Re: dhcpclient diff (new options)

2006-04-19 Thread Otto Moerbeek
On Tue, 18 Apr 2006, Nick Guenther wrote:

 On 4/18/06, Joseph C. Bender [EMAIL PROTECTED] wrote:
  Ted Unangst wrote:
  
   another time, somebody should delete all this atom + 1 shit.  any
   computer that runs on electricity should be able to handle the strain.
 
  Okay, so I have to ask.
 
  Why would anyone do something that lame anyway?
 
 Well, if you write something like:
 if (*str == 'c')
 {
     // in here it's redundant to have strcmp check the first character,
     // since you already know it's a c
     if (strcmp(str + 1, "har") == 0) // if str == "char"
     {
         // eggs...
     }
     // spam...
 }
 
 It just cuts down the number of branches in the code... but it's

No, no, no, it increases the number of branches.

 hardly worth it, it makes it too much more difficult to read.

I would say, not worth it.

-Otto



inet6(4)

2006-04-19 Thread Brian
I am working on some IPv4 and IPv6 Interoperability stuff, and I hit a brick wall
trying to get an IPv6 UDP server to receive IPv4 packets.  It looks like that
piece was taken out per inet6(4):

OpenBSD does not route IPv4 traffic to an AF_INET6 socket.  The particular
 behavior in RFC 2553 is intentionally omitted for security reasons
 presented above.  If both IPv4 and IPv6 traffic need to be accepted, listen
 to two sockets.

So if I want to add IPv6 functionality to an existing app, I would convert the
current IPv4 stuff to use getaddrinfo, and I would just open two sockets by
walking the linked list provided by getaddrinfo, right?  I wouldn't try to
receive IPv4 traffic on an IPv6 socket for OpenBSD.

Now, I have done a cursory review of docs via google for converting IPv4 apps
to IPv6, but I haven't looked at the security issues with coding for both.
Besides searching securityfocus, is there another site I should be reading for
IPv6?  Is KAME still relevant to the OpenBSD implementation?

Cheers,

Brian



Re: Sun X2100

2006-04-19 Thread Srebrenko Sehic
Look at: 
http://www.armorlogic.com/openbsd_information_server_compatibility_list.html?action=detailid=x2100

The only *real* issue left is the nvidia network card puking under
major load, but that might have been solved by the last commit (past
3.9-STABLE) by [EMAIL PROTECTED] I haven't got my hands on this box again to
test though.



Re: Server Compatibility List

2006-04-19 Thread Srebrenko Sehic
On 4/19/06, Jonathan Gray [EMAIL PROTECTED] wrote:

 That is totally out of date for 3.9, everything except the x4200 should
 be fine.

Yes. Especially the HP hardware, since most of the problems were
caused by missing PCI bridges that should be fixed now.

As soon as I get my 3.9 CDs from Wim, we'll retest some of the boxes.



problems with carp and vlans

2006-04-19 Thread Lars Weste
Hi, 

I have some problems with carp and vlans, at least I think so. 
I found this: 
http://archives.neohapsis.com/archives/openbsd/cvs/2005-04/0996.html
so my assumption may be wrong, as I use openbsd 3.8.

I have four physical 
interfaces in my two firewalls, one for pfsync, one to the Internet, DMZ 
and LAN. At the LAN interface seven VLAN interfaces are configured. The 
Internet and DMZ interfaces are on em(4) and the pfsync and LAN vlans on 
a bge(4) interface. 

When I remove one of the Internet or DMZ cables, all Interfaces on both 
firewalls behave as expected, the Interface where the cable is removed, 
goes to state INIT, the others become backup. When I do this with the LAN 
interface, then all carp interfaces for the seven vlans go to master 
state, but the two remaining carp interfaces for the Internet and DMZ 
stay in backup mode.

my configuration on both hosts:
net.inet.carp.preempt=1
net.inet.carp.allow=1
net.inet.carp.arpbalance=0


hostname.carp0
!ifconfig em0 up
vhid 1 carpdev em0 172.16.0.1 172.16.0.255 netmask 255.255.255.0 up

hostname.carp1
!ifconfig em1 up
vhid 1 carpdev em1 172.16.1.1 172.16.1.255 netmask 255.255.255.0 up


hostname.carp2 
!ifconfig bge0 up
!ifconfig vlan0 create
!ifconfig vlan0 vlan 3 vlandev bge0 up
vhid 1 carpdev vlan0 192.168.0.1 192.168.1.255 netmask 255.255.254.0 up

hostname.carp3 up to hostname.carp9 (only the vlan interface numbers and 
ip addresses are different)
!ifconfig vlan1 create
!ifconfig vlan1 vlan 4 vlandev bge0 up
vhid 1 carpdev vlan0 192.168.2.1 192.168.3.255 netmask 255.255.254.0 up


I also tried to use the em interfaces for the vlan devices, with the same 
result, the interfaces do not stay in sync. assume the following: i 
remove a cable from the backup host from the carp interfaces, doesn't 
matter which one. The carp interface goes into init state, then i plug it 
back in, and the interface goes into backup state. but with a chance of 
about 1 of 5 the interface changes its state from backup to master, but 
the other interfaces stay in backup mode. The second host has all 
interfaces as master but the one as backup where at the first host the 
corresponding interface is in master mode.


I also tried with different vhid's on all interfaces, but with no 
different results. Anybody knows how to keep the carp interfaces on the 
vlan devices in same state with the carp interfaces bound to the physical 
interfaces? Any hint would be greatly appreciated.


lars




timeout panics

2006-04-19 Thread David Gwynne
I committed a change this morning that should cause misuses of a
kernel API to generate panics rather than weird side effects. If
anyone gets a panic with the message "timeout_set: already queued",
can you submit a bug report via bugs@ or sendbug as soon as possible?
I know I shouldn't have to ask, but can you please ensure you have a
dmesg and a trace of the stack from ddb as part of the bug report?


Cheers,
dlg



Re: a little success in vnc over openvpn

2006-04-19 Thread OS rider
Tim Donahue wrote:

Perhaps this is easier than using a redirect statement in pf.conf. 

Set `sysctl -w net.inet.ip.forwarding=1` on both servers if it is not already
set.

vncviewer 192.168.1.122

Tim Donahue


  

i am sorry , you are right .
according to man openvpn  ,
 example 3 : openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1
10.4.0.2
--tls-client --ca tmp-ca.crt --cert client.crt --key client.key
--reneg-sec 60 --verb 5
makes vncviewer 192.168.1.122 enable .

surely i do not need rdr in pf.conf.
so i again rewrote vnc over openvpn in http://nakajin.dyndns.org/pikara.html
thanks lots. takesima



Re: PCMCIA USB 2.0

2006-04-19 Thread David Gwynne

have you submitted a bug report?

On 18/04/2006, at 11:00 PM, Jared Solomon wrote:


Erm, that's not true.  I picked up one at Beelzebub Buy and it crashes
my openBSD 3.8 machine.

On 4/17/06, David Gwynne [EMAIL PROTECTED] wrote:

i hope you mean cardbus and not pcmcia. there is such a thing as a
pcmcia usb host controller, but it is usb 1 only, and we don't have a
driver for it. if someone wants to give me one i might work on that
in the future though (i want usb on my sparc).

as for usb2 cardbus controllers, anything you pick up will probably
work. try to avoid the cards that do firewire and stuff as well as
usb. your best bet is a straight usb card.

dlg

On 18/04/2006, at 5:53 AM, Dan Smythe wrote:


Since my laptop only has a USB 1 on it, I was thinking
about getting a PCMCIA USB 2.0 adapter. I looked on
the hardware list, but couldn't find a list of
supported models. Any suggestions?






--
Try to do nothing for money that you wouldn't do for free.  --Paul Krassner




Re: Multi Firewalls Admin

2006-04-19 Thread Joachim Schipper
On Tue, Apr 18, 2006 at 12:47:31AM +0200, xanadu wrote:
 Hi,
 
 I have to remote admin 54 OpenBSD firewalls.
 What tools can help me for that (Monitoring, Updates or PF broadcasts, 
 getting firewalls logs, automate processes, ...), is there all in one ?

It's usually better to assemble something from the individual best
components. Some possible choices:
- centralized syslog server(s) running syslog-ng, stock syslogd,
  or whatever syslogd best suits your needs, taking into account
  that the network being traversed is untrusted (i.e. some VPN
  solution makes sense);
- automated log monitoring using, for instance, sec
  (sysutils/sec)[1] or one of the other packages (swatch,
  logsurfer, ...);
- automated network monitoring using, for instance, nagios[2]
  (or mon, or ...);
- some custom scripting to handle pflog, or just keep it on the
  host until needed - or just don't log it;
- distributing configuration and binaries using rdist (in base,
  and works well, but uses a lot of bandwidth), rsync, or
  something all-in like cfengine; or a simple FTP server; most
  choices here allow you to run scripts;
- remote login using sshd, possibly augmented using something
  that will run a command on N hosts;
- something more exotic, like using a single AFS-mounted image
  for all of the firewalls, and telling the various syslogd
  processes to log to the proper place.

Additionally, cron and/or /etc/{daily,weekly,monthly}.local is your
friend. Some custom scripting will be desired; use a Bourne shell, Perl,
Python, or whatever suits you.

Take into account that any package you do not need to install, is one
more package you don't have to depend on. Especially for a firewall,
the stock install is likely to be sufficient.

Joachim

[1] Sec is very powerful, but the documentation is a little lacking in
examples and writing a good ruleset will take time. OTOH, it is more
flexible, more powerful, and writing a good ruleset always takes time. I
have some working configurations for you, should you decide to take this
route.
Whatever you choose, it is vitally important that you *do* see anything
you have not mentioned in the configuration file. Those tend to be the
most 'interesting'.
[2] Nagios is quite useful, and makes pretty pictures. Good for showing
people.



Re: Best WAN Adaper?

2006-04-19 Thread Toni Mueller
Hello,

On Sat, 15.04.2006 at 16:22:31 -0400, Daniel Ouellet [EMAIL PROTECTED] wrote:
 I don't know about the DS3 one as I am still looking for that myself, 
 ...
 As for the DS3, if you get an answer on that one, please share with us!

these seem to have mostly vanished from the planet. The only ones which
were supported at some time in the past, and which I'm aware of, are
SBE's, but they don't give any guarantees. Other cards which might be
good could be those from ImageStream, but they don't support OpenBSD,
nor do they offer reasonable docs (last I looked).

Anyway, if someone of you comes across good E3 cards, please drop me a
note.  Otherwise, try to persuade your carrier to give you Ethernet.


Best,
--Toni++



Re: Sun X2100

2006-04-19 Thread Laurence Tratt
On Tue, Apr 18, 2006 at 07:19:07PM -0400, stan wrote:

 I'm considering purchasing a Sun X2100 to use as an OpenBSD based firewall.

 Any hardware issues I should be aware of?

 What have been people's experience with these (or similar) machines?

Although it's not directly OpenBSD related, you'll probably want to flash
the BIOS with the latest version, as Sun still seem to be shipping machines
with the comically broken first version of the BIOS. Just to give you an
idea of how bad it is: USB keyboards don't work reliably (and this is a
machine without a PS/2 slot don't forget), and at least one BIOS screen says
something like press Shift-F1 but misses the f in shift. Quality
control were probably having an off day.

Mercifully the BIOS update you can get from SUN is installable in an OS
independent fashion, and after that the machine (and OpenBSD) seem to run
fine.


Laurie
-- 
http://tratt.net/laurie/ -- Personal
http://convergepl.org/   -- The Converge programming language
http://sosym.dcs.kcl.ac.uk/  -- Software and Systems Modelling Team
http://modelsconference.org/ -- MoDELS/UML 2006 conference



Re: PPPoA and OpenBSD

2006-04-19 Thread Daniel Walrond
On Sun, Apr 09, 2006 at 07:03:36PM +1000, Dave Harrison wrote:
 Stuart Henderson wrote:
  On 2006/04/09 17:43, Dave Harrison wrote:
  I'm searching high and low for some documentation on setting up a
  PPPoA link (yes, it's for the UK and it's definitely PPPoA _not_
  PPPoE) under OpenBSD
  
  in-tree: ueagle(4) otherwise: iirc there are some USB Speedtouch
  drivers
 
 Is it not possible to configure in a way similar to a ppp  PPPoE
 setup ??
 
 I have a modem that I'm connecting to via ethernet, then it plugs into
 the phone line.
 
 Can I drive PPPoA with the ppp daemon ??

If you're using an ADSL router which you plug your OpenBSD box into via
ethernet I see two ways of connecting. Either get your ADSL modem to do
the PPPoA connection, or make your OpenBSD box do PPPoE and your ADSL
modem do a bridge connection using ATM. I've posted on the list
how I get my OpenBSD box to do the PPP connection (last month, if you
look through the archives for PPPoA).

I may as well turn last month's email into HTML since it seems to be a
common question and there's little on the subject using Google.


Dan



Re: Best WAN Adaper?

2006-04-19 Thread tony sarendal
On 19/04/06, Toni Mueller [EMAIL PROTECTED] wrote:

 Hello,

 On Sat, 15.04.2006 at 16:22:31 -0400, Daniel Ouellet [EMAIL PROTECTED]
 wrote:
  I don't know about the DS3 one as I am still looking for that myself,
  ...
  As for the DS3, if you get an answer on that one, please share with us!

 these seem to have mostly vanished from the planet. The only ones which
 were supported at some time in the past, and which I'm aware of, are
 SBE's, but they don't give any guarantees. Other cards which might be
 good could be those from ImageStream, but they don't support OpenBSD,
 nor do they offer reasonable docs (last I looked).

 Anyway, if someone of you comes across good E3 cards, please drop me a
 note.  Otherwise, try to persuade your carrier to give you Ethernet.



What about using Ethernet to T3/E3 converters instead ?
That way you don't need funky cards in the openbsd box.

I haven't had a closer look at the different vendors of those as we used
Lucent and Nortel Ethernet over SDH equipment (of varying quality) at the
telco I used to work at, but there are many companies out there selling
this stuff. If you can find something which can run as a repeater go for
that.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: Ethical question on misc suggestion

2006-04-19 Thread Jeff Quast
On 4/18/06, Daniel Ouellet [EMAIL PROTECTED] wrote:

 I guess

 I don't know

 I know

 I don't know

 I don't know

 Regards,

 Daniel

It could also be summarized as above.



pfw (was: Multi Firewalls Admin)

2006-04-19 Thread Martin Schröder
On 2006-04-19 10:43:43 +1000, Johan Allard wrote:
 If you check out http://www.allard.nu/pfw/, it's most likely going to  
 be the closest thing for you. It can do PF broadcasts (installing a  
 ruleset on multiple firewalls at once), examining logs on remote  
 firewalls and do basic monitoring of your firewalls as well.

Any chance of it becoming a port?

Best
Martin
-- 
http://www.tm.oneiros.de



Re: pfw (was: Multi Firewalls Admin)

2006-04-19 Thread Alexander Belikov
MS On 2006-04-19 10:43:43 +1000, Johan Allard wrote:
 If you check out http://www.allard.nu/pfw/, it's most likely going to  
 be the closest thing for you. It can do PF broadcasts (installing a  
 ruleset on multiple firewalls at once), examining logs on remote  
 firewalls and do basic monitoring of your firewalls as well.

MS Any chance of it becoming a port?
try to write the same to ports@openbsd.org

-- 
Best regards,
 Alexandermailto:[EMAIL PROTECTED]



Re: PCMCIA USB 2.0

2006-04-19 Thread Jared Solomon
No.  I couldn't keep the machine  up enough to get any change in the
dmesg on it and decided that it was my fault for picking up a random
piece-of-crap bit of hardware at Beelzebub Buy.

If there is interest, I could fire up ye olde beast and attempt it. 
But, my hacking skills and OpenBSD usage is low, so I don't know if my
bug report would be in a helpful format.

On 4/19/06, David Gwynne [EMAIL PROTECTED] wrote:
 have you submitted a bug report?

--
Try to do nothing for money that you wouldn't do for free.  --Paul Krassner



Re: Ethical question on misc suggestion

2006-04-19 Thread Joachim Schipper
On Tue, Apr 18, 2006 at 06:18:45PM -0400, Daniel Ouellet wrote:
 At the risk of being flamed big time, and that's fine, I would however
 suggest that questions on misc@ follow the same criteria as the support
 for the OS itself.
 
 Meaning, a new release comes out, then support on the oldest is dropped and
 only the last two are supported.
 
 Shouldn't support or questions on misc@ follow the same policy?
 
 If one can't give himself/herself the pain to upgrade, I sure don't see
 why anyone else should give themselves the pain to support it either!

Well, doesn't reality more-or-less reflect this already? The first
sentence in a reply to such a post usually contains the word 'upgrade'
(or 'update').

I'd put this in the same category as the RTFM questions - they can be
answered quickly, effectively, and in such a way that the poster does
his homework next time.

Joachim



Re: fs block-number (soft) error - uncorrectable/corrected?

2006-04-19 Thread Joachim Schipper
On Tue, Apr 18, 2006 at 08:04:22PM -0700, patrick ~ wrote:
 Hi,
 
 This is the second time I've been seeing this type of
 an error:
 
 Mar 27 01:30:47 box /bsd: wd0f:   reading fsbn 3967732 of 3967732-3967735 (wd0
 bn 9723412; cn 9646 tn 3 sn 55), retrying
 Mar 27 01:30:48 box /bsd: wd0: soft error (corrected)
 --
 Apr 17 01:30:34 box /bsd: wd0f:  uncorrectable data error reading fsbn 3655388
 of 3655388-3655391 (wd0 bn 9411068; cn 9336 tn 6 sn 2), retrying
 Apr 17 01:30:36 box /bsd: wd0: soft error (corrected)
 
 
 wd0f is my /usr partition.
 
 
 How serious is this?  Should I start looking into a
 hard-disk replacement?  Obviously I'm making a back-up
 of data files I would like to keep.

This usually indicates a disk on its way out. Replace the disk; it's
highly unlikely that your data is worth so little that a new disk is out
of the question.

Joachim



VPN server and winxp client

2006-04-19 Thread wolk
Hello 
I want to create a simple vpn server with native windows xp vpn client. What
is the simple way to create this solution with openbsd?

Jacek 





bluefish or other web design tools

2006-04-19 Thread Jacob Yocom-Piatt
i'm trying to migrate my web development to openbsd from winxp where i use
dreamweaver. i want to have similar functionality to dreamweaver: a WYSIWYG
interface, SFTP file transfers and code coloring. is this too much to ask for?

i have installed the bluefish package on a post-3.9 current machine and that
works fine, but i can't figure out how to use SFTP to transfer site files to and
from a remote server. the bluefish-1.0p1.tgz package for 3.8 doesn't install its
dependencies correctly, so i haven't tried it on 3.8-release.

any other suggestions for website development software?

cheers,
jake



upgrade halted

2006-04-19 Thread Jasper Bal
After numerous advices on the list that I should upgrade, I decided to
try remote upgrading.


At the following step:

Reboot on the new kernel: This might be a tempting step to skip, but it 
should be done now, as usually, the new kernel will run old userland 
apps (such as the soon to be important reboot!), but often a new 
userland will NOT work on the old kernel.


something went wrong. I issued a reboot. And when the system came back 
up, SSH didn't recognize any of my passwords. All the services seem to 
be running though. I even have unchrooted access through FTP. I'm in 
wheel group but have no access as root with FTP. Already checked 
ftpusers, but root is hashed (yes, I know this is wrong). Either I 
forgot the password, or something has changed.


Any hints? Did I do something wrong? Is there a fix? Or do I have to 
travel 400 km?


Regards,
Jasper



Re: VPN server and winxp client

2006-04-19 Thread Jacob Yocom-Piatt
 Original message 
Date: Wed, 19 Apr 2006 15:59:55 +0200
From: wolk [EMAIL PROTECTED]  
Subject: VPN server and winxp client  
To: misc@openbsd.org

Hello 
I want to create a simple vpn server with native windows xp vpn client. What
is the simple way to create this solution with openbsd?

Jacek 




search the archives for this, it's been discussed ad nauseam.

there are 2 such native winxp solutions, one being to use ipseccmd.exe to
establish a tunnel directly with openbsd's isakmpd and the other uses the VPN
style network connection and works over L2TP/PPP/IPSec. the latter one is much
more complicated to set up and requires using an L2TP server, PPP interfaces and
redirects.



Re: upgrade halted

2006-04-19 Thread Oliver Peter
On Wed, Apr 19, 2006 at 04:22:06PM +0200, Jasper Bal wrote:
 After numerous advices on the list that I should upgrade, I decided to
 try remote upgrading.

AFAIK you're running an 3.6 system, right? Did you directly go from
3.6 to 3.9?
 
 Reboot on the new kernel: This might be a tempting step to skip, but it 
 should be done now, as usually, the new kernel will run old userland 
 apps (such as the soon to be important reboot!), but often a new 
 userland will NOT work on the old kernel.

That's right.
 
 something went wrong. I issued a reboot. And when the system came back 
 up, SSH didn't recognize any of my passwords. All the services seem to 
 be running though. I even have unchrooted access through FTP. I'm in 
 wheel group but have no access as root with FTP. 

root isn't able to login via ftp. Generic.

 Any hints? Did I do something wrong? Is there a fix? Or do I have to 
 travel 400 km?

Have you got a chance to connect via a serial terminal?

Please give us further information on how you did the update.
old version, new version, source update, generic kernel etc.

-- 
Oliver Peter, email: [EMAIL PROTECTED], ICQ# 113969174
Worker bees can leave. Even drones can fly away. The Queen is their slave.



Re: upgrade halted

2006-04-19 Thread Nick Holland

Jasper Bal wrote:
After numerous advices on the list that I should upgrade, I decided to
try remote upgrading.


there is a reason we suggest practicing on an identical LOCAL box first!


At the following step:

Reboot on the new kernel: This might be a tempting step to skip, but it 
should be done now, as usually, the new kernel will run old userland 
apps (such as the soon to be important reboot!), but often a new 
userland will NOT work on the old kernel.


something went wrong. I issued a reboot. And when the system came back 
up, SSH didn't recognize any of my passwords. All the services seem to 
be running though. I even have unchrooted access through FTP. I'm in 
wheel group but have no access as root with FTP. Already checked 
ftpusers, but root is hashed (yes, I know this is wrong). Either I 
forgot the password, or something has changed.


Any hints? Did I do something wrong? Is there a fix? Or do I have to 
travel 400 km?


Well, assuming there is a human being on the other end that you share a
common language with, I doubt you need to travel.

You provide basically no information about what you did, what you started
with or where you tried to go, so you aren't going to get a certain answer
here.  However, the only time something like that happened to me is when I
tried to take a system from 3.1 to 3.5 or similar by remote.  Being the
system was completely wrong by that point, I did a remote reinstall,
including unpacking etcXX.tgz (which you will note, you are told not to do)
which clobbered my existing passwd file (which I expected), but I forgot to
change the password before reboot.  I ended up with a completely functional
system with no root password, and sshd is smart enough to keep people out
of root if there is no pw.  Oops.

That's assuming ssh is really responding to you.
If you are just getting slapped away, rather than getting a login prompt,
it could be a problem with your PF configuration, most likely one that was
going to bite you on reboot anyway, reboot or not.  Can you log in as any
other user via ssh?  Got sudo set up?

With FTP access to the box, your only hope is a configuration error
you can exploit.  Hopefully, that's not gonna happen.

Most likely, you will just have someone local force the box for you:
   http://www.openbsd.org/faq/faq8.html#LostPW

and then log in (or have them disable PF or ...).  You can also look at
/var/log/authlog for clues as to why you can't log in as you wish now.

Nick.



Re: bluefish or other web design tools

2006-04-19 Thread Marcus Popp
Hi Jacob,

On 2006-04-19T09:15, Jacob Yocom-Piatt wrote:
...
 any other suggestions for website development software?

have a look at quanta it's a kde web-dev tool.
http://quanta.kdewebdev.org/

hth,

Marcus.



Re: bluefish or other web design tools

2006-04-19 Thread Marcus Popp
On 2006-04-19T14:54, Marcus Popp wrote:
 Hi Jacob,
 
 On 2006-04-19T09:15, Jacob Yocom-Piatt wrote:
 ...
  any other suggestions for website development software?
 
 have a look at quanta it's a kde web-dev tool.
 http://quanta.kdewebdev.org/
 
 hth,
 
 Marcus.

it's in the kdewebdev package.

Marcus



Re: upgrade halted

2006-04-19 Thread Jasper Bal

Oliver Peter schreef:

On Wed, Apr 19, 2006 at 04:22:06PM +0200, Jasper Bal wrote:
  
After numerous advices on the list that I should upgrade, I decided to
try remote upgrading.



AFAIK you're running an 3.6 system, right? Did you directly go from
3.6 to 3.9?
  

3.6 to 3.7
 
  
root isn't able to login via ftp. Generic.
  

I changed that.
  
Any hints? Did I do something wrong? Is there a fix? Or do I have to 
travel 400 km?



Have you got a chance to connect via a serial terminal?
  

No.

Please give us further information on how you did the update.
old version, new version, source update, generic kernel etc

I was running 3.6 stable.
I removed my packages.
I removed the g++ compiler.
I downloaded the install files for 3.7.
I replaced bsd and bsd.rd.
I installed new firmware.
Then I issued a reboot.

The rest is history.

MvG
Jasper



Re: bluefish or other web design tools

2006-04-19 Thread Jacob Yocom-Piatt
 Original message 
Date: Wed, 19 Apr 2006 10:39:04 -0400 (EDT)
From: Peter [EMAIL PROTECTED]  
Subject: Re: bluefish or other web design tools  
To: [EMAIL PROTECTED], misc@openbsd.org


--- Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:

 i'm trying to migrate my web development to openbsd from winxp where
 i use dreamweaver. i want to have similar functionality to
dreamweaver: a
 WYSIWYG interface, SFTP file transfers and code coloring. is this too
much to ask for?
 
 i have installed the bluefish package on a post-3.9 current machine
 and that works fine, but i can't figure out how to use SFTP to
transfer site
 files to and from a remote server.

sftp is like ssh and scp: use the command line.  Can you be more
specific on how this is failing you?


it isn't that it's failing me so much as i don't appear to have the same option
as i do under dreamweaver in this regard. you can check out/in a site using SFTP
under dreamweaver when you're working on a webserver that is remote. this way,
you needn't make manual use of SFTP to upload individual files or get the most
recent files you've checked in. i'm not too keen on having to manually do these
transfers since it wastes time.

also, there are a number of packages and configuration changes i've made to the
webserver that the code is supposed to run on, making it inconvenient to
replicate such a setup on the local machine where i'm coding.

[ workstation running bluefish ]    [ webserver w/ extra packages and configuration ]


Re: upgrade halted

2006-04-19 Thread Jasper Bal

Nick Holland schreef:


and then log in (or have them disable PF or ...).  You can also look at
/var/log/authlog for clues as to why you can't log in as you wish now.

Nick.



Thanks Nick. Look what I found in authlog:

Apr 19 16:09:17 Speculum sshd[15678]: User jabal not allowed because 
shell /usr/local/bin/tcsh does not exist


This is probably stupid, but I removed the tcsh pkg. I did think about 
possible difficulties logging in without, but i didn't think long enough.


All my users use tcsh. Root uses csh. If I could only remember the 
password...


Jasper
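
The authlog line above shows sshd refusing a login because the account's shell no longer exists. A check for that condition to run before removing packages or rebooting, as an added example (not from any poster in this thread): it scans passwd(5)-format text and reports accounts whose shell is not an executable regular file. The sample accounts and the /nonexistent path are constructed, and the test applied is an approximation of what sshd checks.

```c
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in /etc/passwd layout (7 colon-separated fields). */
const char *SAMPLE_PASSWD =
    "root:*:0:0:constructed root:/root:/bin/sh\n"
    "jabal:*:1000:1000:constructed user:/home/jabal:/nonexistent/bin/tcsh\n"
    "guest:*:1001:1001:constructed user:/home/guest:\n";

/* Returns 1 if path is a regular file with an execute bit set, else 0. */
int shell_usable(const char *path)
{
    struct stat st;

    if (path == NULL || *path == '\0')
        return 0;
    if (stat(path, &st) == -1)          /* follows symlinks */
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

/* Copy the idx-th colon-separated field of one line into out. */
static int passwd_field(const char *line, int idx, char *out, size_t outlen)
{
    const char *p = line;
    size_t flen;

    while (idx-- > 0) {
        p += strcspn(p, ":\n");
        if (*p != ':')
            return -1;                  /* line has too few fields */
        p++;
    }
    flen = strcspn(p, ":\n");
    if (flen >= outlen)
        return -1;
    memcpy(out, p, flen);
    out[flen] = '\0';
    return 0;
}

/*
 * Scan passwd-format text and count the accounts whose login shell is
 * missing or not executable. An empty shell field means /bin/sh.
 * Offending accounts are written to report when it is not NULL.
 */
int count_locked_out(const char *text, FILE *report)
{
    char user[64], shell[256];
    const char *line = text;
    int bad = 0;

    while (line != NULL && *line != '\0') {
        if (*line != '#' && *line != '\n' &&
            passwd_field(line, 0, user, sizeof(user)) == 0 &&
            passwd_field(line, 6, shell, sizeof(shell)) == 0) {
            const char *sh = shell[0] != '\0' ? shell : "/bin/sh";

            if (!shell_usable(sh)) {
                bad++;
                if (report != NULL)
                    fprintf(report, "%s: shell %s is missing or not executable\n",
                            user, sh);
            }
        }
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return bad;
}

int main(int argc, char **argv)
{
    static char buf[65536];
    const char *text = SAMPLE_PASSWD;   /* default: the constructed sample */

    if (argc > 1) {                     /* or a real file, e.g. /etc/passwd */
        FILE *f = fopen(argv[1], "r");
        size_t n;

        if (f == NULL) {
            perror(argv[1]);
            return 2;
        }
        n = fread(buf, 1, sizeof(buf) - 1, f);
        buf[n] = '\0';
        fclose(f);
        text = buf;
    }
    return count_locked_out(text, stdout) > 0 ? 1 : 0;
}
```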



Re: upgrade halted

2006-04-19 Thread Stuart Henderson
On 2006/04/19 16:22, Jasper Bal wrote:
 something went wrong. I issued a reboot. And when the system came back 
 up, SSH didn't recognize any of my passwords. All the services seem to 
 be running though. I even have unchrooted access through FTP. I'm in 
 wheel group but have no access as root with FTP.

Can you upload a ~/.ssh/authorized_keys for some user in wheel?



Re: upgrade halted

2006-04-19 Thread Jasper Bal

Stuart Henderson schreef:

On 2006/04/19 16:22, Jasper Bal wrote:
  
something went wrong. I issued a reboot. And when the system came back 
up, SSH didn't recognize any of my passwords. All the services seem to 
be running though. I even have unchrooted access through FTP. I'm in 
wheel group but have no access as root with FTP.



Can you upload a ~/.ssh/authorized_keys for some user in wheel?
  
Yes I can. Will connecting through RSA/DSA not give the same problem with
tcsh? See my response to Nick Holland.


Jasper



Re: bluefish or other web design tools

2006-04-19 Thread Peter
--- Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:

 i'm trying to migrate my web development to openbsd from winxp where
 i use dreamweaver. i want to have similar functionality to
dreamweaver: a
 WYSIWYG interface, SFTP file transfers and code coloring. is this too
much to ask for?
 
 i have installed the bluefish package on a post-3.9 current machine
 and that works fine, but i can't figure out how to use SFTP to
transfer site
 files to and from a remote server.

sftp is like ssh and scp: use the command line.  Can you be more
specific on how this is failing you?



Re: upgrade halted

2006-04-19 Thread Stuart Henderson
On 2006/04/19 17:20, Jasper Bal wrote:
 Can you upload a ~/.ssh/authorized_keys for some user in wheel?
   
 Yes I can. Will connecting through RSA/DSA not give the same problem with
 tcsh? See my response to Nick Holland.

Ah yes, it will, sorry..



Re: upgrade halted

2006-04-19 Thread Pete Vickers
if you can read /var/log/authlog, you are in wheel (unless you've  
changed perms on it). So just use scp to copy ksh to /usr/local/bin/ 
tcsh...


/Pete


On 19. apr. 2006, at 17.15, Jasper Bal wrote:


Nick Holland schreef:


and then log in (or have them disable PF or ...).  You can also  
look at
/var/log/authlog for clues as to why you can't log in as you wish  
now.


Nick.



Thanks Nick. Look what I found in authlog:

Apr 19 16:09:17 Speculum sshd[15678]: User jabal not allowed  
because shell /usr/local/bin/tcsh does not exist


This is probably stupid, but I removed the tcsh pkg. I did think  
about possible difficulties logging in without, but i didn't think  
long enough.


All my users use tcsh. Root uses csh. If I could only remember the  
password...


Jasper




Re: upgrade halted

2006-04-19 Thread L. V. Lammert

At 05:20 PM 4/19/2006 +0200, Jasper Bal wrote:
 Will connecting through RSA/DSA not give the same problem with tcsh? See
my response to Nick Holland.


How about ftp'ing up another copy of csh named tcsh? Might get you running, ..

Lee



Re: upgrade halted

2006-04-19 Thread Paul de Weerd
On Wed, Apr 19, 2006 at 05:36:37PM +0200, Pete Vickers wrote:
| if you can read /var/log/authlog, you are in wheel (unless you've
| changed perms on it). So just use scp to copy ksh to /usr/local/bin/
| tcsh...

[EMAIL PROTECTED] $ id
uid=864(weerd) gid=864(weerd) groups=864(weerd), 0(wheel), 5(operator),
9(wsrc), 69(network), 117(dialer)
[EMAIL PROTECTED] $ touch /usr/local/bin/tcsh
touch: /usr/local/bin/tcsh: Permission denied
[EMAIL PROTECTED] $ ls -ld /usr/local/bin/
drwxr-xr-x  2 root  wheel  13824 Mar 21 18:38 /usr/local/bin/

I may be in wheel, but wheel has no write permissions on
/usr/local/bin, so that doesn't help much.

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/




Re: upgrade halted

2006-04-19 Thread Joachim Schipper
On Wed, Apr 19, 2006 at 05:36:37PM +0200, Pete Vickers wrote:
 if you can read /var/log/authlog, you are in wheel (unless you've  
 changed perms on it). So just use scp to copy ksh to /usr/local/bin/ 
 tcsh...

But you don't have write permission on that directory, at least, not on
my machine.

Joachim



Re: upgrade halted

2006-04-19 Thread Joachim Schipper
On Wed, Apr 19, 2006 at 04:22:06PM +0200, Jasper Bal wrote:
 After numerous advices on the list that I should upgrade, I decided to 
 try remote upgrading.
 
 At the following step:
 
 Reboot on the new kernel: This might be a tempting step to skip, but it 
 should be done now, as usually, the new kernel will run old userland 
 apps (such as the soon to be important reboot!), but often a new 
 userland will NOT work on the old kernel.
 
 something went wrong. I issued a reboot. And when the system came back 
 up, SSH didn't recognize any of my passwords. All the services seem to 
 be running though. I even have unchrooted access through FTP. I'm in 
 wheel group but have no access as root with FTP. Already checked 
 ftpusers, but root is hashed (yes, I know this is wrong). Either I 
 forgot the password, or something has changed.
 
 Any hints? Did I do something wrong? Is there a fix? Or do I have to 
 travel 400 km?

Is sendmail listening to incoming connections? If so, you might have a
chance to exploit it to gain (more/root) access. I can't help you here,
but securityfocus.com does claim to have a PoC:
http://www.securityfocus.com/bid/17192/info. No idea if it works,
though, and OpenBSD's security enhancements are unlikely to be very
helpful here. Of course, that's sort of the point...

The one other security problem is only useful if you can get scp to try
to work with strange filenames, and that's not very likely, is it?

Since you have syslog access (further upthread - via FTP, I presume),
what does the system say when you try to log in as root (over FTP? over
SSH?)?

Joachim



Re: upgrade halted

2006-04-19 Thread Jeff Quast
On 4/19/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Wed, Apr 19, 2006 at 05:36:37PM +0200, Pete Vickers wrote:
  if you can read /var/log/authlog, you are in wheel (unless you've
  changed perms on it). So just use scp to copy ksh to /usr/local/bin/
  tcsh...

 But you don't have write permission on that directory, at least, not on
 my machine.

Joachim

Maybe I'm missing something, no access to a unix right now, but how
about the ssh option for a command?, the ssh manpage says

 If command is specified, it is executed on the remote host instead of a
 login shell.

and

 When the user's identity has been accepted by the server, the server ei-
 ther executes the given command, or logs into the machine and gives the
 user a normal shell on the remote machine.

maybe with an .authorized_keys file, you could invoke /bin/sh directly.

ssh [EMAIL PROTECTED] '/bin/sh'

auth may still deny it, the login shell not-existing, but it's worth a shot...



Re: bluefish or other web design tools

2006-04-19 Thread Stuart Henderson
 i'm not too keen on having to manually do these transfers since it wastes 
 time.

How about rsync?

 also, there a number of packages and configuration changes i've made to the
 webserver that the code is supposed to run on, making it inconvenient to
 replicate such a setup on the local machine where i'm coding.

Doing this would be a good exercise since you can document it at
the same time, facilitating recovery if you have a problem with the
webserver.



Re: upgrade halted

2006-04-19 Thread Stuart Henderson
On 2006/04/19 13:10, Jeff Quast wrote:
 Maybe I'm missing something, no access to a unix right now, but how
 about the ssh option for a command?, the ssh manpage says

I checked this earlier - it doesn't work (at least on current OpenSSH;
I didn't check older versions).

user ... not allowed because shell /bin/... does not exist
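
Added example, not part of any post in this thread: the authlog line quoted earlier shows sshd refusing an account whose login shell file is gone, and the reply above reports that giving ssh a command does not get around that check. The script below looks for such accounts before a shell package is removed and pulls past refusals out of authlog; the function names, the ROOT prefix parameter and all sample data except the jabal log line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The sample tree, the passwd entries
# and the second and third log lines are constructed.

# check_login_shells PASSWD_FILE [ROOT]
# Reads a passwd(5)-format file (7 colon-separated fields) and prints
#   user<TAB>shell<TAB>reason
# for every account whose login shell is missing or is not an executable
# regular file. ROOT is an optional path prefix (hypothetical parameter) so
# the check can run against a mounted or unpacked tree.
# Run it as root on a live system: "test -x" answers for the calling user.
check_login_shells() {
    cls_root=${2:-}
    while IFS=: read -r cls_user cls_pw cls_uid cls_gid cls_gecos cls_home cls_shell ||
          [ -n "$cls_user" ]; do
        case $cls_user in ''|'#'*) continue ;; esac
        # An empty shell field means /bin/sh.
        [ -n "$cls_shell" ] || cls_shell=/bin/sh
        cls_path=$cls_root$cls_shell
        if [ ! -e "$cls_path" ]; then
            printf '%s\t%s\tmissing\n' "$cls_user" "$cls_shell"
        elif [ ! -f "$cls_path" ] || [ ! -x "$cls_path" ]; then
            printf '%s\t%s\tnot-executable\n' "$cls_user" "$cls_shell"
        fi
    done < "$1"
}

# refused_by_shell AUTHLOG
# Prints de-duplicated "user shell" pairs for sshd refusals of the kind
# quoted in the thread.
refused_by_shell() {
    sed -n 's/.* sshd\[[0-9]*\]: User \([^ ]*\) not allowed because shell \([^ ]*\) does not exist.*/\1 \2/p' "$1" |
        sort -u
}

# make_sample DIR: build a constructed root tree, passwd file and authlog.
make_sample() {
    mkdir -p "$1/bin" "$1/usr/local/bin"
    for ms_f in sh ksh oldsh; do printf '#!/bin/sh\n' > "$1/bin/$ms_f"; done
    chmod 755 "$1/bin/sh" "$1/bin/ksh"
    chmod 644 "$1/bin/oldsh"            # present, but no execute bit
    cat > "$1/passwd" <<'EOF'
# constructed sample accounts
jabal:*:1000:1000:constructed:/home/jabal:/usr/local/bin/tcsh
alice:*:1001:1001:constructed:/home/alice:/bin/ksh
bob:*:1002:1002:constructed:/home/bob:
carol:*:1003:1003:constructed:/home/carol:/bin/oldsh
EOF
    cat > "$1/authlog" <<'EOF'
Apr 19 16:09:17 Speculum sshd[15678]: User jabal not allowed because shell /usr/local/bin/tcsh does not exist
Apr 19 16:10:02 Speculum sshd[15701]: User jabal not allowed because shell /usr/local/bin/tcsh does not exist
Apr 19 16:11:40 Speculum sshd[15733]: Accepted password for alice from 192.0.2.10 port 40122 ssh2
EOF
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "accounts sshd would refuse:"
check_login_shells "$demo_dir/passwd" "$demo_dir"
echo "refusals already logged:"
refused_by_shell "$demo_dir/authlog"
rm -rf "$demo_dir"
```

On a live system the call is `check_login_shells /etc/passwd`, run before pkg_delete and again after the upgrade step that replaces userland.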



Re: upgrade halted

2006-04-19 Thread Jeff Quast
just throwing out an idea, again i haven't openbsd available to me atm,
how about replacing a crontab for a fix via ftp? a netcat
bindshell-style program for back-door entry.

I'm thinking, though, since crontab is setuid, that you may not have
permission to overwrite a crontab file (be it your own) over ftp.

On 4/19/06, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2006/04/19 13:10, Jeff Quast wrote:
  Maybe I'm missing something, no access to a unix right now, but how
  about the ssh option for a command?, the ssh manpage says

 I checked this earlier - it doesn't work (at least on current OpenSSH;
 I didn't check older versions).

 user ... not allowed because shell /bin/... does not exist



Re: upgrade halted

2006-04-19 Thread Joakim Aronius
* Joachim Schipper ([EMAIL PROTECTED]) wrote:
 On Wed, Apr 19, 2006 at 04:22:06PM +0200, Jasper Bal wrote:
  Any hints? Did I do something wrong? Is there a fix? Or do I have to 
  travel 400 km?
 
 Is sendmail listening to incoming connections? If so, you might have a
 chance to exploit it to gain (more/root) access. I can't help you here,
 but securityfocus.com does claim to have a PoC:
 http://www.securityfocus.com/bid/17192/info. No idea if it works,
 though, and OpenBSD's security enhancements are unlikely to be very
 helpful here. Of course, that's sort of the point...

Yeah, I think we all would be better off running a less secure OS. Then we could 
hack it when we screw up like this. I bet you got this tip from some Linux forum 
(couldn't help that :)

Almost everyone who has used remote/headless machines for some time has 
locked themselves out for stupid reasons; upgrade, changing pf rules etc. (been 
there :P ) It really helps having two machines sharing a serial cable when 
something like this happens..

I would say that all suggestions so far in this thread are examples of actions 
that a secure OS should prevent.

Good luck anyway, hope it works out.

/Joakim

 
 The one other security problem is only useful if you can get scp to try
 to work with strange filenames, and that's not very likely, is it?
 
 Since you have syslog access (further upthread - via FTP, I presume),
 what does the system say when you try to log in as root (over FTP? over
 SSH?)?
 
   Joachim



Re: upgrade halted

2006-04-19 Thread Michael Wilsker

Howdy,

You might also want to check that you unpacked the base file set 
correctly (using tar xzpf).   If you didn't preserve the setuid file 
modes in /usr/libexec/auth for example, the system's ability to 
process password based logins would be pretty well crippled. If 
this is the case, unpacking the fileset(s) again using the correct 
tar options will fix it.


Regards,

 -- Mikey




On Wednesday 19 April 2006 19:27, Stuart Henderson wrote:
 On 2006/04/19 13:10, Jeff Quast wrote:
  Maybe I'm missing something, no access to a unix right now, but how
  about the ssh option for a command?, the ssh manpage says

 I checked this earlier - it doesn't work (at least on current OpenSSH;
 I didn't check older versions).

 user ... not allowed because shell /bin/... does not exist




Re: upgrade halted

2006-04-19 Thread Matthias Kilian
On Wed, Apr 19, 2006 at 04:59:32PM +0200, Jasper Bal wrote:
 Any hints? Did I do something wrong? Is there a fix? Or do I have to 
 travel 400 km?
[...]
 I replaced bsd and bsd.rd.

Made the obligatory backup copy (/obsd)? This could save you a train
ticket -- just tell someone near the box to boot it with the old kernel.

Ciao,
Kili



Re: upgrade halted

2006-04-19 Thread Matthias Kilian
On Wed, Apr 19, 2006 at 05:36:37PM +0200, Pete Vickers wrote:
 if you can read /var/log/authlog, you are in wheel (unless you've  
 changed perms on it). So just use scp to copy ksh to /usr/local/bin/ 
 tcsh...

The above is exactly what we in Germany call Gefrickel.

$ ssh [EMAIL PROTECTED] chsh -s /bin/ksh

Ciao,
Kili



rc.conf.local update_motd=NO

2006-04-19 Thread Eduardo Alvarenga
Hi there,

--
--- rc.orig 2006-04-19 15:43:13.869242320 -0300
+++ rc  2006-04-19 15:45:43.632474848 -0300
@@ -491,6 +491,7 @@
 if [ ! -f /etc/motd ]; then
install -c -o root -g wheel -m 664 /dev/null /etc/motd
 fi
+if [ X${update_motd} != XNO ]; then
 T=`mktemp /tmp/_motd.XX`
 if [ $? -eq 0 ]; then
sysctl -n kern.version | sed 1q  $T
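Review bot: The test on the added line `if [ X${update_motd} != XNO ]; then` expands update_motd unquoted, so a value containing whitespace or a glob character breaks the test; write it as `[ "X${update_motd}" != XNO ]`. The guard also opens after the existing `if [ ! -f /etc/motd ]` block, so with update_motd=NO rc still creates an empty /etc/motd when none exists; state whether that is intended. The mktemp block that now sits inside the conditional should be indented one level.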
@@ -499,6 +500,7 @@
cmp -s $T /etc/motd || cp $T /etc/motd
rm -f $T
 fi
+fi

 if [ -f /var/account/acct ]; then
echo 'turning on accounting';   accton /var/account/acct
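Review bot: The `fi` added here closes a conditional driven by a new variable, update_motd, yet the patch touches only rc: there is no default for it in rc.conf and no manual page hunk, so the behaviour depends on the variable being unset and the knob is undocumented. Add an explicit default (for example update_motd=YES) and an rc.conf(8) entry in the same change.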
--

Some companies ask sysadmins to put a specific message of the day for
many purposes, this patch might become handy in such situations.

It is useful, at least for me.

Regards,

--
Eduardo Alvarenga



Re: upgrade halted

2006-04-19 Thread Matthias Kilian
On Wed, Apr 19, 2006 at 11:28:37AM -0700, Michael Wilsker wrote:
 You might also want to check that you unpacked the base file set 
 correctly (using tar xzpf).

Well, tell me an idiot, but if I read the OP's mail, he just replaced
the kernel and the firmware -- nothing else yet.

Ciao,
Kili



i just have to share this with you guys...

2006-04-19 Thread Joe Advisor
load averages:  0.78,  0.76,  0.75    14:00:32
61 processes:  51 idle, 9 zombie, 1 on processor
CPU0 states:  0.6% user,  0.0% nice,  3.0% system,  0.0% interrupt, 96.4% idle
CPU1 states:  0.2% user,  0.0% nice,  1.2% system,  0.0% interrupt, 98.6% idle
CPU2 states:  0.2% user,  0.0% nice,  1.0% system,  0.0% interrupt, 98.8% idle
CPU3 states:  0.0% user,  0.0% nice,  2.4% system,  0.0% interrupt, 97.6% idle
CPU4 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU5 states:  0.0% user,  0.0% nice,  0.6% system,  0.0% interrupt, 99.4% idle
CPU6 states:  0.4% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.4% idle
CPU7 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
Memory: Real: 130M/640M act/tot  Free: 3290M  Swap: 0K/512M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE    WAIT     TIME    CPU COMMAND
 3501 root      10    0   25M   15M sleep/2  nanosl   8:30  2.15% perl
30343 _squid     2    0 5076K 7516K sleep/0  poll     0:02  0.00% squid
10251 _pflogd    4    0  464K  444K sleep/0  bpf      0:00  0.00% pflogd
11953 root       2    0 2200K 3632K sleep/0  select   0:01  0.00% httpd
 9056 root       2    0 1452K 2288K sleep/0  select   0:00  0.00% sendmail
16001 root       2    0  548K  924K idle     select   0:02  0.00% cron
  680 _syslogd   2    0  340K  840K sleep/0  poll     0:00  0.00% syslogd
20672 root      10    0   95M   81M sleep/0  nanosl   0:00  0.00% perl
 9326 support   18    0  536K  576K sleep/0  pause    0:00  0.00% ksh
 7664 named      2    0 3228K 4052K sleep/0  select   0:00  0.00% named
11355 root       2    0  564K 1796K idle     select   0:00  0.00% sshd
27492 root       2    0  988K 1304K sleep/0  select   0:00  0.00% nmbd
    1 root      10    0  448K  392K idle     wait     0:00  0.00% init
 2862 root       2    0  308K  732K idle     netio    0:00  0.00% syslogd
20860 root       2    0  312K  844K idle     select   0:00  0.00% inetd




OpenBSD 3.8-stable (GENERIC.MP) #1: Tue Jan 17 04:13:56 EST 2006
real mem = 4226850816 (4127784K)
avail mem = 3632709632 (3547568K)
using 22937 buffers containing 422891520 bytes (412980K) of memory
mainbus0 (root)
mainbus0: Intel MP Specification (Version 1.4) (AMD     HAMMER  )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 885, 2606.31 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200454612Hz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Opteron(tm) Processor 885, 2605.91 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2 at mainbus0: apid 2 (application processor)
cpu2: AMD Opteron(tm) Processor 885, 2605.91 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu2: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3 at mainbus0: apid 3 (application processor)
cpu3: AMD Opteron(tm) Processor 885, 2605.91 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu3: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu3: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu4 at mainbus0: apid 4 (application processor)
cpu4: AMD Opteron(tm) Processor 885, 2605.91 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu4: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu4: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu4: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu5 at mainbus0: apid 5 (application processor)
cpu5: AMD Opteron(tm) Processor 885, 2605.91 MHz
cpu5:

Re: rc.conf.local update_motd=NO

2006-04-19 Thread Matthias Kilian
On Wed, Apr 19, 2006 at 03:50:45PM -0300, Eduardo Alvarenga wrote:
 Some companies ask sysadmins to put a specific message of the day for
 many purposes, this patch might become handy in such situations.

Did you read motd(5)?



Re: i just have to share this with you guys...

2006-04-19 Thread Joachim Schipper
On Wed, Apr 19, 2006 at 11:00:59AM -0700, Joe Advisor wrote:
 load averages:  0.78,  0.76,  0.75
  14:00:32
 61 processes:  51 idle, 9 zombie, 1 on processor
 CPU0 states:  0.6% user,  0.0% nice,  3.0% system, 

 CPU7 states:  0.0% user,  0.0% nice,  0.0% system, 
 0.0% interrupt,  100% idle
 Memory: Real: 130M/640M act/tot  Free: 3290M  Swap:
 0K/512M used/tot

 OpenBSD 3.8-stable (GENERIC.MP) #1: Tue Jan 17
 04:13:56 EST 2006

 cpu0: ITLB 32 4KB entries fully associative, 8 4MB
 entries fully associative
 cpu0: DTLB 32 4KB entries fully associative, 8 4MB
 entries fully associative
 cpu0: apic clock running at 200454612Hz

 hifn0 at pci1 dev 4 function 0 Hifn 7955/7954 rev
 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram,
 apic 8 int 16 (irq 11)

Don't you think that hifn(4) is slightly... redundant?

Otherwise, neat toy. Where do I get one, and do you know any banks that
don't lock their vaults at night around here? ;-)

Seriously, though - what are you going to throw that much power at?

Joachim



Re: rc.conf.local update_motd=NO

2006-04-19 Thread Eduardo Alvarenga
 Just leave the first two lines of motd intact, add your local motd after
 the two first lines, and your message will not be touched.

The patch prevents rc from adding these two lines into the motd file.
What I want is to not show information about the system and *JUST* my
personal motd, for security purposes and to follow the company's
policy.

All I am asking is whether it is possible to commit this upstream; it might
become very handy and IMHO has minimal impact -- and of course should
be disabled or even hidden from users by default.

And yes, I have read motd(5).


Regards,

--
Eduardo Alvarenga



Re: Via EPIA boards

2006-04-19 Thread Damian Gerow
Thus spake Timo Schoeler ([EMAIL PROTECTED]) [18/04/06 08:33]:
: hm. somehow missing ECC et al. keeps me from deploying such systems on
: a regular basis... even when they're 'only' x86.

The systems, as much as I love 'em, are missing a few crucial 'features':

1) Proper RAID support
2) 3+ NIC support
3) 802.11 support
4) ECC memory

Though you can have, with a PCI slot, RAID, *or* 3+ NIC, *or* 802.11, you
can't get 'em all.  It would also be nice if their DP line eventually hit
the market...



Problem with Intel 2200BG and PC-engines WRAP

2006-04-19 Thread Risto Varanka
Hello,

I am trying to use the Intel 2200BG mini-PCI WLAN card with the PC Engines 
WRAP.1E-2 board (http://www.pcengines.ch/wrap.htm). My problem is that the card 
seems not to be recognized by the kernel/iwi driver - no iwi device appears 
when booting/in dmesg. I wonder if anybody has experience in using this 
particular hardware combination?

This is with OpenBSD 3.8 (stable) and Flashdist 20050612. My kernel config is a 
NET4801 (originally for Soekris boards but works fine on this one) with slight 
modification to include the line for the iwi device. I am installing the 2.3 
version of the 2200BG firmware files on the WRAP box:

-rw-r--r--  1 root  wsrc6472 Apr 14 00:52 etc/firmware/iwi-boot
-rwxr-xr-x  1 root  wsrc  191142 Apr 14 00:52 etc/firmware/iwi-bss
-rwxr-xr-x  1 root  wsrc  185660 Apr 14 00:52 etc/firmware/iwi-ibss
-rwxr-xr-x  1 root  wsrc   12007 Apr 14 00:52 etc/firmware/iwi-license
-rwxr-xr-x  1 root  wsrc  187836 Apr 14 00:52 etc/firmware/iwi-monitor
-rw-r--r--  1 root  wsrc   16334 Apr 14 00:52 etc/firmware/iwi-ucode-bss
-rw-r--r--  1 root  wsrc   16312 Apr 14 00:52 etc/firmware/iwi-ucode-ibss
-rw-r--r--  1 root  wsrc   16344 Apr 14 00:52 etc/firmware/iwi-ucode-monitor

Full kernel config below and console output while booting:

# OpenBSD config for networking on the Soekris Engineering
# net4801 embedded systems-
# [EMAIL PROTECTED]

machine         i386            # architecture, used by config; REQUIRED

#option         NTP             # hooks supporting the Network Time Protocol

option          DDB             # in-kernel debugger
#option         DDB_SAFE_CONSOLE # allow break into ddb during boot
#makeoptions    DEBUG=-g        # compile full symbol table
#makeoptions    PROF=-pg        # build profiled kernel
#option         GPROF           # kernel profiling, kgmon(8)
option          DIAGNOSTIC      # internal consistency checks
option          KTRACE          # system call tracing, a la ktrace(1)
#option         KMEMSTATS       # collect malloc(9) statistics

option          CRYPTO          # Cryptographic framework

option          FFS             # UFS
option          MFS             # Memory FS
#option         FFS_SOFTUPDATES # Soft updates

option          TCP_SACK        # Selective Acknowledgements for TCP
#option         TCP_FACK        # Forward Acknowledgements for TCP
option          TCP_SIGNATURE   # TCP MD5 Signatures, for BGP routing sessions

option          FDESC           # /dev/fd
option          FIFO            # FIFOs; RECOMMENDED
option          KERNFS          # /kern
#option         NULLFS          # loopback file system
option          PROCFS          # /proc
#option         UMAPFS          # NULLFS + uid and gid remapping

option          INET            # IP + ICMP + TCP + UDP
option          ALTQ            # ALTQ base
#option         ALTQ_NOPCC      # We don't have Pentium features on 486
# NOPCC may be necessary if the Geode's TSC is really as buggy as it sounds
#option         INET6           # IPv6 (needs INET)
#option         PULLDOWN_TEST   # use m_pulldown for IPv6 packet parsing
option          IPSEC           # IPsec
#option         PPP_BSDCOMP     # PPP BSD compression
#option         PPP_DEFLATE

option          BOOT_CONFIG     # add support for boot -c

#option         I486_CPU
option          I586_CPU
#option         I686_CPU

option          USER_PCICONF    # user-space PCI configuration

#option         KGDB            # Remote debugger support; exclusive of DDB
#option         KGDB_DEVNAME=\pccom\,KGDBADDR=0x2f8,KGDBRATE=9600

#option         DUMMY_NOPS      # speed hack; recommended

# Work around -current breakage
option          PTRACE

maxusers        32              # estimated number of users

config          bsd root on wd0a

mainbus0 at root

cpu0    at mainbus0
bios0   at mainbus0
apm0    at bios0 flags 0x       # flags 0x0101 to force protocol version 1.1
pcibios0 at bios0 flags 0x      # use 0x30 for a total verbose

isa0    at mainbus0
isa0    at pcib?
pci*    at mainbus0

ohci*   at pci?                 # Open Host Controller
usb*    at ohci?

#
# The MediaGX (Geode) uses a PIT clock at standard frequency so there is
# no special setting here like there is for the Elan SC520
#

option          PCCOMCONSOLE
option          CONSPEED=19200

option          PCIVERBOSE

uhub*   at usb?                 # USB Hubs
uhub*   at uhub?                # USB Hubs
umodem* at uhub?                # USB Modems/Serial
ucom*   at umodem?
#ubsa*  at uhub?                # Belkin serial adapter
#ucom*  at ubsa?
#uftdi* at uhub?                # FTDI FT8U100AX serial adapter
#ucom*  at uftdi?
#uplcom* at uhub?               # I/O DATA USB-RSAQ2 serial adapter
#ucom*  at uplcom?
#umct*  at uhub?                # MCT USB-RS232 serial adapter
#ucom*  at umct?
#uaudio* at uhub?               # USB Audio
#umidi* at uhub?
#ulpt*  at uhub?                # USB Printers
#umass* at uhub?                # USB Mass Storage devices

Soekris running squil? Openbsd laptop

2006-04-19 Thread Pieter Baele
Hi,

I want to add a little box to my small network to learn about IDS
systems. Should a soekris 4501 be enough for such a task?
The logging can be done on a separate system.

Soekris/wrap boards are best known for their firewall/router or ap
possibilities, but what other things can they be useful for? What do you
use?

Last question: I am searching a cheap laptop capable of running Openbsd.
Weight, speed doesn't interest me, I only need a light wm (fluxbox or
icewm), some good editors and wifi. Any recommendations? I like the
Via-CPU systems, but they're difficult to buy here in Belgium/Europe
and I don't know if they run *BSD?

--
PieterB
-
GNU/Linux User #310384 (Gentoo)
Jabber: [EMAIL PROTECTED]
PGP (keyserver.net) 0x68881F36
-




Re: Sguil soekris, openbsd laptop

2006-04-19 Thread Jason Dixon

On Apr 19, 2006, at 4:15 PM, Pieter Baele wrote:


Hi,

I want to add a little box to my small network to learn about IDS
systems. Should a soekris 4501 be enough for such a task?
The logging can be done on a separate system.


No, Soekris systems are not your best choice for this.  IDS systems  
use large amounts of CPU, which would quickly bog down the  
underpowered processor on these boxes.



Soekris/wrap boards are best known for their firewall/router or ap
possibilities, but what other things can they be useful for? What  
do you

use?


Personally, I use them for low-volume Firewall and VPN appliances.   
I'm not crazy about the sis chips on these, so I prefer stuff like  
the A-Series 19 servers from Iron Systems for high[er]-volume activity.


P.S.  This is really not a tech@ question, it should be on [EMAIL PROTECTED]   
Redirecting as such.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



install sets as packages

2006-04-19 Thread Will H. Backman
As no answer came up after a little searching on google and the openbsd
FAQ...
Would there be a benefit to use the pkg_ tools to install and manage the
install sets?  The pkg_ tools seem to be a fairly elegant system.
So if money and time and developers grew on trees, would it be a
reasonable goal?  Just a simple design question.

Yes, the installer works, so why fix what isn't broke.
Yes, I'm a regular user asking other people to do work. (actually, I'm
not asking for anything except knowledge).
Yes, the package management system may not fit on the install floppy.
I sure hope I didn't miss the FAQ entry that already answers this
question.

-- Will



Re: Set up root partition as read only.

2006-04-19 Thread Daniel A. Ramaley
On Friday 14 April 2006 22:17, you wrote:
To increase the security level of my OpenBSD system I have defined at
/etc/fstab that the root partition should be read only.

That won't increase your security level much, but if you really want to 
make / read-only, there is more involved. (I recently did this on a 
machine with a flash drive instead of a standard hard drive in order to 
save wear on the flash.) To start with, read and understand /etc/rc and 
mfs(8). Convert /dev and /var to be on memory file systems (pay 
attention to -P in mfs(8)). Then edit /etc/rc and comment out the lines 
that mount /, /usr, and /var, and the lines that 
rewrite /etc/resolv.conf.

If you need more information than this, Google is your friend. I also 
have a more detailed HOWTO-style document that i wrote that i would be 
willing to share off-list, though you might learn more if you do your 
own research instead.


Dan RamaleyDial Center 118, Drake University
Network Programmer/Analyst 2407 Carpenter Ave
+1 515 271-4540Des Moines IA 50311 USA



Re: install sets as packages

2006-04-19 Thread Daniel Ouellet

Will H. Backman wrote:

Would there be a benefit to use the pkg_ tools to install and manage the
install sets?


I fail to see the point of it really. The install set is done at install 
time, or added later if you missed it at install.


Plus, the package tools are there to take care of dependencies, etc., to remove 
all applications and add new ones, or upgraded ones.


The install sets are for the system, and if there is an upgrade to them, it's a 
patch.


You wouldn't want someone to do:

sudo pkg_delete etc39.tgz

or

sudo pkg_delete base39.tgz

for example would you?

If so, I wonder how you would still use the server?



Re: install sets as packages

2006-04-19 Thread Theo de Raadt
Would there be a benefit to use the pkg_ tools to install and manage the
install sets?

Good luck fitting the pkg_tools and perl onto the install floppies.



Re: HP DX2000?

2006-04-19 Thread Chris Cappuccio
the chances of a plain jane, old celeron box not being supported are pretty
slim

Kevin [EMAIL PROTECTED] wrote:
 Anybody running OpenBSD on a HP DX2000 who can share results?
 
 A cheap microtower Celeron w/PATA, happens to be what the client has to spare,
 I'm hoping there are no hidden gotchas.  I don't need X.
 
 Tried NYCBUG's dmesgd, no results.
 
 
 Thanks,
 
 Kevin

-- 
The map is not the territory; the word is not the thing defined.



Re: i just have to share this with you guys...

2006-04-19 Thread Nick Nauwelaerts
On Wed, 19 Apr 2006 11:00:59 -0700 (PDT)
Joe Advisor [EMAIL PROTECTED] wrote:


 CPU0 states:  0.6% user,  0.0% nice,  3.0% system, 
 0.0% interrupt, 96.4% idle
 CPU1 states:  0.2% user,  0.0% nice,  1.2% system, 
 0.0% interrupt, 98.6% idle
 CPU2 states:  0.2% user,  0.0% nice,  1.0% system, 
 0.0% interrupt, 98.8% idle
 CPU3 states:  0.0% user,  0.0% nice,  2.4% system, 
 0.0% interrupt, 97.6% idle
 CPU4 states:  0.0% user,  0.0% nice,  0.0% system, 
 0.0% interrupt,  100% idle
 CPU5 states:  0.0% user,  0.0% nice,  0.6% system, 
 0.0% interrupt, 99.4% idle
 CPU6 states:  0.4% user,  0.0% nice,  0.2% system, 
 0.0% interrupt, 99.4% idle
 CPU7 states:  0.0% user,  0.0% nice,  0.0% system, 
 0.0% interrupt,  100% idle
 Memory: Real: 130M/640M act/tot  Free: 3290M  Swap:
 0K/512M used/tot

Nice, my 4 socket dual core opteron (hp bl45p) panics whenever I try to
scp something to it. And because it doesn't have much in video hardware
save java-web based stuff I can't even get a decent trace out of it.

// nick



Re: pppoe

2006-04-19 Thread Brendan Grossman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Arnaud Bergeron
 Sent: Wednesday, 19 April 2006 9:57 AM
 To: misc@openbsd.org
 Cc: Brendan Grossman
 Subject: Re: pppoe
 
 On Tue, Apr 18, 2006 at 11:52:47AM +0930, Brendan Grossman wrote:
  Hi everyone
 
  To bring up a pppoe connection, I use ppp -ddial provider
 
  But how do I take it down?
 
  Also how do I remove old tunx devices?
 
  # ifconfig
  tun0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1492
  inet 219.90.xxx.xxx -- 203.2.124.224 netmask 0x
  Opened by PID 71830
  tun1: flags=8010POINTOPOINT,MULTICAST mtu 1500
  tun2: flags=8010POINTOPOINT,MULTICAST mtu 1500
  inet 219.90.xxx.xxx -- 219.90.174.215 netmask 0x
 
  What the? How do I get rid of the others? tun0 seems to be 
 only in use 
  there.
 
 It seems strange to me that you have this problem because I 
 once had a setup similar to yours (under 3.4-3.5-3.6) and 
 never had this problem.
  Maybe you did not do something right, maybe it's a bug but 
 without showing more info one can only guess.
 
 The info required here would be the version you are running, 
 your ppp.conf file (sanitized to remove passwords, of course) 
 and your linkup and linkdown script if they contain anything.
 
 On another topic, if you are running 3.7 or higher, you could 
 give the in-kernel pppoe a try, unless, of course, you have 
 already tried and some wierd thing your provider is doing 
 prevents it from working.

Hi Arnaud,

Running 3.8-stable

# linkup
MYADDR:
 ! sh -c /sbin/pfctl -e -F all -f /etc/pf.conf

No linkdown

# ppp.conf
default:
 set log Phase Chat IPCP CCP tun command
 set redial 15 0
 set reconnect 15 1
isp:
 set device !/usr/sbin/pppoe -i bce0
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname [EMAIL PROTECTED]
 set authkey 
 add! default HISADDR
 #enable dns
 enable mssfixup

Cheers
Brendan



Problem authenticating OpenBSD to a Windows 2003 Server

2006-04-19 Thread Didier Caamaño
Greetings:

I have a small Windows network and I'm trying to implement an OpenBSD box to
be my file server and print server. What I'm trying to accomplish is:
configure Samba to publish the share directories so the users can store their
files there but at the same time authenticate the users against the Domain
Controller, pulling the account information from AD and not having to manually
add that info with smbpasswd.

Kerberos, as far as I know, is working fine, at least it tries to connect to
the realm, but then it gives a Password Incorrect Message. I know many of you
will respond that I am typing the password incorrectly, first I thought that
too, but then I went and tried the account in a windows client and it worked.

If it is of any help, I downloaded and installed Samba with LDAP support and
created the computer account in the Windows AD.

This is my krb5.conf file

[libdefaults]
# Set the realm of this host here
default_realm = DOMAIN.COM
ticket_lifetime = 6
clockskew = 300

[realms]
DOMAIN.COM = {
kdc = 10.0.0.1
kdc = 10.0.0.1:88
admin_server = 10.0.0.1:749
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM


and this is the command I'm issuing in order to get tickets from the KDC (the
domain controller)

Code:

# kinit [EMAIL PROTECTED]
[EMAIL PROTECTED]'s Password:
kinit: Password incorrect


Any help or hint of how I might connect to kerberos will be appreciated,
probably there's something I'm doing wrong or I'm missing. Thank you all in
advance.



Didier Caamaño

Director, IT Department

Sociedad Comercial Electrocenter Ltda.

E-mail: [EMAIL PROTECTED]

Telephone: 02 - 584 - 7039


Re: Problem authenticating OpenBSD to a Windows 2003 Server

2006-04-19 Thread Maxim Bourmistrov
As Kerberos - The Definitive Guide by O'Reilly states:
...  as long as the users have DES keys enabled in AD, they will be able to 
kinit to the Windows DC without a problem ...

On Wednesday 19 April 2006 23:41, Didier Caamaño wrote:
 Greetings:
 
 I have a small Windows network and I'm trying to implement an OpenBSD box to
 be my file server and print server. What I'm trying to accomplish is:
 configure Samba to publish the share directories so the users can store their
 files there but at the same time authenticate the users against the Domain
 Controller, pulling the account information from AD and not having to manually
 add that info with smbpasswd.
 
 Kerberos, as far as I know, is working fine, at least it tries to connect to
 the realm, but then it gives a Password Incorrect Message. I know many of you
 will respond that I am typing the password incorrectly, first I thought that
 too, but then I went and tried the account in a windows client and it worked.
 
 If it is of any help, I downloaded and installed Samba with LDAP support and
 created the computer account in the Windows AD.
 
 This is my krb5.conf file
 
 [libdefaults]
 # Set the realm of this host here
 default_realm = DOMAIN.COM
 ticket_lifetime = 6
 clockskew = 300
 
 [realms]
 DOMAIN.COM = {
 kdc = 10.0.0.1
 kdc = 10.0.0.1:88
 admin_server = 10.0.0.1:749
 }
 
 [domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
 
 
 and this is the command I'm issuing in order to get tickets from the KDC (the
 domain controller)
 
 Code:
 
 # kinit [EMAIL PROTECTED]
 [EMAIL PROTECTED]'s Password:
 kinit: Password incorrect
 
 
 Any help or hint of how I might connect to kerberos will be appreciated,
 probably there's something I'm doing wrong or I'm missing. Thank you all in
 advance.
 
 
 
 Didier Caamaño
 
 Director, IT Department
 
 Sociedad Comercial Electrocenter Ltda.
 
 E-mail: [EMAIL PROTECTED]
 
 Telephone: 02 - 584 - 7039



Re: i just have to share this with you guys...

2006-04-19 Thread Steve Shockley

Nick Nauwelaerts wrote:

Nice, my 4 socket dual core opteron (hp bl45p) panics whenever I try to
scp something to it. And because it doesn't have much in video hardware
save java-web based stuff I can't even get a decent trace out of it.


Sure you can, just ssh into the ilo and connect to the serial console.

http://h2.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual&locale=en_US&docIndexId=179166&taskId=101&prodTypeId=15351&prodSeriesId=397989

or

http://tinyurl.com/4jzzd

Look for Integrated Lights-Out Virtual Serial Port configuration and 
operation HOWTO, it's a PDF, sorry.




GoDaddy.com Donates $10K to Open Source Development Project

2006-04-19 Thread Melameth, Daniel D.
Congratulations to the team...


'Bob Parsons, GoDaddy.com Founder and CEO commented, ''OpenSSH and the
work of the OpenBSD project volunteers are integral to online security.
Go Daddy is pleased to be able to help them continue their great
contributions to the Internet community. At Go Daddy, we use OpenSSH
extensively to manage our large and rapidly expanding technical
infrastructure. Our engineering staff relies on it on a constant basis.
Go Daddy is very grateful and we want to show our appreciation to this
extremely vital organization.'''

http://www.thehostingnews.com/article2217.html



Re: Via EPIA board/box

2006-04-19 Thread Daniel A. Ramaley
On Saturday 15 April 2006 20:03, Steve B wrote:
 I've seen a number of posts on various OBSD
 related sites about these Via EPIA boards and their various benefits
 - low power, hardware crypto, etc. They look like a nice replacement
 for my old board so I've been looking around at logicsupply.com,
 idotpc.com and mini-itx.com. There are probably other sites so if
 you've got them please share g.

I've recently ordered a couple machines from www.solarpc.com. If you 
want the machine to be almost silent, then i suggest either getting one 
of the machines with a fanless CPU, or getting one with a fan in a 2U 
case and then replacing the 40mm fan with a 40 to 60mm adapter and an 
undervolted 60mm fan; the 40mm fan that comes with the CPU is rated to 
be very quiet but if you are moderately intolerant of noise then the 
default fan really won't seem quiet. Other than having to replace the 
fan as described, i have been very happy with the machines. They run 
OpenBSD very well. I even installed the x.org packages on one just for 
the heck of it (it was my first time trying to run X on OpenBSD) and X 
supported the built-in graphics without any manual configuration.


Dan Ramaley                 Dial Center 118, Drake University
Network Programmer/Analyst  2407 Carpenter Ave
+1 515 271-4540             Des Moines IA 50311 USA



Re: GoDaddy.com Donates $10K to Open Source Development Project

2006-04-19 Thread Greg Thomas
On 4/19/06, Melameth, Daniel D. [EMAIL PROTECTED] wrote:
 Congratulations to the team...


 'Bob Parsons, GoDaddy.com Founder and CEO commented, ''OpenSSH and the
 work of the OpenBSD project volunteers are integral to online security.
 Go Daddy is pleased to be able to help them continue their great
 contributions to the Internet community. At Go Daddy, we use OpenSSH
 extensively to manage our large and rapidly expanding technical
 infrastructure. Our engineering staff relies on it on a constant basis.
 Go Daddy is very grateful and we want to show our appreciation to this
 extremely vital organization.'''


That's awesome news.  And all the more pathetic that the
$353,000,000,000 company I work for can't be bothered to donate a
dime.

Greg



Re: GoDaddy.com Donates $10K to Open Source Development Project

2006-04-19 Thread Nick Guenther
On 4/19/06, Melameth, Daniel D. [EMAIL PROTECTED] wrote:
 Congratulations to the team...

 http://www.thehostingnews.com/article2217.html

Hmm? Hopefully it seems that Mozilla's donation has kicked off a
scrambling of companies to buy bragging rights about donating to
OpenBSD. Yay?

-Nick



Re: GoDaddy.com Donates $10K to Open Source Development Project

2006-04-19 Thread Theo de Raadt
  Congratulations to the team...
 
  http://www.thehostingnews.com/article2217.html
 
 Hmm? Hopefully it seems that Mozilla's donation has kicked off a
 scrambling of companies to buy bragging rights about donating to
 OpenBSD. Yay?

A few things with a few vendors and larger company-users are moving
ahead.

All the Linux companies have said no.

As some of you have heard before, Sun has said no because they
consider OpenSSH to be a competitor to OpenSSH.  Just can't make
some of this stuff up

Some people have been helping me talk to quite a few vendors, and
while a few things are moving ahead some of the results are
quite disgusting.



Re: GoDaddy.com Donates $10K to Open Source Development Project

2006-04-19 Thread Melameth, Daniel D.
Nick Guenther wrote:
 On 4/19/06, Melameth, Daniel D. [EMAIL PROTECTED] wrote:
  Congratulations to the team...
  
  http://www.thehostingnews.com/article2217.html
 
 Hmm? Hopefully it seems that Mozilla's donation has kicked off a
 scrambling of companies to buy bragging rights about donating to
 OpenBSD. Yay?

Hopefully you're right.  IMHO, the PR alone--and related patronization
from open source savvy consumers that believe in supporting open source
friendly companies--would make the 10 grand a bargain and provide for an
ROI most businesses only dream of.



Re: GoDaddy.com Donates $10K to Open Source Development Project

2006-04-19 Thread Nick Guenther
On 4/19/06, Theo de Raadt [EMAIL PROTECTED] wrote:
 A few things with a few vendors and larger company-users are moving
 ahead.

 All the Linux companies have said no.

 As some of you have heard before, Sun has said no because they
 consider OpenSSH to be a competitor to OpenSSH.  Just can't make
 some of this stuff up

Do you mean SunSSH or is that actually the truth?

 Some people have been helping me talk to quite a few vendors, and
 while a few things are moving ahead some of the results are
 quite disgusting.

Sounds depressing. I'm really not sure what to say. I could cheer you
on, but I'm sure it wouldn't come out right so I'm just going to not.

-Nick



Re: GoDaddy.com Donates $10K to Open Source Development Project

2006-04-19 Thread Theo de Raadt
  As some of you have heard before, Sun has said no because they
  consider OpenSSH to be a competitor to OpenSSH.  Just can't make
  some of this stuff up
 
 Do you mean SunSSH or is that actually the truth?

Oops:

As some of you have heard before, Sun has said no because they
consider OpenSSH to be a competitor to SunSSH (which is based on
older OpenSSH code, but with pre-auth privsep disabled, meaning
perhaps 30,000 lines of code run as root, at connection time).

  Some people have been helping me talk to quite a few vendors, and
  while a few things are moving ahead some of the results are
  quite disgusting.
 
 Sounds depressing. I'm really not sure what to say. I could cheer you
 on, but I'm sure it wouldn't come out right so I'm just going to not.

Don't cheer us on.  Help us -- by contacting vendors directly.



Re: Via EPIA board/box

2006-04-19 Thread Daniel Ouellet

On Saturday 15 April 2006 20:03, Steve B wrote:
I've seen a number of posts on various OBSD
related sites about these Via EPIA boards and their various benefits
- low power, hardware crypto, etc. They look like a nice replacement
for my old board so I've been looking around at logicsupply.com,
idotpc.com and mini-itx.com. There are probably other sites so if
you've got them please share g.


I don't know if they are good or not, but just came across this today. 
Actually just a few minutes ago. I don't know more than this.


http://www.liantec.com/

But the EMB-3640 and the EMB-5840 sure do look small and low in AC power
needed, but it sure looks like you can get a lot of CPU power in some models.


I know I will read more on this one.

Just doing what you asked, passing it around, but that's all I can say 
about it.




Re: rc.conf.local update_motd=NO

2006-04-19 Thread Lars Hansson
On Thursday 20 April 2006 03:42, Eduardo Alvarenga wrote:
  Just leave the first two lines of motd intact, add your local motd after
  the two first lines, and your message will not be touched.

 The patch prevents rc from adding these two lines into the motd file.
 What I want is to not show information about the system and *JUST* my
 personal motd, for security purposes and to follow the company's
 policy.

What security purposes? You have local users who you don't trust to know the
operating system? Users who can't run uname?


Lars Hansson