, Ethernet, no carrier, 100 MBit/s

I had about 30 addresses on different vlans in this case. This resulted in the 
BGP session being up but routes were not valid, thus not installed.
I tried to "ifconfig down" one vlan and it crashed the whole box. Once 
rebooted, everything was fine.


There are two points about this :

- Why is this happening ? What can I do to avoid this and/or get back into 
business without crashing the system ? Could this have to do with the 
OpenBGP/kroute.c patch sent yesterday ?

- Shouldn't OpenBGP drop the session if the nexthop is not valid ? In our case, 
we do announce another AS behind us. Sessions were up, so I believe routes were 
announced to everybody. But as nexthop was declared invalid, routes to this AS 
were not installed. I think this could have created a loop : our upstream 
provider was sending packets for this customer's routes. As we hadn't routes 
installed for customer's prefix, we were sending back the packets to upstream 
...


BR,

--
Sylvain COUTANT

ADVISEO
http://www.adviseo.fr/
http://www.open-sp.fr/



Re: gcc miscompiles ntohs16() inline assembly in OpenBSD 3.8

2006-04-12 Thread Dimitry Andric
Otto Moerbeek wrote:
>> We notice that the upcoming OpenBSD 3.9 still uses gcc 3.3.5.
>>
>> Is the gcc 3.3 branch still a supported product for the gcc people, and this 
>> a
>> fix that "slipped through the cracks" in their usual maintenance process?
> 
> I have no idea if the 3.3 branch is actively maintained by the gcc people.

http://gcc.gnu.org/gcc-3.3/ says 3.3.6, released 2005-05-03, is the last
3.3.x version.



postfix issue

2006-04-12 Thread yo2lux

I have a postfix server on OpenBSD. The mail server works great.
I use the following configurations in "main.cf":

myhostname = home.wplink.net
mydomain = wplink.net
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain

I send and get e-mails without problems. My e-mail client is Mozilla
Thunderbird.


My e-mail account does not work with some mailing lists, like sourceforge. The
problem appears at message reply. So.. I click on message and "Reply All"
in Thunderbird, I get the following error:


An error occured while sending mail. The mail server responded: mail 
server permanently rejected message (#5.3.0). Please check the message 
and try again.


I don't see this error with openbsd-misc mailing list. Any idea that
would help me?


Sorry because I sent this message to openbsd-misc instead of postfix 
mailing list.


Thank you !



Re: OpenVPN on OpenBSD with hw crypto acceleration

2006-04-12 Thread Siegbert Marschall
Hi,

> I have an OpenVPN server interconnecting 5 networks with data center using
> permanent PtP links - each network has about 30 PCs. Also there is about
> 30
> road-warrior OpenVPN clients. Average traffic on each PtP link is
> 1-2Mbit/s.
> The server and end-points of permanent PtP links are currently running on
> Linux.
> I've read about OpenBSD's ability to use hardware crypto acceleration card
> to transparently accelerate OpenSSL calls.
> Is it possible to use this ability to hw accelerate OpenVPN's SSL calls ?
> Any suggestions for a hw crypto card for this usage ?
> I want to replace Linux with OpenBSD on the server and permanent
> end-points
> and hw acceleration could be interesting improvement.
what for ? unless you have something small like a soekris there is no need
for it, even an old PIII should handle this amount of traffic easily.


-sm



Re: OpenBGP nexthop

2006-04-12 Thread tony sarendal
On 12/04/06, Sylvain Coutant <[EMAIL PROTECTED]> wrote:
>
>
> - Shouldn't OpenBGP drop the session if the nexthop is not valid ?


Next hop and peer address do not have to be the same thing.

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   "I couldn't help it, it's my nature" =-



Re: OpenVPN on OpenBSD with hw crypto acceleration

2006-04-12 Thread Stuart Henderson
On 2006/04/12 11:57, Marek Nixworx wrote:
> can you explain me please, why aren't PCI/miniPCI cards sufficient ? I'd
> like to use same hardware and only add PCI card on server and end-points..

There's a lot more overhead involved with the PCI cards which are
serviced by interrupt-handlers (rather than just issuing an instruction
to the CPU as is the case with the VIA chips).

Since you mention miniPCI I'll take a wild guess at low-power hardware
where this is common (e.g. Soekris, WRAP etc) - the PCI on these is not
high-performance: particularly on this type of hardware, you're only
likely to see much (if any) benefit with larger packet sizes.

Perhaps changing server to EPIA SP or MII 12000 or something with a
C7 cpu, while keeping endpoints as they are (or perhaps adding hw cards
if you find they help for your mix of packet sizes) would give a
useful performance boost.

You might also find that under OpenBSD, ipsec is simple enough
(http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf#EXAMPLES)
that you want to use it, at least on permanent links, and could
improve performance that way (in-kernel -> fewer context switches).



Re: OpenBGP nexthop

2006-04-12 Thread Claudio Jeker
On Wed, Apr 12, 2006 at 12:18:07PM +0200, Sylvain Coutant wrote:
> Hi,
> 
> OpenBSD-current amd64 from around march, 20th.
> 
> Next to a reboot, OpenBGP had a problem validating NextHops :
> 
> Nexthop  State
> x.x.x.105   invalid   vlan97  UP, Ethernet, no carrier, 100 MBit/s
> 

What was the state of the parent interface and what kind of interface is
it?

> I had about 30 addresses on different vlans in this case. This resulted
> in the BGP session being up but routes were not valid, thus not
> installed.  I tried to "ifconfig down" one vlan and it crashed the whole
> box. Once rebooted, everything was fine.
> 

ifconfig down should not crash the box. Panic message and trace would be
interesting.

> 
> There are two points about this :
> 
> - Why is this happening ? What can I do to avoid this and/or get back
> into business without crashing the system ? Could this have to do with
> the OpenBGP/kroute.c patch sent yesterday ?
> 

This could fix your problem. Henning's kroute.c diff fixes a problem
with interface state change messages. Running without it may result in
wrong reported link states.

> - Shouldn't OpenBGP drop the session if the nexthop is not valid ? In
> our case, we do announce another AS behind us. Sessions were up, so I
> believe routes were announced to everybody. But as nexthop was declared
> invalid, routes to this AS were not installed. I think this could have
> created a loop : our upstream provider was sending packets for this
> customer's routes. As we hadn't routes installed for customer's prefix,
> we were sending back the packets to upstream ...
> 

No, the session and the nexthop are two different things. The prefix is
just marked as invalid and not considered for routing.

-- 
:wq Claudio



Re: OpenBGP nexthop

2006-04-12 Thread Sylvain Coutant
> What was the state of the parent interface and what kind of interface is
> it?

Bge driver. It was up and running : BGP sessions were established through the 
vlans reported as invalid by OpenBGP.


> ifconfig down should not crash the box. Panic message and trace would be
> interesting.

It was remote and we did a hard reboot without console access. Log files were 
empty.


> No, the session and the nexthop are two different things.

I agree. My point is : how to prevent routing loops in such cases ? Whatever 
triggered the case (a link down for any reason or a bug) is not so important. 
Announcing routes over the Internet and creating a routing loop for those 
routes is important.

It could be one more setting that, if set to yes, would drop the session if it 
receives an unreachable nexthop ... just an idea. It could default to yes for 
eBGP session and no for iBGP sessions. Would that fit most of "usual" cases ?


BR,

--
Sylvain COUTANT

ADVISEO
http://www.adviseo.fr/
http://www.open-sp.fr/



Re: OpenBGP nexthop

2006-04-12 Thread tony sarendal
On 12/04/06, Sylvain Coutant <[EMAIL PROTECTED]> wrote:
>
> > What was the state of the parent interface and what kind of interface is
> > it?
>
> Bge driver. It was up and running : BGP sessions were established through
> the vlans reported as invalid by OpenBGP.
>
>
> > ifconfig down should not crash the box. Panic message and trace would be
> > interesting.
>
> It was remote and we did a hard reboot without console access. Log files
> were empty.
>
>
> > No, the session and the nexthop are two different things.
>
> I agree. My point is : how to prevent routing loops in such cases ?
> Whatever triggered the case (a link down for any reason or a bug) is not so
> important. Announcing routes over the Internet and creating a routing loop
> for those routes is important.
>
> It could be one more setting that, if set to yes, would drop the session
> if it receives an unreachable nexthop ... just an idea. It could default to
> yes for eBGP session and no for iBGP sessions. Would that fit most of
> "usual" cases ?


That sounds like fixing a bug with an option.
In your case the problem is that a connected next-hop is considered invalid,
right ?

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   "I couldn't help it, it's my nature" =-



Powering down computer

2006-04-12 Thread zoraya
Using OpenBSD3.8 as a desktop on a laptop, default settings (nothing added  
or changed) when I do:


halt -p

I get:

/etc/rc.shutdown in progress
/etc/rc.shutdown complete
Attempting to power down
apm0:APM set power state: unable to enter requested state (96)
apm0:APM set power state: unable to enter requested state (96)


It ends up shutting down gently and everything seems fine but the last  
lines obviously do not look good, should I worry about what it says?




Re: OpenBGP nexthop

2006-04-12 Thread 'Claudio Jeker'
On Wed, Apr 12, 2006 at 01:36:46PM +0200, Sylvain Coutant wrote:
> > What was the state of the parent interface and what kind of interface is
> > it?
> 
> Bge driver. It was up and running : BGP sessions were established
> through the vlans reported as invalid by OpenBGP.
> 

I bet Henning's diff will fix this.

> 
> > ifconfig down should not crash the box. Panic message and trace would be
> > interesting.
> 
> It was remote and we did a hard reboot without console access. Log files
> were empty.
> 

Bummer.

> 
> > No, the session and the nexthop are two different things.
> 
> I agree. My point is : how to prevent routing loops in such cases ?

How should routing loops happen if you do not announce those invalid
routes? Prefixes with an invalid nexthop are not used and are not
redistributed.

> Whatever triggered the case (a link down for any reason or a bug) is not
> so important. Announcing routes over the Internet and creating a routing
> loop for those routes is important.
> 
> It could be one more setting that, if set to yes, would drop the session
> if it receives an unreachable nexthop ... just an idea. It could default
> to yes for eBGP session and no for iBGP sessions. Would that fit most of
> "usual" cases ?
> 

No way. This is not how BGP works and will break in many cases.

-- 
:wq Claudio



Re: OpenBGP nexthop

2006-04-12 Thread tony sarendal
On 12/04/06, tony sarendal <[EMAIL PROTECTED]> wrote:
>
>
>
>  On 12/04/06, Sylvain Coutant <[EMAIL PROTECTED]> wrote:
>
> > > What was the state of the parent interface and what kind of interface
> > > is it?
> >
> > Bge driver. It was up and running : BGP sessions were established
> > through the vlans reported as invalid by OpenBGP.
> >
> >
> > > ifconfig down should not crash the box. Panic message and trace would
> > > be interesting.
> >
> > It was remote and we did a hard reboot without console access. Log files
> > were empty.
> >
> >
> > > No, the session and the nexthop are two different things.
> >
> > I agree. My point is : how to prevent routing loops in such cases ?
> > Whatever triggered the case (a link down for any reason or a bug) is not so
> > important. Announcing routes over the Internet and creating a routing loop
> > for those routes is important.
> >
> > It could be one more setting that, if set to yes, would drop the session
> > if it receives an unreachable nexthop ... just an idea. It could default to
> > yes for eBGP session and no for iBGP sessions. Would that fit most of
> > "usual" cases ?
>
>
>  That sounds like fixing a  bug with an option.
> In your case the problem is that a connected next-hop is considered
> invalid, right ?
>

Sorry, cut that a bit short.

If your router receives a prefix with a next-hop it can't resolve then
that prefix isn't valid and will not be used and not be advertised to other
peers, so the option of dropping the session serves no purpose.

If your network receives the same prefix or superblock from another path
then that path will be used.

/Tony



Re: postfix issue

2006-04-12 Thread josen
Hi misc!
> I don't see this error with openbsd-misc mailing list. Any idea that
> help me?

Your mail server's hostname is not reverse resolvable. Means you get the
IP from the name, but no name from that IP.


Try yourself: dig -x 82.79.81.6



-Falk



Re: OpenBGP nexthop

2006-04-12 Thread tony sarendal
On 12/04/06, Claudio Jeker <[EMAIL PROTECTED]> wrote:
>
> On Wed, Apr 12, 2006 at 01:36:46PM +0200, Sylvain Coutant wrote:
> > > What was the state of the parent interface and what kind of interface
> > > is it?
> >
> > Bge driver. It was up and running : BGP sessions were established
> > through the vlans reported as invalid by OpenBGP.
> >
>
> I bet Henning's diff will fix this.
>
> >
> > > ifconfig down should not crash the box. Panic message and trace would
> > > be interesting.
> >
> > It was remote and we did a hard reboot without console access. Log files
> > were empty.
> >
>
> Bummer.
>
> >
> > > No, the session and the nexthop are two different things.
> >
> > I agree. My point is : how to prevent routing loops in such cases ?
>
> How should routing loops happen if you do not announce those invalid
> routes? Prefixes with an invalid nexthop are not used and are not
> redistributed.
>
> > Whatever triggered the case (a link down for any reason or a bug) is not
> > so important. Announcing routes over the Internet and creating a routing
> > loop for those routes is important.
> >
> > It could be one more setting that, if set to yes, would drop the session
> > if it receives an unreachable nexthop ... just an idea. It could default
> > to yes for eBGP session and no for iBGP sessions. Would that fit most of
> > "usual" cases ?
> >
>
> No way. This is not how BGP works and will break in many cases.
>
> --
> :wq Claudio
>
>
But speaking of routing loops, I suspect that there is something wrong with
the route-reflector part. I can introduce routing loops into my test network
by flapping prefixes. Before I wrote this I flapped 13.0.0.0/8 just once in
my test network:

View from the route-server which peers with all routers:

quagga-bgpd# sh ip bgp 13.0.0.0
BGP routing table entry for 13.0.0.0/8
Paths: (7 available, best #7, table Default-IP-Routing-Table)
  Not advertised to any peer
  Local
10.1.1.22 from 10.0.0.5 (10.0.0.2)
  Origin IGP, metric 900, localpref 100, valid, internal
  Originator: 10.0.0.2, Cluster list: 10.0.0.5 10.0.0.6 10.0.0.8
172.16.0.3 10.0.0.7 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
  Last update: Wed Apr 12 14:11:25 2006

  Local
10.1.1.26 from 10.0.0.4 (10.0.0.2)
  Origin IGP, metric 700, localpref 100, valid, internal
  Originator: 10.0.0.2, Cluster list: 10.0.0.4 10.0.0.7 10.0.0.8
10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
  Last update: Wed Apr 12 14:11:25 2006

  Local
172.16.1.13 from 172.16.0.2 (10.0.0.2)
  Origin IGP, metric 800, localpref 100, valid, internal
  Originator: 10.0.0.2, Cluster list: 172.16.0.2 10.0.0.4 10.0.0.7
10.0.0.8 10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
  Last update: Wed Apr 12 14:11:25 2006

  Local
10.1.1.34 from 10.0.0.6 (10.0.0.2)
  Origin IGP, metric 800, localpref 100, valid, internal
  Originator: 10.0.0.2, Cluster list: 10.0.0.6 10.0.0.8 172.16.0.3
10.0.0.7 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
  Last update: Wed Apr 12 14:11:25 2006

  Local
172.16.1.21 from 10.0.0.8 (10.0.0.2)
  Origin IGP, metric 700, localpref 100, valid, internal
  Originator: 10.0.0.2, Cluster list: 10.0.0.8 172.16.0.3 10.0.0.7
10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
  Last update: Wed Apr 12 14:11:25 2006

  Local
172.16.1.18 from 172.16.0.3 (10.0.0.2)
  Origin IGP, metric 700, localpref 100, valid, internal
  Originator: 10.0.0.2, Cluster list: 172.16.0.3 10.0.0.7 10.0.0.8
10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
  Last update: Wed Apr 12 14:11:25 2006

  Local
10.1.1.30 from 10.0.0.7 (10.0.0.2)
  Origin IGP, metric 600, localpref 100, valid, internal, best
  Originator: 10.0.0.2, Cluster list: 10.0.0.7 10.0.0.8 10.0.0.6
10.0.0.5 10.0.0.3 10.0.0.1
  Last update: Wed Apr 12 14:11:25 2006

quagga-bgpd#

The loop does not occur at the same place every time.

Do you have a setup with route-reflectors ?

Claudio, could my problem have to do with the problem in rde_reflector()
which you mentioned in another thread ? The cluster-list seems a bit
screwed up when I trace the prefix from the router with the lowest metric.

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   "I couldn't help it, it's my nature" =-



Re: OpenBGP nexthop

2006-04-12 Thread Henning Brauer
* Sylvain Coutant <[EMAIL PROTECTED]> [2006-04-12 12:21]:
> Hi,
> 
> OpenBSD-current amd64 from around march, 20th.
> 
> Next to a reboot, OpenBGP had a problem validating NextHops :
> 
> Nexthop  State
> x.x.x.105   invalid   vlan97  UP, Ethernet, no carrier, 100 MBit/s

the reason is that the interface reports explicitly that it has no link.
either it really has not, or you ran into the bug fixed by the diff at 
the end.

> I tried to "ifconfig down" one vlan and it crashed the whole box.

that, of course, is not supposed to happen. the usual way to report 
issues required...

> - Shouldn't OpenBGP drop the session if the nexthop is not valid ?

huh? no, of course not. see RFC

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Multi-user Password Manager

2006-04-12 Thread Bruno Carnazzi
   Hi misc,

I'm looking for an open-source software solution for multi-user
password management. Ideally, it's a webapp running on OpenBSD,
allowing multiple users, each of whom can only see a subpart of the password
database (ACL or things like that). I've found a lot of such projects
on sf.net but only for single user... Somebody got an idea ?

Thank you,

Bruno.



Re: OpenBGP nexthop

2006-04-12 Thread Henning Brauer
* Claudio Jeker <[EMAIL PROTECTED]> [2006-04-12 14:21]:
> On Wed, Apr 12, 2006 at 01:36:46PM +0200, Sylvain Coutant wrote:
> > > What was the state of the parent interface and what kind of interface is
> > > it?
> > Bge driver. It was up and running : BGP sessions were established
> > through the vlans reported as invalid by OpenBGP.
> I bet Henning's diff will fix this.

chances are good, at least.

Index: kroute.c
===
RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
retrieving revision 1.145
diff -u -p -r1.145 kroute.c
--- kroute.c22 Mar 2006 13:30:35 -  1.145
+++ kroute.c11 Apr 2006 11:07:27 -
@@ -2123,21 +2123,23 @@ dispatch_rtmsg(void)
lim = buf + n;
for (next = buf; next < lim; next += rtm->rtm_msglen) {
rtm = (struct rt_msghdr *)next;
-   sa = (struct sockaddr *)(rtm + 1);
-   get_rtaddrs(rtm->rtm_addrs, sa, rti_info);
-
-   if (rtm->rtm_pid == kr_state.pid)   /* cause by us */
-   continue;
-
-   if (rtm->rtm_errno) /* failed attempts... */
-   continue;
 
switch (rtm->rtm_type) {
case RTM_ADD:
case RTM_CHANGE:
case RTM_DELETE:
+   sa = (struct sockaddr *)(rtm + 1);
+   get_rtaddrs(rtm->rtm_addrs, sa, rti_info);
+
+   if (rtm->rtm_pid == kr_state.pid)   /* cause by us 
*/
+   continue;
+
+   if (rtm->rtm_errno) /* failed 
attempts... */
+   continue;
+
if (rtm->rtm_flags & RTF_LLINFO)/* arp cache */
continue;
+
if (dispatch_rtmsg_addr(rtm, rti_info) == -1)
return (-1);
break;
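
Review bot: in the RTM_ADD/RTM_CHANGE/RTM_DELETE case, the moved get_rtaddrs() call and the rtm_pid and rtm_errno checks need a comment saying why they are only valid for these three message types. The loop still casts every message to struct rt_msghdr before the switch, so a later reader could easily hoist the checks back out and again skip messages of other types based on those fields. While the lines are being touched, the comment "cause by us" should read "caused by us", and the blank line added before the dispatch_rtmsg_addr() call is an unrelated whitespace change that could be left out of the fix.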



-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: OpenBGP nexthop

2006-04-12 Thread Claudio Jeker
On Wed, Apr 12, 2006 at 01:58:24PM +0100, tony sarendal wrote:
> On 12/04/06, Claudio Jeker <[EMAIL PROTECTED]> wrote:
> >
> > On Wed, Apr 12, 2006 at 01:36:46PM +0200, Sylvain Coutant wrote:
> > > > What was the state of the parent interface and what kind of interface
> > is
> > > > it?
> > >
> > > Bge driver. It was up and running : BGP sessions were established
> > > through the vlans reported as invalid by OpenBGP.
> > >
> >
> > I bet Henning's diff will fix this.
> >
> > >
> > > > ifconfig down should not crash the box. Panic message and trace would
> > be
> > > > interesting.
> > >
> > > It was remote and we did a hard reboot without console access. Log files
> > > were empty.
> > >
> >
> > Bummer.
> >
> > >
> > > > No, the session and the nexthop are two different things.
> > >
> > > I agree. My point is : how to prevent routing loops in such cases ?
> >
> > How should routing loops happen if you do not announce those invalid
> > routes? Prefixes with an invalid nexthop are not used and are not
> > redistributed.
> >
> > > Whatever triggered the case (a link down for any reason or a bug) is not
> > > so important. Announcing routes over the Internet and creating a routing
> > > loop for those routes is important.
> > >
> > > It could be one more setting that, if set to yes, would drop the session
> > > if it receives an unreachable nexthop ... just an idea. It could default
> > > to yes for eBGP session and no for iBGP sessions. Would that fit most of
> > > "usual" cases ?
> > >
> >
> > No way. This is not how BGP works and will break in many cases.
> >
> > --
> > :wq Claudio
> >
> >
> But speaking of routing loops, I suspect that there is something wrong with
> the
> route-reflector part. I can introduce routing loops into my test network by
> flapping
> prefixes. Before I wrote this I flapped 13.0.0.0/8 just once in my test
> network:
> 
> View from the route-server which peers with all routers:
> 
> quagga-bgpd# sh ip bgp 13.0.0.0
> BGP routing table entry for 13.0.0.0/8
> Paths: (7 available, best #7, table Default-IP-Routing-Table)
>   Not advertised to any peer
>   Local
> 10.1.1.22 from 10.0.0.5 (10.0.0.2)
>   Origin IGP, metric 900, localpref 100, valid, internal
>   Originator: 10.0.0.2, Cluster list: 10.0.0.5 10.0.0.6 10.0.0.8
> 172.16.0.3 10.0.0.7 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
>   Last update: Wed Apr 12 14:11:25 2006
> 
>   Local
> 10.1.1.26 from 10.0.0.4 (10.0.0.2)
>   Origin IGP, metric 700, localpref 100, valid, internal
>   Originator: 10.0.0.2, Cluster list: 10.0.0.4 10.0.0.7 10.0.0.8
> 10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
>   Last update: Wed Apr 12 14:11:25 2006
> 
>   Local
> 172.16.1.13 from 172.16.0.2 (10.0.0.2)
>   Origin IGP, metric 800, localpref 100, valid, internal
>   Originator: 10.0.0.2, Cluster list: 172.16.0.2 10.0.0.4 10.0.0.7
> 10.0.0.8 10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
>   Last update: Wed Apr 12 14:11:25 2006
> 
>   Local
> 10.1.1.34 from 10.0.0.6 (10.0.0.2)
>   Origin IGP, metric 800, localpref 100, valid, internal
>   Originator: 10.0.0.2, Cluster list: 10.0.0.6 10.0.0.8 172.16.0.3
> 10.0.0.7 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
>   Last update: Wed Apr 12 14:11:25 2006
> 
>   Local
> 172.16.1.21 from 10.0.0.8 (10.0.0.2)
>   Origin IGP, metric 700, localpref 100, valid, internal
>   Originator: 10.0.0.2, Cluster list: 10.0.0.8 172.16.0.3 10.0.0.7
> 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
>   Last update: Wed Apr 12 14:11:25 2006
> 
>   Local
> 172.16.1.18 from 172.16.0.3 (10.0.0.2)
>   Origin IGP, metric 700, localpref 100, valid, internal
>   Originator: 10.0.0.2, Cluster list: 172.16.0.3 10.0.0.7 10.0.0.8
> 10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
>   Last update: Wed Apr 12 14:11:25 2006
> 
>   Local
> 10.1.1.30 from 10.0.0.7 (10.0.0.2)
>   Origin IGP, metric 600, localpref 100, valid, internal, best
>   Originator: 10.0.0.2, Cluster list: 10.0.0.7 10.0.0.8 10.0.0.6
> 10.0.0.5 10.0.0.3 10.0.0.1
>   Last update: Wed Apr 12 14:11:25 2006
> 
> quagga-bgpd#
> 
> The loop does not occur at the same place every time.
> 
> Do you have a setup with route-reflectors ?
> 

No but I can reconfigure my lab network.

> Claudio, could my problem have to do with the problem in rde_reflector()
> which you mentioned in another thread ? The cluster-list seems a bit
> screwed up when I trace the prefix from the router with the lowest metric.
> 

Oh yes. The diff that fixes the attr_compare fatals may help here because
it may have influence on loop detection because attributes are modified
which are referenced by multiple prefixes.

Sorry I did not have time to actually commit it.
-- 
:wq Claudio
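
The route-reflector loop checks discussed in this thread, as an added example that is not part of any post or of bgpd/Quagga: it parses `sh ip bgp` output like the listing quoted above (first two paths copied from the thread, the third constructed) and applies the RFC 4456 receive-side rules. It assumes each reflector's CLUSTER_ID equals its router ID unless one is passed in; the names `parse_paths`, `rr_verdict` and `duplicated_clusters` are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<nexthop> from <peer> (<router-id>)"
PATH_RE = re.compile(rf"^\s*({IPV4}) from ({IPV4}) \(({IPV4})\)\s*$")
# "Originator: <id>, Cluster list: <id> <id> ..."
ATTR_RE = re.compile(rf"^\s*Originator: ({IPV4}), Cluster list:((?: {IPV4})*)\s*$")
# A wrapped continuation line holding only more cluster IDs.
CONT_RE = re.compile(rf"^\s*{IPV4}(?: {IPV4})*\s*$")

# Paths 1 and 2 are taken from the thread; path 3 is constructed to show
# what a list looks like when a reflector failed to drop a looped update.
SAMPLE = """\
  Local
    10.1.1.22 from 10.0.0.5 (10.0.0.2)
      Origin IGP, metric 900, localpref 100, valid, internal
      Originator: 10.0.0.2, Cluster list: 10.0.0.5 10.0.0.6 10.0.0.8
 172.16.0.3 10.0.0.7 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
      Last update: Wed Apr 12 14:11:25 2006

  Local
    10.1.1.30 from 10.0.0.7 (10.0.0.2)
      Origin IGP, metric 600, localpref 100, valid, internal, best
      Originator: 10.0.0.2, Cluster list: 10.0.0.7 10.0.0.8 10.0.0.6
 10.0.0.5 10.0.0.3 10.0.0.1
      Last update: Wed Apr 12 14:11:25 2006

  Local
    192.0.2.1 from 192.0.2.9 (10.0.0.2)
      Origin IGP, metric 500, localpref 100, valid, internal
      Originator: 10.0.0.2, Cluster list: 192.0.2.9 10.0.0.7 10.0.0.8
 10.0.0.7 10.0.0.1
"""


@dataclass
class Path:
    nexthop: str
    peer: str
    router_id: str
    originator: str = ""
    cluster_list: list = field(default_factory=list)


def parse_paths(text):
    """Extract per-path ORIGINATOR_ID and CLUSTER_LIST, joining wrapped lines."""
    paths, current, in_cluster = [], None, False
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            current = Path(m.group(1), m.group(2), m.group(3))
            paths.append(current)
            in_cluster = False
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.originator = m.group(1)
            current.cluster_list = m.group(2).split()
            in_cluster = True
            continue
        if in_cluster and CONT_RE.match(line):
            current.cluster_list += line.split()
            continue
        in_cluster = False
    return paths


def rr_verdict(path, router_id, cluster_id=None):
    """What a router with this ID must do with the path on receipt (RFC 4456)."""
    cluster_id = cluster_id or router_id  # assumption: default cluster ID
    if path.originator == router_id:
        return "drop: ORIGINATOR_ID is local router ID"
    if cluster_id in path.cluster_list:
        return "drop: local CLUSTER_ID in CLUSTER_LIST"
    return "accept"


def duplicated_clusters(path):
    """Cluster IDs seen more than once: a loop that was not dropped upstream."""
    return [cid for cid, n in Counter(path.cluster_list).items() if n > 1]


if __name__ == "__main__":
    for p in parse_paths(SAMPLE):
        print(p.peer, len(p.cluster_list), "reflections,",
              "duplicates:", duplicated_clusters(p) or "none")
        for rid in ("10.0.0.2", "10.0.0.4", "10.0.0.8"):
            print("   as", rid, "->", rr_verdict(p, rid))
```

Each reflector prepends its own ID, so the first entry is the most recent reflector and the list length is the number of reflections the update went through.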



Re: OpenVPN on OpenBSD with hw crypto acceleration

2006-04-12 Thread Marek Nixworx
End-points are running on ibase's network security appliance hardware:

http://www.ibasetechnology.net/EN/fwa7204.html

- the only way to put some hw accel to this is miniPCI - that's why I've
asked about it before..

The central server is some Fujitsu-Siemens server with free PCI slot

You mentioned packet sizes - the traffic there is very mixed, for example in
average about 300kbit/s from every end-point to server are VoIP calls -
SIP/RTP (G.729), so there is big amount of small packets mixed with common
services' packets (HTTP, SQL, RDP etc..)

Switchover to some VIA C7 CPU's would be great, but I don't think my manager
will accept it..

Thank you very much

Marek

2006/4/12, Stuart Henderson <[EMAIL PROTECTED]>:
>
> There's a lot more overhead involved with the PCI cards which are
> serviced by interrupt-handlers (rather than just issuing an instruction
> to the CPU as is the case with the VIA chips).
>
> Since you mention miniPCI I'll take a wild guess at low-power hardware
> where this is common (e.g. Soekris, WRAP etc) - the PCI on these is not
> high-performance: particularly on this type of hardware, you're only
> likely to see much (if any) benefit with larger packet sizes.
>
> Perhaps changing server to EPIA SP or MII 12000 or something with a
> C7 cpu, while keeping endpoints as they are (or perhaps adding hw cards
> if you find they help for your mix of packet sizes) would give a
> useful performance boost.
>
> You might also find that under OpenBSD, ipsec is simple enough
> (http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf#EXAMPLES)
> that you want to use it, at least on permanent links, and could
> improve performance that way (in-kernel -> fewer context switches).



OpenBGP crashes

2006-04-12 Thread Sylvain Coutant
Funny, I also have this :

Apr 12 16:48:29 x bgpd[10601]: Lost child: session engine terminated; signal 11
Apr 12 16:48:29 x bgpd[31105]: fatal in RDE: rde_dispatch_imsg_session: pipe 
closed
Apr 12 16:48:29 x bgpd[10601]: Lost child: route decision engine exited


Once every two or three weeks. Usually where bgpd has some work to do or when 
the box has more traffic ...

Any idea ?


BR,

--
Sylvain COUTANT

ADVISEO
http://www.adviseo.fr/
http://www.open-sp.fr/



[Update] OpenBGP crashes

2006-04-12 Thread Sylvain Coutant
> Funny, I also have this :
> 
> Apr 12 16:48:29 x bgpd[10601]: Lost child: session engine terminated;
> signal 11
> Apr 12 16:48:29 x bgpd[31105]: fatal in RDE: rde_dispatch_imsg_session:
> pipe closed
> Apr 12 16:48:29 x bgpd[10601]: Lost child: route decision engine exited


I forgot to see it but just before, there is also :

Apr 12 16:48:29 x bgpd[31105]: neighbor x.x.x.x (x): prefix limit reached


--
Sylvain COUTANT

ADVISEO
http://www.adviseo.fr/
http://www.open-sp.fr/



Re: Powering down computer

2006-04-12 Thread mickey
On Wed, Apr 12, 2006 at 12:56:42PM +0100, [EMAIL PROTECTED] wrote:
> Using OpenBSD3.8 as a desktop on a laptop, default settings (nothing added  
> or changed) when I do:
> 
> halt -p
> 
> I get:
> 
> /etc/rc.shutdown in progress
> /etc/rc.shutdown complete
> Attempting to power down
> apm0:APM set power state: unable to enter requested state (96)
> apm0:APM set power state: unable to enter requested state (96)
> 
> 
> It ends up shutting down gently and everything seems fine but the last  
> lines obviously do not look good, should I worry about what it says?

you should chill.
if it be a problem you'd be notified (:

cu
-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: OpenVPN on OpenBSD with hw crypto acceleration

2006-04-12 Thread Stuart Henderson
On 2006/04/12 15:30, Marek Nixworx wrote:
> End-points are running on ibase's network security appliance hardware:
> http://www.ibasetechnology.net/EN/fwa7204.html

More powerful than Geode-based boards then - you probably need to
try it for yourself on the hardware with your packet mix, then, and
see whether it improves or degrades performance.



why is 'passwd' located in /usr/bin instead of /bin?

2006-04-12 Thread João Salvatti
Hi all,

I'd like to know why 'passwd' is located in /usr/bin, since this
command is very important for system maintenance purposes. Wouldn't it
be better 'passwd' being located in /bin? Because generally /usr has
its own partition, and then, when entering in single user mode for any
reason or even to recover root password we are to mount /usr partition
in order to run 'passwd'. I'm asking it because I've faced this
problem some time ago. An OpenBSD server was installed by a sysadmin
that travelled as he had quit the job. Then when I assumed this
responsibility (being a sysadmin) no one could tell me the superuser
password, because no one knew that information, thus I had to enter in
single user mode, but in order to run 'passwd' I had to mount /usr.

Thanks

--
João Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: OpenBGP crashes

2006-04-12 Thread Henning Brauer
* Sylvain Coutant <[EMAIL PROTECTED]> [2006-04-12 15:58]:
> Funny, I also have this :
> 
> Apr 12 16:48:29 x bgpd[10601]: Lost child: session engine terminated; signal 
> 11
> Apr 12 16:48:29 x bgpd[31105]: fatal in RDE: rde_dispatch_imsg_session: pipe 
> closed
> Apr 12 16:48:29 x bgpd[10601]: Lost child: route decision engine exited
> 
> 
> Once every two or three weeks. Usually where bgpd has some work to do or when 
> the box has more traffic ...
> 
> Any idea ?

sig11 can be about anything, from bad hardware to memory corruption 
because of software bugs. try to rule out bad hardware first ;(

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: OpenBSD 3.9 stable from cvs

2006-04-12 Thread Nick Holland
On Wed, Apr 12, 2006 at 01:03:58PM +0200, Piotrek Kapczuk wrote:
> Hi
> 
>   I have a new server to deploy and I don't want to wait until official
>   release. So I'd like to compile 3.9 stable from source and I've faced a
>   problem.
> 
>   I have a machine which runs 3.8-stable
>   I've wiped out /usr/src
>   then, as http://www.openbsd.org/faq/faq5.html says I did

No, you completely ignored the "Install or upgrade to closest available 
binary" step.  You can't do that.

If you had started from a 3.9-beta, you might have got lucky.  But
jumping from 3.8 to 3.9 is NOT an easy process, and is completely
unsupported.  This looks like it will be a particularly difficult
jump to make this release (though, as I recall, that's been true for
a LOT of releases lately).  You can't just download a new release's 
source and build on an old release.

Further, what happens if there is a critical security issue in 3.9-rel
before 3.9 is officially released?  -stable commits do NOT get made 
until 3.9 is official (hint: sendmail bug).

Your choices:
1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).
2) start with 3.9-current, and then jump to 4.0-stable in about
seven months or so, when it becomes available.  This could be either
very easy or a pain in the butt, depending on how many additional
packages you end up installing after first install.

Nick.



Re: why is 'passwd' located in /usr/bin instead of /bin?

2006-04-12 Thread Bob Beck
Because passwd is actually a big old command that uses
lots of shared libraries. - and may use other network
calls, such as yp or kerberos.  commands in /bin are statically
linked.

The short answer is if you want to do things like
vi or passwd in single user mode - mount /usr - it's not that
hard. 

having said that I never run passwd to recover a root
password, I just use ed on /etc/master.passwd, paste in a copy
of a blowfish password I know and run pwd_mkdb

-Bob

* João Salvatti <[EMAIL PROTECTED]> [2006-04-12 08:37]:
> Hi all,
> 
> I'd like to know why 'passwd' is located in /usr/bin, since this
> command is very important for system maintenance purposes. Wouldn't it
> be better 'passwd' being located in /bin? Because generally /usr has
> its own partition, and then, when entering in single user mode for any
> reason or even to recover root password we are to mount /usr partition
> in order to run 'passwd'. I'm asking it because I've faced this
> problem some time ago. An OpenBSD server was installed by a sysadmin
> that travelled as he had quit the job. Then when I assumed this
> responsibility (being a sysadmin) no one could tell me the superuser
> password, because no one knew that information, thus I had to enter in
> single user mode, but in order to run 'passwd' I had to mount /usr.
> 
> Thanks
> 
> --
> João Salvatti
> Undergraduating in Computer Science
> Federal University of Para - UFPA
> web: http://www.openbsd-pa.org
> e-mail: [EMAIL PROTECTED]
> 

-- 
| | | The ASCII Fork Campaign
 \|/   against gratuitous use of threads.
  |



Re: heads up about filesystem troubles

2006-04-12 Thread Jonathan Thornburg

Hi,


The window of danger was booting a kernel from any time _after_ 2
weeks ago and running a fsck from any time _before_ 4 days ago.  If
you have booted a new kernel, do not use the old fsck.


Do I infer correctly from the following paragraph

I have backed out the new superblock changes.  The next snapshot will
not upgrade the superblock and will simply use the old format.  You
are encouraged to move away from any snapshot installed in the last 2
weeks.

that these changes *only* went into -current, and did *not* go into
-stable?

thanks, ciao,

--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam



Re: OpenBGP nexthop

2006-04-12 Thread tony sarendal
On 12/04/06, Claudio Jeker <[EMAIL PROTECTED]> wrote:
>
> On Wed, Apr 12, 2006 at 01:58:24PM +0100, tony sarendal wrote:
> > On 12/04/06, Claudio Jeker <[EMAIL PROTECTED]> wrote:
> > >
> > > On Wed, Apr 12, 2006 at 01:36:46PM +0200, Sylvain Coutant wrote:
> > > > > What was the state of the parent interface and what kind of
> interface
> > > is
> > > > > it?
> > > >
> > > > Bge driver. It was up and running : BGP sessions were established
> > > > through the vlans reported as invalid by OpenBGP.
> > > >
> > >
> > > I bet Henning's diff will fix this.
> > >
> > > >
> > > > > ifconfig down should not crash the box. Panic message and trace
> would
> > > be
> > > > > interesting.
> > > >
> > > > It was remote and we did a hard reboot without console access. Log
> files
> > > > were empty.
> > > >
> > >
> > > Bummer.
> > >
> > > >
> > > > > No, the session and the nexthop are two different things.
> > > >
> > > > I agree. My point is : how to prevent routing loops in such cases ?
> > >
> > > How should routing loops happen if you do not announce those invalid
> > > routes? Prefixes with an invalid nexthop are not used and are not
> > > redistributed.
> > >
> > > > Whatever triggered the case (a link down for any reason or a bug) is
> not
> > > > so important. Announcing routes over the Internet and creating a
> routing
> > > > loop for those routes is important.
> > > >
> > > > It could be one more setting that, if set to yes, would drop the
> session
> > > > if it receives an unreachable nexthop ... just an idea. It could
> default
> > > > to yes for eBGP session and no for iBGP sessions. Would that fit
> most of
> > > > "usual" cases ?
> > > >
> > >
> > > No way. This is not how BGP works and will break in many cases.
> > >
> > > --
> > > :wq Claudio
> > >
> > >
> > But speaking of routing loops, I suspect that there is something wrong
> with
> > the
> > route-reflector part. I can introduce routing loops into my test network
> by
> > flapping
> > prefixes. Before I wrote this I flapped 13.0.0.0/8 just once in my test
> > network:
> >
> > View from the route-server which peers with all routers:
> >
> > quagga-bgpd# sh ip bgp 13.0.0.0
> > BGP routing table entry for 13.0.0.0/8
> > Paths: (7 available, best #7, table Default-IP-Routing-Table)
> >   Not advertised to any peer
> >   Local
> > 10.1.1.22 from 10.0.0.5 (10.0.0.2)
> >   Origin IGP, metric 900, localpref 100, valid, internal
> >   Originator: 10.0.0.2, Cluster list: 10.0.0.5 10.0.0.6 10.0.0.8
> > 172.16.0.3 10.0.0.7 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
> >   Last update: Wed Apr 12 14:11:25 2006
> >
> >   Local
> > 10.1.1.26 from 10.0.0.4 (10.0.0.2)
> >   Origin IGP, metric 700, localpref 100, valid, internal
> >   Originator: 10.0.0.2, Cluster list: 10.0.0.4 10.0.0.7 10.0.0.8
> > 10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
> >   Last update: Wed Apr 12 14:11:25 2006
> >
> >   Local
> > 172.16.1.13 from 172.16.0.2 (10.0.0.2)
> >   Origin IGP, metric 800, localpref 100, valid, internal
> >   Originator: 10.0.0.2, Cluster list: 172.16.0.2 10.0.0.4 10.0.0.7
> > 10.0.0.8 10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
> >   Last update: Wed Apr 12 14:11:25 2006
> >
> >   Local
> > 10.1.1.34 from 10.0.0.6 (10.0.0.2)
> >   Origin IGP, metric 800, localpref 100, valid, internal
> >   Originator: 10.0.0.2, Cluster list: 10.0.0.6 10.0.0.8 172.16.0.3
> > 10.0.0.7 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
> >   Last update: Wed Apr 12 14:11:25 2006
> >
> >   Local
> > 172.16.1.21 from 10.0.0.8 (10.0.0.2)
> >   Origin IGP, metric 700, localpref 100, valid, internal
> >   Originator: 10.0.0.2, Cluster list: 10.0.0.8 172.16.0.3 10.0.0.7
> > 10.0.0.4 172.16.0.2 10.0.0.3 10.0.0.1
> >   Last update: Wed Apr 12 14:11:25 2006
> >
> >   Local
> > 172.16.1.18 from 172.16.0.3 (10.0.0.2)
> >   Origin IGP, metric 700, localpref 100, valid, internal
> >   Originator: 10.0.0.2, Cluster list: 172.16.0.3 10.0.0.7 10.0.0.8
> > 10.0.0.6 10.0.0.5 10.0.0.3 10.0.0.1
> >   Last update: Wed Apr 12 14:11:25 2006
> >
> >   Local
> > 10.1.1.30 from 10.0.0.7 (10.0.0.2)
> >   Origin IGP, metric 600, localpref 100, valid, internal, best
> >   Originator: 10.0.0.2, Cluster list: 10.0.0.7 10.0.0.8 10.0.0.6
> > 10.0.0.5 10.0.0.3 10.0.0.1
> >   Last update: Wed Apr 12 14:11:25 2006
> >
> > quagga-bgpd#
> >
> > The loop does not occur at the same place every time.
> >
> > Do you have a setup with route-reflectors ?
> >
>
> No but I can reconfigure my lab network.
>
> > Claudio, could my problem have to do with the problem in rde_reflector()
> > which you mentioned in another thread ? The cluster-list seems a bit
> > screwed up when I trace the prefix from the router with the lowest
> metric.
> >
>
> Oh yes. The diff that fixes the attr_compare fatals may help here because
> it may have influence on loop detection because attributes are modified
> which are referenced by multiple prefixes.
>
> Sorry I did not h

Re: heads up about filesystem troubles

2006-04-12 Thread Ray Lai
On Wed, Apr 12, 2006 at 04:49:29PM +0200, Jonathan Thornburg wrote:
> Hi,
> 
> >The window of danger was booting a kernel from any time _after_ 2
> >weeks ago and running a fsck from any time _before_ 4 days ago.  If
> >you have booted a new kernel, do not use the old fsck.
> 
> Do I infer correctly from the following paragraph
> >I have backed out the new superblock changes.  The next snapshot will
> >not upgrade the superblock and will simply use the old format.  You
> >are encouraged to move away from any snapshot installed in the last 2
> >weeks.
> that these changes *only* went into -current, and did *not* go into
> -stable?

Yes.

-Ray-



Will BGP be obsolete soon?

2006-04-12 Thread Siju George
Hi,

I was trying to get wet with BGP, OpenBGPD, AS nos. etc so that I can
Implement them in my network. Going through the print out of RFC 1930.

http://www.faqs.org/rfcs/rfc1930.html

I read

---
BGP (Border Gateway
   Protocol, the current de facto standard for inter-AS routing; see
   [BGP-4]), and IDRP (The OSI Inter-Domain Routing Protocol, which the
   Internet is expected to adopt when BGP becomes obsolete; see [IDRP]).
   It should be noted that the IDRP equivalent of an AS is the RDI, or
   Routing Domain Identifier.
-

under the abstract.

It would be very helpful if someone can help me solve the confusion.

1) Will BGP get obsolete soon? if so in what time frame? ( Just
wondering if Henning's, Claudio's and Esben's work on OpenBGPD will be
of little value in the coming years)

2) Henning used to say about Theo motivating him to write OpenBGPD, so I
wonder why Theo did not ask them to write OpenIRDPD instead since the
RFC is already predicting that BGP is going to be obsolete. or is it
going to take some time for BGP to become obsolete?

Again folks this is not a TROLL ( People do mistake me as a troll
often here at misc )
Just want to get a little learning on things, that's all :-)

Thank you all so much

Kind Regards

Siju



Re: Multi-user Password Manager

2006-04-12 Thread Joachim Schipper
On Wed, Apr 12, 2006 at 05:20:31PM +0400, Bruno Carnazzi wrote:
>Hi misc,
> 
> I'm looking for an open-source software solution for multi-user
> password management. Ideally, it's a webapp running on OpenBSD,
> allowing multiple users, each of whom can only see a subpart of the password
> database (ACL or things like that). I've found a lot of such projects
> on sf.net but only for single user... Somebody got an idea ?

Actually, I don't even know what you want to achieve.

Should each user have access to his/her own passwords, and nothing else?
Which user can change which password(s)?

I have a feeling some parts of Horde could be used to make do, but it
will be hackish. And still a webapp - not my first choice for storing
critical information.

Joachim



Re: why is 'passwd' located in /usr/bin instead of /bin?

2006-04-12 Thread João Salvatti
Thanks Bob!

On 4/12/06, Bob Beck <[EMAIL PROTECTED]> wrote:
>
> Because passwd is actually a big old command that uses
> lots of shared libraries. - and may use other network
> calls, such as yp or kerberos.  commands in /bin are statically
> linked.
>
> The short answer is if you want to do things like
> vi or passwd in single user mode - mount /usr - it's not that
> hard.
>
> having said that I never run passwd to recover a root
> password, I just use ed on /etc/master.passwd, paste in a copy
> of a blowfish password I know and run pwd_mkdb
>
> -Bob
>
> * João Salvatti <[EMAIL PROTECTED]> [2006-04-12 08:37]:
> > Hi all,
> >
> > I'd like to know why 'passwd' is located in /usr/bin, since this
> > command is very important for system maintenance purposes. Wouldn't it
> > be better 'passwd' being located in /bin? Because generally /usr has
> > its own partition, and then, when entering in single user mode for any
> > reason or even to recover root password we are to mount /usr partition
> > in order to run 'passwd'. I'm asking it because I've faced this
> > problem some time ago. An OpenBSD server was installed by a sysadmin
> > that travelled as he had quit the job. Then when I assumed this
> > responsibility (being a sysadmin) no one could tell me the superuser
> > password, because no one knew that information, thus I had to enter in
> > single user mode, but in order to run 'passwd' I had to mount /usr.
> >
> > Thanks
> >
> > --
> > João Salvatti
> > Undergraduating in Computer Science
> > Federal University of Para - UFPA
> > web: http://www.openbsd-pa.org
> > e-mail: [EMAIL PROTECTED]
> >
>
> --
> | | | The ASCII Fork Campaign
>  \|/   against gratuitous use of threads.
>   |
>


--
João Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: Will BGP be obsolete soon?

2006-04-12 Thread Lars Hansson
On Wednesday 12 April 2006 23:04, Siju George wrote:

> 1) Will BGP get obsolete soon? if so in what time frame?

No, obsoleting BGP would require major changes to the internet infrastructure 
that would probably be both time-consuming and error-prone.  The RFC you quoted 
is dated 1996 and 10 years later BGP is nowhere near being obsolete.
No doubt it will be obsolete one day but that day won't happen anytime soon.

> 2) Henning used to say about Theo motivating him to write OpenBGPD, so I
> wonder why Theo did not ask them to write OpenIRDPD instead since the
> RFC is already predicting that BGP is going to be obsolete. or is it
> going to take some time for BGP to become obsolete?

I'd guess because no one is using IDRP.

---
Lars Hansson



Openvpn plugin for passwd authentication

2006-04-12 Thread Giancarlo Razzolini
Hi all,

I wrote a plugin for Openvpn that does authentication using the passwd
or the shadow files. I wrote it cause the only authentication plugin for
openvpn is the auth-pam, and i needed to do authentication using the
shadow suite. I then wrote a small C program that did this, and used the
--auth-user-pass-verify directive from the openvpn. But in this setup,
you can't drop the privileges nor chroot the openvpn process.

So, i wrote the plugin. As there isn't an easy way to check if the
system is using shadow passwords or not, you must alter a compiler
directive in the makefile. On BSD systems, the getpwnam(3) is a wrapper
function that does authentication from the file that has the user
passwords, in the OpenBSD, master.passwd. So, to make it work in
OpenBSD, you have to set the compiler directive USE_SHADOW to 0. I've
tested it in OpenBSD 3.8, and it works, but more testing is needed. I
would appreciate any suggestions, reports and comments.

AFAIK i can't attach the plugin on this list, cause the demime will get
rid of it, so if someone want the plugin, mail me directly, and i would
be very pleased to send a copy of it.

Thanks in advance,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: Will BGP be obsolete soon?

2006-04-12 Thread Claudio Jeker
On Wed, Apr 12, 2006 at 08:34:53PM +0530, Siju George wrote:
> Hi,
> 
> I was trying to get wet with BGP, OpenBGPD, AS nos. etc so that I can
> Implement them in my network. Going through the print out of RFC 1930.
> 
> http://www.faqs.org/rfcs/rfc1930.html
> 
> I read
> 
> ---
> BGP (Border Gateway
>Protocol, the current de facto standard for inter-AS routing; see
>[BGP-4]), and IDRP (The OSI Inter-Domain Routing Protocol, which the
>Internet is expected to adopt when BGP becomes obsolete; see [IDRP]).
>It should be noted that the IDRP equivalent of an AS is the RDI, or
>Routing Domain Identifier.
> -
> 

Those guys were smoking good shit while writing the abstract.

> under the abstract.
> 
> It would be very helpful if someone can help me solve the confusion.
> 
> 1) Will BGP get obsolete soon? if so in what time frame? ( Just
> wondering if Henning's, Claudio's and Esben's work on OpenBGPD will be
> of little value in the coming years)
> 

Nobody will switch away from BGP anytime soon. That comment came from the
time where OSI was the next big thing that will replace IP. Now OSI is
dead and so nobody is thinking about moving away from BGP.

> 2) Henning used to say about Theo motivating him to write OpenBGPD, so I
> wonder why Theo did not ask them to write OpenIRDPD instead since the
> RFC is already predicting that BGP is going to be obsolete. or is it
> going to take some time for BGP to become obsolete?
> 

IDRP is dead, it was buried a long time ago.

> Again folks this is not a TROLL ( People do mistake me as a troll
> often here at misc )
> Just want to get a little learning on things, that's all :-)
> 

You should probably do some additional research before asking such
questions. While google finds nothing that useful for IDRP it has tons of
hits for BGP.


-- 
:wq Claudio



Re: Will BGP be obsolete soon?

2006-04-12 Thread Bob Beck
> 1) Will BGP get obsolete soon? if so in what time frame? ( Just
> wondering if Henning's, Claudio's and Esben's work on OpenBGPD will be
> of little value in the coming years)
> 
> 2) Henning used to say about Theo motivating him to write OpenBGPD, so I
> wonder why Theo did not ask them to write OpenIRDPD instead since the
> RFC is already predicting that BGP is going to be obsolete. or is it
> going to take some time for BGP to become obsolete?
> 

10 year old RFC's confirm it!

*BGP is dying!

(you dumbasses) 

-Bob



Re: Multi-user Password Manager

2006-04-12 Thread Bruno Carnazzi
2006/4/12, Joachim Schipper <[EMAIL PROTECTED]>:
> On Wed, Apr 12, 2006 at 05:20:31PM +0400, Bruno Carnazzi wrote:
> >Hi misc,
> >
> > I'm looking for an open-source software solution for multi-user
> > password management. Ideally, it's a webapp running on OpenBSD,
> > allowing multiple users, each of whom can only see a subpart of the password
> > database (ACL or things like that). I've found a lot of such projects
> > on sf.net but only for single user... Somebody got an idea ?
>
> Actually, I don't even know what you want to achieve.
>
> Should each user have access to his/her own passwords, and nothing else?
> Which user can change which password(s)?

The security model can be something like 'john belongs to pay_group,
so he can read and maybe write (if group administrator) passwords of
pay_group'.

This software: http://www.sowsoft.com/password-manager.htm seems to do
the trick but I'd prefer an open-source solution, of course...

>
> I have a feeling some parts of Horde could be used to make do, but it
> will be hackish. And still a webapp - not my first choice for storing
> critical information.

I agree, but in a heterogeneous environment (windows, linuxes & macs)
which I'm in, it's helpful :)

>
> Joachim
>
>

Thank you for the reply,

Bruno.



Re: Openvpn plugin for passwd authentication

2006-04-12 Thread Eric Pancer
On Wed, 2006-04-12 at 12:21:33 -0300, Giancarlo Razzolini proclaimed...

>   I wrote a plugin for Openvpn that does authentication using the passwd
> or the shadow files. I wrote it cause the only authentication plugin for
> openvpn is the auth-pam, and i needed to do authentication using the
> shadow suite. I then wrote a small C program that did this, and used the
> --auth-user-pass-verify directive from the openvpn. But in this setup,
> you can't drop the privileges nor chroot the openvpn process.
> 
>   So, i wrote the plugin. As there isn't an easy way to check if the
> system is using shadow passwords or not, you must alter a compiler
> directive in the makefile. On BSD systems, the getpwnam(3) is a wrapper
> function that does authentication from the file that have the user
> passwords, in the OpenBSD, master.passwd. So, to make it work in
> OpenBSD, you have to set the compiler directive USE_SHADOW to 0. I've
> tested it in OpenBSD 3.8, and it works, but more testing is needed. I
> would appreciate any suggestions, reports and comments.

Shadow passwords? Auth pam? You must have the wrong mailing list; we don't
use those broken technologies here.



Re: Will BGP be obsolete soon?

2006-04-12 Thread Martin Schröder
On 2006-04-12 20:34:53 +0530, Siju George wrote:
>[BGP-4]), and IDRP (The OSI Inter-Domain Routing Protocol, which the
 ^^^
Nobody uses OSI-networking standards :-)

Best
Martin
-- 
http://www.tm.oneiros.de



Re: Will BGP be obsolete soon?

2006-04-12 Thread Henning Brauer
* Siju George <[EMAIL PROTECTED]> [2006-04-12 17:24]:
> http://www.faqs.org/rfcs/rfc1930.html
> 
> I read
> 
> ---
> BGP (Border Gateway
>Protocol, the current de facto standard for inter-AS routing; see
>[BGP-4]), and IDRP (The OSI Inter-Domain Routing Protocol, which the
>Internet is expected to adopt when BGP becomes obsolete; see [IDRP]).
>It should be noted that the IDRP equivalent of an AS is the RDI, or
>Routing Domain Identifier.
> -
> 
> under the abstract.
> 
> It would be very helpful if someone can help me solve the confusion.
> 
> 1) Will BGP get obsolete soon? if so in what time frame? ( Just
> wondering if Henning's, Claudio's and Esben's work on OpenBGPD will be
> of little value in the coming years)

yes, BGP will be obsolete soon, together with IP. All heil OSI 
protocols!

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: Will BGP be obsolete soon?

2006-04-12 Thread tony sarendal
On 12/04/06, Bob Beck <[EMAIL PROTECTED]> wrote:
>
> > 1) Will BGP get obsolete soon? if so in what time frame? ( Just
> > wondering if Henning's, Claudio's and Esben's work on OpenBGPD will be
> > of little value in the coming years)
> >
> > 2) Henning used to say about Theo motivating him to write OpenBGPD, so I
> > wonder why Theo did not ask them to write OpenIRDPD instead since the
> > RFC is already predicting that BGP is going to be obsolete. Or is it
> > going to take some time for BGP to become obsolete?
> >
>
>10 year old RFC's confirm it!
>
>*BGP is dying!
>
>(you dumbasses)
>
>-Bob
>
>
Me and my old Betamax vcr are just waiting for OpenIDRP to be included
in obsd. Stop whining and start implementing, Claudio.

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   "I couldn't help it, it's my nature" =-



Re: Multi-user Password Manager

2006-04-12 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] 
> > Should each user have access to his/her own passwords, and 
> nothing else?
> > Which user can change which password(s)?
> 
> The security model can be something like 'john belongs to pay_group,
> so he can read and maybe write (if group administrator) passwords of
> pay_group'.
[...]
> I agree, but in a heterogeneous environment (windows, linuxes & macs)
> which I'm in, it's helpful :)

This screams LDAP to me. Delegate management of certain portions and
attributes of your tree to whomever should manage them via ACLs. Wrap your
choice of LDAP management around this and you have what you want.

DS



Re: Multi-user Password Manager

2006-04-12 Thread Stuart Henderson
On 2006/04/12 19:40, Bruno Carnazzi wrote:
> The security model can be something like 'john belongs to pay_group,
> so he can read and maybe write (if group administrator) passwords of
> pay_group'.

ldap could do this. login_ldap is in ports, you might need to write
some easy-to-use CGI scripts for people (or you may find an existing
ldap admin utility is sufficient).



Re: Will BGP be obsolete soon?

2006-04-12 Thread Stuart Henderson
On 2006/04/12 20:34, Siju George wrote:
> I was trying to get wet with BGP, OpenBGPD, AS nos. etc so that I can
> Implement them in my network. Going through the print out of RFC 1930.

The RFCs aren't especially helpful for learning this stuff, unless
you're writing an implementation (and even then, RFCs don't document
real-world vendor behaviour).

Books might be more useful: you often have to translate from cisco-eze
into OpenBGP (or JUNOS or whatever), but you'll get good treatment of
concepts and how to do things e.g.

Internet Routing Architectures (Halabi, Cisco Press)
BGP (van Beijnum, O'Reilly)
BGP4 (Stewart, Addison-Wesley)

and/or play on a test network (which you can build with vmware if
you can't spare the real machines).

Hopefully it goes without saying that you need a good solid
understanding of tcp/ip first. If you aren't familiar with how
subnets etc. work you'll find things confusing.



Re: Multi-user Password Manager

2006-04-12 Thread Donald J. Ankney
It sounds like you want to be using OpenLDAP (http://www.openldap.org/).
Instead of using groups for delegation, use OUs.
It's probably not going to be a small project, though.

On Apr 12, 2006, at 8:40 AM, Bruno Carnazzi wrote:

> 2006/4/12, Joachim Schipper <[EMAIL PROTECTED]>:
> > On Wed, Apr 12, 2006 at 05:20:31PM +0400, Bruno Carnazzi wrote:
> > > Hi misc,
> > >
> > > I'm looking for an open-source software solution for a multi-user
> > > password management. Ideally, it's a webapp running on OpenBSD,
> > > allowing multiple users, each can only see a subpart of the password
> > > database (ACL or things like that). I've found a lot of such projects
> > > on sf.net but only for single user... Somebody got an idea?
> >
> > Actually, I don't even know what you want to achieve.
> >
> > Should each user have access to his/her own passwords, and nothing else?
> > Which user can change which password(s)?
>
> The security model can be something like 'john belongs to pay_group,
> so he can read and maybe write (if group administrator) passwords of
> pay_group'.
>
> This software: http://www.sowsoft.com/password-manager.htm seems to do
> the trick but I'd prefer an open-source solution, of course...
>
> > I have a feeling some parts of Horde could be used to make do, but it
> > will be hackish. And still a webapp - not my first choice for storing
> > critical information.
>
> I agree, but in a heterogeneous environment (windows, linuxes & macs)
> which I'm in, it's helpful :)
>
> > Joachim
>
> Thank you for the reply,
>
> Bruno.




Re: Multi-user Password Manager

2006-04-12 Thread Theo de Raadt
> From: [EMAIL PROTECTED] 
> > > Should each user have access to his/her own passwords, and 
> > nothing else?
> > > Which user can change which password(s)?
> > 
> > The security model can be something like 'john belongs to pay_group,
> > so he can read and maybe write (if group administrator) passwords of
> > pay_group'.
> [...]
> > I agree, but in a heterogeneous environment (windows, linuxes & macs)
> > which I'm in, it's helpful :)
> 
> This screams LDAP to me. Delegate management of certain portions and
> attributes of your tree to whomever should manage them via ACLs. Wrap your
> choice of LDAP management around this and you have what you want.

That's right.  Because nothing should ever be simple...



Re: why is 'passwd' located in /usr/bin instead of /bin?

2006-04-12 Thread David Terrell
On Wed, Apr 12, 2006 at 12:04:12PM -0300, João Salvatti wrote:
> On 4/12/06, Bob Beck <[EMAIL PROTECTED]> wrote:
> > having said that I never run passwd to recover a root
> > password, I just use ed on /etc/master.passwd, paste in a copy
> > of a blowfish password I know and run pwd_mkdb
>
> Thanks Bob!

And if you need to make a hash, encrypt(1) is your friend.

-- 
David Terrell
[EMAIL PROTECTED]
((meatspace)) http://meat.net/



Re: Openvpn plugin for passwd authentication

2006-04-12 Thread Joachim Schipper
On Wed, Apr 12, 2006 at 10:48:38AM -0500, Eric Pancer wrote:
> On Wed, 2006-04-12 at 12:21:33 -0300, Giancarlo Razzolini proclaimed...
> 
> > I wrote a plugin for Openvpn that does authentication using the passwd
> > or the shadow files. I wrote it cause the only authentication plugin for
> > openvpn is the auth-pam, and i needed to do authentication using the
> > shadow suite. I then wrote a small C program that did this, and used the
> > --auth-user-pass-verify directive from the openvpn. But in this setup,
> > you can't drop the privileges nor chroot the openvpn process.
> > 
> > So, i wrote the plugin. As there isn't an easy way to check if the
> > system is using shadow passwords or not, you must alter a compiler
> > directive in the makefile. On BSD systems, the getpwnam(3) is a wrapper
> > function that does authentication from the file that have the user
> > passwords, in the OpenBSD, master.passwd. So, to make it work in
> > OpenBSD, you have to set the compiler directive USE_SHADOW to 0. I've
> > tested it in OpenBSD 3.8, and it works, but more testing is needed. I
> > would appreciate any suggestions, reports and comments.
> 
> Shadow passwords? Auth pam? You must have the wrong mailing list; we don't
> use those broken technologies here.

In fact, the OP seems to have created a version that does not use these
technologies with OpenBSD, so that should not be the problem.

Joachim



Re: Openvpn plugin for passwd authentication

2006-04-12 Thread Giancarlo Razzolini
Eric Pancer wrote:
> On Wed, 2006-04-12 at 12:21:33 -0300, Giancarlo Razzolini proclaimed...
>
>>  I wrote a plugin for Openvpn that does authentication using the passwd
>> or the shadow files. I wrote it cause the only authentication plugin for
>> openvpn is the auth-pam, and i needed to do authentication using the
>> shadow suite. I then wrote a small C program that did this, and used the
>> --auth-user-pass-verify directive from the openvpn. But in this setup,
>> you can't drop the privileges nor chroot the openvpn process.
>>
>>  So, i wrote the plugin. As there isn't an easy way to check if the
>> system is using shadow passwords or not, you must alter a compiler
>> directive in the makefile. On BSD systems, the getpwnam(3) is a wrapper
>> function that does authentication from the file that have the user
>> passwords, in the OpenBSD, master.passwd. So, to make it work in
>> OpenBSD, you have to set the compiler directive USE_SHADOW to 0. I've
>> tested it in OpenBSD 3.8, and it works, but more testing is needed. I
>> would appreciate any suggestions, reports and comments.
>
> Shadow passwords? Auth pam? You must have the wrong mailing list; we don't
> use those broken technologies here.
>
>
Did you read my mail at all? The plugin authenticates itself from
master.passwd on OpenBSD and from shadow on linux distributions. I
mentioned PAM, cause the only plugin that existed for authentication in
openvpn uses PAM. I hate PAM, so I wrote the plugin. Next time read the
entire message before saying anything.

--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: Installing X after OpenBSD 3.8 installation

2006-04-12 Thread Maxim Bourmistrov
Yes, you can do an "Upgrade".
Select only packages you want to upgrade (or missed ones).

On Wednesday 12 April 2006 05:11, Andrew Ng wrote:
> Hi,
> 
> understand that there are options to select xbase, game etcs during
> OpenBSD installation. Can I install these options, (particularly X)
> post-install same as the standard install, and not for Ports or other
> methods? I would not want to re-install the system unless necessary.
> Appreciate any help. Thanks.
> 
> Regards
> Andrew Ng
> -- 
>   Andrew Ng
>   [EMAIL PROTECTED]



Re: postfix issue

2006-04-12 Thread josen
> To fix this problem, I need to add some lines to named DNS server?

_IF_ you were the owner of the subnet your mailserver lies in you _SHOULD_
be able to add the proper reverse entries, BUT I'd suggest asking your ISP,
which is probably the one responsible for the PTR-Record.




-Falk



Re: Will BGP be obsolete soon?

2006-04-12 Thread Paul de Weerd
On Wed, Apr 12, 2006 at 05:54:38PM +0200, Martin Schröder wrote:
| On 2006-04-12 20:34:53 +0530, Siju George wrote:
| >[BGP-4]), and IDRP (The OSI Inter-Domain Routing Protocol, which the
|  ^^^
| Nobody uses OSI-networking standards :-)

IS-IS is quite commonly used and runs over OSI protocols.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: Openvpn plugin for passwd authentication

2006-04-12 Thread Eric Pancer
On Wed, 2006-04-12 at 14:07:53 -0300, Giancarlo Razzolini proclaimed...

> Did you read my mail at all? The plugin authenticates itself from
> master.passwd on OpenBSD and from shadow on linux distributions. I
> mentioned PAM, cause the only plugin that existed for authentication in
> openvpn uses PAM. I hate PAM, so I wrote the plugin. Next time read the
> entire message before saying anything.

Heh, indeed I didn't. I just saw those linux related things and panicked! I
thought for a moment you were intending to help us increase the market
viability of OpenBSD by implementing some uberlite way of making OpenBSD
understood by linux idiots.

I apologize! Continue on with more pointfilled discussions!



Re: Openvpn plugin for passwd authentication

2006-04-12 Thread Giancarlo Razzolini
Eric Pancer wrote:
> On Wed, 2006-04-12 at 14:07:53 -0300, Giancarlo Razzolini proclaimed...
>
>> Did you read my mail at all? The plugin authenticates itself from
>> master.passwd on OpenBSD and from shadow on linux distributions. I
>> mentioned PAM, cause the only plugin that existed for authentication in
>> openvpn uses PAM. I hate PAM, so I wrote the plugin. Next time read the
>> entire message before saying anything.
>
> Heh, indeed I didn't. I just saw those linux related things and panicked! I
> thought for a moment you were intending to help us increase the market
> viability of OpenBSD by implementing some uberlite way of making OpenBSD
> understood by linux idiots.
>
> I apologize! Continue on with more pointfilled discussions!
>

This one was fun!

In fact I am trying to move away from linux. OpenBSD really rocks, and
the only reason the plugin authenticates from shadow too is because I
still need it and more people will need it too.

Apologies accepted!
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: Will BGP be obsolete soon?

2006-04-12 Thread chefren

On 04/12/06 17:59, Henning Brauer wrote:
> yes, BGP will be obsolete soon, together with IP. All heil OSI
> protocols!


Yep!

With ATM ("high speed" ISDN) instead of Ethernet of course.

Ideals come true, wonderful world!


Please keep turd polishing, better a polished operating cheap turd 
than hills of expensive glamorous white papers with "perfect" but 
clueless ideas that will never really work.


+++chefren



Re: OpenBSD 3.9 stable from cvs

2006-04-12 Thread Geof Crowl

Unless I am reading something wrong, isn't this:

> If you had started from a 3.9-beta, you might have got lucky.  But
> jumping from 3.8 to 3.9 is NOT an easy process, and is completely
> unsupported.

and this:

> 1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).

totally contradictory?



Re: OpenBSD 3.9 stable from cvs

2006-04-12 Thread Otto Moerbeek
On Wed, 12 Apr 2006, Geof Crowl wrote:

> Unless I am reading something wrong, isn't this:
> 
> > 
> > If you had started from a 3.9-beta, you might have got lucky.  But
> > jumping from 3.8 to 3.9 is NOT an easy process, and is completely
> > unsupported.
> > 
> 
> and this:
> 
> > 
> > 1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).
> > 
> 
> totally contradictory?

First case is source upgrade, second is binary upgrade. That's the
difference Nick is talking about.

-Otto



Re: OpenBSD 3.9 stable from cvs

2006-04-12 Thread Paul de Weerd
On Wed, Apr 12, 2006 at 12:34:55PM -0400, Geof Crowl wrote:
| Unless I am reading something wrong, isn't this:
|
| >
| >If you had started from a 3.9-beta, you might have got lucky.  But
| >jumping from 3.8 to 3.9 is NOT an easy process, and is completely
| >unsupported.
| >
|
| and this:
|
| >
| >1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).
| >
|
| totally contradictory?

You miss (relevant) parts of Nick's e-mail. Jumping from 3.8 to 3.9 (by
source) is not supported. *UPGRADING* 3.8 to 3.9 IS supported. Please
read the original mail again, it's actually quite clear.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/




Re: OpenBSD 3.9 stable from cvs

2006-04-12 Thread Ted Unangst
On 4/12/06, Geof Crowl <[EMAIL PROTECTED]> wrote:
> Unless I am reading something wrong, isn't this:
>
> >
> > If you had started from a 3.9-beta, you might have got lucky.  But
> > jumping from 3.8 to 3.9 is NOT an easy process, and is completely
> > unsupported.

[building 3.9 source on 3.8]

> and this:
> >
> > 1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).

[install 3.9 binaries]

> totally contradictory?

yeah, except i think what nick was getting at was that upgrading via
source is going to be bad, upgrading via sets is easy.



OSPF problems with Vlan interfaces

2006-04-12 Thread Tim Donahue
I am having problems getting ospfd to work with 802.1q vlans.  I have 2
existing ospfd servers that are working correctly with physical interfaces in
each network they are trying to take part in.  I recently built a new box on
which I'm trying to use vlans, as it only has 2 interfaces and I want it to
talk to 3 different networks.  When I start `ospfd -d` to see why no networks
ever get populated into the FIB I get the following errors.  Is there anything
I can do to resolve this problem?

Tim Donahue

recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3, expected 1496
if_fsm: event WAITTIMER resulted in action NOTHING and changing state for interface vlan33 from DROTHER to DROTHER
recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.1, expected 1496


# ifconfig 
de0: flags=8863 mtu 1500
lladdr 00:c0:f0:16:f0:5e
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::2c0:f0ff:fe16:f05e%de0 prefixlen 64 scopeid 0x2
vlan33: flags=8843 mtu 1496
lladdr 00:c0:f0:16:f0:5e
vlan: 33 priority: 0 parent interface: de0
groups: vlan
inet6 fe80::2c0:f0ff:fe16:f05e%vlan33 prefixlen 64 scopeid 0xf
inet 10.4.64.4 netmask 0xff00 broadcast 10.4.64.255
vlan35: flags=8843 mtu 1496
lladdr 00:c0:f0:16:f0:5e
vlan: 35 priority: 0 parent interface: de0
groups: vlan
inet6 fe80::2c0:f0ff:fe16:f05e%vlan35 prefixlen 64 scopeid 0x10
inet 10.2.8.1 netmask 0xff00 broadcast 10.2.8.255



# cat /etc/ospfd.conf

# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# macros
password="secret"

# global configuration
router-id 10.4.64.4
fib-update yes
# spf-delay 1
# spf-holdtime 5
redistribute none

# auth-key $password
# auth-type simple
# hello-interval 10
# metric 10
# retransmit-interval 5
# router-dead-time 40
# router-priority 1
# transmit-delay 1

# areas
area 1 {
interface vlan33 {
auth-type none
}
}


# cat /etc/pf.conf

#   $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

set skip on { lo }

scrub in

block in log
pass out keep state

antispoof quick for { lo }

pass in on de0 from any to any
pass in on vlan33 from any to any
pass in on vlan35 from any to any



Re: OpenBSD 3.9 stable from cvs

2006-04-12 Thread Matthias Kilian
On Wed, Apr 12, 2006 at 12:34:55PM -0400, Geof Crowl wrote:
> >If you had started from a 3.9-beta, you might have got lucky.  But
> >jumping from 3.8 to 3.9 is NOT an easy process, and is completely
> >unsupported.
> >
> 
> and this:
> 
> >
> >1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).
> >
> 
> totally contradictory?

No. The first one means building 3.9 from source (on top of 3.8),
the second one is about a binary update from 3.8 to 3.9.

Ciao,
Kili



Re: bash: delete key sends ~ instead of [del]

2006-04-12 Thread imEnsion
[EMAIL PROTECTED]:~> cat .inputrc
"\e[3~": delete-char
"\e[1~": beginning-of-line
"\e[4~": end-of-line
[EMAIL PROTECTED]:~> uptime
 2:18PM  up 527 days,  9:49, 3 users, load averages: 0.85, 0.97, 0.99
[EMAIL PROTECTED]:~>


Heh... just thought I would throw out the uptime. It's my longest
uptime (freebsd 5.2.1 btw).

cheers.

On 4/9/06, viq <[EMAIL PROTECTED]> wrote:
> On Sunday 12 February 2006 07:51, jared r r spiegel wrote:
> > On Sat, Feb 11, 2006 at 05:17:29PM -0500, Nick Guenther wrote:
> > > Yeah, it does that. I don't know why, I assume historical reasons, and
> > > I would like to learn from someone here who does know. Use backspace
> > > instead.
> > >
> > > > On 2/11/06, Martin Schröder <[EMAIL PROTECTED]> wrote:
> > > > Hi,
> > > > on my freshly installed 3.7 in bash the delete key sends an ~
> > > > instead of [del]. How can I fix this?
> >
> >   it *is* sending del.  rather, the characters sent when you strike the
> >   delete key are recognized by the shell and the shell executes the
> >   editing command "delete-char-backward".   problem is it also sends
> >   a tilde after the sequence that the shell recognizes.
> >
> >   ^[[3~ is what i get here if i just go to a normal console terminal
> >   and hit delete.  that is one character more than my shell is listening
> >   for.
> >
> >   i believe, at least with respect to ksh, bound keys are editing commands
> >   that are executed when the shell sees a control character, which may
> >   have a prefix-character in front of it, come across.
> >   the ksh manpage (/ for bind) describes it better than i do,
> >   but basically, look at it like this:
> >
> >   ^[[3~ is three parts.  ^[[, 3, and ~.  ^[[ == ^X, 3 == 3, ~ == ~.
> >
> >   when the shell sees that, it recognizes "^[[" as 'prefix-2', or ^X.
> >   ^X3 is (i think?) set to 'delete-char-backward'.  at that point, the
> > shell does that.  the ~ was not part of the sequence of keys the shell
> > recognized because it is too many chars.  you get a "prefix" and a "control
> > char", not a prefix and two control chars.  if you type:
> >
> > blah
> >
> >   and hit 'delete', usually you'll end up with
> >
> > bla~
> >
> >   because it did the delete-char-backward, which killed the 'h', but then
> >   the '~' showed up after any shell-recognition was done and so it made
> >   it out to the terminal as a normal character.
> >
> >   a hackish way around that is to use '-m' and make it so
> >   that the shell substitutes "^[[3" with a control-X.  eg:
> >
> > $ bind -m '^[[3'='^X'
> >
> >   ( where '^X' isn't "-<6>, -", but rather:
> >   "-, -". )
> >
> >   and then
> >
> > $ bind '^X~'=delete-char-backward
> >
> >   which makes it so that when the shell sees '^[[3', it substitutes that
> > for a real ^X.  if i'm hitting , the ~ is also sent by my keypress,
> > but at that point, the sequence has become '^X~', which then executes
> > 'delete-char-backward'.
> >
> >   perhaps bash is the same...
>
>
> And what about the home and end keys? Any way to make them work?
>
> --
> viq
>
> --
> Poznaj Stefana! Zmien komunikator! >>> http://link.interia.pl/f1924



Re: bash: delete key sends ~ instead of [del]

2006-04-12 Thread Otto Moerbeek
On Wed, 12 Apr 2006, imEnsion wrote:

> [EMAIL PROTECTED]:~> cat .inputrc
> "\e[3~": delete-char
> "\e[1~": beginning-of-line
> "\e[4~": end-of-line
> [EMAIL PROTECTED]:~> uptime
>  2:18PM  up 527 days,  9:49, 3 users, load averages: 0.85, 0.97, 0.99
> [EMAIL PROTECTED]:~>
> 
> 
> Heh... just thought I would throw out the uptime. It's my longest
> uptime (freebsd 5.2.1 btw).

To cure this, take art's GENERIC viagra:
http://www.blahonga.org/~art/diffs/index.html.

-Otto



Re: OSPF problems with Vlan interfaces

2006-04-12 Thread Claudio Jeker
On Wed, Apr 12, 2006 at 03:15:50PM -0400, Tim Donahue wrote:
> I am having problems getting ospfd to work with 802.1q vlans.  I have 2 
> existing ospfd servers that are working correctly with physical interfaces in 
> each network they are trying to take part in.  I recently built new box that 
> I'm trying to use vlans as it only has 2 interfaces and I want it to talk to 
> 3 different networks.  When I start `ospfd -d` to see why no networks ever 
> get populated into the FIB I get the follow errors.  Is there anything I can 
> do to resolve this problem?
> 
> Tim Donahue
> 
> recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3, expected 
> 1496
> if_fsm: event WAITTIMER resulted in action NOTHING and changing state for 
> interface vlan33 from DROTHER to DROTHER
> recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.1, expected 
> 1496
> 
> 
> # ifconfig 
> de0: flags=8863 mtu 1500
> lladdr 00:c0:f0:16:f0:5e
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet6 fe80::2c0:f0ff:fe16:f05e%de0 prefixlen 64 scopeid 0x2
> vlan33: flags=8843 mtu 1496
> lladdr 00:c0:f0:16:f0:5e
> vlan: 33 priority: 0 parent interface: de0
> groups: vlan
> inet6 fe80::2c0:f0ff:fe16:f05e%vlan33 prefixlen 64 scopeid 0xf
> inet 10.4.64.4 netmask 0xff00 broadcast 10.4.64.255

Welcome in the OSPF hell. OSPF requires that the MTU on all routers is
equal or smaller than the own MTU (this ensures that you are able to
receive all packets coming from that link). Now VLAN tends to reduce the
MTU because of the VLAN header if you have a "crappy" ethernet card.

Either you switch all interfaces that connect to your vlans to MTU 1496 or
you modify your setup to be able to run a MTU of 1500 over your vlan
links. Afaik all modern cards support these "oversized" frames for VLAN.

Trivia: the MTU check was added to "fix" bro^Wtoken ring where it was
possible to run with MTU/MRU combinations that made it impossible for two
systems to exchange traffic correctly.
-- 
:wq Claudio



Re: OSPF problems with Vlan interfaces

2006-04-12 Thread Tim Donahue
On Wednesday 12 April 2006 15:38, Jason Ackley wrote:
> Tim Donahue wrote:
> > recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3,
> > expected 1496
>
>   This is your problem. Your physical interface driver
>   doesn't understand frames that are 'slightly' larger
>   than 1500 (baby giant).  Frames are increased by
>   4 bytes when they have 802.1q tags prepended to them.
>
[snip]
>   If you are unsure, you can grep around for
>   'IFCAP_VLAN_MTU' in the driver source code.
>
>   Most fxp/bge/nge/em/sk cards should be good. Some
>   vr/rl will work as well.
>
>   What is the other interface on the box?

It's an xl card so I'll need to see if we have any other cards around.

>   You could reduce the MTU on the other routers, but
>   that is a hack. Get a real card/driver and you will
>   be set.

This would just be a pain in the rear as time goes on

Thanks for the pointer.  
Tim Donahue



Re: OSPF problems with Vlan interfaces

2006-04-12 Thread Jason Ackley

Tim Donahue wrote:
> recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3, expected
> 1496


 This is your problem. Your physical interface driver
 doesn't understand frames that are 'slightly' larger
 than 1500 (baby giant).  Frames are increased by
 4 bytes when they have 802.1q tags prepended to them.

 Since the driver/card doesn't understand them, the
 vlan(4) driver creates itself with a reduced MTU
 so that it is able to function. If memory serves,
 there is a warning at the time it is created.

 MTUs must match for OSPF to form adjacencies.

 Easiest thing is to use a card/driver that knows
 about baby giants. Your vlan interfaces will then
 be created with MTUs of 1500 and that will match
 the other devices on your network.

 If you are unsure, you can grep around for
 'IFCAP_VLAN_MTU' in the driver source code.

 Most fxp/bge/nge/em/sk cards should be good. Some
 vr/rl will work as well.

 What is the other interface on the box?

 You could reduce the MTU on the other routers, but
 that is a hack. Get a real card/driver and you will
 be set.


cheers,
--
jason
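
The MTU diagnosis from the replies above, as an added example that is not part of the original thread: it parses ospfd debug lines and ifconfig output, lists the neighbors whose Database Description packets were rejected, and flags vlan interfaces sitting 4 bytes below their parent. The sample input is constructed from the output quoted in the thread, the function names are hypothetical, and the acceptance rule is the one Claudio states (neighbor MTU equal to or smaller than the local one).

```python
import re

VLAN_TAG_LEN = 4  # bytes an 802.1Q tag adds to an Ethernet frame

# Constructed sample input, modelled on the ospfd -d and ifconfig output in the thread.
OSPFD_LOG = """\
recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3, expected 1496
if_fsm: event WAITTIMER resulted in action NOTHING and changing state for interface vlan33 from DROTHER to DROTHER
recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.1, expected 1496
recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3, expected 1496
"""

IFCONFIG = """\
de0: flags=8863 mtu 1500
\tlladdr 00:c0:f0:16:f0:5e
vlan33: flags=8843 mtu 1496
\tvlan: 33 priority: 0 parent interface: de0
\tinet 10.4.64.4 netmask 0xff00 broadcast 10.4.64.255
vlan35: flags=8843 mtu 1496
\tvlan: 35 priority: 0 parent interface: de0
"""

DD_RE = re.compile(
    r"recv_dd_description: invalid MTU (\d+) sent by neighbor ID "
    r"(\d+\.\d+\.\d+\.\d+), expected (\d+)"
)
IF_RE = re.compile(r"^(\S+): flags=\S+.*\bmtu (\d+)")
PARENT_RE = re.compile(r"parent interface: (\S+)")


def dd_mtu_acceptable(local_mtu, neighbor_mtu):
    """Rule as stated in the thread: the neighbor's MTU must not exceed ours."""
    return neighbor_mtu <= local_mtu


def parse_rejections(log):
    """Return {neighbor_id: {"sent": int, "expected": int, "count": int}}."""
    out = {}
    for line in log.splitlines():
        m = DD_RE.search(line)
        if not m:
            continue  # state-machine and other debug lines are ignored
        sent, nbr, expected = int(m.group(1)), m.group(2), int(m.group(3))
        entry = out.setdefault(nbr, {"sent": sent, "expected": expected, "count": 0})
        entry["sent"], entry["expected"] = sent, expected  # keep the latest values
        entry["count"] += 1
    return out


def parse_ifconfig(text):
    """Return {ifname: {"mtu": int, "parent": str or None}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IF_RE.match(line)
        if m:  # header line of a new interface
            current = m.group(1)
            ifaces[current] = {"mtu": int(m.group(2)), "parent": None}
            continue
        m = PARENT_RE.search(line)
        if m and current:  # vlan(4) detail line naming the physical parent
            ifaces[current]["parent"] = m.group(1)
    return ifaces


def diagnose(log, ifconfig_text):
    """Return a list of finding tuples, vlan findings first, then neighbors."""
    findings = []
    ifaces = parse_ifconfig(ifconfig_text)
    for name, info in sorted(ifaces.items()):
        parent = ifaces.get(info["parent"])
        # A vlan exactly one tag shorter than its parent means the parent
        # driver does not accept the slightly oversized tagged frames.
        if parent and parent["mtu"] - info["mtu"] == VLAN_TAG_LEN:
            findings.append(("reduced-vlan-mtu", name, info["mtu"], parent["mtu"]))
    for nbr, r in sorted(parse_rejections(log).items()):
        delta = r["sent"] - r["expected"]
        cause = "vlan-tag" if delta == VLAN_TAG_LEN else "other"
        findings.append(("dd-rejected", nbr, r["sent"], r["expected"], cause, r["count"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(OSPFD_LOG, IFCONFIG):
        print(finding)
```

A "vlan-tag" cause together with a "reduced-vlan-mtu" finding points at the parent NIC driver rather than at the OSPF configuration, which matches the advice given in the replies.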



Re: bash: delete key sends ~ instead of [del]

2006-04-12 Thread imEnsion
hahahaha I think I just got owned.

That is so awesome. I needed the laugh, thank you.


On 4/12/06, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
>
>
> On Wed, 12 Apr 2006, imEnsion wrote:
>
> > [EMAIL PROTECTED]:~> cat .inputrc
> > "\e[3~": delete-char
> > "\e[1~": beginning-of-line
> > "\e[4~": end-of-line
> > [EMAIL PROTECTED]:~> uptime
> >  2:18PM  up 527 days,  9:49, 3 users, load averages: 0.85, 0.97, 0.99
> > [EMAIL PROTECTED]:~>
> >
> >
> > Heh... just thought I would throw out the uptime. It's my longest
> > uptime (freebsd 5.2.1 btw).
>
> To cure this, take art's GENERIC viagra:
> http://www.blahonga.org/~art/diffs/index.html.
>
>-Otto



Re: gcc 3 bug

2006-04-12 Thread chefren

On 04/12/06 21:08, Otto Moerbeek wrote:

Hi,

This fixes a gcc code generation bug, demonstrated using -march=i686
-O2, but I suspect it can occur in other circumstances as well. 


Yep, any architecture with and without -march=i686


The interesting thing is that the gcc people classified this as a m68k
bug (the gcc PR was for m68k), but the fix is not in target specific
code.

See  for
the test program (and some noise) and


Some missing characters at the end of the link I presume:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=11441923132379

+++chefren





So far I've done kernel builds and make builds using this diff on macppc
and i386. More testing (also on other gcc 3 platforms) appreciated.

-Otto

Index: gcc/reload1.c
===
RCS file: /cvs/src/gnu/usr.bin/gcc/gcc/reload1.c,v
retrieving revision 1.3
diff -u -p -r1.3 reload1.c
--- gcc/reload1.c   25 Dec 2004 00:23:11 -  1.3
+++ gcc/reload1.c   11 Apr 2006 08:48:39 -
@@ -6923,6 +6923,10 @@ do_input_reload (chain, rl, j)
  actually no need to store the old value in it.  */
 
   if (optimize

+  /* Only attempt this for input reloads; for RELOAD_OTHER we miss
+that there may be multiple uses of the previous output reload.
+Restricting to RELOAD_FOR_INPUT is mostly paranoia.  */
+  && rl->when_needed == RELOAD_FOR_INPUT
   && (reload_inherited[j] || reload_override_in[j])
   && rl->reg_rtx
   && GET_CODE (rl->reg_rtx) == REG
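
Review bot: the comment added in do_input_reload explains why RELOAD_OTHER has to be excluded (multiple uses of the previous output reload are missed), but the new test rl->when_needed == RELOAD_FOR_INPUT also excludes every other reload type, and the only reason given for that is "mostly paranoia". The comment should say which types are known to be unsafe and which are excluded only as a precaution, so a later reader can tell whether relaxing the condition is safe. The diff touches only reload1.c; carrying the test program mentioned in the message as a regression test would keep the miscompilation from returning unnoticed.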




Re: gcc 3 bug

2006-04-12 Thread Otto Moerbeek
On Wed, 12 Apr 2006, chefren wrote:

> On 04/12/06 21:08, Otto Moerbeek wrote:
> > Hi,
> > 
> > This fixes a gcc code generation bug, demonstrated using -march=i686
> > -O2, but I suspect it can occur in other circumstances as well. 
> 
> Yep, any architecture with and without -march=i686
> 
> > The interesting thing is that the gcc people classified this as a m68k
> > bug (the gcc PR was for m68k), but the fix is not in target specific
> > code.
> > 
> > See  for
> > the test program (and some noise) and
> 
> Some missing characters at the end of the link I presume:
> 
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=11441923132379

Now you're making the same mistake as I did ...

http://marc.theaimsgroup.com/?l=openbsd-misc&m=114419231323793

-Otto



ospfd.conf example inheritance problem

2006-04-12 Thread andrew fresh
I was trying to set default auth-type and auth-md and ran into some
trouble.  Doing some debugging, I tried just uncommenting part of the
example ospfd.conf and have found it doesn't work.  Here is what I did:

ospfd.conf.orig is the v1.2 available here:
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/ospfd.conf?rev=1.2&content-type=text/x-cvsweb-markup

$ sudo diff -u ospfd.conf.orig ospfd.conf
--- ospfd.conf.orig Wed Apr 12 14:57:51 2006
+++ ospfd.conf  Wed Apr 12 14:58:09 2006
@@ -9,8 +9,8 @@
 # spf-delay 1
 # spf-holdtime 5

-# auth-key $password
-# auth-type simple
+auth-key $password
+auth-type simple
 # hello-interval 10
 # metric 10
 # retransmit-interval 5
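
Review bot: the enabled auth-type simple line selects OSPF simple password authentication, which carries the key unencrypted in every packet, so it protects against accidental adjacencies only. For reproducing the parse error this is fine; once parsing works, the auth-md setting mentioned in the message together with auth-type crypt is the variant to deploy.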

$ sudo ospfd -n
/etc/ospfd.conf:12: syntax error
/etc/ospfd.conf:23: unknown interface em0
/etc/ospfd.conf:35: unknown interface em2
/etc/ospfd.conf:37: syntax error

$ sudo head -12 ospfd.conf | tail -1
auth-key $password

I don't have em0 or em2, so the rest of the errors are mostly expected
but the line 12 syntax error seems odd since all I did was uncomment
those options.  I also don't have an em1, but ospfd doesn't error on that.

I can't tell for sure from the man page, but the example looks like it
should work, but it doesn't.

Is this the expected behaviour?  

I have tried on 3.8-stable as well as a 3.9 snapshot from March second
with the same results.

l8rZ,
-- 
andrew - ICQ# 253198 - JID: [EMAIL PROTECTED]
 Proud member: http://www.mad-techies.org

BOFH excuse of the day: backup tape overwritten with copy of system
manager's favourite CD



Re: OT: Feedback on BLOB and why not allow it.

2006-04-12 Thread Daniel Ouellet

A follow up on this that might be of interest.

Also a request for information as to what people might know on cases, or 
anything that would very strongly justify my position to want this stopped.


After many weeks requesting to justify this where I never got any answer 
to it and kept asking about the justification, I finally got this first 
reply:


"We have the servers report in so we can get gross level data on 
features and customer counts. We do not collect any user-specific data. 
We do not share the data with anyone outside of . We do this 
primarily in case we need to contact customers proactively (e.g. if 
their system has a lot of customers on it and may have load issues).


Our contracts specify this kind of monitoring precisely for this reason: 
so that we can proactively contact customers if needed."


And then continuing to push the issue as I never allowed this to start 
with, nor was I ever informed it would take place. Plus who really trusts 
this statement anyway from a company that can't even come clean on the 
issue when pushed to it!


I finally got a follow up to it as this:

"Just to clarify on this issue, there is a section in our standard 
contract that addresses this - it's part of the Software License grant 
language:


Compliance with License:
Customer hereby grants x the right to periodically audit and 
review Customer's use of the Software, via remote connection or on-site 
inspection, to ensure compliance with the terms of the Software License 
and this Agreement.  Customer shall at all times cooperate in good faith 
with such reviews and shall promptly remedy any acts of non-compliance 
with such License and/or Agreement as a material term hereof."


Sure this is new in new contract, not in mine, plus even more, if that 
was the only case, fine, I see no problem with that. If requested, I 
sure could allow site inspection for License if needed. I see no problem 
with that, but then, I allow it and I am asked for it.


This is totally different to me than having someone spy on me on a daily 
basis and not even letting me know and trying to justify it as doing it 
to help me, but I never got help from them on many issues, including one 
time when I contacted them as I ran out of licenses to buy more and it 
took them almost a week to send me a new license file to address the 
issue after they got paid obviously. So, what's wrong here???


Anyway, anyone that said BLOB are good, needs a HUGE reality check big time!

Now, I still don't want them to do it and they still try to justify it 
left and right.


In the end I guess it will come down to, you want to use our system, 
then that's how it is, or go elsewhere. But right now, I can't go 
elsewhere. It's already be the second VoIP platform I use and switching is 
pretty darn expensive thank you!


Just thought you might like to see real life stubborn experience with 
BLOB and even after being discovered, they do not want to correct the issue 
and try to justify their rights at doing so!


What a shame I tell you!

This is wrong!

Daniel



Re: Assembly Language Programs

2006-04-12 Thread ren
> Hi to all.
> I am interested to developing a little
> assembly language programs.
> 
> I rode the article written by Thomas Sommers
> ( http://user.nj.net/~tms/hello.html )
> I followed author's instructions but at the end of compilation
> 
>   as -o .o .s
>   ld -o  .o
> 
> what I have is
> 
>  #./
>  #ksh: Operation not permitted
> 
> 
>  Someone knows what is happening ?
> 
> Ale

add the following section:

.section ".note.openbsd.ident", "a"
  .p2align 2
  .long 8
  .long 4
  .long 1
  .ascii "OpenBSD\0"
  .long 0
  .p2align 2

see elf(5) or google for ".note.openbsd.ident"

-- 
ren



Re: Assembly Language Programs

2006-04-12 Thread Tobias Ulmer
On Wed, Apr 12, 2006 at 09:22:49AM +0200, Alessandro Coppelli wrote:
> Hi to all.
> I am interested to developing a little
> assembly language programs.
> 
> I rode the article written by Thomas Sommers
> ( http://user.nj.net/~tms/hello.html )
> I followed author's instructions but at the end of compilation
> 
>   as -o .o .s
>   ld -o  .o
> 
> what I have is
> 
>  #./
>  #ksh: Operation not permitted
> 
> 
>  Someone knows what is happening ?
> 
> Ale
> 
>

Yes, your file is not recognized as valid OpenBSD ELF executable.

Try this:

-- 8< -- (hello.s)
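section .text
global _start

msg db  "Hello, world!",0xa
len equ $ - msg

; arguments go on the stack, syscall number in eax; the call below
; leaves the return address on top of the arguments
_syscall:
        int 0x80
        ret

_start:
        push dword len
        push dword msg
        push dword 1    ; stdout
        mov eax,0x4     ; write
        call _syscall

        add esp,12      ; drop the three arguments

        push dword 0    ; exit status
        mov eax,0x1     ; exit
        call _syscall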


Valid OpenBSD elf header :)
-- 8< -- (obsd-elf.s)
.section ".note.openbsd.ident", "a"
.p2align 2
.long   8
.long   4
.long   1
.ascii "OpenBSD\0"
.long   0
.p2align 2

Compile and link it...

$ as obsd-elf.s -o obsd-elf.o
$ nasm -f elf -o hello.o hello.s
$ ld -s -o hello hello.o obsd-elf.o
$ ./hello
Hello, world!


Tobias
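
What the note section posted in the two replies above encodes, as an added example that is not part of either post: a Python sketch that decodes ELF note records and looks for the OpenBSD identification note in the PT_NOTE segments of a little-endian ELF32 image. The function names, the constructed sample images and the match criteria (name "OpenBSD\0", type 1, 4-byte descriptor, taken from the posted directives) are assumptions of this example; the kernel's own check is not reproduced here.

```python
import struct

PT_NOTE = 4  # ELF program header type for note segments

def build_note(name: bytes, desc: bytes, ntype: int) -> bytes:
    """Encode one note: namesz, descsz, type, then name and desc padded to 4 bytes."""
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return struct.pack("<III", len(name), len(desc), ntype) + pad(name) + pad(desc)

# Same bytes as the posted directives: .long 8, .long 4, .long 1, "OpenBSD\0", .long 0
OPENBSD_NOTE = build_note(b"OpenBSD\0", struct.pack("<I", 0), 1)

def parse_notes(seg: bytes):
    """Yield (name, type, desc) for each note; stop quietly at a truncated record."""
    off = 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, off)
        name_off = off + 12
        desc_off = name_off + ((namesz + 3) & ~3)   # name is padded to 4 bytes
        desc_end = desc_off + descsz
        if desc_end > len(seg):
            return
        yield seg[name_off:name_off + namesz], ntype, seg[desc_off:desc_end]
        off = desc_off + ((descsz + 3) & ~3)        # desc is padded to 4 bytes

def note_segments(image: bytes):
    """Return the file contents of every PT_NOTE segment in an ELF32 LSB image."""
    if len(image) < 52 or image[:4] != b"\x7fELF" or image[4] != 1 or image[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    (e_phoff,) = struct.unpack_from("<I", image, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 42)
    segs = []
    for i in range(e_phnum):
        p_type, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIIII", image, e_phoff + i * e_phentsize)
        if p_type == PT_NOTE:
            segs.append(image[p_offset:p_offset + p_filesz])
    return segs

def has_openbsd_ident(image: bytes) -> bool:
    """True if any PT_NOTE segment carries the note built by the posted section."""
    return any(name == b"OpenBSD\0" and ntype == 1 and len(desc) == 4
               for seg in note_segments(image)
               for name, ntype, desc in parse_notes(seg))

def make_image(payload: bytes, p_type: int = PT_NOTE) -> bytes:
    """Constructed sample: ELF32 header + one program header + payload (not runnable)."""
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0,
                       52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", p_type, 84, 0, 0, len(payload), len(payload), 4, 4)
    return ehdr + phdr + payload

if __name__ == "__main__":
    print("with note:   ", has_openbsd_ident(make_image(OPENBSD_NOTE)))
    print("without note:", has_openbsd_ident(make_image(b"", p_type=1)))
```
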



Re: Openvpn plugin for passwd authentication

2006-04-12 Thread Lars Hansson
On Wednesday 12 April 2006 23:21, Giancarlo Razzolini wrote:
>   I wrote a plugin for Openvpn that does authentication using the passwd
> or the shadow files

What would be even cooler is a bsd-auth plugin.


Lars Hansson



Re: OpenBSD 3.9 stable from cvs

2006-04-12 Thread Nick Holland

Ted Unangst wrote:

On 4/12/06, Geof Crowl <[EMAIL PROTECTED]> wrote:

Unless I am reading something wrong, isn't this:


If you had started from a 3.9-beta, you might have got lucky.  But
jumping from 3.8 to 3.9 is NOT an easy process, and is completely
unsupported.


[building 3.9 source on 3.8]


and this:

1) Start with 3.8, and upgrade to 3.9 later (actually, pretty easy).


[install 3.9 binaries]


totally contradictory?


yeah, except i think what nick was getting at was that upgrading via
source is going to be bad, upgrading via sets is easy.


yeah, and one of these days, Nick will learn what everyone else has long 
figured out: don't give long, detailed answers, as someone will try to 
pick it apart and take it out of context, analyzing the text as if it 
were a fine novel, rather than a quick "I need a break from helping 
people at work, let's see if I can help someone on the mail list" posting.


Yes:
Upgrading from source = difficult, if even possible by ordinary people, 
and certainly not supported by developers.

Upgrading by binaries = easy.

Nick.



Re: Openvpn plugin for passwd authentication

2006-04-12 Thread Giancarlo Razzolini
Lars Hansson wrote:
> On Wednesday 12 April 2006 23:21, Giancarlo Razzolini wrote:
>>  I wrote a plugin for Openvpn that does authentication using the passwd
>> or the shadow files
>
> What would be even cooler is a bsd-auth plugin.
>
> 
> Lars Hansson
>
>

From the man of the OpenBSD getpwnam(3) function:
These routines have been written to ``shadow'' the password file, i.e.,
allow only certain programs to have access to the encrypted password.
If the process which calls them has an effective UID of 0 or has the
``_shadow'' group in its group vector, the encrypted password will be
returned, otherwise, the password field of the returned structure will
point to the string `*'.

My plugin uses the getpwnam(3) function if you do not set the Makefile
directive USE_SHADOW. The shadow suite only complicated things. Move
encrypted passwords to another file, I agree with that. But writing new
functions to read this file, this is an aberration. My plugin
authenticates from the shadow if you define or from the passwd (read
here: using the original function getpwnam(3)). If the program runs with
the uid 0 (which is the case here), it will successfully authenticate
the user. So it does authentication in BSD systems cause, AFAIK, this
behavior of the getpwnam(3) is present on all BSD derivative systems,
since it was decided to move encrypted passwords to another file (in
OpenBSD, /etc/master.passwd). I wrote the plugin this way because I
still need shadow authentication and many people need it, but nobody
that I have talked to bothered to write the plugin. But, as I'm using
OpenBSD now, I wrote it to work in it too. I believe it works on the
majority, if not all, of unix systems that openvpn runs with minor or no
modifications, but haven't tested it yet. I did test it in some linux
distributions with different kernels and glibc versions and in OpenBSD
3.8. So please, try it, and then report any problems, suggestions or
comments.

Thanks,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Storage container for servers & switches

2006-04-12 Thread Phusion
I will be moving some servers and switches in the near future. The
computer equipment is all rack-mountable so it's 1U and 2U. I was
wondering if anyone could recommend storage containers for this type
of computer equipment. Let me know if you have any ideas. Thanks.

Phusion



Re: Storage container for servers & switches

2006-04-12 Thread Chris 'Xenon' Hanson

Phusion wrote:

I will be moving some servers and switches in the near future. The
computer equipment is all rack-mountable so it's 1U and 2U. I was
wondering if anyone could recommend storage containers for this type
of computer equipment. Let me know if you have any ideas. Thanks.


  You can buy "roadie" cases with standard rack rails from musician supply stores and 
catalogs. They're basically portable, armored racks. Dunno how it fits with your budget, 
but if it can help digital music gear survive a concert tour, it is probably good for your 
servers.



Phusion


--
 Chris 'Xenon' Hanson | Xenon @ 3D Nature | http://www.3DNature.com/
 "I set the wheels in motion, turn up all the machines, activate the programs,
  and run behind the scenes. I set the clouds in motion, turn up light and sound,
  activate the window, and watch the world go 'round." -Prime Mover, Rush.



Re: Will BGP be obsolete soon?

2006-04-12 Thread Curtis H. Wilbar Jr.
On Wed, 2006-04-12 at 12:12, Stuart Henderson wrote:
> On 2006/04/12 20:34, Siju George wrote:
> > I was trying to get wet with BGP, OpenBGPD, AS nos. etc so that I can
> > Implement them in my network. Going through the print out of RFC 1930.
> 
> The RFCs aren't especially helpful for learning this stuff, unless
> you're writing an implementation (and even then, RFCs don't document
> real-world vendor behaviour).
> 
> Books might be more useful: you often have to translate from cisco-eze
> into OpenBGP (or JUNOS or whatever), but you'll get good treatment of
> concepts and how to do things e.g.
> 
> Internet Routing Architectures (Halabi, Cisco Press)

There is a free BGP4 paper by Halabi that as I understand it
formed the 'basis' of his book that covers BGP4... it is a very
good paper (at least if you are working with Ciscos).

Check out:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/bgp.pdf
http://www.cisco.com/warp/public/459/bgp-toc.pdf

The second one is the BGP4 Case Studies/Tutorial that I referenced
so long ago in my ISP days... it is what I learned BGP from.

If you ever get into OSPF... he has a similar paper on OSPF, I think
it was called a 'Design Guide'... but I don't recall off hand.

Hope they help,

-- Curt

> BGP (van Beijnum, O'Reilly)
> BGP4 (Stewart, Addison-Wesley)
> 
> and/or play on a test network (which you can build with vmware if
> you can't spare the real machines).
> 
> Hopefully it goes without saying that you need a good solid
> understanding of tcp/ip first. If you aren't familiar with how
> subnets etc. work you'll find things confusing.



Re: Storage container for servers & switches

2006-04-12 Thread Steve Shockley

Phusion wrote:

I will be moving some servers and switches in the near future. The
computer equipment is all rack-mountable so it's 1U and 2U. I was
wondering if anyone could recommend storage containers for this type
of computer equipment. Let me know if you have any ideas. Thanks.


At work, we have two cases that look similar to
http://www.justcases.com/delwheelship.html

We use them to ship servers, they seem to work well.  An ML570 (7U) fits 
in nicely plus padding.




Sparc64 Crash- Sensors/admtemp

2006-04-12 Thread Proc
Since this is from a two month old snapshot, I don't know if this is even 
worth reporting...


console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED],1/[EMAIL PROTECTED]/[EMAIL PROTECTED],3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org


OpenBSD 3.9-beta (GENERIC) #750: Mon Feb 13 06:21:43 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
total memory = 536870912
avail memory = 478846976
using 3276 buffers containing 26836992 bytes of memory
bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
mainbus0 (root): Netra T1 200 (UltraSPARC-IIe 500MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe @ 500 MHz, version 0 FPU
cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 1024K external (64 b/l)
psycho0 at mainbus0
SUNW,sabre: impl 0, version 0: ign 7c0 bus range 0 to 2; PCI bus 0
DVMA map: c000 to e000
IOTDB: 26a8000 to 2728000
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 "Sun Simba PCI-PCI" rev 0x13
pci1 at ppb0 bus 1
ebus0 at pci1 dev 12 function 0 "Sun PCIO Ebus2 (US III)" rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59: hostid 830fc187
ebus_attach: idprom: incomplete
SUNW,lomh at ebus0 addr 20-23 ipl 42 not configured
gem0 at pci1 dev 12 function 1 "Sun ERI Ether" rev 0x01: ivec 3006, address 00:03:ba:0f:c1:87
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x0010dd, model 0x0002
ohci0 at pci1 dev 12 function 3 "Sun USB" rev 0x01: ivec 24, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Sun OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
alipm0 at pci1 dev 3 function 0 "Acer Labs M7101 Power" rev 0x00: 74KHz clock
iic0 at alipm0
admtemp0 at iic0 addr 0x18: max1617
"at34c02" at iic0 addr 0x54 not configured
"at34c02" at iic0 addr 0x55 not configured
"at34c02" at iic0 addr 0x56 not configured
"at34c02" at iic0 addr 0x57 not configured
"at24c64" at iic0 addr 0x50 not configured
"at24c64" at iic0 addr 0x51 not configured
ebus1 at pci1 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
power at ebus1 addr 2000-2007 ipl 37 not configured
com0 at ebus1 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
com0: console
com1 at ebus1 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
pciide0 at pci1 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 180c for native-PCI interrupt
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
gem1 at pci1 dev 5 function 1 "Sun ERI Ether" rev 0x01: ivec 301c, address 00:03:ba:0f:c1:88
ukphy1 at gem1 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x0010dd, model 0x0002
ohci1 at pci1 dev 5 function 3 "Sun USB" rev 0x01: ivec 26, version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Sun OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 4 ports with 4 removable, self powered
ppb1 at pci0 dev 1 function 0 "Sun Simba PCI-PCI" rev 0x13
pci2 at ppb1 bus 2
siop0 at pci2 dev 8 function 0 "Symbios Logic 53c896" rev 0x07: ivec 1820, using 8K of on-board RAM
scsibus0 at siop0: 16 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 8748MB, 15110 cyl, 3 head, 395 sec, 512 bytes/sec, 17916240 sec total
sd1 at scsibus0 targ 1 lun 0:  SCSI2 0/direct fixed
sd1: 8727MB, 9942 cyl, 6 head, 299 sec, 512 bytes/sec, 17873040 sec total
siop1 at pci2 dev 8 function 1 "Symbios Logic 53c896" rev 0x07: ivec 1820, using 8K of on-board RAM
scsibus1 at siop1: 16 targets
pcons at mainbus0 not configured
No counter-timer -- using %tick at 500MHz as system clock.
root on sd0a
siop0: target 0 now using tagged 16 bit 40.0 MHz 31 REQ/ACK offset xfers
rootdev=0x700 rrootdev=0x1100 rawdev=0x1102
siop0: target 1 now using tagged 16 bit 40.0 MHz 31 REQ/ACK offset xfers
ohci1: 1 scheduling overruns
ohci0: 1 scheduling overruns
ohci1: 1 scheduling overruns
ohci0: 1 scheduling overruns
ohci1: 1 scheduling overruns
ohci0: 2 scheduling overruns
ohci1: 1 scheduling overruns
data fault: pc=10b227c addr=e000e000
panic: kernel fault
kdb breakpoint at 132c940
Stopped at  Debugger+0x4:   nop
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> ps
   PID   PPID   PGRPUID  S   FLAGS  WAIT   COMMAND
 27435   1017   1017506  3   0x184  select perl
 10677   1017   1017506  3   0x184  select perl
  1017  1   1017  0  30x84  select perl
 26648  1  26648  0  3  0x4086  ttyin  getty
  5882  1   5882  0  30x84  select cron
 18530  1  18530532  3   0x184  poll   milter-spamd
  1335  1   1335539

Re: Will BGP be obsolete soon?

2006-04-12 Thread friscom

At 05.15 13/04/2006, Curtis H. Wilbar Jr. wrote:

(..)
If you ever get into OSPF... he has a similar paper on OSPF, I think
it was called a 'Design Guide'... but I don't recall off hand.

Hope they help,

-- Curt


May it be this one?
http://www.cisco.com/warp/public/104/1.html

friscom