Re: Preventing password reuse
On Tue, 4 Jul 2006, Chet Uber wrote: Not to bicker, but the resources needed to use a database of all possible passwords even with alphanumerics and salted is very finite -- albeit large. OpenBSD blowfish hashes have 16 bytes of salt, so a database of these will not be feasible for a while. -d
Re: Preventing password reuse
On Tue, Jul 04, 2006 at 12:04:11AM -0400, Chet Uber wrote: Not to bicker, but the resources needed to use a database of all possible passwords even with alphanumerics and salted is very finite -- albeit large. OpenBSD's blowfish passwords have 128-bits of salt. A table of all 8 character (lower-case only) alphanumeric passwords would require 2^128 * (26+10)^8 ~= 9.6*10^50 entries. Being ``very finite'' is irrelevant at this order of magnitude. Just don't want people to think that they are safe as is not an NP-complete problem. It is an NP-hard problem however. You are aware NP-complete problems are, by definition, reducible to NP-hard problems, right? In other words, NP-hard problems are ``harder'' than NP-complete ones.
Re: Preventing password reuse
Not to bicker, but the resources needed to use a database of all possible passwords even with alphanumerics and salted is very finite -- albeit large. OpenBSD blowfish hashes have 16 bytes of salt, so a database of these will not be feasible for a while. I agree that for all but those with the most powerful computing environments this is not something they are going to accomplish. My point really was to clarify that infinite and finite should be used appropriately, and that intractable and uncomputable also are not the same. Sometimes these conversations get long and the words NP-complete, suffering the halting problem and an infinite search space should be used carefully. It makes our communications between ourselves that much more effective and accurate. You are right on that the feasibility of all but the most well funded adversaries can accomplish this, but it is not NP-complete, uncomputable, or subject to the halting problem. It is just very very difficult. I like the word feasible, the only improvement I would say is to state feasible for who. For any major corporation it is feasible, for drug cartels it is feasible, for foreign governments, the NSA, and few others it is feasible, but expensive. For any normal person, small company, hacker, cracker, activist, hoodlum, or deranged person it is not feasible or likely. I know that we are not going to attempt this in the next 3-5 years. We study hash collisions, but your problem above is above our financial capacity or need. We mainly deal with the issues related to login() and the use of MD5. If your adversary is the NSA I would not rest assured that it can't already happen. CU Chet Uber President and Principal Scientist SecurityPosture, Inc.
3718 N 113th Plaza, Omaha, NE 68164 vox +1 (402) 505-9684 | fax +1 (402) 932-2130 | cell (402) 813-3211 [EMAIL PROTECTED] | www.securityposture.com 'It is vain to do with more what can be done with fewer' -- This communication is confidential to the parties it was intended to serve --
Re: Preventing password reuse
Not to bicker, but the resources needed to use a database of all possible passwords even with alphanumerics and salted is very finite -- albeit large. OpenBSD's blowfish passwords have 128-bits of salt. A table of all 8 character (lower-case only) alphanumeric passwords would require 2^128 * (26+10)^8 ~= 9.6*10^50 entries. Being ``very finite'' is irrelevant at this order of magnitude. The term used earlier was nearly infinite, I used very finite because it is bounded -- which infinities are not. There are as you know multiple infinite sets that have no common members. Just don't want people to think that they are safe as is not an NP-complete problem. It is an NP-hard problem however. You are aware NP-complete problems are, by definition, reducible to NP-hard problems, right? In other words, NP-hard problems are ``harder'' than NP-complete ones. I should have properly stated that it is not an NP-complete problem but an NP one. NP-complete problems are the most difficult complexity problems. CU
Re: Preventing password reuse
On Tue, Jul 04, 2006 at 02:29:56AM -0400, Chet Uber wrote: NP-complete problems are the most difficult complexity problems. No, NP-complete problems are the most difficult problems _in NP_.
Re: kernel settings for pf default block
Hello Joachim, Sorry, I could not find Alexey's answer on the internet. Can you please give the URL for this. Also please confirm that there is no kernel parameter to make pf block everything by default. Thanks in advance murthy Joachim Schipper wrote: On Mon, Jul 03, 2006 at 05:30:44PM -0700, c.s.r.c.murthy wrote: Hi, This seems to be a widely discussed problem in openbsd pf. There is no kernel parameter that makes pf block all packets by default. I have searched on the internet and found some discussion that took place in 2005 regarding this. The discussion concludes there is no such parameter in the kernel. Are there any changes in the latest openbsd to have a kernel configurable parameter to make pf block packets by default? Alexey already answered this, why do you repost it? Joachim
Re: MD5
Chet Uber wrote: Theo, Also the last I checked obsd still supports MD5 CU Can you please explain why it should not ? Can you please find a collision for 3d16b4f76338838044b90ffae5e71cb5 ?
Re: kernel settings for pf default block
On Tue, Jul 04, 2006 at 12:12:22PM -0700, c.s.r.c.murthy wrote: Also please confirm that there is no kernel parameter to make pf block everything by default. Yes, there is no kernel parameter to make pf block everything by default. You make pf block everything by default by putting ``block all'' at the appropriate place in your pf.conf file. This is spelt out for you in the pf.conf(5) man page: To block everything by default and only pass packets that match explicit rules, one uses block all as the first filter rule.
Why is SSH weird?
Just looking through the manpages and I noticed that SSH-related things don't seem to fit in with the system. For example, there is ssh_config(5) instead of ssh.conf and sftp-server instead of sftpd. Why is this? Is this a historical curiosity from the original SSH, or does it have something to do with portability, or what? Thank you, -Nick
questions on fork()
ey misc, from the fork(2) man pages: fork() causes creation of a new process. The new process (child process) is an exact copy of the calling process (parent process) except for the following: snip i have several questions/clarifications regarding this. 1) when it says exact copy, does this mean just a copy of the process? is it right to state that the memory allocated by the parent process is not accessible to the child process? 2) The child process has its own copy of the parent's descriptors. i take this to mean all file and socket descriptors which both parent and child can write and read to. am i correct? thank you for your patience. -- salud, eyan
Re: Wireless Bridge...
bridging doesn't work with wireless lan. Thomas On Mon, 3 Jul 2006, Novak, Trevor SCIC wrote: I'm trying to setup a wireless bridge with openbsd on a Toshiba laptop. I'm using an SMC2532W-B (Prism 2.5) wireless card and a 3Com 3C574-TX. I've created a bridgename.bridge0 file and added wi0 and ep1 to the file. The bridge is up and running. I can ping both on the wireless side and the ethernet side from the Obsd box, but I can't get any traffic to pass through it. I don't have PF running, in fact, I've stopped most of the services (hopefully not one I need). Anyway, any help would be appreciated.
Re: Preventing password reuse
On Tue, 2006-07-04 at 07:15 +0200, Paul de Weerd wrote:
| So, you are suggesting using something other than the hash stored in
| OpenBSD's master.passwd then? Why exactly would we need another hash ?
Because the hashes in master.passwd are salted, as you come to realise yourself further down in your post.
| If not try this:
| Add a user, nothing special.
| Record the hash from master.passwd
| Log in as the test user.
| Change your password.
| Change it back.
| Compare the hashes.
| Different eh? How come these are different ? What happened ? It's still the same password, right ? How can one string hash to two different outputs ?
Because the hashes in master.passwd are salted, as you come to realise yourself further down in your post.
| So you need to change to a less secure password hash method. Why ?
Because the hashes in master.passwd are salted, as you come to realise yourself further down in your post.
Your password is not hashed as-is. A salt is added (for extra flavour) before hashing.
Quite. Cheers Steffen.
Re: Preventing password reuse
On 2006/07/04 16:53, Steffen Kluge wrote: Because the hashes in master.passwd are salted, as you come to realise yourself further down in your post. Storing the old crypted passwords from master.passwd gives you the following information when someone changes their password:
- Typed new password (cleartext)
- Old passwords (salted+enciphered)
- Salts used to encipher old passwords
So you run through the old salts, for each one you hash the new password with the old salt, and see if it matches. passwordcheck (login.conf) currently only feeds the password, not the username, to the checking program; this is no good for this purpose, since it makes it too easy to test other user's passwords, and would be slow on a busy system.
Re: starting Apache in SSL mode
On Mon, Jul 03, 2006 at 11:24:44PM -0400, Michael Erdely wrote: L. V. Lammert wrote: Certificates have nothing to do with Apache, much less OpenBSD. If you want a signed certificate, you must create your own CA, or purchase a publicly-signed cert from Verisign, Equifax, Thawte, et al. That may be true, but mentioning man 8 ssl and referencing GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS would have been helpful. :) -ME -- Thanks for your reply. Well, actually I did exactly what's described in the man 8 ssl page (which by the way is mentioned in http://openbsd.org/faq/faq10.html#HTTPS) but firefox returns an error when accessing my server via https. As I mentioned in a previous e-mail, lynx displays a message saying: SSL error:self signed certificate-Continue? (y) and after pressing enter does display the page. Now, am I the only one who's using a self-signed cert or am I doing something fundamentally wrong in my setup??? Up to now, I used SSL (self-signed certs only!) with Jetty and the installation was very easy. I'm surprised to face this kind of problems with Apache. Thanks George
Re: openwebmail with chrooted apache
On Mon, Jul 03, 2006 at 06:25:52PM -0400, Nick Holland wrote: FTP wrote: On Mon, Jul 03, 2006 at 08:49:03PM +0200, Sigfred Heversen wrote: Stuart Henderson wrote: On 2006/07/03 13:52, Nick Holland wrote: (contrast this to Squirrelmail, which does (amazingly) run in a chroot Same for Hastymail and Roundcube. I guess it's not too much of a stretch with IMP either (though I haven't actually used IMP recently enough to have checked chroot). In tree mail/imp depends on devel/horde that has exploit(s) in the wild. /Sigfred I had a look on IMP and looks fine to me cause you can have POP3 too as well. I actually didn't intend to install an IMAP server. Using IMP to avoid an IMAP server is like cutting off your hands because you don't wish to trim your fingernails. A Bit Drastic, I do think. And similarly crippling, as IMP is less than 100% effective without IMAP, apparently: http://www.horde.org/imp/docs/?f=INSTALL.html IMAP is recommended over POP3 in order to let users maintain mail folders other than INBOX and is required to allow messages to be flagged. IMAP is also much faster than POP3 in displaying a mailbox of messages. In short, do not use POP3 unless IMAP is not available. If you want IMP, IMAP is the least of your tasks. I think once you have IMP configured, you will forget that IMAP was even involved. As a result is IMP a good solution for a small e-mail server? I've never got IMP all the way running...but I very quickly came to the conclusion that small and IMP or any other Horde-based product have nothing to do with each other. That's not to say that IMP isn't a (potentially) cool product, and I'd like to come back to it, but the setup and config is much more involved than I'd find justified for a small e-mail server. OpenWebmail is very charming because of how very little it needs to bring into base OpenBSD to get working.
I set it up for a school of about 200 students on a PII-450, worked well (once I set up MASSIVE amounts of swap space...having 25 students change their PWs at the same time burned through something like 600M of RAM+swap very quickly...swap-to-file to the rescue!). I must say, at this point, being not written in PHP is starting to look Really Nice, too. Nick. bottom line, your suggestion is to stick with openwebmail (if I don't want to install IMAP) and run 'insecure' apache? Would that be a 'good' solution for a small e-mail server? Thanks George
Re: starting Apache in SSL mode
On Tuesday 04 July 2006 16:30, FTP wrote: Well, actually I did exactly what's described in the man 8 ssl page (which by the way is mentioned in http://openbsd.org/faq/faq10.html#HTTPS) but firefox returns an error when accessing my server via https. As I mentioned in a previous e-mail, lynx displays a message saying: SSL error:self signed certificate-Continue? (y) As someone who followed faq10 just today I can for certain say that the procedure works. I don't know why Firefox doesn't like your cert because if you follow faq10 it just works, with firefox, lynx and konqueror. What error does firefox show? Now, am I the only one who's using a self-signed cert or am I doing something fundamentally wrong in my setup??? Nothing is wrong in your setup if Lynx shows the page after prompting you to confirm the self-signed certificate. I'm surprised to face this kind of problems with Apache. How can it be any easier than just cut-n-pasting the commands from the faq? Took me a whole 2 minutes. --- Lars Hansson
Re: questions on fork()
On Tue, 4 Jul 2006 15:27:17 +0800 Edwin Eyan Moragas [EMAIL PROTECTED] wrote: ey misc, from the fork(2) man pages: fork() causes creation of a new process. The new process (child process) is an exact copy of the calling process (parent process) except for the following: snip i have several questions/clarifications regarding this. 1) when it says exact copy, does this mean just a copy of the process? is it right to state that the memory allocated by the parent process is not accessible to the child process? The child process gets an exact copy of the memory allocated by the parent process. A value available at a particular address in parent is available at the same address in child, except that it will be a copy and that modification in one of the processes won't affect the other. 2) The child process has its own copy of the parent's descriptors. i take this to mean all file and socket descriptors which both parent and child can write and read to. am i correct? If the parent process open()-s a file then fork()-s, the child will also get a copy of the file descriptor on which it can perform same operations as parent (read/write depending on open() flags).
Re: Upgrading questions
On Tue, 4 Jul 2006 00:34:53 -0700 (PDT) Rob Baldassano [EMAIL PROTECTED] wrote: I have been running OpenBSD 3.6 since the day it came out, and am now in need of going to 3.9 The question is: What upgrade issues have folks run into? I'm running it on a DELL desktop. BTW, some of the reasons I want to upgrade: 1. Support for PHP in the Apache mods. 2. Increased security 3. webmail 4. I REALLY want to get the Xwindows environment working (never did on 3.6) 5. I'm looking to expand some functionality and want to include things like: PHP, MySQL, Apache, a PHP based store front, Java - if it's available yet, and general client side functionality 6. So that I can deploy my current windows box as a backup server (It sucks low memory and CPU for windows, but I know OpenBSD will run fine on it -- I hope). So... Any hints, pitfalls, suggestions that people have run into before? in general is it safe to do an Upgrade? a former co-worker says NO don't do that, never trust upgrades. I tend to disagree. Thanks, --Rob - Eirik Goransson / Rob Baldassano Member, Barony of Endless Hills; House Odlahorde; Viking All around Good Egg ; VROC #5029 (Tigger) come visit http://www.dracowolf.com why don't you start here: http://www.openbsd.org/faq/upgrade39.html
Re: questions on fork()
On Tue, Jul 04, 2006 at 03:27:17PM +0800, Edwin Eyan Moragas wrote: ey misc, from the fork(2) man pages: fork() causes creation of a new process. The new process (child process) is an exact copy of the calling process (parent process) except for the following: snip i have several questions/clarifications regarding this. 1) when it says exact copy, does this mean just a copy of the process? is it right to state that the memory allocated by the parent process is not accessible to the child process? Yes, the copy is not the original (though normally Unix OSs do a lazy copy-on-write after a fork). If you want shared memory between parent and child, have a look at shmat(2). 2) The child process has its own copy of the parent's descriptors. i take this to mean all file and socket descriptors which both parent and child can write and read to. am i correct? It means all file descriptors of the parent process at the time of the fork will be copied to the child process. As a result, there will be two processes able to write to the same file. You might have a look at pipe(2) to see the benefits of this. Bernd
Re: [solved] starting Apache in SSL mode
On Tue, Jul 04, 2006 at 04:54:51PM +0800, Lars Hansson wrote: On Tuesday 04 July 2006 16:30, FTP wrote: Well, actually I did exactly what's described in the man 8 ssl page (which by the way is mentioned in http://openbsd.org/faq/faq10.html#HTTPS) but firefox returns an error when accessing my server via https. As I mentioned in a previous e-mail, lynx displays a message saying: SSL error:self signed certificate-Continue? (y) As someone who followed faq10 just today I can for certain say that the procedure works. I don't know why Firefox doesn't like your cert because if you follow faq10 it just works, with firefox, lynx and konqueror. What error does firefox show? Now, am I the only one who's using a self-signed cert or am I doing something fundamentally wrong in my setup??? Nothing is wrong in your setup if Lynx shows the page after prompting you to confirm the self-signed certificate. I'm surprised to face this kind of problems with Apache. How can it be any easier than just cut-n-pasting the commands from the faq? Took me a whole 2 minutes. --- Lars Hansson I was blocking port 443 in pf.conf and that was the reason :-( I'm terribly sorry for my stupid mistake and thanks all of you for your support. Thanks George
Re: MD5
On Jul 4, 2006, at 3:00 AM, Gilles Chehade wrote: Chet Uber wrote: Theo, Also the last I checked obsd still supports MD5 CU Can you please explain why it should not ? Can you please find a collision for 3d16b4f76338838044b90ffae5e71cb5 ? 1. No, but you can certainly find the numerous citations on why it is weak hash. 2. No, as you are not a customer, we do not have custody of the machine, and I have no desire to play games or to potentially provide you access to a machine that is not yours. I never said it should not have MD5, although if you follow the logic that removed telnet (as it should have been) then it should be scheduled at sometime in the near future for removal. CU Chet Uber President and Principal Scientist SecurityPosture, Inc.
Re: Upgrading questions
On 7/4/06, mike [EMAIL PROTECTED] wrote: On Tue, 4 Jul 2006 00:34:53 -0700 (PDT) Rob Baldassano wrote: I have been running OpenBSD 3.6 since the day it came out, and am now in need up going to 3.9 why don't you start here: http://www.openbsd.org/faq/upgrade39.html Please be careful with this piece of advice. From the OP's present release (3.6) to the latest release (3.9), it is probably easier to perform a full backup of your system and install a fresh system onto the drive. Upgrades are supported between releases immediately following it (i.e. 3.6 to 3.7; 3.7 to 3.8, 3.8 to 3.9, etc.) and not in larger steps. The instructions explicitly state so. From 3.6, your upgrade path either runs through 3.7, 3.8 towards 3.9 or through a full backup, towards 3.9 and a restore of your user data. As you should make backups anyway (also for upgrades) and practice your restore procedures regularly, I recommend doing a fresh install. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: Patent jeopardizes IETF syslog standard
On Tue, 4 Jul 2006 10:32:34 +0800, Lars Hansson [EMAIL PROTECTED] wrote: On Tuesday 04 July 2006 05:05, Chris Cappuccio wrote: Either way, this makes them look like the biggest fucking idiots ever. Most people who have ever had to use any of their devices knew this already. --- Lars Hansson (; now that was truly funny... and sad. jcr -- Free, Open Source CAD, CAM and EDA Tools http://www.DesignTools.org
socketpair(2) portability (was Re: questions on fork())
On 7/4/06, Bernd Schoeller [EMAIL PROTECTED] wrote: 1) when it says exact copy, does this mean just a copy of the process? is it right to state that the memory allocated by the parent process is not accessible to the child process? Yes, the copy is not the original (though normally Unix OSs do a lazy copy-on-write after a fork). If you want shared memory between parent and child, have a look at shmat(2). i'm actually interested in socketpair(2). and fork(2). please see below. 2) The child process has its own copy of the parent's descriptors. i take this to mean all file and socket descriptors which both parent and child can write and read to. am i correct? It means all file descriptors of the parent process at the time of the fork will be copied to the child process. As a result, there will be two processes able to write to the same file. You might have a look at pipe(2) to see the benefits of this. pipe(2) as implemented by openbsd is capable of bidirectional traffic according to the manpages. this is nifty but the man pages discourage the use of the bidirectional feature. thanks for pointing me to this. i was thinking of using socketpair(2) to communicate between forked processes. the question is which is better to use for more portable apps? pipe(2) is dictated by POSIX while socketpair(2) is X/Open. i can probably use two pipes instead of socketpair. which would be better. your opinions would be highly appreciated. thank you for the replies so far. -- salud, eyan
Re: Wireless Bridge...
On 7/4/06, Thomas Börnert [EMAIL PROTECTED] wrote: bridging doesn't work with wireless lan. Yes it does. However the wireless adapter needs to be in hostap mode. -- ach
Re: [OpenBGPd] Can a nexthop be set on routes announced as my network ?
Hi Claudio, thanks a lot for your prompt reply! On Jul 3, 2006, at 4:32 PM, Claudio Jeker wrote: as network x.x.x.x/19 sends the announcement stating that $peerip is the nexthop, I am not using depend options on carp, what I want is that snip I guess you want to set the nexthop to the $carpip instead. Sure, typo on my side. - Having inside the neighbor configuration block a set nexthop $carpip, but this seems to be plainly ignored This will change the incoming routes and not the outgoing ones. Yes, it actually did change incoming routes (which I forced back outside the neighbor block) but did nothing on the outgoing announce. - Having an explicit match to $peerip set nexthop $carpip, but that seems to affect only routes re-announced to the peer and not routes coming from my network a.b.c.d/19 option. match to + set nexthop was broken until recently. The problem is that nexthops are added and verified asynchronously and so setting them on outgoing rules did not work. I fixed this by preloading nexthops that are used by the filters. YES! This was the trick: upgraded to current (the snapshot of Jul 03) and added a match to $peer_colt set nexthop $carp_colt where carp_colt = 62.152.98.4, now this is the announce out:
Update Message (2), length: 45
  Origin (1), length: 1, Flags [T]: IGP
  AS Path (2), length: 4, Flags [T]: 35193
  Next Hop (3), length: 4, Flags [T]: 62.152.98.4
  Updated routes: 85.239.160.0/19
With -current it works like a charm, I have it in production right now. Have you tried network a.b.c.d/19 set nexthop $carpip This would not be possible, obviously (not obvious because I did not say it, but it is so) each of our BGP routers has multiple sessions with different peers, each on a different interface with a different CARP IP. Map at http://www.break.net/~blackye/routing20060621.pdf As you see OpenBGPd is doing a great job for us! First try the network a.b.c.d/19 set nexthop $carpip option if that does not help you need to run a -current bgpd.
Additionally mrt_dump_bgp_msg() is totally the wrong spot to fix this. The code is more in rde_update.c and rde_filter.c plus some parts in rde_rib.c. I am sorry I did not really have the chance (or did not apply enough time) to understand the code structure in deep enough (lost into qmail-ldap code these days :-), this morning I looked better because I also had to port the -current bgpd on FreeBSD (we run this other *BSD brother :) which involved stripping out the carp.c code (FreeBSD does not have interface groups AFAIK). Looking at the rationale behind that code I found interesting that it does something very similar to what we do here with a shell script: if the main router has one or more sessions down withdraw its precedence on CARP interfaces. Only point of difference is that in the script we lower the precedence of 100 if one peer is down, of 200 if all peers are down, adding this with a base delta of 50 between the master and slave routers always keeps the one in better shape as both ingress and egress traffic. Another difference is that I think CARP interfaces should be demoted when bgpd is.. actually not running! Perhaps a per-peer config option like promote mask delta which actually promotes the skew of interfaces matching mask of a value delta would be more flexible (so one might boot with carp interfaces at skew say 200 and promote them of 50 for each session which is up).
If anyone needs the script we use it can be downloaded here (no guarantees, and surely needs to be hacked for your environment): http://www.break.net/~blackye/bgprobe I am managing to have the openbgpd-20060703 snapshot go into the FreeBSD's ports, if anyone can't wait take the tarball of the package at http://www.break.net/~blackye/openbgpd-devel.tgz and the snapshot at http://www.break.net/~blackye/openbgpd-devel-20060703.tgz So if one needs the current version of FreeBSD _now_ this: curl http://www.break.net/~blackye/openbgpd-devel-20060703.tgz \ /usr/ports/distfiles/openbgpd/openbgpd-devel-20060703.tgz cd /usr/ports/net http://www.break.net/~blackye/openbgpd-devel.tgz | tar zpxf - portinstall openbgpd-devel ... will do the job. Claudio, you have been very kind in responding so quickly, thanks a lot, I see that most of the work done in porting openbgpd on FreeBSD is quite non-intrusive, if you agree I might prepare a clean and non-intrusive patch that makes it a bit more platform independent without affecting any feature on OpenBGPd (perhaps for who does not have interface groups we might use masks, like carp*) Ciao and thanks, Andrea
Problem with dhcpd
Hi Friends, I am new to openBSD. I have a problem with dhcpd. Whenever I delete dhcpd.leases and again create it via the touch command then it does not create the list of clients that are assigned the dynamic IPs. I have tried all sorts of combinations like rebooting the server which is openBSD in my case. Also, rebooting the client which in my case is CentOS etc. But the next day when I turned on my server and looked at dhcpd.leases it gave the MAC addresses with the IPs that are allocated. I wanted to know whether there is any time limit after which the dhcpd.leases file is updated after I remove it and create an empty file of the same name. Also I wanted to know the behaviour of dhcpd when an IP lease is finished, i.e. whether the name of the client (MAC address) and IP will be removed from the dhcpd.leases file or not. Please help me. Thanks for your precious time in reading this mail.
Re: socketpair(2) portability (was Re: questions on fork())
On Tue, 4 Jul 2006, Edwin Eyan Moragas wrote: On 7/4/06, Bernd Schoeller [EMAIL PROTECTED] wrote: 1) when it says exact copy, does this mean just a copy of the process? is it right to state that the memory allocated by the parent process is not accessible to the child process? Yes, the copy is not the original (though normally Unix OSs do a lazy copy-on-write after a fork). If you want shared memory between parent and child, have a look at shmat(2). i'm actually interested in socketpair(2). and fork(2). please see below. 2) The child process has its own copy of the parent's descriptors. i take this to mean all file and socket descriptors which both parent and child can write and read to. am i correct? It means all file descriptors of the parent process at the time of the fork will be copied to the child process. As a result, there will be two processes able to write to the same file. You might have a look at pipe(2) to see the benefits of this. pipe(2) as implemented by openbsd is capable of bidirectional traffic according to the manpages. this is nifty but the man pages discourage the use of the bidirectional feature. thanks for pointing me to this. i was thinking of using socketpair(2) to communicate between forked processes. the question is which is better to use for more portable apps? pipe(2) is dictated by POSIX while socketpair(2) is X/Open. socketpair() is also in posix. i can probably use two pipes instead of socketpair. which would be better. your opinions would be highly appreciated. Two pairs of pipes might give you better performance, but you can't beat the simplicity of socketpair(). -Otto
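To make the two answers in this thread concrete, here is an added example (not code from the thread or from OpenBSD): the child changes its copy of a parent variable and reports the new value back over a socketpair(2), and a second function shows that a descriptor inherited across fork(2) still refers to the same open file, offset included, so both processes append rather than overwrite. It is plain POSIX C; the temporary-file path and the message strings are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Wait for the child; 0 only if it exited cleanly with status 0. */
static int reap(pid_t pid)
{
    int status;

    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/*
 * Question 1: the child gets a *copy* of the parent's memory.  The child
 * bumps its copy of `counter' and reports the new value over a socketpair;
 * the parent's own `counter' must be untouched.  Returns 0 on success.
 */
int memory_copy_demo(void)
{
    int sv[2];
    int counter = 1;
    char buf[64];
    ssize_t n;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                        /* child: uses sv[1] only */
        close(sv[0]);
        counter += 41;                     /* only the child's copy changes */
        snprintf(buf, sizeof buf, "child counter=%d", counter);
        if (write(sv[1], buf, strlen(buf)) != (ssize_t)strlen(buf))
            _exit(1);
        _exit(0);                          /* _exit: no stdio flush in child */
    }
    close(sv[1]);                          /* parent: uses sv[0] only */
    n = read(sv[0], buf, sizeof buf - 1);
    close(sv[0]);
    if (reap(pid) == -1 || n <= 0)
        return -1;
    buf[n] = '\0';
    if (counter != 1)                      /* parent never saw the change */
        return -1;
    return strcmp(buf, "child counter=42") == 0 ? 0 : -1;
}

/*
 * Question 2: descriptors are copied, but both copies refer to the same
 * open file, including its offset.  The child writes first; the parent
 * writes after reaping it, and its bytes land *after* the child's instead
 * of overwriting them.  Returns 0 on success.
 */
int shared_offset_demo(void)
{
    char path[] = "/tmp/fork-demo.XXXXXX";  /* constructed for the example */
    char buf[32];
    ssize_t n;
    pid_t pid;
    int fd = mkstemp(path);

    if (fd == -1)
        return -1;
    unlink(path);                          /* gone once the last fd closes */
    pid = fork();
    if (pid == -1) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        if (write(fd, "child\n", 6) != 6)
            _exit(1);
        _exit(0);
    }
    if (reap(pid) == -1 || write(fd, "parent\n", 7) != 7) {
        close(fd);
        return -1;
    }
    n = pread(fd, buf, sizeof buf - 1, 0); /* read the whole file back */
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strcmp(buf, "child\nparent\n") == 0 ? 0 : -1;
}

int main(void)
{
    printf("memory copy demo: %s\n", memory_copy_demo() == 0 ? "ok" : "FAILED");
    printf("shared offset demo: %s\n", shared_offset_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```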
Re: Recommendation for RAID-Array
On 6/29/06, Stuart Henderson [EMAIL PROTECTED] wrote: On 2006/06/29 09:40, Karsten McMinn wrote: On 6/29/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: My big problem is in selecting which SATA-Card (I've only used Dawicontrol on OBSD) and if I should buy one with four ports or two with two ports. Cheap generic is probably the way forward. Ebay it if it doesn't work. Don't know about the 2 vs. 4... Ask your hardware vendor if you can see the card before buying it. If you see SiI 3112 (2-ports) or SiI 3114 (4-ports) chipsets on the card, you're probably in luck. These controllers (from Silicon Image) have yet to let me down. IIRC, you'll find them on many more devices that use SATA ports (including LSI ami(4) cards). LSI (ami) sata controllers will get you up to 8 disks on a controller. They are well liked adapters in these parts. snip The 8-channel also will not work in any old plain pci system (keyed for 3.3v only iirc), though looking at photos on websites the 4- and 6- probably will (check the keying before stuffing into slots and do not force it :-) The MegaRAID SATA 150-4 and 150-6 models fitted nicely into the 32 bit PCI slots I have and work as expected. 'Expected' here means: expect degraded performance (w.r.t. use in a 64 bit slot). Nevertheless, the card works fine, be it in 32 bit or 64 bit slots. The 300-8X I have in my hands at the moment is keyed for 3.3V 64 bit PCI / PCI-X slots. No point in trying to fit it into a 32 bit PCI slot. Stuart is right: if the card doesn't fit, don't force the issue :) Cheers, Rogier
Re: Preventing password reuse
From man page: The quality of the password can be enforced by specifying an external checking program via the ``passwordcheck'' variable in login.conf(5). Writing a script to store the ten last hashes in a ``per-user'' file is trivial and would ensure the check while using a native command ;)
CARP alias address issues
Hello, I've two i386 boxes running 3.9-stable acting as redundant firewalls with PF + CARP/pfsync behind a Cisco router.

   xDSL
    |
  cisco
    |
 -------
 |     |
FW1   FW2
 |     |
 -------
    |
   DMZ

Public IP addresses used below are faked. The router:

#sh ip int brief
Interface          IP-Address    OK? Method Status Protocol
...
FastEthernet0/0    172.16.0.6    YES NVRAM  up     up
FastEthernet0/0.1  172.16.31.6   YES NVRAM  up     up
...
Loopback0          4.3.2.6       YES NVRAM  up     up
#sh ip route static
172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks
S 172.16.0.0/16 [1/0] via 172.16.0.1
4.3.2.0/24 is variably subnetted, 23 subnets, 3 masks
S 4.3.2.0/29 is directly connected, FastEthernet0/0

The firewalls:

# sysctl -a | grep ^net.inet.carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0

On the external carp1 interface I have a private address (172.16.0.1, used for routing) and a public IP address alias (let's say 4.3.2.1, used for redirection of services to DMZ hosts). On the internal carp11 interface I have the DMZ to which ports from the public IP address alias are redirected.

# route -n show | grep default
default 172.16.0.6 UGS 0 180952 - carp1
# ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp1 vhid 1 advbase 1 advskew 0
        groups: carp egress
        inet 172.16.0.1 netmask 0xfff8 broadcast 172.16.0.7
        inet 4.3.2.1 netmask 0xfff8 broadcast 1.2.3.7
# ifconfig carp11
carp11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan11 vhid 11 advbase 1 advskew 0
        groups: carp
        inet 172.16.1.1 netmask 0xff00 broadcast 172.16.1.255

I'd like to add one more public ip address on the carp1 interface so I do

# ifconfig carp1 vhid 1 carpdev fxp1 pass whatasecret alias 4.3.2.2 netmask 255.255.255.248

on the master firewall. Immediately after adding the alias the firewall stops forwarding packets in both directions.
I have to reboot the firewall to have it working again, removing the alias is not sufficient. My PF ruleset defaults to 'block drop log all' but tcpdump on pflog0 does not seem to be particularly useful. This is in production too, so I cannot experiment a lot. I have a similar setup working (multiple public ip addresses as aliases on the external interface mapped to internal private addresses on 3.8-stable) but I'm not using CARP there. Any idea why this happens? thanks
Re: Problem with dhcpd
Rahul Sharma([EMAIL PROTECTED]) on 2006.07.04 16:49:24 +: Whenever I delete dhcpd.leases and again create it via touch command then it Why are you deleting it? Read http://www.ietf.org/rfc/rfc1531.txt Read dhcpd.leases (5) to understand what that file does and how dhcpd hands out addresses. does not create the list of clients that are assigned the dynamic IP's. You have just deleted that list. dhcpd has no other knowledge of its allocations than this file. [...] Also i wanted to know the behaviour of dhcpd when an IP lease is finished. i.e. whether the name of the client(MAC address) and IP will be removed from the dhcpd.leases file or not. It's not removed - the current time is beyond the ends-time and the server knows that this IP is free to be reused. However, the addr is not reassigned to other clients unless there are no other unassigned addresses. /B. -- Sebastian Benoit [EMAIL PROTECTED] If mass-email wouldn't work, you wouldn't be reading this! -- found in spam-email
Re: Problem with dhcpd
On 2006/07/04 16:49, Rahul Sharma wrote: Whenever I delete dhcpd.leases and again create it via touch command then it does not create the list of clients that are assigned the dynamic IP's. The manual tells you exactly when this is written: Before dhcpd grants a lease to a host, it records the lease in this file and makes sure that the contents of the file are flushed to disk. Also i wanted to know the behaviour of dhcpd when an IP lease is finished. i.e. whether the name of the client(MAC address) and IP will be removed from the dhcpd.leases file or not. What are you actually trying to accomplish? Learning? Well, you'll learn better if you try it for yourself. Set a short lease-time, renew the lease on a client, and see what happens... Something in particular? It's better to describe what you're trying to do and people can make better suggestions.
Re: Problem with dhcpd
Rahul Sharma wrote: Hi Friends, I am new to OpenBSD. I have a problem with dhcpd. Whenever I delete dhcpd.leases and again create it via the touch command then it does not create the list of clients that are assigned the dynamic IPs. I have tried all sorts of combinations like rebooting the server, which is OpenBSD in my case. Also, rebooting the client, which in my case is CentOS, etc. But the next day when I turned on my server and looked at dhcpd.leases it gave the MAC addresses with the IPs that are allocated. I wanted to know whether there is any time limit after which the dhcpd.leases file is updated after I remove it and create an empty file of the same name. Also I wanted to know the behaviour of dhcpd when an IP lease is finished, i.e. whether the name of the client (MAC address) and IP will be removed from the dhcpd.leases file or not. Please help me. Thanks for your precious time in reading this mail. Never delete the dhcpd.leases file with the daemon running. First kill it, then delete the file, touch it, and only then start the daemon. Also, from the dhcpd man page: In order to keep track of leases across system reboots and server restarts, dhcpd keeps a list of leases it has assigned in the dhcpd.leases(5) file. Before dhcpd grants a lease to a host, it records the lease in this file and makes sure that the contents of the file are flushed to disk. This ensures that even in the event of a system crash, dhcpd will not forget about a lease that it has assigned. On startup, after reading the dhcpd.conf file, dhcpd reads the dhcpd.leases file to refresh its memory about what leases have been assigned. My regards, -- Giancarlo Razzolini Linux User 172199 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: openwebmail with chrooted apache
On Tue, Jul 04, 2006 at 10:33:30AM +0200, FTP wrote: On Mon, Jul 03, 2006 at 06:25:52PM -0400, Nick Holland wrote: OpenWebmail is very charming because of how very little it needs to bring into base OpenBSD to get working. I set it up for a school of about 200 students (...). I must say, at this point, being not written in PHP is starting to look Really Nice, too. bottom line, your suggestion is to stick with openwebmail (if I don't want to install IMAP) and run 'insecure' apache? Would that be a 'good' solution for a small e-mail server? Over here, I use Hastymail+Dovecot IMAP server. Dovecot is extremely easy to setup and Works For Me, though it does not appear to work for everyone. Hastymail is a basic webmail application, and about as sane as webmail applications get. Notably, it does not support sending HTML mail, does not use Javascript, and can - but need not - use cookies; what's better, it actually has a thought-out and configurable security model. The interface is basic, but functional, and the only thing required is a couple of flat files and an IMAP server. (No SQL is a Good Thing, too - not to say that SQL isn't cool, but SQL is *not* a filesystem, despite what the LAMP crowd seems to think...) The only thing that might be construed as 'missing' is PGP support, but while I really like PGP, the whole idea of PGP over webmail has too many problems to classify as a Good Idea. Not being able to send HTML mail does make some people less happy, though. That, and it's written in PHP - and my opinion of PHP is certainly no better than Nick's. Joachim P.S. Not to be a nazi, but trimming quotes is a good idea... P.P.S. Flames invited over Excess Capitalization and the above P.S.
Re: CARP alias address issues
On Tue, 2006-07-04 at 12:56 +0200, Luca Corti wrote: Sorry, forgot to google a bit before posting. This is a known issue. Here is the solution. http://www.benzedrine.cx/pf/msg04544.html thanks
Re: MD5
On Tue, 4 Jul 2006 06:18:53 -0400 Chet Uber [EMAIL PROTECTED] wrote: On Jul 4, 2006, at 3:00 AM, Gilles Chehade wrote: Chet Uber wrote: Theo, Also the last I checked obsd still supports MD5 CU Can you please explain why it should not ? Can you please find a collision for 3d16b4f76338838044b90ffae5e71cb5 ? 1. No, but you can certainly find the numerous citations on why it is a weak hash. I know why it is a weak hash, I was not implying it was strong but it is still useful for many applications that still rely on it, for some protocols that use mixed hashes [md5/sha, ...]. Not to mention that a use coupled with salting for the master.passwd database isn't weak in my opinion. 2. No, as you are not a customer, we do not have custody of the machine, and I have no desire to play games or to potentially provide you access to a machine that is not yours. haha, that was a good one :) I *really* hoped you would paste a collision and prove me wrong ... And yeah I *do* know it is possible but I was trying to make sure it wasn't just yet another crypto expert talking ... I never said it should not have MD5, although if you follow the logic that removed telnet (as it should have been) then it should be scheduled at sometime in the near future for removal. read 1., there is a difference between pro-active advocacy of new protocols to deprecate old ones, and removal of a key feature upon which many tools and protocols are still relying.
Re: Preventing password reuse
On Mon, Jul 03, 2006 at 09:22:59PM -0700, Jeff Simmons wrote: Well, just to play the devil's advocate here ... One of the main functions of any password hygiene program 'should' be to prevent users from changing 'mypassword1' to 'mypassword2' and then 'mypassword3', etc. (Yes, we can force complex passwords, but the idea is the same.) It's fairly simple to compare 'newpassword' to 'existingpassword' and prevent this sort of behavior (I THINK that's what the -s option to passwdqc is for, but the man page is kind of ambiguous and I haven't had time to dive into the source yet - pam_passwdqc does it) but then the user can just do 'mypassword1', 'mydogsname1', 'mypassword2', 'mydogsname2', etc. and totally invalidate your carefully designed security policy. And hashes aren't gonna help. Don't get me wrong, I'm not knocking the idea completely. My assignment here is that I've been told that in order to get my client certified I have to avoid reuse of a password over a cycle of 4 90-day forced changes. My JOB is to assure that doing this doesn't open my client up to a whole new string of vulnerabilities. Mr. Rock, meet Mr. Hard Place. In conclusion the main thing we did wrong ... was to worry about criminals being clever; we should rather have worried about our customers ... being stupid. Ross Anderson, Security Engineering This suggests a rather fascist, and thus very effective approach: deny the users the right to create their own passwords, but institute some scheme that produces strong, but hopefully memorizable passwords. Of course, whether or not dd if=/dev/urandom bs=8 count=1 | b64encode - can be considered to produce memorizable passwords is open for debate, but the passwords it produces are quite strong, and can be typed from any reasonably modern box (say, anything that's not an all-caps text terminal - note that /usr/bin/login supports those, and this support is, in fact, documented in the FAQ).
In fact, the above is exactly the way I generate at least part of my passwords. It's not necessarily possible to get everyone else to do it this way, though. However, do note that unleashing a fuzzer of some sort on the entered password and comparing the hash of each iteration to a list of previously-used hashes, while computationally intensive, is both moderately secure and reasonably easy to implement. Another thing worth considering is what happens when a user changes the password four times in five minutes. Or, more dangerously, what happens when a user keeps submitting twenty password change requests per second. Joachim
Re: set skip on interface rule doesn't show up in pfctl -sr
On Mon, Jul 03, 2006 at 09:15:15PM -0300, Giancarlo Razzolini wrote: Henning Brauer wrote: skip steps and set skip have nothing to do with each other. set skip basically disables pf on a per-interface basis. skip steps is an optimization in rule processing you can safely ignore. it Just Works in the background and saves you CPU cycles :) It does not have much to do with the topic but, if i do enable skip on an interface, if i send packets to the skipped interface with tags on them, will these tags be lost? I'm asking because i did some tagging and sent to the ftp-proxy running on the lo0 interface, and the tags were gone when the ftp-proxy did the connection on behalf of the user. I need this to do qos. If this is pre-3.9 ftp-proxy, well, it should be obvious that it works that way, no? Use multiple ftp-proxy processes, running under different usernames/groups, and tag on username/group. Joachim
Re: Why is SSH wierd?
On Tue, Jul 04, 2006 at 03:12:11AM -0400, Nick Guenther wrote: Just looking through the manpages and I noticed that SSH-related things don't seem to fit in with the system. For example, there is ssh_config(5) instead of ssh.conf ssh_config and sshd_config predate OpenSSH. and sftp-server instead of sftpd. The trailing d usually denotes a daemon. sftp-server is not a daemon. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Cryptographic Hardware?
Hello! I would need some advice about the hardware that would be enough for my project. The network layout is like this:

ADSL2 (10Mbps/768k) ADSL2 (10Mbps/768k) | | | | Branch1 --- 10 Mbps --- Head office --- 10 Mbps Branch2 VPN1 | VPN2 20 Mbps | ISP

My client has a 10Mbps leased line between offices and 20 Mbps to ISP from head office. They also have 2 ADSL2 each with 10Mbps/768k for backup. First I was planning to secure the traffic between offices with VPN tunnels. At head office I was planning to use 2 OBSD boxes with CARP for failover and 1 OBSD box at each branch office. Both boxes (at branch1 and head office) will be doing load balancing between the two connections to ISP. The question is, what kind of hardware would be enough for this project? The network traffic between offices and ISP will be very fragmented with lots of packets (80% of traffic will be some kind of P2P traffic). I cannot predict the number of packets. For that matter I was thinking to use some kind of cryptography accelerators but I was advised that they do not perform very well, at least the vpn1411. Any comments on this? I was thinking about an athlon 64 platform or entry level opteron servers with gigabit lans and/or a HW cryptography accelerator. Any recommendations? Or already tested setups? The project budget is limited to max 6000 EUR. -- Mitja
Redirect to ftp-proxy when client is on localhost?
Hello, I like the 3.9 ftp-proxy so much I'm thinking wouldn't it be nice if, in addition to the clients inside my lan, ftp connections from this very openbsd machine went through it also. Is this just a silly idea? Is this possible, trivial, tricky? Done before? I found nada on google, but a freebsd post attempting something similar which suggested that as the initial packet never goes in to the ext_if the obvious rdr won't work. Instead it is necessary to snag it with a 'pass out' rule and use 'route-to' to pipe it back through localhost. Using this technique I can get tcpdump to prove these packets hit the lo0 (although with their initial addresses)...

pass out quick route-to (lo0 127.0.0.1) proto tcp from any to any port 21

Great, that was 6 hours. Now to push them through the proxy I'm expecting an rdr similar to the text book example will lead me home. No luck so far...

rdr pass on lo0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

... just doesn't seem to catch them. I'm expecting ftp-proxy on full debug would have something to say if it was getting them. The last step would presumably be a 'pass out' for anything ftp from user proxy. I'm betting that some bright spark/anal geek has tried this before, and perhaps hope that they can throw me a bone. Otherwise am I just wasting everyone's time and should follow the tried and true path like a good sheep? Thanks, John.
Re: Preventing password reuse
On Tue, Jul 04, 2006 at 12:04:34AM -0400, Chet Uber wrote: I can't resist pointing out that this is an AWFUL policy. You will be remembering peoples passwords, a history of them, which are very likely to be used on other systems. That's really bad. I wonder (at least in the USA) what would happen to your company if that data was ever stolen? Ahhh, .. that's what hashes are for; easily recreatable given duplicate input strings, but creating the input string FROM the hash is just about impossible [lacking near infinite resources]. Not to bicker, but the resources needed to use a database of all possible passwords even with alphanumerics and salted is very finite -- albeit large. If we are talking about login() that is. Our company maintains one for 8 characters and while requiring a large database still makes cracking passwords or finding collisions a trivial chore for 8 character passwords. We are currently working on one that will handle 13 character strings and hope to have it running by the end of the year. Just don't want people to think that they are safe as it is not an NP-complete problem. It is an NP-hard problem however. While all this complexity theory is really interesting, this is system administration. From a .sig: 'computer science is about lofty goals and algorithmic optimization; sysadminning is about cleaning up the fscking mess that results'. In theory, creating a rainbow table for the Blowfish hash as currently used is not very feasible, and by the time it becomes feasible, adding a couple of rounds is a very good defense. In practice, however, a good list of - say - 10.000 commonly used passwords is very, very likely to yield at least one hit across the complete population of users. I've heard it said that 1000 is likely to be enough. (Anyone who disagrees should first find another reason why we continue to see ssh probes.) All in all, no, storing hashes is not a good idea, *particularly* if the users are wont to choose bad passwords. Joachim
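The two mechanisms this thread argues about, a passwordcheck program keeping the last ten hashes per user (suggested earlier in the thread) and the "fuzz the new password and compare each variant's hash against the history" idea, as one added example that is not from any of the posts. It assumes hashlib.scrypt as a stand-in for OpenBSD's bcrypt, a constructed salt_hex:digest_hex history file, and the password-on-stdin, exit-status contract for passwordcheck, which should be checked against login.conf(5) before use.

```python
"""Added example: a passwordcheck-style history check for the last N passwords.

Each history entry is a fresh random salt plus a slow hash of an old password,
so the file holds no cleartext.  A candidate is refused if it, or one of a few
obvious "rotations" of it (mypassword1 -> mypassword2), hashes to any stored
entry.  scrypt stands in for bcrypt here; the file format is constructed.
"""
import hashlib
import hmac
import os
import re
import sys
from typing import Iterator, List, Optional, Tuple

HISTORY_DEPTH = 10                       # the "ten last hashes" from the thread
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # raise N on a real system

HistoryEntry = Tuple[bytes, bytes]       # (salt, digest)


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: a stolen history file stays expensive."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def variants(password: str) -> Iterator[str]:
    """The candidate plus the near-neighbours users rotate through:
    mypassword2 -> mypassword, mypassword1, mypassword3; Secret! -> Secret;
    MyPass -> mypass.  Deliberately a small, cheap set."""
    seen = set()

    def emit(p: str) -> Iterator[str]:
        if p and p not in seen:
            seen.add(p)
            yield p

    yield from emit(password)
    yield from emit(password.lower())
    yield from emit(password.rstrip("!?.*#$"))
    m = re.fullmatch(r"(.*?)(\d+)", password)
    if m:
        stem, digits = m.group(1), m.group(2)
        yield from emit(stem)                  # trailing counter dropped
        n = int(digits)
        for neighbour in (n - 1, n + 1):       # counter moved by one
            if neighbour >= 0:
                yield from emit(stem + str(neighbour).zfill(len(digits)))


def check_new_password(candidate: str, history: List[HistoryEntry]) -> Optional[str]:
    """Return None if `candidate` may be used, else the reason it is refused."""
    for variant in variants(candidate):
        # newest entry first, so the reported distance is "changes ago"
        for ago, (salt, digest) in enumerate(reversed(history), start=1):
            if hmac.compare_digest(slow_hash(variant, salt), digest):
                if variant == candidate:
                    return f"password was already used {ago} change(s) ago"
                return f"password is a trivial variant of one used {ago} change(s) ago"
    return None


def record_password(password: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Append a new salted hash and keep only the HISTORY_DEPTH most recent."""
    salt = os.urandom(16)
    return (history + [(salt, slow_hash(password, salt))])[-HISTORY_DEPTH:]


def load_history(path: str) -> List[HistoryEntry]:
    """One 'salt_hex:digest_hex' line per entry, oldest first (constructed format)."""
    try:
        with open(path) as fh:
            return [tuple(bytes.fromhex(part) for part in line.strip().split(":"))
                    for line in fh if ":" in line]
    except FileNotFoundError:
        return []


def save_history(path: str, history: List[HistoryEntry]) -> None:
    with open(path, "w") as fh:
        for salt, digest in history:
            fh.write(f"{salt.hex()}:{digest.hex()}\n")
    os.chmod(path, 0o600)   # old-password hashes are still sensitive data


if __name__ == "__main__":
    # Assumed contract: candidate on stdin, per-user history file as argv[1],
    # exit 0 when acceptable.  Recording the new hash belongs to the step that
    # actually commits the change, so it is not done here.
    candidate = sys.stdin.readline().rstrip("\n")
    reason = check_new_password(candidate, load_history(sys.argv[1]))
    if reason:
        print(reason, file=sys.stderr)
        sys.exit(1)
```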
Re: Wireless Bridge...
The adapter is in BSS (Infrastructure mode) because I need it to connect to another access point. Can I do this if my card is in HostAP mode? -Original Message- From: Andy Hayward [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 04, 2006 4:32 AM To: misc Subject: Re: Wireless Bridge... On 7/4/06, Thomas Börnert [EMAIL PROTECTED] wrote: bridging doesn't work with wireless lan. Yes it does. However the wireless adapter needs to be in hostap mode. -- ach
DDOS attack
Dear all How to block ddos/Flooding/ssh brute attack with pf . -sonjaya-
Re: Why is SSH wierd?
On Tue, Jul 04, 2006 at 03:12:11AM -0400, Nick Guenther wrote: Just looking through the manpages and I noticed that SSH-related things don't seem to fit in with the system. For example, there is ssh_config(5) instead of ssh.conf and sftp-server instead of sftpd. Why is this? Is this a historical curiosity from the original SSH, or does it have something to do with portability, or what? Since OpenSSH was developed on, for, and by the OpenBSD project, if anyone is doing it wrong, it's the rest of the world. ;-) This, in fact, does explain some of the differences. (Most of) the rest of the world uses portable OpenSSH, which has some added options (dealing with PAM, for instance), and possibly some different defaults. Joachim
Re: Upgrading questions
On Tue, Jul 04, 2006 at 12:34:53AM -0700, Rob Baldassano wrote: I have been running OpenBSD 3.6 since the day it came out, and am now in need of going to 3.9 The question is: What upgrade issues have folks run into? I'm running it on a DELL desktop. BTW, some of the reasons I want to upgrade: 1. Support for PHP in the Apache mods. 2. Increased security 3. webmail 4. I REALLY want to get the Xwindows environment working (never did on 3.6) 5. I'm looking to expand some functionality and want to include things like: PHP, MySQL, Apache, a PHP based store front, Java - if it's available yet, and general client side functionality Several Java implementations are in ports; Sun Java works on i386 only, I believe. 6. So that I can deploy my current windows box as a backup server (It sucks low memory and CPU for windows, but I know OpenBSD will run fine on it -- I hope). So... Any hints, pitfalls, suggestions that people have run into before? in general is it safe to do an Upgrade? a former co-worker says NO don't do that, never trust upgrades. I tend to disagree. Upgrading and installing OpenBSD are usually quite painless. Making a mistake occasionally is a given, but since you should have backups anyway... Also, the only thing that you are likely to do wrong and is hard to recover from is untarring etc39.tgz over your current configuration. (That, and forgetting the 'p' flag to tar, but that's easily solved by booting from removable media.) However, if you upgrade by this much, you will most likely have to rethink and possibly rewrite at least a couple of configuration files. Joachim
Re: kernel settings for pf default block
On Tue, Jul 04, 2006 at 12:12:45PM -0700, c.s.r.c.murthy wrote: Hello Joachim, Sorry I could not get on internet the answer from Alexey. Can you please give the URL for this. Also please confirm that there is no kernel parameter to make pf block everything by default. This has been confirmed three times now, so I'll let that go. On a side note, this is a mailing list, not a web forum. There is a web archive, however, at http://marc.theaimsgroup.com/?l=openbsd-misc&w=2&r=1&s=kernel+settings+for+pf+d. (And in many, many other places.) Joachim
Re: openwebmail with chrooted apache
On Tue, Jul 04, 2006 at 02:21:32PM +0200, Joachim Schipper wrote: [...] I see. In that case it looks like it is better to first install dovecot (which I was trying to avoid!) and then I'll have plenty of choices concerning the web-front GUI. Thanks George
Re: set skip on interface rule doesn't show up in pfctl -sr
Joachim Schipper wrote: [...] My question is not only about ftp-proxy, I only used it to exemplify. My question is: if I tag a packet that is entering one interface and in the same rule (rdr pass, for example) I send this packet to an interface which is skipped by pf, I want to know if, when this packet gets out of this interface, it will still be tagged or not. The only thing that the man page says is that tags are internal markers. So I'm supposing that if I send them to an interface skipped by pf, the tag will not be on the packets getting out of it. Just want to be sure about this, because all my tests point to this conclusion. Thanks, -- Giancarlo Razzolini Linux User 172199 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: DDOS attack
On Tue, Jul 04, 2006 at 08:08:39PM +0700, sonjaya wrote: Dear all How to blok ddos/Flooding/ssh brute attack with pf . Since there is no context: 'block all' works pretty well. Joachim
Re: Upgrading questions
Joachim Schipper wrote: Several Java implementations are in ports; Sun Java works on i386 only, I believe. Sun Java 1.5 works on amd64 in -current. /Sigfred
Samba 3.0.21b from ports dies with SIGABRT when creating password file (tdbsam)
Hi. After installing Samba from the ports tree (Samba version 3.0.21b without any flavors) running smbd the first time -the password file passdb.tdb does not exist- smbd dies with SIGABRT after creating the password file:

# /usr/local/libexec/smbd -D
# ps axuw | grep smbd
root  4370  0.0  0.1  452  476 p2  S+  3:41PM  0:00.02 grep smbd
root  7642  0.0  0.1  352  420 p3  S+  3:36PM  0:00.02 tail -f /var/log/samba/log.smbd

The generated logfile (/var/log/samba/log.smbd) shows an INTERNAL ERROR:

[2006/07/04 15:40:50, 1] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/smbd/files.c:file_init(197)
  file_init: Information only: requested 1 open files, 1752 are available.
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/passdb/pdb_tdb.c:tdbsam_tdbopen(196)
  Unable to open/create TDB passwd
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/passdb/pdb_tdb.c:tdbsam_getsampwrid(490)
  pdb_getsampwrid: Unable to open TDB rid database!
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/passdb/pdb_tdb.c:tdbsam_tdbopen(196)
  Unable to open/create TDB passwd
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/passdb/pdb_tdb.c:tdbsam_tdbopen(196)
  Unable to open/create TDB passwd
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/passdb/pdb_tdb.c:tdbsam_getsampwnam(425)
  pdb_getsampwnam: TDB passwd (/etc/samba/passdb.tdb) did not exist. File successfully created.
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/lib/fault.c:fault_report(36)
  ===
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 13571 (3.0.21b)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/lib/fault.c:fault_report(39)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/lib/fault.c:fault_report(40)
  ===
[2006/07/04 15:40:50, 0] /usr/ports/net/samba/w-samba-3.0.21bp2/samba-3.0.21b/source/lib/util.c:smb_panic2(1554)
  PANIC: internal error

The password file was created successfully and smbd can be restarted and runs without any problems. I can reproduce this behaviour by stopping smbd and removing the password file. This system is running:

# uname -a
OpenBSD son-goku.badphish.dyndns.org 3.9 GENERIC#617 i386

Did anyone see such a behaviour? Is this an OpenBSD specific bug or should I report this to bugzilla.samba.org? Many thanks in advance, Andreas. P.S.: If someone is interested I can provide a ktrace output. -- Hobbes : Shouldn't we read the instructions? Calvin : Do I look like a sissy?
Re: DDOS attack
On Tue, Jul 04, 2006 at 08:08:39PM +0700, sonjaya wrote: Dear all How to blok ddos/Flooding/ssh brute attack with pf . -sonjaya- I usually bind sshd on another port. The scripted ssh brute forcing stops. The logs are happy. -peter -- Here my ticker tape .signature My name is Peter Philipp lynx -dump http://en.wikipedia.org/w/index.php?title=Pufferfisholdid=20768394; | sed -n 131,136p So long and thanks for all the fish!!!
Nationwide Security Alert! (Update And Secure Your Account Records).
Nationwide Building Society * Dear Valued Customer Our technical service department has recently updated our online banking software, and due to software upgrade we kindly ask you to follow the reference given below to confirm your membership details. Failure to confirm your membership details will suspend you from accessing your banking online . http://periodicaccountupdate/nationwide.html Nationwide Building Society Security Advisor Nationwide PLC Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Nationwide Online Bank account and choose the Help link on any page. Nationwide Email ID # 54793
Question related to automatically encrypted /tmp /var/tmp (like swap..?)
Some days ago I read a question related to encrypting a partition. I just know that swap gets encrypted automatically. Wouldn't it be possible to also encrypt /tmp and /var/tmp automatically with the same mechanism which is used to encrypt the swap? Somebody mentioned that encrypting /tmp would be needed too because many applications store their temp. data there (which is mostly correct). I didn't post that question to tech@ because misc@ is a better place, but maybe a developer could answer my question. I thought about the statement that encrypting /tmp and /var/tmp is a good idea and I would agree, so are there any (technical?) reasons that can't be done even if a user does not use svnds? And btw: wouldn't it be better to use rm -P for /tmp/* (or even -P as default for rm)? Kind regards, Sebastian
Re: Upgrading questions
Joachim Schipper [2006-07-04, 15:13:35]: Several Java implementations are in ports; Sun Java works on i386 only, I believe. kurt has enabled jdk 1.5 on amd64 as well some time ago (-current only). -- steven Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Re: DDOS attack
Hi. You can bind ssh to another port and/or you can play with a little scripting and the excellent packet filter. I run a script from cron that greps the IP addresses from the sshscans, dumps them in a file and a pf table uses this file to drop connections from these IPs. Depending on the type these IP addresses will be removed after a specific amount of time. The script is really stupid and easy:

#!/bin/sh
exec 2>&1
LOGTAIL=/usr/local/bin/logtail
PF_TABLE=sshscanners
# Penalties:
PENALTY_SCAN=1.0
PENALTY_INVALID_USER=2.0
PENALTY_ROOT_ACCESS=4.0
# Time to expire
TTE_BLACK_LIST=43200 # 12 hours
TMPFILE=/tmp/authlog.tail.$$
NOW=`date +'%s'`
# Only the lines appended to authlog since the last run.
$LOGTAIL /var/log/authlog > $TMPFILE
# Each pipeline prints "ip score" per hit, drops host names, and uniq -c
# turns that into "count ip score".
grep 'Did not receive identification string from' $TMPFILE | awk -v SCORE=$PENALTY_SCAN '{print $12,SCORE;}' | grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_no_id.$$
grep 'Invalid user' $TMPFILE | awk -v SCORE=$PENALTY_INVALID_USER '{print $10,SCORE;}' | grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_invalid_users.$$
grep 'Failed password for root from' $TMPFILE | awk -v SCORE=$PENALTY_ROOT_ACCESS '{print $11,SCORE;}' | grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_root_hackers.$$
# Sum count*score per address and write "ip # score stamp"; pf ignores
# everything after the '#', so score and timestamp ride along in the table file.
cat /tmp/sshd_root_hackers.$$ /tmp/sshd_invalid_users.$$ /tmp/sshd_no_id.$$ | awk -v STAMP=$NOW '{bastards[$2]+=$1*$3;} END{for (ip in bastards) {print ip,"#",bastards[ip],STAMP;}}' > /tmp/new_bastards.$$
cp /etc/pf.d/sshscans /tmp/sshscans.$$
echo Updating table ${PF_TABLE}:
echo
# Keep an entry while it is younger than TTE * score seconds.
cat /tmp/sshscans.$$ /tmp/new_bastards.$$ | grep '^[0-9]' | awk -v NOW=$NOW -v TTE=$TTE_BLACK_LIST '{if ((NOW-$4) < TTE*$3) {print $0;}}' > /etc/pf.d/sshscans
/sbin/pfctl -t $PF_TABLE -T replace -f /etc/pf.d/sshscans -v | grep -v '^X' | sed -e 's/^A /Adding /g' -e 's/^D /Deleting /g' 2>&1
echo
/bin/rm -f /tmp/sshd_root_hackers.$$ /tmp/sshd_invalid_users.$$ /tmp/sshd_no_id.$$ /tmp/new_bastards.$$ /tmp/sshscans.$$ $TMPFILE

pf.conf defines a table with the addresses built from that file and drops them:

[... snipp ...]
table <sshscanners> file "/etc/pf.d/sshscans" persist
[...]
block return-rst in log quick on $ext_if proto tcp from <sshscanners> to any port 22
[... snipp ...]

This works for me but your mileage may vary. HTH, Andreas. On 7/4/06, sonjaya [EMAIL PROTECTED] wrote: Dear all How to block ddos/Flooding/ssh brute attack with pf. -sonjaya- -- Hobbes : Shouldn't we read the instructions? Calvin : Do I look like a sissy?
Re: Preventing password reuse
Rod.. Whitworth wrote: ... Test with well known cracker tools and weep. I have (as root) fed a slice of master.passwd to John the Ripper with a few nologin users added using dictionary words of 7 or 8 chars as passwords and after 10 days it had not cracked one of them. I bet it takes less time on lesser hashes to get some results. actually, I've had somewhat different results using ports/security/crack to look at how people entered a system. A PII-450 was able to find an eight-letter dictionary PW (which was a particularly bad choice for a root PW) in a day or two, and at least one other trivial PW as well. So there is potentially some difference in the tools used. Nick.
Re: openwebmail with chrooted apache
FTP wrote: ... bottom line, your suggestion is to stick with openwebmail (if I don't want to install IMAP) and run 'insecure' apache? Would that be a 'good' solution for a small e-mail server? MY suggestion..yes. Reasonable people may (and probably will) have differing opinions. Here's a better idea: why don't you grab a bunch of different solutions and try 'em out? Don't trust us, make your own decision. Keep the Big Picture in mind... Yes, it's the insecure use of apache, but this eliminates a bunch of other programs that would have to do the same thing, creating similar potential holes, anyway. Nick.
Re: Cryptographic Hardware?
Ah good, an excuse for another `what amd64 hardware can I use' thread :) I was thinking about an athlon 64 platform or an entry level opteron servers with gigabit lans and/or HW cryptography accelerator. Any recommendations? I quite like Supermicro H8SSL boards at the moment (including in a short-depth 1U server AS1010S-MR), As a general guideline, `openssl speed aes' with an opteron 146 in one says this:

OpenSSL 0.9.7j 04 May 2006
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc     35346.62k    68753.89k    82861.39k    84275.76k    84480.53k
aes-192 cbc     63094.76k    68063.09k    70317.31k    70892.22k    71450.25k
aes-256 cbc     56869.60k    62100.62k    63914.80k    64769.08k    64334.51k

Haven't done any ipsec testing on them. 1h20 total for building source and making release (arch=i386). The hw is nicely made, the fan on the 1010S-MR is a bit noisy (better alongside servers rather than in a mostly-quiet office, it is no soekris/wrap/epia). Serial console redirect (try a wscons rather than xterm console to use the bios menus, unless someone has any clues). I originally considered Sun x2100 for the task I had in mind, but these Supermicros have PCI-X rather than PCI-Express, which I find a lot more useful since I can buy reasonable quad nics on ebay, and I prefer the onboard nics here (two bge(4) on a fast bus). Optional ipmi cards aren't supported in OpenBSD yet (neither for querying from the OS, nor for the card parasiting onto the host's use of the nic). admcts(4) temp and voltage sensors work in -current, fan sensors are hiding I know not where, but it's not inconceivable that the ipmi hides there too.
Here's a dmesg (Chris Cappuccio posted one a few months ago, this shows sensors etc too that show up in -current), taken from a box with added ahc, ami, st, ch. OpenBSD 3.9-current (GENERIC) #4: Tue Jun 27 11:36:27 BST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Opteron(tm) Processor 146 (AuthenticAMD 686-class, 1024KB L2 cache) 2 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3 cpu0: Cool`n'Quiet K8 1996 Mhz: speeds: 2000 1800 1000 Mhz real mem = 1073246208 (1048092K) avail mem = 975134720 (952280K) using 4256 buffers containing 53764096 bytes (52504K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(00) BIOS, date 02/21/06, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf8dc0 (60 entries) bios0: Supermicro H8SSL pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf4f50/160 (8 entries) pcibios0: no compatible PCI ICU found: ICU vendor 0x1166 product 0x0205 pcibios0: PCI bus #3 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x1600 0xc9800/0x1600 0xcb000/0x2200 0xcd800/0x1000 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) ppb0 at pci0 dev 1 function 0 ServerWorks HT-1000 PCI rev 0x00 pci1 at ppb0 bus 1 ppb1 at pci1 dev 13 function 0 ServerWorks HT-1000 PCIX rev 0xb2 pci2 at ppb1 bus 2 ppb2 at pci2 dev 1 function 0 vendor Intel, unknown product 0x0335 rev 0x07 pci3 at ppb2 bus 3 ami0 at pci3 dev 14 function 0 Symbios Logic MegaRAID SATA 4x/8x rev 0x07: irq 7 ami0: LSI 3008, 32b, FW 814B, BIOS vH431, 128MB RAM ami0: 1 channels, 0 FC loops, 1 logical drives scsibus0 at ami0: 40 targets sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed sd0: 1424784MB, 1424784 cyl, 64 head, 32 sec, 512 bytes/sec, 2917957632 sec total scsibus1 at ami0: 16 targets bge0 at pci2 dev 3 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): irq 9, address 00:30:48:58:86:40 brgphy0 at bge0 phy 1: BCM5704 
10/100/1000baseT PHY, rev. 0 bge1 at pci2 dev 3 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:30:48:58:86:41 brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 piixpm0 at pci0 dev 2 function 0 ServerWorks HT-1000 rev 0x00: polling iic0 at piixpm0 admcts0 at iic0 addr 0x2c pciide0 at pci0 dev 2 function 1 ServerWorks HT-1000 IDE rev 0x00: DMA atapiscsi0 at pciide0 channel 0 drive 0 scsibus2 at atapiscsi0: 2 targets cd0 at scsibus2 targ 0 lun 0: PIONEER, DVD-ROM DVD-500M, 1.07 SCSI0 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 0 pcib0 at pci0 dev 2 function 2 ServerWorks HT-1000 LPC rev 0x00 ohci0 at pci0 dev 3 function 0 ServerWorks HT-1000 USB rev 0x01: irq 10, version 1.0, legacy support usb0 at ohci0: USB revision 1.0 uhub0 at usb0 uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered ohci1 at pci0 dev 3 function 1 ServerWorks HT-1000 USB rev
Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)
On Tue, Jul 04, 2006 at 04:14:51PM +0200, [EMAIL PROTECTED] wrote: Some days ago I read a question related to encrypting a partition. I just know that swap gets encrypted automatically. Wouldn't it be possible to also encrypt /tmp and /var/tmp automatically with the same mechanism which is used to encrypt the SWAP? No, but you can mount an encrypted svnd(4) device; some improvements have been made in -current (but these are, in this case, irrelevant). Somebody mentioned that encrypting /tmp would be needed too because many applications store their temp. data there (which is mostly correct). I didn't post that question to tech because misc@ is a better place but maybe a developer could answer my question. I thought about the statement that encrypting /tmp and /var/tmp is a good idea and I would agree, so are there any (technical?) reasons that can't be done even if a user does not use svnds? And btw: wouldn't it be better to use rm -P for /tmp/* (or even -P as default for rm?)? In all of these cases, the default is tuned for performance. This has a good reason - encrypted disks only work if they are not mounted, which, in practice, roughly equates to 'when the system is not running'. For servers, desktops, and pretty much anything but laptops, this means that anything likely to be able to get at your data does so while the encrypted device is mounted, i.e. while encrypted disks wouldn't help you anyway. Since in the majority of cases, OpenBSD is not used on a laptop but on a different type of machine, the defaults make sense - as defaults. In certain, specialized circumstances, customization is called for. Joachim
Re: DDOS attack
On 2006/07/04 16:25, Andreas Maus wrote: You can bind ssh to another port and/or you can play with a little scripting Oh please, not this thread again...
Re: DDOS attack
On 7/4/06, sonjaya [EMAIL PROTECTED] wrote: How to block ddos/Flooding/ssh brute attack with pf. This subject has been pretty much beaten to death. In the list archives, you will find a myriad of solutions people use for this problem. Please read the archives before posting (and flogging this dead horse again). Personally, I use the max-src-conn-rate variant and a set of tables for addresses that should always get unimpeded access (to prevent a DoS against myself). See pf.conf(5) for more information. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
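As an added example, not Rogier's own ruleset, the max-src-conn-rate approach he describes written as a pf.conf(5) fragment in 3.9-era syntax: a persistent table of always-trusted sources is passed quick before the rate-limited rule is ever consulted, and the overload table collects the sources that exceeded the rate. The interface name, the rate and the file path are assumptions.

```pf
# Added example, not Rogier's own pf.conf: one way to express what he
# describes. Interface, rate and the file path are assumptions.
ext_if = "fxp0"

# Sources that must always get through (management hosts); kept in a file
# so a ruleset reload never empties it.
table <ssh_trusted> persist file "/etc/pf.d/ssh_trusted"
# Filled by pf itself when a source exceeds the rate below.
table <ssh_bruteforce> persist

# Trusted sources match first and are never counted against the rate, so a
# burst of connections from an admin host cannot lock the admin out.
pass in quick on $ext_if proto tcp from <ssh_trusted> to any port ssh \
    flags S/SA keep state

# Sources already overloaded are dropped before any state is created.
block in quick on $ext_if proto tcp from <ssh_bruteforce> to any port ssh

# Everyone else: more than 3 new connections within 30 seconds from one
# source adds it to <ssh_bruteforce>; "flush global" also kills the states
# that source already holds under other rules, not just the ones created
# by this rule.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh_bruteforce> flush global)
```

Entries added by overload stay in the table until removed with pfctl, so a periodic cleanup of the table is still needed if you do not want a one-time offender blocked forever.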
Re: Why is SSH wierd?
On 7/4/06, Joachim Schipper [EMAIL PROTECTED] wrote: Since OpenSSH was developed on, for, and by the OpenBSD project, if anyone is doing it wrong, it's the rest of the world. ;-) This, in fact, does explain some of the differences. (Most of) the rest of the world uses portable OpenSSH, which has some added options (dealing with PAM, for instance), and possibly some different defaults. On 7/4/06, Darren Tucker [EMAIL PROTECTED] wrote: On Tue, Jul 04, 2006 at 03:12:11AM -0400, Nick Guenther wrote: Just looking through the manpages and I noticed that SSH-related things don't seem to fit in with the system. For example, there is ssh_config(5) instead of ssh.conf ssh_config and sshd_config predate OpenSSH. and sftp-server instead of sftpd. The trailing d usually denotes a daemon. sftp-server is not a daemon. Thank you both.
Re: openwebmail with chrooted apache
On Tue, Jul 04, 2006 at 10:44:05AM -0400, Nick Holland wrote: FTP wrote: ... bottom line, your suggestion is to stick with openwebmail (if I don't want to install IMAP) and run 'insecure' apache? Would that be a 'good' solution for a small e-mail server? MY suggestion..yes. Reasonable people may (and probably will) have differing opinions. Here's a better idea: why don't you grab a bunch of different solutions and try 'em out? Don't trust us, make your own decision. Keep the Big Picture in mind... Yes, it's the insecure use of apache, but this eliminates a bunch of other programs that would have to do the same thing, creating similar potential holes, anyway. Nick. Thanks for your reply. I didn't mean that I 'trust' you or someone else and I do agree that I have to try different solutions till I decide. I only wanted to see what kind of experience you and others collected up to now and the reasons when proposing something. That's all :-) Thanks for your valuable time George
more: NAT through encryption interface
Hi, all: I am configuring an IPsec tunnel like so:

local_internal_IP - alias_IP - remote_peer_IP - remote_internal_IP
local host | openBSD | Cisco PIX | remote internal host

alias_IP is a carp alias. It is one end of an IPsec security association. netstat -rn gives this (altered) output:

Encap:
Source                     Port  Destination                Port  Proto  SA(Address/Proto/Type/Direction)
remote_internal_subnet/23  0     alias_IP/32                0     0      remote_peer_IP/50/use/in
alias_IP/32                0     remote_internal_subnet/23  0     0      remote_peer_IP/50/require/out

The SA is coming up. I am natting over the alias_IP with this line:

nat on $enc_if from $local_internal_IP to any -> $alias_IP

(to pre-empt misunderstanding, I have also tried nat on $ext_if from $local_internal_IP to any -> $alias_IP) From the OpenBSD box, I can ping remote_internal_IP like so:

ping -I alias_IP remote_internal_IP

When pinging from the local host, however, pings time out. When I ping from the local host to $remote_internal_IP while running tcpdump on the OpenBSD box, I get this (altered) output:

# tcpdump -nvvv -i sis1 host $remote_internal_ip and icmp
tcpdump: listening on sis1, link-type EN10MB
09:00:27.092289 $local_internal_ip > $remote_internal_ip: icmp: echo request (id:0200 seq:15369) (ttl 128, id 14737, len 60)
09:00:32.572227 $local_internal_ip > $remote_internal_ip: icmp: echo request (id:0200 seq:15625) (ttl 128, id 14763, len 60)
09:00:38.072243 $local_internal_ip > $remote_internal_ip: icmp: echo request (id:0200 seq:15881) (ttl 128, id 14767, len 60)
09:00:43.572226 $local_internal_ip > $remote_internal_ip: icmp: echo request (id:0200 seq:16137) (ttl 128, id 14773, len 60)

It would appear that there is a problem with natting. What do I need to do to make this work? Thanks for your help, -Stephen-
Re: more: NAT through encryption interface
Stephen Bosch wrote: Hi, all: I am configuring an IPsec tunnel like so:

local_internal_IP - alias_IP - remote_peer_IP - remote_internal_IP
local host | openBSD | Cisco PIX | remote internal host

alias_IP is a carp alias. It is one end of an IPsec security association. netstat -rn gives this (altered) output:

Encap:
Source                     Port  Destination                Port  Proto  SA(Address/Proto/Type/Direction)
remote_internal_subnet/23  0     alias_IP/32                0     0      remote_peer_IP/50/use/in
alias_IP/32                0     remote_internal_subnet/23  0     0      remote_peer_IP/50/require/out

The SA is coming up. I am natting over the alias_IP with this line:

nat on $enc_if from $local_internal_IP to any -> $alias_IP

(to pre-empt misunderstanding, I have also tried nat on $ext_if from $local_internal_IP to any -> $alias_IP) From the OpenBSD box, I can ping remote_internal_IP like so:

ping -I alias_IP remote_internal_IP

When pinging from the local host, however, pings time out. It would appear that there is a problem with natting. The ping works even with all the NAT lines commented out, so it looks like the nat isn't doing anything at all... -Stephen-
Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)
I haven't tried under OpenBSD, but mounting /tmp as a ramdisk could prove viable. On 7/4/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Some days ago I read a question related to encrypting a partition. I just know that swap gets encrypted automatically. Wouldn't it be possible to also encrypt /tmp and /var/tmp automatically with the same mechanism which is used to encrypt the SWAP? Somebody mentioned that encrypting /tmp would be needed too because many applications store their temp. data there (which is mostly correct). I didn't post that question to tech because misc@ is a better place but maybe a developer could answer my question. I thought about the statement that encrypting /tmp and /var/tmp is a good idea and I would agree, so are there any (technical?) reasons that can't be done even if a user does not use svnds? And btw: wouldn't it be better to use rm -P for /tmp/* (or even -P as default for rm?)? Kind regards, Sebastian
Re: News From HiFn
Has anyone tried recently to connect to ftp.hifn.com ? I haven't been able to connect from multiple locations. -Pete On 6/29/06, J.C. Roberts [EMAIL PROTECTED] wrote: Howdy misc@ Though I stayed out of the last public fiasco regarding HiFn here on the misc@ list, I privately contacted the people I know at the company. I didn't reply just to Hank Cohen who posted here on misc@ but I also included the VP of engineering (Russ Dietz), the CEO (Chris Kebner) and the VP of marketing (Tom Moore). I just got a call this afternoon from Tom Moore to let me know they've set up an anon FTP site (no registration) with their documentation: ftp://ftp.hifn.com This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. I was told HiFn is still working on their new ftp site, so I'm not sure how complete it is at the moment but at least we know there's a start and they are willing to continue working on it. Please check out the readme on the FTP. Basically it says if you wish to automatically get the HiFn updates/errata/notifications, you should probably sign up for the HiFn extranet thing. You don't have to but you can if you want. Kind Regards, JCR -- Free, Open Source CAD, CAM and EDA Tools http://www.DesignTools.org
Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)
Hi! On Tue, Jul 04, 2006 at 11:44:22AM -0400, Peter Blair wrote: I haven't tried under OpenBSD, but mounting /tmp as a ramdisk could prove viable. It *is*. I've done so since a nearly uncountable number of years. Something like this in /etc/fstab helps. /dev/wd0b /tmp mfs rw,-m0,-s204800 0 0 Kind regards, Hannah.
Re: Upgrading questions
Rob Baldassano wrote: I have been running OpenBSD 3.6 since the day it came out, and am now in need up going to 3.9 The question is: What upgrade issues have folks run into? Very few, myself. I've got at least one machine running which started out with OpenBSD 3.1, and has been remotely upgraded to 3.9, and will be to 4.0 (unless I replace it for other reasons, and as it is a P1, there is a lot of merit to doing so) (and yes, the upgrade over the 3.3 - 3.4 ELF conversion was darned scary, but done without a trip to the box). I'm running it on a DELL desktop. you realize that doesn't help much, right? However, I've found few desktop Dell machines that have difficulty with OpenBSD, and can't think of any reason why a machine that ran 3.6 fine would do anything other than run 3.9 at least as well (and likely, better). BTW, some of the reasons I want to upgrade: ... you missed the important reasons. A biggie being that 3.6 is no longer supported by security patches. You do need to upgrade. Whether that means start over and reload from scratch, or follow the upgrade process, that's for you to decide, but you need to stop running 3.6 and start running 3.9. So... Any hints, pitfalls, suggestions that people have run into before? in general is it safe to do an Upgrade? a former co-worker says NO don't do that, never trust upgrades. I tend to disagree. On most systems, upgrades work Just Fine. On the other hand...you haven't upgraded this machine in three releases, so you have a bit of work to do (three separate upgrade processes). Some thoughts, mostly without conclusions: * If your disk layout is perfect, or at least sufficient, upgrade, don't reload. If the disk layout turned out to be wrong, good time to fix it with a reload, rather than upgrade. (warning: your /usr partition will grow by a huge amount for 3.9, 'specially if you have to build -stable from source on this machine). * New applications may need a new disk layout. 
On the other hand, you may not know what that disk layout should be until after you are testing. * Disk is cheap. Buying a new disk, install fresh and test on that. If things go right, you are done, if they go wrong, you can easily revert to your existing config until you figure out what went wrong. * Used computers that run OpenBSD well for many apps are also cheap...you could just swap out the whole machine...downtime measured in minutes, and a fully tested replacement at that (and very fast reversion if your testing sucks)... Granted, you mentioned Java...so this may not apply. * Look at why you have rejected the advice about keeping your machine up-to-date with a supported version of OpenBSD (recommended upgrades every six months, no less frequently than annually). Fix that. * If you have installed a lot of software without the packages mechanism, you may have stuff all over the place that you have no idea how to get rid of. * In your case, you will end up dumping all your installed packages due to the 3.6-3.7 compiler upgrade. Not that this is bad, your installed packages usually need to be updated more critically than the base system anyway, but something to be aware of. It does give you a chance to say, THIS is what I want on the system, and not that. As for your co-worker's advice about not doing upgrades, he's wrong. Of course, there is some risk of doing anything to a running system, but there is also a risk to doing nothing. You need to have the systems in place to contain the risk of doing the upgrades, so that when there is a security hole which turns out to be important, you can IMMEDIATELY and without issue implement a practiced and understood process, not a oh, sh*t, now what do we do?. The upgrade process must be part of your plans. Nick.
Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)
On 04/07/06, Hannah Schroeter [EMAIL PROTECTED] wrote: Hi! On Tue, Jul 04, 2006 at 11:44:22AM -0400, Peter Blair wrote: I haven't tried under OpenBSD, but mounting /tmp as a ramdisk could prove viable. It *is*. I've done so since a nearly uncountable number of years. Something like this in /etc/fstab helps. /dev/wd0b /tmp mfs rw,-m0,-s204800 0 0 and swap is encrypted by default [EMAIL PROTECTED] sysctl vm.swapencrypt.enable vm.swapencrypt.enable=1 [EMAIL PROTECTED] /Tony
Re: Upgrading questions
On 7/4/06, Rob Baldassano [EMAIL PROTECTED] wrote: a former co-worker says NO don't do that, never trust upgrades. I tend to disagree. Are they a windows user? -Nick
Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)
Hi! On Tue, Jul 04, 2006 at 05:30:51PM +0100, tony sarendal wrote: On 04/07/06, Hannah Schroeter [EMAIL PROTECTED] wrote: On Tue, Jul 04, 2006 at 11:44:22AM -0400, Peter Blair wrote: I haven't tried under OpenBSD, but mounting /tmp as a ramdisk could prove viable. It *is*. I've done so since a nearly uncountable number of years. Something like this in /etc/fstab helps. /dev/wd0b /tmp mfs rw,-m0,-s204800 0 0 and swap is encrypted by default [EMAIL PROTECTED] sysctl vm.swapencrypt.enable vm.swapencrypt.enable=1 [EMAIL PROTECTED] /Tony *nods* And I had it encrypted for some time before it got enabled by default, too. Kind regards, Hannah.
Re: News From HiFn
On Tue, Jul 04, 2006 at 12:16:45PM -0400, Nick Guenther wrote: On 7/4/06, Peter Blair [EMAIL PROTECTED] wrote: On 6/29/06, J.C. Roberts [EMAIL PROTECTED] wrote: I just got a call this afternoon from Tom Moore to let me know they've set up an anon FTP site (no registration) with their documentation: ftp://ftp.hifn.com This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. I was told HiFn is still working on their new ftp site, so I'm not sure how complete it is at the moment but at least we know there's a start and they are willing to continue working on it. Has anyone tried recently to connect to ftp.hifn.com ? I haven't been able to connect from multiple locations. Doesn't work here either. Curious... Looks like they're still working on it, as announced; it does not accept connections. Give them some time; this is not entirely unexpected behaviour from a server they just set up. Joachim
Error (setuid) starting openwebmail.pl
Hi, when I try to access: https://myserver/cgi-bin/openwebmail/openwebmail.pl I get the following: '/var/www/cgi-bin/openwebmail/openwebmail.pl' must setuid to root but my current permissions are: -rwsr-sr-x 1 root wheel 35830 Jun 26 13:05 openwebmail.pl I thought that the above are correct? Thanks George
Kernel Panic with 3.9-stable MP
This is the second time this server crashed since we switched to the MP kernel, about a month ago. I have found the following blue text in the console (it may contain some errors because I copied it by hand):

uvm_fault( 0xd05cc660, 0xec3de000, 0, 1 ) -> e
Fatal page fault in supervisor mode
trap type 6 code 0 eip d0350fd5 cs 8 eflags 10257 cr2 ec3de000 cpl 0
panic: trap type 6, code=0, pc=d0350fde
Starting stack trace...
panic(0, da33b004,ec298d8c, 0, da3db004) at panic+0x71
panic(d0544842, 6, 0, d0350fd5, d01034fd) at panic+0x71
trap() at trap+0x13e
--- Trap (number 6) ---
pmap_page_remove(d1ffdda8, c, 0, ee09ca80, da2a7750) at pmap_page_remove+0xd5
uvm_vnp_terminate(d9ad4f3c, 0, 0, 0, 0, 14, 0, da052e18) at uvm_vnp_terminate+0x31e
uvn_attach(d9ad4f3c, 0, b5, 0, d87a5724) at uvn_attach+0x2b5
uvm_unmap_detach(edd10b04, 0 d87a57c8, 1) at uvm_unmap_detach+0x62
uvmspace_free(d807a5724, 6, d0609720) at uvmspace_free+0xfd
uvm_exit(d9983b8c, 14, 8, 286) at uvm_exit+0x19
reaper(da3db004) at reaper+0x90
Bad frame pointer: 0xd0717ed8
End of stack trace.

Here is the dmesg:

OpenBSD 3.9-stable (GENERIC.MP) #0: Sun May 28 16:13:53 CEST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (AuthenticAMD 686-class, 1024KB L2 cache) 2.21 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3
real mem = 2146738176 (2096424K)
avail mem = 1952694272 (1906928K)
using 4278 buffers containing 107438080 bytes (104920K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 11/14/05, BIOS32 rev. 0 @ 0xf0010
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf57b0/224 (12 entries)
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xb000 0xcb000/0x5200!
mainbus0: Intel MP Specification (Version 1.1) (ASUSTeK Deluxe ) cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Powernow: TS FID VID TTP cpu0: apic clock running at 200 MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (AuthenticAMD 686-class, 1024KB L2 cache) 2.21 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3 mainbus0: bus 0 is type PCI mainbus0: bus 1 is type PCI mainbus0: bus 2 is type ISA ioapic0 at mainbus0: apid 2 pa 0xfec0, version 3, 24 pins pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 VIA K8HTB Host rev 0x00 pchb1 at pci0 dev 0 function 1 VIA K8HTB Host rev 0x00 pchb2 at pci0 dev 0 function 2 VIA K8HTB Host rev 0x00 pchb3 at pci0 dev 0 function 3 VIA K8HTB Host rev 0x00 pchb4 at pci0 dev 0 function 4 VIA K8HTB Host rev 0x00 pchb5 at pci0 dev 0 function 7 VIA K8HTB Host rev 0x00 ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Radeon VE QY rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) VIA VT6306 FireWire rev 0x80 at pci0 dev 7 function 0 not configured skc0 at pci0 dev 10 function 0 Marvell Yukon 88E8001/8003/8010 rev 0x13, Marvell Yukon Lite (0x9): apic 2 int 17 (irq 10) sk0 at skc0 port A, address 00:11:d8:98:9e:88 eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 
5 gdt0 at pci0 dev 13 function 0 Intel GDT RAID rev 0x00: apic 2 int 18 (irq 5) dpmem eff0 2-bus 1 cache device gdt0: ver 222, cache on, strategy 2, writeback on, blksz 32 gdt0: raw feat 1 cache feat 101 scsibus0 at gdt0: 35 targets sd0 at scsibus0 targ 0 lun 0: ICP, Host drive #00, SCSI2 0/direct fixed sd0: 69931MB, 69931 cyl, 64 head, 32 sec, 512 bytes/sec, 143219475 sec total scsibus1 at gdt0: 16 targets scsibus2 at gdt0: 16 targets pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA pciide0: using apic 2 int 20 (irq 10) for native-PCI interrupt pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide1 channel 0 drive 0 scsibus3 at atapiscsi0: 2 targets cd0 at scsibus3 targ 0 lun 0: HL-DT-ST, DVD-ROM GDR8163B, 0L23 SCSI0 5/cdrom removable cd0(pciide1:0:0): using PIO mode 4, DMA mode 2 pciide1: channel 1 disabled (no drives) uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: apic 2 int 21 (irq 11) usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: apic 2 int 21 (irq 11) usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: apic 2 int 21 (irq 10) usb2 at uhci2: USB revision 1.0 uhub2 at usb2
3.9 + ath....panic fixed in -current and can it run G band yet as well ?
I've been having the panic problem reported by others on stable and saw a post by Reyk that it's fixed in -current. That's awesome, thanks for the fix...but I also wanted to ask if there's work towards getting G band working in the ath driver, specifically the AR5212 chip. I'm running a Soekris 4521 w/miniPCI and would LOVE to run G band...which is why I bought this card ;) Should I shutup and upgrade to -current and/or will G band be supported (maybe 4.0) ? dmesg ath0 at pci0 dev 15 function 0 Atheros AR5212 rev 0x01: irq 11 ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:0b:6b:37:29:87 CVS commit by reyk File: [OpenBSD] / src / sys / dev / ic / ath.c (download) Revision 1.52, Fri Jun 23 21:53:01 2006 UTC (10 days, 19 hours ago) by reyk Branch: MAIN CVS Tags: HEAD Changes since 1.51: +4 -2 lines set the RSSI Max value in ath(4) and use the new RSSI radiotap header instead of the old db signal header. also allow tcpdump and hostapd to print the new RSSI radiotap header values current/max rssi. ok damien@ jsg@ Thanks in advance for any feedback ;) ~Allie
Re: Error (setuid) starting openwebmail.pl
On Tue, Jul 04, 2006 at 07:25:38PM +0200, FTP wrote: Hi, when I try to access: https://myserver/cgi-bin/openwebmail/openwebmail.pl I get the following: '/var/www/cgi-bin/openwebmail/openwebmail.pl' must setuid to root but my current permissions are: -rwsr-sr-x 1 root wheel 35830 Jun 26 13:05 openwebmail.pl I thought that the above are correct? George, take a look in your /etc/fstab, I'll bet you have nosuid set for your /var partition.
Re: Error (setuid) starting openwebmail.pl
On 7/4/06, FTP [EMAIL PROTECTED] wrote: but my current permissions are: -rwsr-sr-x 1 root wheel 35830 Jun 26 13:05 openwebmail.pl I thought that the above are correct? Have you checked that the partition your /var/www resides on is not mounted with the 'nosuid' setting? Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: Error (setuid) starting openwebmail.pl
FTP wrote:
> Hi, when I try to access: https://myserver/cgi-bin/openwebmail/openwebmail.pl I get the following:
> '/var/www/cgi-bin/openwebmail/openwebmail.pl' must setuid to root
> but my current permissions are:
> -rwsr-sr-x 1 root wheel 35830 Jun 26 13:05 openwebmail.pl
> I thought that the above are correct?

Look at the output of the mount command. I suspect your /var partition might look something like this:

/dev/sd0f on /var type ffs (local, nodev, nosuid, softdep)

nosuid is not your friend anymore. noexec isn't, either.

Nick.
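A quick way to check the three things the replies above point at, as an added example that is not part of the thread or of openwebmail: whether the file really carries the setuid bit, whether it is owned by root, and whether the filesystem it sits on is mounted nosuid (or noexec), in which case the kernel silently ignores the bit and the CGI runs as the web server user. The mount-flag constants os.ST_NOSUID and os.ST_NOEXEC are assumed to exist (they do on Linux; elsewhere the check is skipped), and the default path is the one from the error message.

```python
"""Diagnose why a setuid CGI such as openwebmail.pl would not gain root.

Added example, not code from the thread. It checks the file's mode bits,
its owner, and the mount flags of the filesystem it lives on.
"""
import os
import stat

# Mount-flag constants: present on Linux; the getattr fallback disables the
# corresponding check on platforms that do not expose them (assumption).
ST_NOSUID = getattr(os, "ST_NOSUID", 0)
ST_NOEXEC = getattr(os, "ST_NOEXEC", 0)


def diagnose(st_mode, st_uid, f_flag):
    """Return a list of reasons the setuid bit will not take effect.

    st_mode/st_uid come from os.stat(), f_flag from os.statvfs() of the
    same path. An empty list means "looks fine".
    """
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if not (st_mode & stat.S_ISUID):
        problems.append("setuid bit not set (chmod u+s)")
    if st_uid != 0:
        problems.append("owner is uid %d, not root; setuid would not give root" % st_uid)
    if ST_NOSUID and (f_flag & ST_NOSUID):
        problems.append("filesystem mounted nosuid: kernel ignores the setuid bit")
    if ST_NOEXEC and (f_flag & ST_NOEXEC):
        problems.append("filesystem mounted noexec: the CGI cannot be executed at all")
    return problems


def check_path(path):
    """Run diagnose() against a real path on this host."""
    st = os.stat(path)
    vfs = os.statvfs(path)
    return diagnose(st.st_mode, st.st_uid, vfs.f_flag)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/www/cgi-bin/openwebmail/openwebmail.pl"
    for line in check_path(target) or ["ok: setuid root should be honoured here"]:
        print("%s: %s" % (target, line))
```

Run it on the web server against the CGI's path; a file showing -rwsr-sr-x root wheel but living on a nosuid mount reports only the mount flag, which is exactly the case the replies describe.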
Re: Upgrading questions
Thank you everyone for the useful information. I think that this is actually the most I have ever received on any list when I have asked a (to me) fairly complex question. I have now been armed with insightful, and meaningful information that I can move forward with.

I'll be doing 2 things.

1. I have a second box (that is much older and therefore in my mind not a good choice to replace with), but I will install 3.6 there, and then run through the upgrade process on it, from 3.7 to 3.8 and finally 3.9
2. When step 1 completes, then I'll start the process on my main box.

That way I will know exactly what to expect.

Thanks again,
--Rob

- Eirik Goransson / Rob Baldassano
Member, Barony of Endless Hills; House Odlahorde; Viking
All around Good Egg ; VROC #5029 (Tigger)
come visit http://www.dracowolf.com
File Server Advice Required
Hello, I was wondering if I could pick the brains of more experienced individuals to provide me with a more suited solution. I am a total beginner at this so please bear with me.

I wish to set up a file server to sit on my network at home and provide all the files between a couple of PCs and laptops. I was thinking about a Via Nano-ITX single disk setup. OpenBSD has been recommended to me for a few reasons, one of which is its security. Security is important to me as I wish to login remotely sometime with my laptop when I am away from home.

What I need my server to do:

1. I need to be able to logon to any of my computers and all of the files relevant to the user be present and ready for action. (Would this mean having a machines / directory on the file server? I don't mind having no local files)
2. Strict login/user privileges. This will include disk quota control and file/folder access permissions.
3. Ultra secure remote login away from home on the laptop.
4. Support users from Windows, Linux (Mac would be a bonus but not that important right now)

The major problem that I am trying to overcome by having a file server is being able to keep track of files. As I work on different computers, I end up having duplicates of files everywhere, which then leads to not being able to keep track of which documents are the newest. A real nightmare as you can imagine.

So really I need your help in pointing me in the right direction. Maybe you have had experiences with a similar issue and can talk to me about the best way to set up this file server.

HDD encryption? Secure file transfer (Wired, WiFi or remote)?

Having the / on the file server. So all computers store all their files on their own user/disk quota on the file server. How would the above work if I wanted to use my laptop away from home without a net connection?

Filesystems: NFS? smbFS or what about sshFS (Secure shell filesystem)? Someone has suggested CODA or Intermezzo?

Someone has mentioned Rsync.

There is so much to think about as a newbie I am confused where to start. Please help. I know I am asking a lot of questions but any pointers are greatly received.

Thanks again

Take Care

G_N

--
View this message in context: http://www.nabble.com/File-Server-Advice-Required-tf1891201.html#a5171271
Sent from the openbsd user - misc forum at Nabble.com.
Re: more: NAT through encryption interface
On Tue, 4 Jul 2006, Stephen Bosch wrote:
> Stephen Bosch wrote:
> Hi, all:
>
> I am configuring an IPsec tunnel like so:
>
> local_internal_IP - alias_IP - remote_peer_IP - remote_internal_IP
> local host | openBSD | Cisco PIX | remote internal host
>
> alias_IP is a carp alias. It is one end of an IPsec security association.
>
> netstat -rn gives this (altered) output:
>
> Encap:
> Source                     Port  Destination                Port  Proto  SA(Address/Proto/Type/Direction)
> remote_internal_subnet/23  0     alias_IP/32                0     0      remote_peer_IP/50/use/in
> alias_IP/32                0     remote_internal_subnet/23  0     0      remote_peer_IP/50/require/out
>
> The SA is coming up. I am natting over the alias_IP with this line:
>
> nat on $enc_if from $local_internal_IP to any -> $alias_IP
>
> (to pre-empt misunderstanding, I have also tried
> nat on $ext_if from $local_internal_IP to any -> $alias_IP)
>
> From the OpenBSD box, I can ping remote_internal_IP like so:
>
> ping -I alias_IP remote_internal_IP
>
> When pinging from the local host, however, pings time out. It would appear that there is a problem with natting.
>
> The ping works even with all the NAT lines commented out, so it looks like the nat isn't doing anything at all...
>
> -Stephen-

I don't think what you want to do is currently possible. Here is your problem. Let's say you have these settings:

internal_host           10.0.0.5
internal_openbsd_nic    10.0.0.1
external_openbsd_nic    AAA.AAA.AAA.AAA
Remote_concentrator     BBB.BBB.BBB.BBB
Remote_internal_host    192.168.0.10

and they say they need you to look like you are coming from 192.168.0.5 (it happens frequently because of the other side's policy or poor planning). So you think no problem, you configure isakmpd and bring up an SA between

192.168.0.5 --- IPSEC_SA --- 192.168.0.10

You set up an IP alias on one of your NICs and assign it that address, then you think you can do NAT on your enc0. But you can't. Because here is what happens:

1. packet comes in from 10.0.0.5 -> 10.0.0.1 destined for 192.168.0.10
2. your box looks at it to see if it matches an existing flow in the Security Association Database (SADB). It does NOT. You have a flow between 192.168.0.5 and 192.168.0.10, NOT between 10.0.0.5 and 192.168.0.10. So at this point there is no further route to get to that destination and the packet is dropped. It never reaches your enc0 interface to actually get NAT'd because it FIRST has to match a flow.

In setting up about 30 IPsec tunnels on an OpenBSD box in the past 6 months I had this issue come up with about 4 of the remote peers. Typically it is one of two problems.

1. They have made a policy level decision somewhere and say they will only route traffic to public IPs or they want to assign you a public IP from their IP space. Typically this is because they don't want to deal with the issue of multiple remote networks sharing the same private IP space.
2. Your IP space conflicts with another existing IP space they are routing to across another tunnel so they need you to NAT and make it look like you are coming from somewhere else.

So here is what you can do:

1. Place another box in front of your box doing IPsec and NAT the traffic before it gets there based on its destination. I got my setup working fine this way. Cheap boxes are easy to come by for simply doing NAT.
2. Submit a patch which I'm sure a lot of people would be interested in that allows NAT to take place before SADB flow matching; perhaps a sysctl would be nice.

A lot of VPN administrators seem to think that you should have no problem NAT'ing this way because many of the current popular VPN concentrators allow you to do this all on one box. If you want to test any ideas or setups privately email me off the list and I'd be happy to help. Good luck!

man 4 ipsec:

     NAT can also be applied to enc# interfaces, but special care should be
     taken because of the interactions between NAT and the IPsec flow
     matching, especially on the packet output path.

     Inside the TCP/IP stack, packets go through the following stages:

          UL/R ---> [X] ---> PF/NAT(enc0) ---> IPsec ---> PF/NAT(IF) ---> IF
          UL/R <----------- PF/NAT(enc0) <--- IPsec <--- PF/NAT(IF) <--- IF

     With IF being the real interface and UL/R the Upper Layer or Routing
     code. The [X] stage on the output path represents the point where the
     packet is matched against the IPsec flow database (SPD) to determine if
     and how the packet has to be IPsec-processed. If, at this point, it is
     determined that the packet should be IPsec-processed, it is processed by
     the PF/NAT code. Unless PF drops the packet, it will then be
     IPsec-processed, even if the packet has been modified by NAT.

-Matt-
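To make the ordering in that ipsec(4) excerpt concrete, here is an added example (not code from the thread or from OpenBSD) that models the output path for the addresses in Matt's scenario: the flow lookup at [X] runs on the packet's original source address, so a nat rule on enc0 never gets a chance to rewrite 10.0.0.5, whereas a NAT box in front of the IPsec host rewrites the source before the lookup and the packet then matches the flow. The flow table, the NAT rules and the peer name BBB.BBB.BBB.BBB are constructed for the demonstration.

```python
"""Model of the ipsec(4) output-path ordering:

    UL/R ---> [X] ---> PF/NAT(enc0) ---> IPsec ---> PF/NAT(IF) ---> IF

Added example, not OpenBSD kernel code. Only the pieces that matter for
the thread are modelled: the SPD lookup at [X] and the two places NAT can
happen (on enc0 after [X], or on a separate box before the IPsec host).
"""
import ipaddress


class Flow:
    """One SPD entry: traffic src -> dst is to be ESP-encapsulated to peer."""

    def __init__(self, src, dst, peer):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.peer = peer

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def spd_lookup(flows, src, dst):
    """Stage [X]: return the flow the packet would use, or None."""
    for flow in flows:
        if flow.matches(src, dst):
            return flow
    return None


def apply_nat(rules, src, dst):
    """PF source NAT: rules are (match_src_net, match_dst_net, new_src)."""
    for net_s, net_d, new_src in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(net_s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(net_d)):
            return new_src
    return src


def output_path(src, dst, flows, enc0_nat=(), pre_nat=()):
    """Walk one packet through the stages and describe what happens to it.

    pre_nat models the workaround from the thread: a box in front of the
    IPsec host that rewrites the source before the packet ever reaches [X].
    """
    src = apply_nat(pre_nat, src, dst)        # separate NAT box, if any
    flow = spd_lookup(flows, src, dst)        # [X]: lookup on original src
    if flow is None:
        return "no flow for %s -> %s: sent in the clear (or dropped)" % (src, dst)
    src = apply_nat(enc0_nat, src, dst)       # PF/NAT(enc0), only after [X]
    return "esp %s -> %s via %s" % (src, dst, flow.peer)


# Constructed scenario using Matt's addresses.
FLOWS = [Flow("192.168.0.5/32", "192.168.0.10/32", "BBB.BBB.BBB.BBB")]
ENC0_NAT = [("10.0.0.0/24", "192.168.0.0/24", "192.168.0.5")]    # nat on enc0
FRONT_NAT = [("10.0.0.5/32", "192.168.0.0/24", "192.168.0.5")]   # box in front


if __name__ == "__main__":
    # The alias address matches the flow directly (ping -I alias_IP ...).
    print(output_path("192.168.0.5", "192.168.0.10", FLOWS))
    # nat on enc0 is too late: [X] finds no flow for 10.0.0.5.
    print(output_path("10.0.0.5", "192.168.0.10", FLOWS, enc0_nat=ENC0_NAT))
    # NAT before the IPsec host makes the source match the flow.
    print(output_path("10.0.0.5", "192.168.0.10", FLOWS, pre_nat=FRONT_NAT))
```

The enc0 NAT stage is not useless in general (it runs on packets that already matched a flow, which is what the man page warns about), it just cannot make a packet match a flow it did not match on entry.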
Re: File Server Advice Required
On Tue, Jul 04, 2006 at 11:07:37AM -0700, Ginja_Ninja wrote:
> Hello, I was wondering if I could pick the brains of more experienced individuals to provide me with a more suited solution. I am a total beginner at this so please bear with me.
>
> I wish to set up a file server to sit on my network at home and provide all the files between a couple of PCs and laptops. I was thinking about a Via Nano-ITX single disk setup. OpenBSD has been recommended to me for a few reasons, one of which is its security. Security is important to me as I wish to login remotely sometime with my laptop when I am away from home.

That does not follow; in this case, using a secure protocol between laptop and fileserver is important, and securing the laptop well is even more so. The fileserver is very unlikely to be the weakest link there.

> What I need my server to do:
>
> 1. I need to be able to logon to any of my computers and all of the files relevant to the user be present and ready for action. (Would this mean having a machines / directory on the file server? I don't mind having no local files)

No, sharing /home or /home/g_n is more likely to do what you want.

> 2. Strict login/user privileges. This will include disk quota control and file/folder access permissions.

All filesystems I know of have this in one form or another.

> 3. Ultra secure remote login away from home on the laptop.

Run it over IPsec, or OpenVPN if you want to be able to pass broken firewalls. (Note - setting up IPsec on OpenBSD is very easy, especially on -current; but setting up IPsec on Windows is, while not impossible, less trivial.)

> 4. Support users from Windows, Linux (Mac would be a bonus but not that important right now)

Both Windows and Linux speak both SMB and NFS, so you're in luck here. I imagine the Mac might speak SMB, though I am not sure, and am quite certain it does speak NFS.

> The major problem that I am trying to overcome by having a file server is being able to keep track of files. As I work on different computers, I end up having duplicates of files everywhere, which then leads to not being able to keep track of which documents are the newest. A real nightmare as you can imagine.
>
> So really I need your help in pointing me in the right direction. Maybe you have had experiences with a similar issue and can talk to me about the best way to set up this file server.
>
> HDD encryption? Secure file transfer (Wired, WiFi or remote)?

HDD encryption is useless on a box which will always be on; encrypt the laptop's hard disk, if you want to encrypt something that actually makes sense to encrypt. (Again, -current has advancements here.)

Secure file transfer is most easily implemented as NFS or SMB (CIFS, whatever - use SAMBA) over IPsec. Note that NFS has plenty of problems; as much as it pains me to say so, if SAMBA wasn't as likely to have yet another security hole as it is, I'd recommend SMB over NFS (right now, do whatever is most convenient - which most likely means SMB).

> Having the / on the file server. So all computers store all their files on their own user/disk quota on the file server.

That does not work (easily), at least for Windows - you can share data freely, though. Netbooting a set of *NIX machines from a file server works well, but is somewhat more complicated than what you seem to intend. Do you want to share data, or the whole system?

> How would the above work if I wanted to use my laptop away from home without a net connection?

Not at all, you'd not have any file available. One possible solution is using a synchronization program. I use unison on my own laptop, and it works very well - but it will at least be quite a bit slower on Windows.

> Filesystems: NFS? smbFS or what about sshFS (Secure shell filesystem)? Someone has suggested CODA or Intermezzo?

sshFS is implemented in terms of the userland filesystem, which is a Linux-only feature; Coda and Intermezzo aren't supported, either, but Intermezzo is an offshoot of Coda which is an offshoot of AFS, which is supported - OpenBSD can be a client, or, in -current, a server using OpenAFS. Note, though, that while AFS is considerably more stable than Coda or Intermezzo (which never made it past the research stage, it seems), it does not support disconnected operation (well).

Another interesting option seems to be Lustre www.lustre.org, which is what Intermezzo evolved into. It's very much Linux-only at the moment, though. For a simple system, though, NFS or SMB is the way to go.

> Someone has mentioned Rsync.
>
> There is so much to think about as a newbie I am confused where to start. Please help. I know I am asking a lot of questions but any pointers are greatly received.

The above is full of pointers, but here's what I would do:

1. Setup SAMBA. This is not trivial, there are quite a few rules. Be aware that anyone on the LAN has effectively unlimited access through sniffing passwords from the wire and so on.
2. Setup unison on the
Re: File Server Advice Required
Thank you sooo much for your reply. Its just the kind of thinking i am looking for. Some very valid and well constructed thoughts there. Its late here so i will read and analyse your post fully in the morning. I have a feeling that i will end up picking your brain further. Thank you for your time, its really appreciated. Until tomorrow then. Night Take Care G_N -- View this message in context: http://www.nabble.com/File-Server-Advice-Required-tf1891201.html#a5172343 Sent from the openbsd user - misc forum at Nabble.com.
Virus Warning!
BitDefender for Linux Mail Servers found an infected object in a message that was sent from your address Real receiver: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Mail System Error - Returned Mail Virus: [EMAIL PROTECTED] http://www.bitdefender.com/vfind/[EMAIL PROTECTED] Object: /opt/BitDefender/var/tmp/bdnp.milter.nztFXA=[Subject: Mail System Error - Returned Mail][Date: Tue, 4 Jul 2006 18:17:12 +0200]=(MIME part)=instruction.zip=instruction.scr Status: Infected Action: Dropped For more information about BitDefender for Linux Mail Servers please visit http://linux.bitdefender.com/ -- This message was scanned for spam and viruses by BitDefender. For more information please visit http://linux.bitdefender.com/
ftp-proxy suddenly exits (3.9-GENERIC, release)
Hi all,

I have a problem with ftp-proxy on a OpenBSD 3.9-GENERIC (release) gateway - sometimes it suddenly dies for no apparent reason. I have enabled the highest debug level but the log tells me nothing. Any help is appreciated.

ftp-proxy is started through rc.conf:

ftpproxy_flags="-a external-ip -t 7200 -D 7"

In pf.conf it is used like this:

[...]
# 6. TRANSLATION
[...]
# 6.x FTP THROUGH FTP-PROXY
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $internal_if proto tcp from any to ! lans port 21 -> \
    127.0.0.1 port 8021
[...]
# 7. PACKET FILTERING
[...]
# 7.y FTP-PROXY ANCHOR
anchor "ftp-proxy/*"

I have attached:

- ftp-proxy-fix: Small, stupid script that is run from cron to restart ftp-proxy when it has died.
- ftp-proxy-fix-mail: A mail sent by the ftp-proxy-fix script when it was run on the 4th of July at 17:05:01 +0200 (CEST) (due to ftp-proxy not running).
- messages: Excerpt from the syslog around that time.
- dmesg: Just a plain dmesg from last boot.

I haven't been doing any kernel fiddling or system upgrading yet. It is a fresh install from a 3.9 cd set.

-Martin

ftp-proxy-fix-mail:

Date: Tue, 4 Jul 2006 17:05:01 +0200 (CEST)
From: Charlie Root [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ftp-proxy-fix

This is the /root/ftp-proxy-fix script at gw.domain-x.

ftp-proxy does NOT run at the moment! Since I am your friend, I will start it for you now.

Have a nice day.

ftp-proxy-fix:

#!/bin/ksh
# Restart ftp-proxy if it is no longer running; run from cron.
PS_OUTPUT=`ps ax | grep '/usr/sbin/ftp-proxy' | grep -v grep`
# -z tests for an empty string; the bare "$PS_OUTPUT =" test breaks on
# the multi-word ps output when the proxy is running.
if [ -z "$PS_OUTPUT" ]; then
	echo -e 'This is the /root/ftp-proxy-fix script at gw.obelnet.dk.\n\n' \
	    'ftp-proxy does NOT run at the moment! Since I am your friend, I will\n' \
	    'start it for you now.\n\nHave a nice day.' | mail -s 'ftp-proxy-fix' \
	    [EMAIL PROTECTED]
	/usr/sbin/ftp-proxy -a 130.225.243.84 -t 7200 -D 7
fi

messages:

Jul 4 16:31:48 gw ftp-proxy[14182]: #14688 client command too long or not clean
Jul 4 16:32:32 gw ftp-proxy[14182]: #14689 client command too long or not clean
Jul 4 16:33:15 gw ftp-proxy[14182]: #14690 client command too long or not clean
Jul 4 16:40:47 gw ftp-proxy[14182]: #14691 server timeout
Jul 4 16:41:18 gw ftp-proxy[14182]: #14692 server timeout
Jul 4 16:41:48 gw ftp-proxy[14182]: #14693 server timeout
Jul 4 16:42:18 gw ftp-proxy[14182]: #14695 server timeout
Jul 4 16:42:48 gw ftp-proxy[14182]: #14696 server timeout
Jul 4 17:05:01 gw ftp-proxy: using 130.225.243.84 to connect to servers
Jul 4 17:05:01 gw ftp-proxy[8287]: listening on 127.0.0.1 port 8021
Jul 4 17:10:11 gw ftp-proxy[8287]: #1 client command too long or not clean
Jul 4 17:12:07 gw ftp-proxy[8287]: #2 client command too long or not clean

dmesg:

OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,CNXT-ID
real mem = 1072996352 (1047848K)
avail mem = 972369920 (949580K)
using 4278 buffers containing 53751808 bytes (52492K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 10/01/04, BIOS32 rev. 0 @ 0xf0010
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5de0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G/PE/P CPU-I/0-1 rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82865G/PE/P CPU-AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon VE QY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 3
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 10
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 11
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root
Re: ftp-proxy suddenly exits (3.9-GENERIC, release)
Martin Toft wrote:
> #!/bin/ksh
> PS_OUTPUT=`ps ax | grep '/usr/sbin/ftp-proxy' | grep -v grep`
> if [ -z "$PS_OUTPUT" ]; then
>     echo -e 'This is the /root/ftp-proxy-fix script at gw.obelnet.dk.\n\n' \
>         'ftp-proxy does NOT run at the moment! Since I am your friend, I will\n' \
>         'start it for you now.\n\nHave a nice day.' | mail -s 'ftp-proxy-fix' \
>         [EMAIL PROTECTED]
>     /usr/sbin/ftp-proxy -a 130.225.243.84 -t 7200 -D 7
> fi

Heh, I _do_ realize that I didn't succeed in hiding all the details :-) Guess I'm tired...

-Martin
X not found
I have been getting the following error, and wasn't sure if I have to totally install X or can I just install a minimal lib set to get the error to stop; at this time I do not have any parts of X installed.

# make
=== qemu-0.8.0p3 uses X11, but /usr/X11R6 not found.

Thanks
--
-Lawrence
Re: Preventing password reuse
On Tuesday 04 July 2006 08:45, Joachim Schipper wrote:
> On Mon, Jul 03, 2006 at 09:22:59PM -0700, Jeff Simmons wrote:
>> Well, just to play the devil's advocate here ...
>>
>> One of the main functions of any password hygiene program 'should' be to prevent users from changing 'mypassword1' to 'mypassword2' and then 'mypassword3', etc. (Yes, we can force complex passwords, but the idea is the same.) It's fairly simple to compare 'newpassword' to 'existingpassword' and prevent this sort of behavior (I THINK that's what the -s option to passwdqc is for, but the man page is kind of ambiguous and I haven't had time to dive into the source yet - pam_passwdqc does it) but then the user can just do 'mypassword1', 'mydogsname1', 'mypassword2', 'mydogsname2', etc. and totally invalidate your carefully designed security policy. And hashes aren't gonna help.
>>
>> Don't get me wrong, I'm not knocking the idea completely. My assignment here is that I've been told that in order to get my client certified I have to avoid reuse of a password over a cycle of 4 90 day forced changes. My JOB is to assure that doing this doesn't open my client up to a whole new string of vulnerabilities. Mr. Rock, meet Mr. Hard Place.
>
> In conclusion the main thing we did wrong ... was to worry about criminals being clever; we should rather have worried about our customers ... being stupid.
> Ross Anderson, Security Engineering
>
> This suggests a rather fascist, and thus very effective approach: deny the users the right to create their own passwords, but institute some scheme that produces strong, but hopefully memorizable passwords.
> [snip]

Oh Gods. If you do that with normal people, they will put those passwords on PostIts and leave them in safe places like monitors. MOST people have real real REAL problems remembering all but some very few passwords. People hate passwords, and even in secure institutions (like military environs) they circumvent them. Forcing a password on people results in a secure password, but in unsecure storage methods. We computer folks are weird in that we remember many of them.

--STeve Andre'
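What the "no reuse over a cycle of 4" requirement Jeff describes looks like in code, as an added example that is not from the thread, from passwdqc or from OpenBSD's passwd(1): at change time the user has just typed the current password, so the candidate can be compared to it in plaintext (which is what catches mypassword1 -> mypassword2), while reuse of an earlier password is caught by hashing the candidate against a stored history of salted PBKDF2 digests, one salt per entry. The "based on the current password" rule used here (a shared substring at least half the length of the shorter password, minimum four characters) is my own simple choice, not passwdqc's algorithm, and as Jeff points out no such rule stops mypassword1 -> mydogsname1; the work factor and the sample passwords are constructed for the demonstration.

```python
"""Password-change policy: reject reuse of the last HISTORY_DEPTH passwords
and trivial edits of the current one.

Added example; not code from the thread, passwdqc or OpenBSD.
"""
import hashlib
import hmac
import os

HISTORY_DEPTH = 4          # current password plus the three before it
PBKDF2_ROUNDS = 100_000    # constructed work factor for the example


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt per history entry."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if password hashes to any remembered (salt, digest) entry."""
    hit = False
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        # constant-time compare, and keep going so timing does not reveal
        # which entry matched
        hit |= hmac.compare_digest(candidate, digest)
    return hit


def longest_common_substring(a, b):
    """Length of the longest run of characters shared by a and b."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def based_on_old(new, old):
    """Catch mypassword1 -> mypassword2 style edits, case-insensitively."""
    threshold = max(4, min(len(new), len(old)) // 2)
    return longest_common_substring(new.lower(), old.lower()) >= threshold


def change_password(current, new, history):
    """Apply the policy. Returns (accepted, reason, updated_history).

    history holds (salt, digest) for the current password and up to
    HISTORY_DEPTH - 1 earlier ones, oldest first.
    """
    if based_on_old(new, current):
        return False, "new password is based on the current one", history
    if in_history(new, history):
        return False, "password was used within the last %d changes" % HISTORY_DEPTH, history
    updated = (history + [hash_password(new)])[-HISTORY_DEPTH:]
    return True, "accepted", updated


if __name__ == "__main__":
    hist = [hash_password("mypassword1")]
    for cur, cand in [("mypassword1", "mypassword2"),
                      ("mypassword1", "mydogsname1"),
                      ("mydogsname1", "mypassword1")]:
        ok, why, hist = change_password(cur, cand, hist)
        print("%-12s -> %-12s %s (%s)" % (cur, cand, "OK" if ok else "REJECTED", why))
```

Only digests and salts are stored, so the history leaks nothing a compromised shadow file would not already leak; the price is that every change costs one PBKDF2 run per remembered entry, which is why the depth should stay small.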
Re: X not found
If you have no parts of X installed, then how do you expect to link against it? If you plan to use your OpenBSD machine as a headless X client, then you'll need to install the requisite libs. You'll save yourself a lot of time and headache if you just install the X set.

On 7/4/06, Lawrence Horvath [EMAIL PROTECTED] wrote:
> I have been getting the following error, and wasn't sure if I have to totally install X or can I just install a minimal lib set to get the error to stop; at this time I do not have any parts of X installed.
>
> # make
> === qemu-0.8.0p3 uses X11, but /usr/X11R6 not found.
>
> Thanks
> --
> -Lawrence
Re: MD5
>> 1. No, but you can certainly find the numerous citations on why it is a weak hash.
>
> I know why it is a weak hash, I was not implying it was strong but it is still useful for many applications that still rely on it, for some protocols that use mixed hashes [md5/sha, ...]. Not to mention that a use coupled with salting for the master.passwd database isn't weak in my opinion.

I think I missed the initial post as I thought the issue was tracking previously used passwords and someone had indicated that you were actually storing the passwords. Since it appeared to me they did not understand that hashes were involved I started down this path. I really was not trying to debate the strength of hashes in the passwd mechanism. Sorry to get this off topic so far.

>> 2. No, as you are not a customer, we do not have custody of the machine, and I have no desire to play games or to potentially provide you access to a machine that is not yours.
>
> haha, that was a good one :) I *really* hoped you would paste a collision and prove me wrong ... And yeah I *do* know it is possible but I was trying to make sure it wasn't just yet another crypto expert talking ...

No, just someone that does a lot of work with hashes. Mere mortals do not do crypto -- we just use it. The reason I had said anything is that when I do forensic work I used to just do MD5s of files, but it has gotten called to task in court so we now use both MD5 and SHA1 hashes as it is NP-complete to find a collision in both of them for the same file.

>> I never said it should not have MD5, although if you follow the logic that removed telnet (as it should have been) then it should be scheduled at sometime in the near future for removal.
>
> read 1-, there is a difference between pro-active advocacy of new protocols to deprecate old ones, and removal of a key feature upon which many tools and protocols are still relying.

You have a valid point and again as I have gotten off topic I am going to tap out.

CU

Chet Uber
President and Principal Scientist
SecurityPosture, Inc.
3718 N 113th Plaza, Omaha, NE 68164
vox +1 (402) 505-9684 | fax +1 (402) 932-2130 | cell (402) 813-3211
[EMAIL PROTECTED] | www.securityposture.com

'It is vain to do with more what can be done with fewer'

-- This communication is confidential to the parties it was intended to serve --
Re: OT: large, wireframe Puffy stickers
Thanks everyone, that is exactly what I was looking for!!!
Re: kernel settings for pf default block
Hello Matthew,

block all in pf.conf is ok, but it will go away when the rules are flushed for known/unknown reasons. I feel it is desirable to have a kernel parameter that does default blocking when all rules are flushed.

murthy

Matthew R. Dempsky wrote:
> On Mon, Jul 03, 2006 at 05:30:21PM -0700, c.s.r.c.murthy wrote:
>> This seems to be a widely discussed problem in openbsd pf. There is no kernel parameter that makes the pf block all packets by default.
>
> Is something wrong with just putting ``block all'' in pf.conf?
Re: kernel settings for pf default block
On Thursday 06 July 2006 01:35, c.s.r.c.murthy wrote: I feel it is desirable to have a kernel parameter that does default blocking when all rules are flushed. The developers think otherwise: http://www.benzedrine.cx/pf/msg07442.html --- Lars Hansson