Re: Can't install using pkg_add from FTP mirror and from Local Mirror
On Wed, Jul 09, 2008 at 07:45:01PM -0700, my mail wrote:
> --- On Wed, 7/9/08, Jacob Meuser [EMAIL PROTECTED] wrote:
> > From: Jacob Meuser [EMAIL PROTECTED]
> > Subject: Re: Can't install using pkg_add from FTP mirror and from Local Mirror
> > To: misc@openbsd.org
> > Date: Wednesday, July 9, 2008, 8:27 AM
> >
> > On Wed, Jul 09, 2008 at 01:04:38AM -0700, my mail wrote:
> > > I have success install OpenBSD 4.3, but when i want install packages using pkg_add, why i can't install it?
> > > first i try from local ssh server from my LAN
> > > ---
> > > # export PKG_PATH=scp://[EMAIL PROTECTED]/OpenBSD4.3/i386/
> > > # pkg_add gdm
> > > [EMAIL PROTECTED]'s password:
> > > Can't install glib2-2.14.5: lib not found iconv.4.0
> > > Dependencies for glib2-2.14.5 resolve to: libiconv-1.12, pcre-7.6, gettext-0.17
> > > Full dependency tree is libiconv-1.12,pcre-7.6,gettext-0.17
> > > iconv.4.0: partial match in /usr/local/lib: major=5, minor=0 (bad major)
> >
> > you have libiconv.so.5.0 installed, but you are trying to install something that wants libiconv.so.4.0. libiconv.so.5.0 is from -current (since May 28, 2008), but you appear to be pointing at a 4.3-release package repository, and you said you installed 4.3. looks like you are experiencing confusion with -release and snapshots.
> >
> > http://www.openbsd.org/faq/faq5.html#Flavors
>
> thanks for your reply, but i have download OpenBSD 4.3 from this address ftp://ftp.jaist.ac.jp/pub/OpenBSD/4.3/ and all packages i download from this ftp://ftp.jaist.ac.jp/pub/OpenBSD/4.3/packages/ so all of this i install OpenBSD release not snapshots. why in my system have libiconv.so.5.0 because i never install it? it's possible this happen because i install bash from ports? after install openbsd, then i install bash from ports then i try to install gdm from packages i have download.

my guess is you checked out or updated your ports tree incorrectly. you want 4.3 ports to match your 4.3 base, so you need to use the -rOPENBSD_4_3 tag with the cvs command. otherwise, you will get a -current ports tree, and you will have problems.

http://www.openbsd.org/anoncvs.html

thanks

--
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org
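An added example (not code from the thread) of the rule behind the "lib not found" / "partial match ... (bad major)" output above: an installed lib<name>.so.<major>.<minor> satisfies a requirement only when the major matches exactly and the minor is at least the one required. The directory listing and the spec names are constructed to mirror the thread.

```python
import re
from typing import Dict, List, Tuple

# lib<name>.so.<major>.<minor> as found on disk; "<name>.<major>.<minor>" as pkg_add prints it.
LIB_FILE_RE = re.compile(r"^lib(?P<name>.+?)\.so\.(?P<major>\d+)\.(?P<minor>\d+)$")
LIB_SPEC_RE = re.compile(r"^(?P<name>.+?)\.(?P<major>\d+)\.(?P<minor>\d+)$")

Versions = Dict[str, List[Tuple[int, int]]]


def index_installed(filenames: List[str]) -> Versions:
    """Map a library name to every (major, minor) version present in a directory listing."""
    found: Versions = {}
    for fn in filenames:
        m = LIB_FILE_RE.match(fn)
        if m:
            found.setdefault(m["name"], []).append((int(m["major"]), int(m["minor"])))
    return found


def check_libspec(spec: str, installed: Versions, libdir: str = "/usr/local/lib") -> str:
    """Return "ok" or a pkg_add-style diagnostic for one required lib spec such as "iconv.4.0"."""
    m = LIB_SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad lib spec: {spec!r}")
    name, major, minor = m["name"], int(m["major"]), int(m["minor"])
    versions = installed.get(name, [])
    if not versions:
        return f"lib not found {spec}"
    # Compatible: same major (the ABI) and a minor at least as new as the one required.
    if any(maj == major and mnr >= minor for maj, mnr in versions):
        return "ok"
    # Otherwise report the newest candidate; a differing major is the fatal "bad major" case
    # seen in the thread (a -current libiconv under a 4.3-release package).
    best_major, best_minor = max(versions)
    reason = "bad major" if best_major != major else "bad minor"
    return f"{spec}: partial match in {libdir}: major={best_major}, minor={best_minor} ({reason})"


def check_package(required: List[str], installed: Versions) -> List[str]:
    """Diagnose every lib a package needs; an empty list means all of them are satisfied."""
    return [r for r in (check_libspec(s, installed) for s in required) if r != "ok"]


# Constructed /usr/local/lib contents: -current libiconv next to 4.3-era libs.
SAMPLE_LIBDIR = ["libiconv.so.5.0", "libpcre.so.1.1", "libintl.so.4.0", "libgettextpo.so.1.0"]

if __name__ == "__main__":
    for line in check_package(["iconv.4.0", "pcre.1.0", "intl.4.0"], index_installed(SAMPLE_LIBDIR)):
        print(line)
```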
Re: how to undelete?
If I'm not mistaken, openbsd zeroes the data when you delete a file. I remember trying to recover a file and then receiving a 0Kb file =) If you still want to try, you could try using the sleuth kit (available in ports) to recover something.
Re: why pf log output to /var/log/messages /dev/console ?
Thank you, it's OK now!

2008/7/10 Daniel Melameth [EMAIL PROTECTED]:
> On Wed, Jul 9, 2008 at 6:48 PM, Dongsheng Song [EMAIL PROTECTED] wrote:
> > I searched /etc/syslog.conf, but can't find how to disable it.
> >
> > Jul 10 08:40:04 proxy /bsd: pf: loose state match: TCP in wire: 192.168.4.132:3833 58.253.67.248:80 stack: - [lo=3472355129 high=3472419308 win=65535 modulator=0] [lo=3167937694 high=3168002906 win=64857 modulator=0] 10:10 R seq=3472355129 (3472354451) ack=3167937694 len=0 ackskew=0 pkts=5:3 dir=in,fwd
> > Jul 10 08:43:37 proxy /bsd: pf: wire key attach failed on all: TCP out wire: 219.149.124.163:80 210.21.12.116:50157 [lo=1492402397 high=1492402399 win=14600 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0
> > Jul 10 08:43:37 proxy /bsd: pf: OK ICMP 3:1 192.168.1.2 - 192.168.2.51 state: TCP in wire: 192.168.2.51:2230 219.149.124.163:80 stack: - [lo=1492402397 high=1492402399 win=14600 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 seq=1492402397
>
> Appears you turned pf debugging on--try 'pfctl -x none' to shut it off.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
looks like there is some work in progress to update the in-tree BIND to 9.4.2-P1 + local tweaking, for example:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch.c?r1=1.8

As Theo points out, patience is a virtue, and it's the "+ local tweaking" above that is the reason I gratefully use OpenBSD.

/Pete

On 9 Jul 2008, at 16:45, Zamri Besar wrote:
> Good morning,
>
> Today, I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning.
> http://www.kb.cert.org/vuls/id/800113
>
> I checked the above site, and found that most of the *BSD status are unknown. Does this bug affect OpenBSD's default bind dns?
>
> I don't know whether the above bug is similar to this thread or not.
> http://marc.info/?l=openbsd-misc&m=118539211412877&w=2
>
> --
> Thank you.
> Yours truly,
> Zamri Besar
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Pete Vickers [EMAIL PROTECTED] writes:
> looks like there is some work in progress to update the in-tree BIND to 9.4.2-P1 + local tweaking, for example:

reading tea leaves^H^H^H^H^H^H^H^H^H^Hsource-changes has me thinking the BIND bug has spurred some activity in other parts of the tree, too (as in, bugs are never unique, in OpenBSD we look for patterns or whole classes of bugs and fix them).

> As Theo points out, patience is a virtue, and it's the "+ local tweaking" above that is the reason I gratefully use OpenBSD.

AOL!

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Can't install using pkg_add from FTP mirror and from Local Mirror
--- On Thu, 7/10/08, Jacob Meuser [EMAIL PROTECTED] wrote:
> From: Jacob Meuser [EMAIL PROTECTED]
> Subject: Re: Can't install using pkg_add from FTP mirror and from Local Mirror
> To: misc@openbsd.org
> Date: Thursday, July 10, 2008, 6:24 AM
>
> On Wed, Jul 09, 2008 at 07:45:01PM -0700, my mail wrote:
> > --- On Wed, 7/9/08, Jacob Meuser [EMAIL PROTECTED] wrote:
>
> my guess is you checked out or updated your ports tree incorrectly. you want 4.3 ports to match your 4.3 base, so you need to use the -rOPENBSD_4_3 tag with the cvs command. otherwise, you will get a -current ports tree, and you will have problems.
>
> http://www.openbsd.org/anoncvs.html

thank you all (Jacob Meuser, Markus Lude, Louis V. Lambrecht, James Hartley) for your help

i have reinstall my openbsd 4.3 and then use this -rOPENBSD_4_3 for update ports, and now i have been able to install from packages and ports. it's my faults because i remember, i have update ports without -rOPENBSD_4_3 tags.

i little bit confused about release and stable, if i download ISO from OpenBSD/4.3 ftp, then this is a release, then if i want using -stable, i must using -rOPENBSD_4_3 tags for update ports, xenocara, src, and i been able using packages for 4.3 release. but what if i want using current tag, after i update ports, what packages i must using? because when i using 4.3 packages, it's not works

thanks
Re: how to undelete?
* Leonardo Rodrigues [EMAIL PROTECTED] [2008-07-10 08:50]:
> If I'm not mistaken, openbsd zeroes the data when you delete a file.

no, that would be pointless.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Ports dependencies
Hi misc@,

When installing a package from the ports, there are build dependencies and runtime dependencies. In many cases, B-deps aren't used once the package is installed. Is there any other way than looking at the port's Makefile to spot the B-deps installed on a system?
sendmail STARTTLS
Dear list,

running currently 4.3 generic with sendmail:

Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

did try to setup STARTTLS but I don't think that it works! here are the modifications in my .mc file:

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl

Following 'man starttls' I should get:

# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.12.1/8.12.1 ready
EHLO localhost

After typing EHLO localhost you should receive something like the following back.

250-localhost Hello localhost [IPv6:::1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

but I'm missing the '250 STARTTLS' entry from the above output! Any idea what might have gone wrong?

Thanks
George
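An added example, not part of the original post, that automates the check the telnet session above performs: parse a (multi-line) EHLO reply per RFC 5321 and report whether STARTTLS is advertised. The two sample replies are constructed from the expected output quoted above and from the same output with STARTTLS missing; `probe_starttls` does the live version against a host you name.

```python
import socket
from typing import List, Tuple


def parse_ehlo_reply(text: str) -> Tuple[int, List[str]]:
    """Split an SMTP reply into (code, text lines).

    RFC 5321: every line of a multi-line reply carries the same 3-digit code,
    continuation lines put "-" after the code and the final line a space.
    """
    code = None
    lines: List[str] = []
    for raw in text.splitlines():
        if len(raw) < 4 or not raw[:3].isdigit() or raw[3] not in "- ":
            raise ValueError(f"malformed reply line: {raw!r}")
        if code is None:
            code = int(raw[:3])
        elif int(raw[:3]) != code:
            raise ValueError(f"reply code changed mid-reply: {raw!r}")
        lines.append(raw[4:])
        if raw[3] == " ":
            break  # final line of the reply
    if code is None:
        raise ValueError("empty reply")
    return code, lines


def ehlo_keywords(text: str) -> List[str]:
    """EHLO keywords (first token of each extension line), upper-cased; [] unless the reply is 250."""
    code, lines = parse_ehlo_reply(text)
    if code != 250:
        return []
    # lines[0] is the greeting ("localhost Hello ... pleased to meet you"); the rest are extensions.
    return [ln.split()[0].upper() for ln in lines[1:] if ln.strip()]


def advertises_starttls(text: str) -> bool:
    return "STARTTLS" in ehlo_keywords(text)


def _read_reply(f) -> str:
    """Read reply lines from a socket file until the final one (space after the code)."""
    out: List[str] = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            return "\n".join(out)  # connection closed early
        out.append(line)
        if len(line) >= 4 and line[3] == " ":
            return "\n".join(out)


def probe_starttls(host: str = "localhost", port: int = 25, timeout: float = 5.0) -> bool:
    """Live check: connect, send EHLO, look for STARTTLS, then QUIT (what the telnet session does)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        _read_reply(f)                      # 220 banner
        f.write(b"EHLO localhost\r\n")
        reply = _read_reply(f)
        f.write(b"QUIT\r\n")
    return advertises_starttls(reply)


# Constructed replies: the one STARTTLS(8) documents, and one with STARTTLS absent as in the post.
EXPECTED_REPLY = (
    "250-localhost Hello localhost [IPv6:::1], pleased to meet you\n"
    "250-ENHANCEDSTATUSCODES\n250-PIPELINING\n250-8BITMIME\n250-SIZE\n"
    "250-DSN\n250-ETRN\n250-STARTTLS\n250-DELIVERBY\n250 HELP\n"
)
OBSERVED_REPLY = EXPECTED_REPLY.replace("250-STARTTLS\n", "")

if __name__ == "__main__":
    print("expected:", advertises_starttls(EXPECTED_REPLY))
    print("observed:", advertises_starttls(OBSERVED_REPLY))
```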
Re: Ports dependencies
Eric Dillenseger wrote:
> Hi misc@,
>
> When installing a package from the ports, there are build dependencies and runtime dependencies. In many cases, B-deps aren't used once the package is installed. Is there any other way than looking at the ports makefile to spot the B-deps installed on a system?

pkg_info -t might help you.
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 3:13 PM, giovanni [EMAIL PROTECTED] wrote:
> pkg_add cyrus-sasl-.tgz
> # vat /etc/mk.conf
> WANT_SMTPAUTH=yes
> rebuild sendmail
>
> --
> see ya,
> giovanni

Thanks for your reply but I thought that this is necessary only if SMTP_AUTH should be enabled! In my case I'll use an IMAP server instead!

George
Re: how to undelete?
On Thu, 10 Jul 2008, Henning Brauer wrote:
> * Leonardo Rodrigues [EMAIL PROTECTED] [2008-07-10 08:50]:
> > If I'm not mistaken, openbsd zeroes the data when you delete a file.
>
> no, that would be pointless.

For the archives: unless it is specifically requested as rm -P

Regards,
David
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
[...]
> did try to setup STARTTLS but I don't think that it works! here are the modifications in my .mc file:
>
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl

Do those files exist?

> Following 'man starttls' I should get:
[...]
> but I'm missing the '250 STARTTLS' entry from the above output! Any idea what might have gone wrong?

Did you look in your maillogs?

--
o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *-[ BSD: Live Free or Die ]*
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 3:33 PM, giovanni [EMAIL PROTECTED] wrote:
> On Thu, Jul 10, 2008 at 03:19:11PM +0200, GVG GVG wrote:
> > On Thu, Jul 10, 2008 at 3:13 PM, giovanni [EMAIL PROTECTED] wrote:
> > > pkg_add cyrus-sasl-.tgz
> > > # vat /etc/mk.conf
> > > WANT_SMTPAUTH=yes
> > > rebuild sendmail
> > >
> > > --
> > > see ya,
> > > giovanni
> >
> > Thanks for your reply but I thought that this is necessary only if SMTP_AUTH should be enabled! In my case I'll use an IMAP server instead!
>
> yup, I wrote one thing while I was thinking another... sorry!
>
> > George
>
> --
> see ya,
> giovanni

:-) OK

Thanks
George
VPN Failover
Hello List,

I'm having some issues with IPSec VPN tunnels. Here is what I'm trying to do:

I have a VPN 'server' with 2 internet connections (IP1, IP2). I have several remote locations which connect to the VPN server. When IP1 goes down on the VPN server I want the remote locations to negotiate the tunnel with IP2.

What is the best way to accomplish this? I have tried a couple of different things, none successful.

My ipsec.conf on the server looks like this:

# Remote Location 1
ike passive esp from 10.110.39.0/24 to 10.115.10.0 peer REMOTELOCATION1 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk psk
# Remote Location 2
ike passive esp from 10.110.39.0/24 to 10.115.20.0 peer REMOTELOCATION2 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk psk

My ipsec.conf on one of the remote location machines looks like this:

# Main Office
ike esp from 10.115.20.0 to 10.110.39.0/24 peer MAIN-OFFICE-IP1 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk psk
# Main Office Backup
ike esp from 10.115.20.0 to 10.110.39.0/24 peer MAIN-OFFICE-IP2 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk psk

This doesn't work. When I comment out the 'Backup' tunnel on the remote location machine the IP1 tunnel comes up just fine. When I try un-commenting it neither of the tunnels come up. I'm pretty sure that this is not SUPPOSED to work as the subnets are the same for both tunnels.

I have played around with the various ike [mode] parameters, substituting dynamic, passive, etc. in every possible combination.

I have configured isakmpd to listen on both interfaces on the main office machine, i.e.

[general]
Listen-on=IP1,IP2

I have also tried to just change the default routes on the main office machine and restart isakmpd.

Can anyone recommend a way to do VPN failover in this manner? Is it possible to use the DPD of dynamic mode to somehow make isakmpd negotiate a backup tunnel when the main tunnel goes down?

Thanks so much,
Steve
note for faq, maybe
if you use pppoe(4) for internet, and want to do a remote update from 4.2 to 4.3, over said pppoe(4) link, then the normal update procedure will not work, because the 4.3 kernel and the 4.2 ifconfig binary can not work together. after rebooting the new 4.3 bsd kernel, the network will not be configured and you will walk/drive to the system (just like I did today).

so, before rebooting to 4.3, at least unpack the 4.3 ifconfig binary from base43.tgz

- Marc
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 3:33 PM, Will Maier [EMAIL PROTECTED] wrote:
> On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
> [...]
> > did try to setup STARTTLS but I don't think that it works! here are the modifications in my .mc file:
> >
> > define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
> > define(`confCACERT_PATH', `CERT_DIR')dnl
> > define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> > define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
> > define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
>
> Do those files exist?
>
> > Following 'man starttls' I should get:
> [...]
> > but I'm missing the '250 STARTTLS' entry from the above output! Any idea what might have gone wrong?
>
> Did you look in your maillogs?
>
> --
> o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *-[ BSD: Live Free or Die ]*

Yes they do exist:

-bash-3.2$ pwd
/etc/mail/CA
-bash-3.2$ ls -l
total 56
-rw-r--r--  1 root  wheel  1229 Jun 23 17:02 cacert.pem
-rw-r--r--  1 root  wheel   875 Jun 18 13:46 cacert.pm
-rw-------  1 root  wheel  3848 Jun 23 17:11 cert.pem
drwxr-xr-x  2 root  wheel   512 Jun 17 16:25 certs
drwxr-xr-x  2 root  wheel   512 Jun 23 17:17 crl
-rw-------  1 root  wheel     3 Jun 23 17:17 crlnumber
-rw-------  1 root  wheel    68 Jun 23 17:11 index.txt
-rw-------  1 root  wheel    21 Jun 23 17:11 index.txt.attr
-rw-r--r--  1 root  wheel     0 Jun 23 16:46 index.txt.old
-rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
drwxr-xr-x  2 root  wheel   512 Jun 23 17:11 newcerts
drwx------  2 root  wheel   512 Jun 23 16:53 private
-rw-------  1 root  wheel     3 Jun 23 17:11 serial
-rw-r--r--  1 root  wheel     3 Jun 23 16:46 serial.old

and in the mail_log there is nothing recorded! No errors or warnings!

Thanks
George
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 03:56:48PM +0200, GVG GVG wrote:
> On Thu, Jul 10, 2008 at 3:33 PM, Will Maier [EMAIL PROTECTED] wrote:
> > On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
> > > define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
> > > define(`confCACERT_PATH', `CERT_DIR')dnl
> > > define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> > > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > > define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> > > define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
> > > define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
[...]
> Yes they do exist:
>
> -bash-3.2$ pwd
> /etc/mail/CA
> -bash-3.2$ ls -l
> total 56
> -rw-r--r--  1 root  wheel  1229 Jun 23 17:02 cacert.pem
> -rw-r--r--  1 root  wheel   875 Jun 18 13:46 cacert.pm
> -rw-------  1 root  wheel  3848 Jun 23 17:11 cert.pem
> drwxr-xr-x  2 root  wheel   512 Jun 17 16:25 certs
> drwxr-xr-x  2 root  wheel   512 Jun 23 17:17 crl
> -rw-------  1 root  wheel     3 Jun 23 17:17 crlnumber
> -rw-------  1 root  wheel    68 Jun 23 17:11 index.txt
> -rw-------  1 root  wheel    21 Jun 23 17:11 index.txt.attr
> -rw-r--r--  1 root  wheel     0 Jun 23 16:46 index.txt.old
> -rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
> drwxr-xr-x  2 root  wheel   512 Jun 23 17:11 newcerts
> drwx------  2 root  wheel   512 Jun 23 16:53 private
> -rw-------  1 root  wheel     3 Jun 23 17:11 serial
> -rw-r--r--  1 root  wheel     3 Jun 23 16:46 serial.old

You're missing my{cert,key}.pem.

> and in the mail_log there is nothing recorded! No errors or warnings!

Did you restart sendmail?

--
o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *-[ BSD: Live Free or Die ]*
Re: how to undelete?
On Thu, Jul 10, 2008 at 02:03:12PM +0200, David Vasek wrote:
> For the archives: unless it is specifically requested as rm -P

For some unknown reason this prompted me to look at the rm manpage for the hell of it (yeah, bored and tired at the moment). There's an odd comment in the STANDARDS section which says

    The interactive mode used to be a dsw command, a carryover from the ancient past with an amusing etymology.

That piqued my interest further (yeah, still bored and still tired at the moment) so I googled away and found this tidbit about the mysterious dsw command:

http://dvlabs.tippingpoint.com/blog/2008/03/18/a-bit-of-history

Gord
Re: Actual BIND error - Patching OpenBSD 4.3 named ?
On 2008-07-09, mark reardon [EMAIL PROTECTED] wrote:
> doxpara.com reports no issues with unbound FWIW.

right, unbound already randomises the source port (arc4random from guess where) and also the source address if you list more than one (assign aliases to the interfaces, and list all of the IP address in outgoing-interface lines in config).

http://nlnetlabs.nl/publications/DNS_cache_poisoning_vulnerability.html

they have their own methods to avoid stomping on ports used by other UDP services, but since they don't have control over the rest of the OS, it's a bunch of config parameters, not quite as elegant as using net.inet.udp.baddynamic populated from /etc/services entries (see recent commits in source-changes or in odc on www.squish.net/openbsd/)
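An added example (not from the thread) of the property the replies above rely on against VU#800113: each outgoing query should use an unpredictable source port and transaction ID. Given (txid, source port) pairs observed from a resolver, this estimates how much randomness each field actually carries and flags the fixed-port and counting-ID patterns; both sample sets are constructed, not captured.

```python
import math
import random
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def shannon_entropy_bits(values: Iterable[int]) -> float:
    """Empirical entropy of the observed values; bounded above by log2(number of samples)."""
    counts = Counter(values)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_sequential(values: List[int], tolerance: float = 0.9) -> bool:
    """True when at least `tolerance` of the consecutive differences are exactly +1 (a counter)."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1) >= tolerance


def assess_resolver(samples: List[Tuple[int, int]]) -> Dict[str, object]:
    """Summarise txid/source-port behaviour of a resolver from (txid, sport) observations."""
    txids = [t for t, _ in samples]
    sports = [p for _, p in samples]
    report: Dict[str, object] = {
        "queries": len(samples),
        "distinct_txids": len(set(txids)),
        "distinct_sports": len(set(sports)),
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 2),
        "sport_entropy_bits": round(shannon_entropy_bits(sports), 2),
        "fixed_sport": len(set(sports)) == 1,        # the pre-patch BIND behaviour
        "sequential_txid": is_sequential(txids),
        "sequential_sport": is_sequential(sports),
    }
    # Any one of these leaves an off-path guesser far less than 16+16 bits of work.
    report["randomized"] = not (
        report["fixed_sport"] or report["sequential_txid"] or report["sequential_sport"]
    )
    return report


def constructed_samples(kind: str, n: int = 64, seed: int = 1) -> List[Tuple[int, int]]:
    """Constructed observations for the two cases discussed (not real captures)."""
    rng = random.Random(seed)
    if kind == "fixed-port":       # one source port for all queries, txid counting up
        return [(1000 + i, 32768) for i in range(n)]
    if kind == "randomized":       # 16-bit txid and a random ephemeral port, as unbound does
        return [(rng.randrange(65536), rng.randrange(1024, 65536)) for _ in range(n)]
    raise ValueError(f"unknown sample kind: {kind}")


if __name__ == "__main__":
    for kind in ("fixed-port", "randomized"):
        print(kind, assess_resolver(constructed_samples(kind)))
```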
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 4:12 PM, Will Maier [EMAIL PROTECTED] wrote:
> On Thu, Jul 10, 2008 at 03:56:48PM +0200, GVG GVG wrote:
> > On Thu, Jul 10, 2008 at 3:33 PM, Will Maier [EMAIL PROTECTED] wrote:
> > > On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
> > > > define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
> > > > define(`confCACERT_PATH', `CERT_DIR')dnl
> > > > define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> > > > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > > > define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> > > > define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
> > > > define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
> [...]
> > Yes they do exist:
> >
> > -bash-3.2$ pwd
> > /etc/mail/CA
> > -bash-3.2$ ls -l
> > total 56
> > -rw-r--r--  1 root  wheel  1229 Jun 23 17:02 cacert.pem
> > -rw-r--r--  1 root  wheel   875 Jun 18 13:46 cacert.pm
> > -rw-------  1 root  wheel  3848 Jun 23 17:11 cert.pem
> > drwxr-xr-x  2 root  wheel   512 Jun 17 16:25 certs
> > drwxr-xr-x  2 root  wheel   512 Jun 23 17:17 crl
> > -rw-------  1 root  wheel     3 Jun 23 17:17 crlnumber
> > -rw-------  1 root  wheel    68 Jun 23 17:11 index.txt
> > -rw-------  1 root  wheel    21 Jun 23 17:11 index.txt.attr
> > -rw-r--r--  1 root  wheel     0 Jun 23 16:46 index.txt.old
> > -rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
> > drwxr-xr-x  2 root  wheel   512 Jun 23 17:11 newcerts
> > drwx------  2 root  wheel   512 Jun 23 16:53 private
> > -rw-------  1 root  wheel     3 Jun 23 17:11 serial
> > -rw-r--r--  1 root  wheel     3 Jun 23 16:46 serial.old
>
> You're missing my{cert,key}.pem.
>
> > and in the mail_log there is nothing recorded! No errors or warnings!
>
> Did you restart sendmail?
>
> --
> o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *-[ BSD: Live Free or Die ]*

Sorry, I made a mistake! The changes in the .mc file are:

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

using the same certs for 'server' and 'client'! So the files do exist!

And yes I did restart sendmail! I actually did restart the whole box!

In a sendmail book I found the following entry they suggested to put in the .mc file. Could it be the reason for my problems?

dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl

Thanks
George
Re: note for faq, maybe
Yes, I can confirm that. I too got bitten by it before and I was considering proposing a patch for upgradeXX.html, but I got sidetracked.

Mitja

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Balmer
Sent: Thursday, July 10, 2008 3:55 PM
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: note for faq, maybe

if you use pppoe(4) for internet, and want to do a remote update from 4.2 to 4.3, over said pppoe(4) link, then the normal update procedure will not work, because the 4.3 kernel and the 4.2 ifconfig binary can not work together. after rebooting the new 4.3 bsd kernel, the network will not be configured and you will walk/drive to the system (just like I did today).

so, before rebooting to 4.3, at least unpack the 4.3 ifconfig binary from base43.tgz

- Marc
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 04:26:38PM +0200, GVG GVG wrote:
> In a sendmail book I found the following entry they suggested to put in the .mc file. Could it be the reason for my problems?
>
> dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl

No.

So you updated your .mc file as above, installed it as /etc/mail/localhost.cf and HUPed sendmail? By default on OpenBSD, sendmail is started with the following flags:

    -L sm-mta -C/etc/mail/localhost.cf -bd -q30m

If you installed your new .cf file as sendmail.cf, sendmail won't read it (unless you change or drop the -C flag).

--
o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *-[ BSD: Live Free or Die ]*
sendmail Maildir
Dear List, having a 4.3 and sendmail installation, the default locations where the mails go is /var/mail/$USER. How can I change that and point to a Maildir formatted location? Thanks George
Re: sendmail STARTTLS
On Thu, Jul 10, 2008, GVG GVG wrote:

> -rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
       ^  ^

> and in the mail_log there is nothing recorded! No errors or warnings!

1. man starttls (and see the referenced website).
2. increase the LogLevel (even though those errors should be logged at the default level.)
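An added example (not from the thread) of the check the carets above point at: the private key is readable by group and others. sendmail refuses to use a key file that is not private to the user it runs as, so auditing the `ls -l` listing of the cert directory catches it before the telnet test does. The listing below is constructed from the one posted; the expected owner is assumed to be root, as in that listing.

```python
import re
from typing import Dict, List

# One line of `ls -l` output: mode, links, owner, group, size, month, day, time-or-year, name.
LS_LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)

# Key file names as used in the .mc definitions on this page.
PRIVATE_KEY_NAMES = ("key.pem", "mykey.pem")


def parse_ls_long(listing: str) -> List[Dict[str, str]]:
    """Return mode/owner/group/name for every entry line; 'total' and unparseable lines are skipped."""
    entries: List[Dict[str, str]] = []
    for line in listing.splitlines():
        m = LS_LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def unsafe_private_keys(listing: str, key_names=PRIVATE_KEY_NAMES, owner: str = "root") -> List[str]:
    """Describe every private key that group or others can read or write, or that is not owned by `owner`."""
    problems: List[str] = []
    for e in parse_ls_long(listing):
        if e["name"] not in key_names:
            continue
        group_other = e["mode"][4:]          # characters 4..9: group rwx, others rwx
        reasons: List[str] = []
        if "r" in group_other or "w" in group_other:
            reasons.append("readable/writable by group or others")
        if e["owner"] != owner:
            reasons.append(f"not owned by {owner}")
        if reasons:
            problems.append(f"{e['name']} ({e['mode']} {e['owner']}:{e['group']}): " + "; ".join(reasons))
    return problems


# Constructed from the posted listing: key.pem is 0644, everything else is tightened.
POSTED_LISTING = """total 56
-rw-r--r--  1 root  wheel  1229 Jun 23 17:02 cacert.pem
-rw-------  1 root  wheel  3848 Jun 23 17:11 cert.pem
-rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
drwx------  2 root  wheel   512 Jun 23 16:53 private
"""

# The same directory after chmod 600 key.pem.
FIXED_LISTING = POSTED_LISTING.replace("-rw-r--r--  1 root  wheel  1679", "-rw-------  1 root  wheel  1679")

if __name__ == "__main__":
    print(unsafe_private_keys(POSTED_LISTING))
    print(unsafe_private_keys(FIXED_LISTING))
```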
Re: sendmail Maildir
On 2008-07-10, GVG GVG [EMAIL PROTECTED] wrote: Dear List, having a 4.3 and sendmail installation, the default locations where the mails go is /var/mail/$USER. How can I change that and point to a Maildir formatted location? Thanks George You need a local delivery agent that can understand Maildir. e.g. procmail, maildrop, Dovecot's deliver, [..]
Re: sendmail STARTTLS
On 2008-07-10, GVG GVG [EMAIL PROTECTED] wrote:
> Sorry, I made a mistake! The changes in the .mc file are:

You did rebuild the .cf file from the .mc file, right?

STARTTLS(8)                OpenBSD System Manager's Manual                STARTTLS(8)
[...]
     Now that you have the TLS-enabled versions of the .mc files you must gen-
     erate .cf files from them and install the .cf files in /etc/mail.
[...]
Re: sendmail Maildir
On Thu, Jul 10, 2008 at 04:56:07PM +0200, GVG GVG wrote: Dear List, having a 4.3 and sendmail installation, the default locations where the mails go is /var/mail/$USER. How can I change that and point to a Maildir formatted location? Thanks George Hi George - You need to use a mail delivery agent (MDA), such as procmail, maildrop, or dovecot's deliver. - David
Re: sendmail Maildir
On Thu, Jul 10, 2008 at 5:07 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2008-07-10, GVG GVG [EMAIL PROTECTED] wrote:
> > Dear List,
> >
> > having a 4.3 and sendmail installation, the default locations where the mails go is /var/mail/$USER. How can I change that and point to a Maildir formatted location?
> >
> > Thanks
> > George
>
> You need a local delivery agent that can understand Maildir. e.g. procmail, maildrop, Dovecot's deliver, [..]

I intend to install Dovecot! So obviously that will do the job!

Thanks for your prompt reply
George
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 4:55 PM, Will Maier [EMAIL PROTECTED] wrote:
> On Thu, Jul 10, 2008 at 04:26:38PM +0200, GVG GVG wrote:
> > In a sendmail book I found the following entry they suggested to put in the .mc file. Could it be the reason for my problems?
> >
> > dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl
>
> No.
>
> So you updated your .mc file as above, installed it as /etc/mail/localhost.cf and HUPed sendmail? By default on OpenBSD, sendmail is started with the following flags:
>
>     -L sm-mta -C/etc/mail/localhost.cf -bd -q30m
>
> If you installed your new .cf file as sendmail.cf, sendmail won't read it (unless you change or drop the -C flag).
>
> --
> o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *-[ BSD: Live Free or Die ]*

correct, but I didn't install it as 'localhost.cf' but as 'sendmail.cf'. My server does accept mails from the outside world! After that I did restart the box!

Sendmail gets started as:

sendmail_flags="-L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X /[$HOME]/mail_log"
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 5:05 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2008-07-10, GVG GVG [EMAIL PROTECTED] wrote:
> > Sorry, I made a mistake! The changes in the .mc file are:
>
> You did rebuild the .cf file from the .mc file, right?
>
> STARTTLS(8)                OpenBSD System Manager's Manual                STARTTLS(8)
> [...]
>      Now that you have the TLS-enabled versions of the .mc files you must gen-
>      erate .cf files from them and install the .cf files in /etc/mail.
> [...]

exactly! That's what I did. Below is an extract from my current sendmail.cf:

# CA directory
O CACertPath=/etc/mail/CA
# CA file
O CACertFile=/etc/mail/CA/cacert.pem
# Server Cert
O ServerCertFile=/etc/mail/CA/cert.pem
# Server private key
O ServerKeyFile=/etc/mail/CA/key.pem
# Client Cert
O ClientCertFile=/etc/mail/CA/cert.pem
# Client private key
O ClientKeyFile=/etc/mail/CA/key.pem
# File containing certificate revocation lists
#O CRLFile

Thanks
George
Re: 4.4 beta wont shut down properly
On 7/9/08, Josh [EMAIL PROTECTED] wrote:
> On two machines now, recent snapshots are not powering off properly on machines which used to, when I run shutdown -p -h now. It stops at syncing disks, and stays there forever. After a hard reset, / comes up as not being unmounted successfully. I am a quite busy right now, but if someone could tell me what src files deal with this area, So I can perhaps back track to a time when shutdowns worked ok after work.

One thing to rule out would be the buffer cache changes. These were committed over a little time, but you could check a kernel from june 9th (before) and june 15th (after). of course, that's the week of the hackathon, so lots of other changes occurred as well. but try those dates.
sshd_config(5) PermitRootLogin yes
Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80;content-type=text/x-cvsweb-markup

I don't have a fresh install anywhere -- but I want to say that it doesn't default to "PermitRootLogin yes" after the install.

I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some noise about: "Well the source vendor doesn't disable it by default ..."

~BAS
Re: Can't install using pkg_add from FTP mirror and from Local Mirror
my mail wrote:
> --- On Thu, 7/10/08, Jacob Meuser [EMAIL PROTECTED] wrote:
> > From: Jacob Meuser [EMAIL PROTECTED]
> > Subject: Re: Can't install using pkg_add from FTP mirror and from Local Mirror
> > To: misc@openbsd.org
> > Date: Thursday, July 10, 2008, 6:24 AM
> >
> > On Wed, Jul 09, 2008 at 07:45:01PM -0700, my mail wrote:
> > > --- On Wed, 7/9/08, Jacob Meuser [EMAIL PROTECTED] wrote:
> >
> > my guess is you checked out or updated your ports tree incorrectly. you want 4.3 ports to match your 4.3 base, so you need to use the -rOPENBSD_4_3 tag with the cvs command. otherwise, you will get a -current ports tree, and you will have problems.
> >
> > http://www.openbsd.org/anoncvs.html
>
> thank you all (Jacob Meuser, Markus Lude, Louis V. Lambrecht, James Hartley) for your help
>
> i have reinstall my openbsd 4.3 and then use this -rOPENBSD_4_3 for update ports, and now i have been able to install from packages and ports. it's my faults because i remember, i have update ports without -rOPENBSD_4_3 tags.
>
> i little bit confused about release and stable, if i download ISO from OpenBSD/4.3 ftp, then this is a release, then if i want using -stable, i must using -rOPENBSD_4_3 tags for update ports, xenocara, src, and i been able using packages for 4.3 release. but what if i want using current tag, after i update ports, what packages i must using? because when i using 4.3 packages, it's not works
>
> thanks

Frankly, re-re-re-re-read the FAQ.

Since you just re-installed and still want -current packages, the best way would be to grab a snapshot and do a fresh install. Do this on a date at which your mirror has packages with the same date as the snapshots (or a day or two off). Release updates are almost foolproof, updating from snapshots might break, while a snapshot of the next day would be perfect.

My personal opinion: when you have both the stock OS and sources and started installing packages, I experienced it to be safe to keep pkg_add'ing for a week or two. Certainly do not do a cvs. When packages fail to install, switch to installing the ports from source (still without having done a cvs: keep OS, sources, ports tree at the same date).

Actually, I have 2 slices, one with a working environment, one with a testing environment. Yet another slice with my server's data, archives, distfiles, ... Every 2 months or so I install a snapshot and most used packages on the testing slice and switch the boot slice when all is well. To be honest, I have a third installation on a USB key where I test the snapshot. First an upgrade, and if it is OK, I upgrade the testing slice. If not OK, I read misc@ and undeadly for hints and wait a couple of weeks to try another snapshot. Doing so, I have 2 (eventually 3) OSes to boot from and access my data and archives.

Current is where the team is developing, what works now can break in the next minutes, and work perfectly half an hour later. If you really need current, test it on a separate slice. Don't touch a good working installation.

Before I forget: mighty important! keep copies of /var/backups in a safe place before upgrading/re-installing. Time-saver.
Re: sshd_config(5) PermitRootLogin yes
My 4.3 installs defaulted to "PermitRootLogin yes" after install.

-HKS

On Thu, Jul 10, 2008 at 10:35 AM, Brian A. Seklecki [EMAIL PROTECTED] wrote:
> Am I reading this right?
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80;content-type=text/x-cvsweb-markup
>
> I don't have a fresh install anywhere -- but I want to say that it doesn't default to "PermitRootLogin yes" after the install.
>
> I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some noise about: "Well the source vendor doesn't disable it by default ..."
>
> ~BAS
Re: sshd_config(5) PermitRootLogin yes
On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:
> Am I reading this right?

Yes.

[...]
> I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some noise about: "Well the source vendor doesn't disable it by default ..."

This has been discussed. Check the archives if you'd like.

--
o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *-[ BSD: Live Free or Die ]*
Re: sshd_config(5) PermitRootLogin yes
Brian A. Seklecki wrote:
> Am I reading this right?
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80;content-type=text/x-cvsweb-markup
>
> I don't have a fresh install anywhere -- but I want to say that it doesn't default to "PermitRootLogin yes" after the install.
>
> I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some noise about: "Well the source vendor doesn't disable it by default ..."
>
> ~BAS

Hi Brian,

The default is: PermitRootLogin yes

As illustrated below.

HTH

Fred

bsd:fred /home/fred ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Wed Mar  5 19:08:20 2008
OpenBSD 4.4-beta (GENERIC) #232: Wed Jul  2 12:31:55 MDT 2008

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

Terminal type? [rxvt]
# uname -a
OpenBSD zaurus.crowsons.com 4.4 GENERIC#232 zaurus
#
Re: sshd_config(5) PermitRootLogin yes
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian A. Seklecki Sent: Thursday, July 10, 2008 10:35 AM To: misc@openbsd.org Subject: sshd_config(5) PermitRootLogin yes Am I reading this right? http://www.openbsd.org/cgi- bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content- type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS afterboot(8) covers this http://www.openbsd.org/cgi-bin/man.cgi?query=afterbootapropos=0sektion=0ma npath=OpenBSD+Currentarch=i386format=html
Re: sendmail STARTTLS
On Thu, Jul 10, 2008 at 5:01 PM, Claus Assmann [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Thu, Jul 10, 2008, GVG GVG wrote: -rw-r--r-- 1 root wheel 1679 Jun 23 17:04 key.pem ^ ^ and in the mail_log there is nothing recorded! No errors or warnings! 1. man starttls (and see the referenced website). 2. increase the LogLevel (even though those errors should be logged at the default level.) I first have to excuse myself cause I claimed that there were no errors in the log file! Well, there was no debugging output enabled. Now I did that with '-d0-17.4' flags! Still I don't see anything weird in there! I don't know if you can provide with an example of such an error or warning? Thanks George
Re: sendmail STARTTLS
Off topic to this thread, but: On Thu, Jul 10, 2008 at 8:24 AM, GVG GVG [EMAIL PROTECTED] wrote: ... Sendmail gets started as: sendmail_flags=-L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X /[$HOME]/mail_log Remove -B8BITMIME from that: the -B option is only applicable when sending email. Indeed, you should be seeing this error at boot time: WARNING: Ignoring submission mode -B option (not in submission mode) What docs suggested that you add that? (For the topic of this thread, you did eyeball /var/log/maillog after restarting, right?) Philip Guenther
Re: sshd_config(5) PermitRootLogin yes
Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: Actual BIND error - Patching OpenBSD 4.3 named ?
* Stuart Henderson [EMAIL PROTECTED] [080709 07:15]: mcbride@ pointed out that you can give named some more protection by natting outbound udp traffic destined for port 53 (even just on the box running the resolver, it doesn't have to be on a firewall in front). something like, nat on egress proto udp from (self) to any port 53 -> (self) there - if you need to tell people you're doing something while you wait for a better solution, you have an option. check this with tcpdump and requests from multiple NS, the doxpara.com checker will not notice this as an improvement. It doesn't notice this as an improvement because it is making multiple requests to the same name server, and pf will map all these requests using the same outgoing port. David
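The check Stuart and David describe, done over a capture instead of by eye, as an added example that is not from the thread: count how many distinct source ports the resolver used per destination nameserver. With the nat rule above, every query to one nameserver rides the same pf state (and so the same translated port) until that state expires, while queries to different nameservers create separate states with separately chosen ports. A checker that only ever asks one nameserver sees a single port and reports no improvement; the same capture, grouped by destination, shows what the nat rule actually does. The tcpdump lines below are constructed in the "host.port > host.port:" form tcpdump -n prints, using documentation address ranges; the resolver address is an assumption.

```python
"""Distinct UDP source ports per destination nameserver, from tcpdump -n output.

Added example, not from the thread. The capture text is constructed, as seen on
the outside of the pf nat rule (translated ports); addresses are RFC 5737 ranges.
"""
import re
from collections import defaultdict

# Minimal parser for "TIMESTAMP SRC.SPORT > DST.DPORT: ..." lines; everything
# after the colon (the DNS decode) is ignored on purpose.
LINE = re.compile(
    r"^\S+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

RESOLVER = "192.0.2.10"   # assumed: the box running named, behind the nat rule

# Constructed: repeated queries to one nameserver. They all reuse the same pf
# state, so the outside sees one source port however many queries are sent.
SAME_NS_CAPTURE = """\
10:00:01.000100 192.0.2.10.53107 > 198.51.100.1.53: 41922+ A? example.com. (29)
10:00:01.010200 198.51.100.1.53 > 192.0.2.10.53107: 41922 1/0/0 A 203.0.113.80 (45)
10:00:01.020300 192.0.2.10.53107 > 198.51.100.1.53: 41923+ A? www.example.com. (33)
10:00:01.030400 192.0.2.10.53107 > 198.51.100.1.53: 41924+ AAAA? example.com. (29)
"""

# Constructed: queries to three nameservers, three states, three translated ports.
MULTI_NS_CAPTURE = """\
10:00:05.000100 192.0.2.10.53107 > 198.51.100.1.53: 41925+ A? example.com. (29)
10:00:05.000900 192.0.2.10.17213 > 198.51.100.2.53: 41926+ A? example.net. (29)
10:00:05.001700 192.0.2.10.60841 > 203.0.113.5.53: 41927+ A? example.org. (29)
10:00:05.012000 198.51.100.2.53 > 192.0.2.10.17213: 41926 1/0/0 A 203.0.113.80 (45)
"""


def outbound_source_ports(capture: str, resolver: str = RESOLVER) -> dict:
    """Map each nameserver address to the set of source ports the resolver used."""
    ports = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        # skip replies, non-DNS traffic and lines not in the expected form
        if not m or m["src"] != resolver or m["dport"] != "53":
            continue
        ports[m["dst"]].add(int(m["sport"]))
    return dict(ports)


def assess(capture: str, resolver: str = RESOLVER) -> dict:
    """Port diversity per nameserver and overall, i.e. what a checker would see
    depending on whether it asks one nameserver or several."""
    per_ns = outbound_source_ports(capture, resolver)
    all_ports = set().union(*per_ns.values()) if per_ns else set()
    return {
        "queries_to": len(per_ns),
        "ports_per_nameserver": {ns: len(p) for ns, p in per_ns.items()},
        "distinct_ports_total": len(all_ports),
    }


if __name__ == "__main__":
    print("one nameserver:  ", assess(SAME_NS_CAPTURE))
    print("three nameservers:", assess(MULTI_NS_CAPTURE))
```

Feed it a real capture from `tcpdump -n -i egress udp and dst port 53` on the nat'ing host: one port per nameserver and many ports across nameservers is the signature of this stopgap working; one port across many nameservers means the nat rule is not matching the traffic. The caveat from the thread stands: a port only changes when the pf state for that nameserver expires, so this is weaker than a resolver that randomizes per query.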
Re: sendmail STARTTLS
On July 10, 2008 10:24:08 am GVG GVG wrote: On Thu, Jul 10, 2008 at 4:55 PM, Will Maier [EMAIL PROTECTED] wrote: On Thu, Jul 10, 2008 at 04:26:38PM +0200, GVG GVG wrote: In a sendmail book I found following entry they suggested to put in the .mc file. Could be the reason for my problems? -- dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl - No. So you updated your .mc file as above, installed it as /etc/mail/localhost.cf and HUPed sendmail? By default on OpenBSD, sendmail is started with the following flags: -L sm-mta -C/etc/mail/localhost.cf -bd -q30m If you installed your new .cf file as sendmail.cf, sendmail won't read it (unless you change or drop the -C flag). -- o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *-[ BSD: Live Free or Die ]* correct but I didn't install as 'localhost' but as 'sendmail.cf'. My server does accept mails from the outside world! After that I did restart the box! Sendmail gets started as: sendmail_flags=-L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X /[$HOME]/mail_log I don't think -B8BITMIME works with sendmail on OpenBSD -- at least it does not on my 4.3 i386 from CD and on 4.4 -current. Were you thinking of EightBitMode=mode or do you have any errors on /var/log/maillog with this flag? -- Vijay Sankar, M.Eng., P.Eng. ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: sshd_config(5) PermitRootLogin yes
The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privileged account, edit the sudoers file.. and disable root logins in sshd_config. I believe the developers' decision is the best one in this case; it's one of the first things I disable though.
sendmail -B option
On Thu, Jul 10, 2008 at 9:59 AM, Vijay Sankar [EMAIL PROTECTED] wrote: ... I don't think -B8BITMIME works with sendmail on OpenBSD -- at least it does not on my 4.3 i386 from CD and on 4.4 -current. sigh What do you think it does, how did you use it, and how did you determine that it has no effect? I've already noted that the -B option only affects submission and is ignored when running sendmail as a daemon, making GVG's usage of it incorrect. If you aren't feeding the sendmail command an email message on stdin, then the -B option isn't for you. Philip Guenther
Re: sshd_config(5) PermitRootLogin yes
On Thu, Jul 10, 2008 at 01:21:20PM -0400, Brynet wrote: The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privileged account, edit the sudoers file.. and disable root logins in sshd_config. Note that you can already create this account and edit sudoers while still in the installer kernel. Simply `mnt/usr/sbin/chroot /mnt` and you are in your new system where you can change basic things (such as adding users and editing config files, do not expect to be able to do more fancy stuff like firewalling (so you can edit pf.conf, you just can not load it until after rebooting), you're still in the install kernel which lacks several key features provided by the regular kernel). root logins are also quite useful when /home is on NFS and NFS is broken somehow and you need to log in to fix stuff. Myself, I keep it enabled, even if I don't have /home on NFS and already have my less-privileged user for sudo access setup. Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
yacc rebuild
Good afternoon! So, before the next make build I must rebuild the yacc alone. I would like to know how can I rebuild yacc. I searched in old errata patches, Makefiles, bsd.*.mk files. In my previous logfile (2008.07.07/src_make_build) I see, that by yacc the make cleandir is used: rm -f yacc.cat1 ... rm -f .depend ...tags So is this correct? cd usr.bin/yacc make obj make cleandir make depend make make install In general, how can I ascertain, what kind of make Phony Targets must I use? I didn't read through the whole stuff (docs, all Makefiles, etc) yet, so I rejoice at a link too. Thank You!
Re: sshd_config(5) PermitRootLogin yes
On Thu, Jul 10, 2008 at 07:40:47PM +0200, Paul de Weerd wrote: root logins are also quite useful when /home is on NFS and NFS is broken somehow and you need to log in to fix stuff. Myself, I keep it enabled, even if I don't have /home on NFS and already have my less-privileged user for sudo access setup. I usually leave it enabled, but with the 'without-password' setting so that keys must be used. -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Brynet wrote: The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privileged account, On Soekris, does the first boot console access not function properly until ttys(5) or boot.conf(5) are edited? Do you need to run headless, but with stored network configuration from the installer? ~BAS edit the sudoers file.. and disable root logins in sshd_config. I believe the developers decision is the best one in this case, it's one of the first thing I disable though.
Re: sshd_config(5) PermitRootLogin yes
afterboot(8) covers this Works for me, I guess. =/ ~BAS http://www.openbsd.org/cgi-bin/man.cgi?query=afterbootapropos=0sektion=0ma npath=OpenBSD+Currentarch=i386format=html
Re: sshd_config(5) PermitRootLogin yes
Paul de Weerd escreveu: On Thu, Jul 10, 2008 at 01:21:20PM -0400, Brynet wrote: The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privileged account, edit the sudoers file.. and disable root logins in sshd_config. Note that you can already create this account and edit sudoers while still in the installer kernel. Simply `mnt/usr/sbin/chroot /mnt` and you are in your new system where you can change basic things (such as adding users and editing config files, do not expect to be able to do more fancy stuff like firewalling (so you can edit pf.conf, you just can not load it until after rebooting), you're still in the install kernel which lacks several key features provided by the regular kernel). root logins are also quite useful when /home is on NFS and NFS is broken somehow and you need to log in to fix stuff. Myself, I keep it enabled, even if I don't have /home on NFS and already have my less-privileged user for sudo access setup. Cheers, Paul 'WEiRD' de Weerd I do prefer to use the siteXX.tgz and the install.site script to do this, since it is the recommended way to customize the install process: http://www.openbsd.org/faq/faq4.html#site I remember another thread on this list about this. At some point someone asked Why not ask the installing user to create an unprivileged account during the install process?. The answer was simple and very coherent: Because we want the user to give root user a strong password. If we prompt for another user creation, it will tend to pick a weak password. I agreed with that and prefer having things like this. The portable ssh version also comes with PermitRootLogin defaulted to yes. I don't see this as a security breach. Just pick a strong root password, create a user, edit sudoers, disable root login and you are done. 
My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD Stable Ubuntu 8.04 Hardy Heron 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
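Giancarlo's "create a user, edit sudoers, disable root login" and Darrin's "without-password" ending, written as an install.site script the way the FAQ's siteXX.tgz mechanism runs it. This is an added example, not a message from the thread and not part of OpenBSD. It assumes things the thread does not say: the admin account is called "admin", its public key is shipped inside the site set as /etc/site/admin_authorized_keys, and the script runs as root chrooted into the freshly installed system (which is how the installer invokes install.site). The sshd_config editor is the part worth keeping: it replaces a commented-out default in place rather than appending a second directive, since sshd takes the first value it sees for a keyword.

```sh
#!/bin/sh
# install.site: do the afterboot(8) steps from this thread at install time, so the
# box boots with an unprivileged sudo user and root ssh logins turned off.
# Added example, not from the thread or from the OpenBSD project. Assumed (not in
# the thread): admin user "admin", its key at /etc/site/admin_authorized_keys
# inside siteXX.tgz, and execution as root chrooted into the new system.
set -eu

# set_sshd_option FILE KEY VALUE
# Replace the first "Key", "#Key" or "# Key" line with "Key Value", drop later
# duplicates, or append the directive if none exists. awk plus a temp file, so it
# works on a sed without -i. It does not understand Match blocks: run it before
# adding any, or an appended directive lands inside the last block.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp "${file}.XXXXXX")
    awk -v k="$key" -v v="$value" '
        BEGIN { lk = tolower(k); hk = "#" lk }
        {
            t = tolower($1)
            if (t == lk || t == hk || (t == "#" && tolower($2) == lk)) {
                if (!done) { print k, v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k, v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # keeps the original owner and mode of FILE
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value sshd would use for KEY (last uncommented
# occurrence wins here only because set_sshd_option never leaves more than one).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

install_site_main() {
    adm=admin                                # assumed account name
    keyfile=/etc/site/admin_authorized_keys  # assumed path shipped in siteXX.tgz

    useradd -m -G wheel -s /bin/ksh "$adm"
    grp=$(id -gn "$adm")
    install -d -m 700 -o "$adm" -g "$grp" "/home/$adm/.ssh"
    install -m 600 -o "$adm" -g "$grp" "$keyfile" "/home/$adm/.ssh/authorized_keys"

    # wheel gets sudo; visudo -c fails the install rather than leave a bad sudoers
    printf '%%wheel ALL=(ALL) ALL\n' >> /etc/sudoers
    visudo -c

    # Giancarlo's ending: root logins off once a sudo user exists. Darrin's
    # alternative is "without-password", keeping key-only root logins.
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
}

# Only act when run as install.site; sourcing the file just defines the functions.
if [ "${INSTALL_SITE_RUN:-0}" = 1 ]; then
    install_site_main
fi
```

PasswordAuthentication is only turned off because a key was installed first; without the key step, leave that line out or the box is as unreachable as Marco's objection describes. Check the result before the first reboot with `sshd -t` from the chroot, and keep the console until the first key login succeeds.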
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopulated. And this is likely the rationale why the rest of the projects changed it. ~~BAS On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: sshd_config(5) PermitRootLogin yes
On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. This is how I normally do it. I don't like to stand at a crash cart kvm when I can sit at my desk. ;-) If you have a good root password then it's not much of an issue anyway. -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: note for faq, maybe
Sounds good, but as I've successfully avoided both PPP and PPPoE for well over ten years now, I have no way to completely test, a diff would be nice. Nick. Mitja Muenih / Kerberos.si / wrote: Yes, I can confirm that. I too got bitten by it before and I was considering proposing a patch for upgradeXX.html, but I got sidetracked. Mitja -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Balmer Sent: Thursday, July 10, 2008 3:55 PM To: [EMAIL PROTECTED] Cc: misc@openbsd.org Subject: note for faq, maybe if you use pppoe(4) for internet, and want to do a remote update from 4.2 to 4.3, over said pppoe(4) link, then the normal update procedure will not work, because the 4.3 kernel and the 4.2 ifconfig binary can not work together. after rebooting the new 4.3 bsd kernel, the network will not be configured and you will walk/drive to the system (just like I did today). so, before rebooting to 4.3, at least unpack the 4.3 ifconfig binary from base43.tgz - Marc
Re: sshd_config(5) PermitRootLogin yes
And they got it all wrong. It is all for the perceived sense of security. Not being able to login over ssh right after install sucks. I am that guy that ends up enabling it on all other boxes that use a different default. The machine I install and then deploy to be hostile network connected gets some extra love in that department however crippling every box by default for no gain is counter productive. On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopulated. And this is likely the rationale why the rest of the projects changed it. ~~BAS On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: note for faq, maybe
On Thu, Jul 10, 2008 at 2:26 PM, Nick Holland [EMAIL PROTECTED] wrote: Sounds good, but as I've successfully avoided both PPP and PPPoE for well over ten years now, I have no way to completely test, a diff would be nice. We will also need one for UUCP over RFC1149. :) (through a bitnet gateway)... -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
Re: sendmail -B option
On July 10, 2008 12:21:59 pm Philip Guenther wrote: On Thu, Jul 10, 2008 at 9:59 AM, Vijay Sankar [EMAIL PROTECTED] wrote: ... I don't think -B8BITMIME works with sendmail on OpenBSD -- at least it does not on my 4.3 i386 from CD and on 4.4 -current. sigh What do you think it does, how did you use it, and how did you determine that it has no effect? I've already noted that the -B option only affects submission and is ignored when running sendmail as a daemon, making GVG's usage of it incorrect. If you aren't feeding the sendmail command an email message on stdin, then the -B option isn't for you. Philip Guenther Sorry for the noise. I should not have sent that message. What happened was, in a misguided attempt to help, I tried running sendmail with the various options GVG had mentioned. /usr/sbin/sendmail -L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X /$HOME/mail_log and got the error Jul 10 11:54:09 vijay sm-mta[22142]: NOQUEUE:SYSERR(root): /etc/mail/sendmail.cf: line 0: cannot open: No such file or directory on my desktop. Obviously this had nothing to do with -B8BITMIME and was due to my having renamed /etc/mail/sendmail.cf sometime ago to /etc/mail/sendmail.cf.original. But I misunderstood the error because I was in a rush and thought it was due to the flag -B8BITMIME. Thanks very much for taking the time to correct my mistake. Vijay -- Vijay Sankar, M.Eng., P.Eng. ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: Digital IO - Phidgets support? alternatives?
Hi, here's the Barix voice :) The products are quite different in that the Barionet can be programmed in a basic dialect for quite sophisticated functions (if required), connects via IP, and can be polled by SNMP, CGI, UDP or TCP (ascii protocols). You could also use much cheaper products from our range (see http://www.barix.com barix website ) like the X8 or IO12 (industrial I/O), but these have an RS-485 interface so you need to poll them with Modbus/RTU - or have the Barionet do this for you .. Greetings ! Johannes Tom Le Page wrote: Are there any alternative solutions that I should look at? I've used an alternate standalone solution. Do a search for Barix Barionet. Per unit it may appear to be more expensive, but Thanks for that, I had not come across the Barix range of devices before. Indeed, it does appear more expensive per unit! But it should be simpler to query (http) than the Phidgets...
Re: trouble with running spamd on 4.4 BETA [SOLVED]
Hi again, It seems that I needed: set skip on lo0 Funny thing is that the same ruleset works on 4.3 without the need for this statement. Was there some change in the route-to logic from 4.3 to 4.4? This may be of interest for someone running spamd in a bridge setup. Kind regards, Jose.
Re: Iwi, wireless bad behavior
On Thu, 3 Jul 2008, Edd Barrett wrote: Hi, If you get the wep key (or network name) wrong when configuring iwi network drivers the card becomes useless until you reboot. This is annoying when at a friend's house and I mistype the key, for example. I have tried taking the interface down and back up; it makes no difference. Is there a way of resetting the card altogether?

thinky% ifconfig iwi0
iwi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:12:f0:79:36:41
        groups: wlan
        media: IEEE802.11 autoselect
        status: no network
        ieee80211: nwid 100dBm
thinky% sudo ifconfig iwi0 nwid SquishMitten nwkey 0xedd1edd2edd3edd4edd5edd666
thinky% sudo dhclient iwi0
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 7
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 9
DHCPOFFER from 192.168.1.254
DHCPREQUEST on iwi0 to 255.255.255.255 port 67
DHCPACK from 192.168.1.254
bound to 192.168.1.69 -- renewal in 43200 seconds.
thinky% ifconfig iwi0
iwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:12:f0:79:36:41
        groups: wlan egress
        media: IEEE802.11 autoselect
        status: active
        ieee80211: nwid SquishMitten chan 1 bssid 00:11:95:54:90:97 77dB nwkey not displayed 100dBm
        inet6 fe80::212:f0ff:fe79:3641%iwi0 prefixlen 64 scopeid 0x1
        inet 192.168.1.69 netmask 0xff00 broadcast 192.168.1.255
thinky% sudo ifconfig iwi0 nwid SquishMitten nwkey 0xedd1edd2edd3edd4edd5edd667
thinky% sudo dhclient iwi0
DHCPREQUEST on iwi0 to 255.255.255.255 port 67
DHCPREQUEST on iwi0 to 255.255.255.255 port 67
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 7
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 15
^C
thinky% ifconfig iwi0
iwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:12:f0:79:36:41
        groups: wlan egress
        media: IEEE802.11 autoselect
        status: no network
        ieee80211: nwid SquishMitten nwkey not displayed 100dBm
        inet6 fe80::212:f0ff:fe79:3641%iwi0 prefixlen 64 scopeid 0x1
        inet 192.168.1.69 netmask 0xff00 broadcast 192.168.1.255
thinky% sudo ifconfig iwi0 nwid SquishMitten nwkey 0xedd1edd2edd3edd4edd5edd666
thinky% sudo dhclient iwi0
DHCPREQUEST on iwi0 to 255.255.255.255 port 67
DHCPREQUEST on iwi0 to 255.255.255.255 port 67
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 6
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 6
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 13
DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 19
^C
thinky% ifconfig iwi0
iwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:12:f0:79:36:41
        groups: wlan egress
        media: IEEE802.11 autoselect
        status: no network
        ieee80211: nwid SquishMitten nwkey not displayed 100dBm
        inet6 fe80::212:f0ff:fe79:3641%iwi0 prefixlen 64 scopeid 0x1
        inet 192.168.1.69 netmask 0xff00 broadcast 192.168.1.255

Thanks

I have similar behavior using the bwi(4) driver, although I'm using WPA2. But it's something worse, since I can use it for some minutes until I lose the connection. After that, I can't even make nfe(4) run. The only solution I found is to reboot. Since this isn't a solution, when possible I prefer to use the nfe(4) Ethernet connection. Cheers,
Re: sendmail STARTTLS
On Thu, Jul 10, 2008, GVG GVG wrote: I first have to excuse myself cause I claimed that there were no errors in the log file! Well, there was no debugging output enabled. Now I did that with '-d0-17.4' flags! You do NOT need to enable debugging to get logging... Still I don't see anything weird in there! I don't know if you can provide with an example of such an error or warning? STARTTLS=server: file /etc/mail/smkey.pem unsafe: Group readable file Either you aren't running sendmail or you broke logging...
Re: sshd_config(5) PermitRootLogin yes
Marco Peereboom wrote: And they got it all wrong. It is all for the perceived sense of security. Not being able to login over ssh right after install sucks. I am that guy that ends up enabling it on all other boxes that use a different default. The machine I install and then deploy to be hostile network connected gets some extra love in that department however crippling every box by default for no gain is counter productive. maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had PermitStupidEmails No as the default. i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security. On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopulated. And this is likely the rationale why the rest of the projects changed it. ~~BAS On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: Iwi, wireless bad behavior
On Thu, Jul 10, 2008 at 7:43 PM, Daniel B. [EMAIL PROTECTED] wrote: After that, I can't even make nfe(4) run. After iwi is boned, also my fxp is boned. Same situation different hardware. I mailed damien pointing at this thread, but no reply. -- Best Regards Edd http://students.dec.bournemouth.ac.uk/ebarrett
Re: sshd_config(5) PermitRootLogin yes
Dude, Why do you let them tell you because the source blah blah? Isn't that why you pay them lots of $$? On 7/10/08, Brian A. Seklecki [EMAIL PROTECTED] wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
Transparent OpenBSD firewall rules for Retrospect
Hi OpenBSD PF experts, I am managing a private network 192.168.1.0/24; 192.168.1.2 is my Retrospect backup server running on OS X 10.5 to back up the rest of the computers. To add another layer to protect my backup server, I added an OpenBSD 4.3 PF transparent firewall in front of 192.168.1.2. Since it is transparent, all my current private network settings stay the same.

my /etc/bridgename.bridge0:

add sis0
add sis1
blocknoip sis0
blocknoip sis1
up

my /etc/pf.conf:

ext_if=sis0
int_if=sis1
localnet=192.168.1.0/24
# only filter ext_if interface, so pass everything on int_if
pass in quick on $int_if all
pass out quick on $int_if all
# pass out everything by default on ext_if, block in everything on ext_if
pass out log on $ext_if all
block in log on $ext_if all
# Allow incoming Retrospect client tcp port
pass in log quick on $ext_if proto tcp from any to $localnet \
    port { 497 } modulate state
pass in log quick on $ext_if proto udp from any to $localnet \
    port { 497 } modulate state

Now the problem: it seems a random problem that the Retrospect server could not locate the Retrospect client computer. I googled; the Retrospect server is sending a udp packet to the IP multicast address 224.1.0.38 to locate the client computer listening on port 497. Here is the tcpdump I ran on OpenBSD to catch the udp traffic when Retrospect has a problem contacting the client:

# tcpdump -n -i sis0 port 497
tcpdump: listening on sis0, link-type EN10MB
13:45:34.032842 192.168.1.2.49816 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:34.033865 192.168.1.3.497 > 192.168.1.2.49816: udp 196
13:45:36.047369 192.168.1.2.49817 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:36.048391 192.168.1.3.497 > 192.168.1.2.49817: udp 196
13:45:38.064087 192.168.1.2.49818 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:38.065113 192.168.1.3.497 > 192.168.1.2.49818: udp 196

The server ip 192.168.1.2 does locate the client 192.168.1.3, but Retrospect still complains that the client is not visible from the network. 
If I change the firewall rules to pass in log on $ext_if all and load it immediately, the Retrospect server finds the client immediately. I am lost on how to properly configure PF rules to let the Retrospect server locate the client reliably.
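What the capture above suggests, worked through as an added example (not a reply from the thread and not pf code): the client does not answer to the multicast group, it answers unicast from its own port 497 to the server's ephemeral port. The state that "pass out log on $ext_if all" keeps for the probe is keyed on 224.1.0.38, so the unicast answer matches neither that state nor the "to $localnet port 497" rule, and "block in log on $ext_if all" wins. The model below reduces pf to the three behaviours that decide this (state lookup first, last matching rule wins unless "quick", pass rules keep state by default since OpenBSD 4.1) and runs the two packets from the post through the post's rules and then through an extra rule for the unicast answer. Only sis0 is modelled, since the post passes everything on sis1; the extra rule is my assumption about Retrospect's discovery reply, not something the post confirms.

```python
"""Why the post's ruleset drops the Retrospect client's answer.

Added example, not from the post and not pf itself: a small model of the pf(4)
behaviour that matters here, run over the exchange in the post's tcpdump output.
The "corrected" ruleset is an assumption, not a confirmed fix.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

LOCALNET = ip_network("192.168.1.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the interface
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: str
    iface: str
    proto: Optional[str] = None     # None: any protocol
    src: IPv4Network = ANY
    sport: Optional[int] = None
    dst: IPv4Network = ANY
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.proto in (None, p.proto)
                and ip_address(p.src) in self.src
                and self.sport in (None, p.sport)
                and ip_address(p.dst) in self.dst
                and self.dport in (None, p.dport))


class Filter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()     # (proto, src, sport, dst, dport), both directions

    def process(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.states:
            return "pass (state)"
        last = None
        for r in self.rules:
            if r.matches(p):
                last = r
                if r.quick:
                    break
        if last is None:
            return "pass (default)"     # pf passes when no rule matches at all
        if last.action == "block":
            return "block"
        # A pass rule keeps state. The state holds both endpoints, so a reply only
        # matches it if it comes back from the address the packet was sent to.
        self.states.add(key)
        self.states.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return "pass (rule)"


def original_rules() -> List[Rule]:
    """The post's pf.conf, rule for rule."""
    return [
        Rule("pass", "in", "sis1", quick=True),
        Rule("pass", "out", "sis1", quick=True),
        Rule("pass", "out", "sis0"),
        Rule("block", "in", "sis0"),
        Rule("pass", "in", "sis0", proto="tcp", dst=LOCALNET, dport=497, quick=True),
        Rule("pass", "in", "sis0", proto="udp", dst=LOCALNET, dport=497, quick=True),
    ]


def corrected_rules() -> List[Rule]:
    """Assumed fix: the client answers from unicast port 497 to the server's
    ephemeral port, so that answer needs a pass rule of its own."""
    return original_rules() + [
        Rule("pass", "in", "sis0", proto="udp", src=LOCALNET, sport=497,
             dst=LOCALNET, quick=True),
    ]


def discovery_exchange() -> List[Packet]:
    """The probe and the answer from the post's tcpdump, as seen on sis0."""
    probe = Packet("out", "sis0", "udp", "192.168.1.2", 49816, "224.1.0.38", 497)
    reply = Packet("in", "sis0", "udp", "192.168.1.3", 497, "192.168.1.2", 49816)
    return [probe, reply]


def run(rules: List[Rule]) -> List[str]:
    f = Filter(rules)
    return [f.process(p) for p in discovery_exchange()]


if __name__ == "__main__":
    print("original: ", run(original_rules()))
    print("corrected:", run(corrected_rules()))
```

Before changing the ruleset, confirm the diagnosis on the box itself: the post's "block in log" rule writes to pflog, so `tcpdump -n -e -ttt -i pflog0 port 497` should show exactly the 192.168.1.3.497 > 192.168.1.2.49816 packets being blocked on sis0. If it does, the pf.conf equivalent of the extra rule above is a "pass in quick on $ext_if proto udp from $localnet port 497 to $localnet" line; keeping the source restricted to $localnet and port 497 is what makes it tighter than the "pass in on $ext_if all" that also happened to work.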
Re: Digital IO - Phidgets support? alternatives?
There is also the Tini from Dallas. This is a more low level approach, but it comes with a lightweight unix-like shell, and supports a variety of interface busses and protocols, http, ppp, ftp and others, and can be programmed in c, java or assembly. I've used it extensively, and while there's things I dislike about it, I've simply found nothing better for my use. I've set up some fairly extensive networks performing a plethora of tasks - instrumentation, data acquisition, control, security, automation etc etc. If you want a plug and play solution, the barix is probably better, but if you want the flexibility, power and control of a lower level implementation, then the tini is hard to beat. On 9/07/2008, at 8:46 PM, Tom Le Page wrote: Are there any alternative solutions that I should look at? I've used an alternate standalone solution. Do a search for Barix Barionet. Per unit it may appear to be more expensive, but Thanks for that, I had not come across the Barix range of devices before. Indeed, it does appear more expensive per unit! But it should be simpler to query (http) than the Phidgets...
Re: yacc rebuild
Charles Smith wrote: Good afternoon! So, before the next make build I must rebuild the yacc alone. I would like to know how can I rebuild yacc. I searched in old errata patches, Makefiles, bsd.*.mk files. In my previous logfile (2008.07.07/src_make_build) I see, that by yacc the make cleandir is used: rm -f yacc.cat1 ... rm -f .depend ...tags So is this correct?

cd usr.bin/yacc
make obj
make cleandir
make depend
make
make install

In general, how can I ascertain, what kind of make Phony Targets must I use? I didn't read through the whole stuff (docs, all Makefiles, etc) yet, so I rejoice at a link too.

Start with a snapshot, then you don't have to worry about this at all. Don't make your life more difficult than it needs to be... Nick.
Re: Can't install using pkg_add [SOLVED]
--- On Thu, 7/10/08, Louis V. Lambrecht [EMAIL PROTECTED] wrote: Frankly, re-re-re-re-read the FAQ. Since you just re-installed and still want -current packages, the best way would be to grab a snapshot and do a fresh install. Do this on a date at which your mirror has packages with the same date as the snapshots (or a day or two off). Release updates are almost foolproof, updating from snapshots might break, while a snapshot of the next day would be perfect. My personal opinion: when you have both the stock OS and sources and started installing packages, I experienced it to be safe to keep pkg_add'ing for a week or two. Certainly not do a cvs. When packages fail to install, switch to installing the ports from source (still without having done a cvs: keep OS, sources, ports tree at the same date). Actually, I have 2 slices, one with a working environment, one with a testing environment. Yet another slice with my server's data, archives, distfiles, ... Every 2 months or so I install a snapshot and most used packages on the testing slice and switch the boot slice when all is well. To be honest, I have a third installation on an USB key where I test the snapshot. First an upgrade, and if it is OK, I upgrade the testing slice. If not OK, I read misc@ and undeadly for hints and wait a couple of weeks to try another snapshot. Doing so, I have 2 (eventually 3) OSes to boot from and access my data and archives. Current is where the team is developing, what works now can break in the next minutes, and work perfectly half an hour later. If you really need current, test it on a separate slice. Don't touch a good working installation. Before I forget: mighty important! keep copies of /var/backups on a safe place before upgrading/re-installing. Time-saver.

thanks for your help and advice. Now I have been able to use OpenBSD 4.3 stable and run a desktop with gnome[1].

yes, i have a plan for dual boot OpenBSD, one for stable and one for current, but for now i'll stick to using the OpenBSD 4.3 Stable branch. thank you all for helping me use OpenBSD for the first time :) this is a big experience for me :)

[1]http://img2.freeimagehosting.net/uploads/673111fb18.jpg
Another way to help OpenBSD
All the developers are great, but even so some stand out. Otto writes a lot of very good code, fixed ancient bugs, is nice to random idiots like me here on misc@openbsd.org, and a lot of other good things. A little bird (not Otto) told me he's got a wishlist with a couple of books. If someone were to buy these for him perhaps he could use one or two things from them in upcoming code. ;-) If anyone is feeling generous please see: http://www.amazon.com/gp/registry/P6RBCK0YFTZ

--
Darrin Chandler            | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED]          | http://phxbug.org/     | http://metabug.org/
http://www.stilyagin.com/  | Daemons in the Desert  | Global BUG Federation
Re: CVS: cvs.openbsd.org: src
On Jun 14, 2008, at 1:47 PM, Damien Miller wrote: Just to reinforce the experimental thing: There are some big softraid changes coming that will alter the on-disk metadata format (for all softraid disciplines, not just crypto). Volumes created with the current tools will be unreadable afterwards. In the meantime, we appreciate test reports but please don't complain about incompatibility after cvs up. We will announce when the format has stabilised.

I don't see a lot of changes to softraid.c since June, and am not expert enough to tell if these would be affecting the on-disk format. I also don't see anything in current.html about softraid. should i just hold off updating my machines? should I update weekly with lots of dump restore? I'm uncomfortable getting too far behind the curve.

thanks, Ben -d
Re: CVS: cvs.openbsd.org: src
I currently have a 3500 line diff in my tree that completely rewrites softraid metadata handling. The idea is that when this goes in we can start adding foreign raid formats as sub-drivers to softraid. This also fixes issues of power failures and crashes where the checksums are no longer correct. To top it all the code is far cleaner now. I am about 95% done so hang in there. When this change goes in old softraid metadata formats will no longer work! So now is a good time to get dumps going. I am _not_ planning on adding a metadata driver for the previous versions. I will be soliciting tests soonish to get the diff production ready so that we can officially support RAID 0 and CRYPTO for the 4.4 release. RAID 1 will continue to be experimental until I get a chance to work out the rebuild mechanics (hi henning!!).

/marco

On Thu, Jul 10, 2008 at 08:20:29PM -0700, Ben Calvert wrote: On Jun 14, 2008, at 1:47 PM, Damien Miller wrote: Just to reinforce the experimental thing: There are some big softraid changes coming that will alter the on-disk metadata format (for all softraid disciplines, not just crypto). Volumes created with the current tools will be unreadable afterwards. In the meantime, we appreciate test reports but please don't complain about incompatibility after cvs up. We will announce when the format has stabilised. I don't see a lot of changes to softraid.c since June, and am not expert enough to tell if these would be affecting the on-disk format. I also don't see anything in current.html about softraid. should i just hold off updating my machines? should I update weekly with lots of dump restore? I'm uncomfortable getting too far behind the curve. thanks, Ben -d
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote: maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had

I didn't want to rehash it all again. Everyone knows the issues. However, with respect to the right to disagree, if Marco's and Darrin's belief that if remote-network-postinstall configuration is the standing reason, then I consider myself in disagreement.

Also, I think there is a false premise to the argument by Marco and Jacob that disabling remote root login by default does not provide real security, only a false illusion. That sounds like a slippery slope. We all know that security is a process. There is a security risk / attack vector here, however remote; without password quality and failed-login tarpit/delay mechanisms, a remote root password is subject to brute force. Plus, hypothetically, how strong is a temporary root password going to be? It's not going to be the one that you use in production, so likely you're going to recycle the same one after every install.

- Yes qualified administrators filter sshd(8) w/ pf(4)
- Yes qualified administrators choose strong passwords
- Yes qualified administrators disable PermitRootLogin afterboot
- Yes qualified administrators always use sudo(8) and never use root shells

I propose, as a compromise, wrapping PermitRootLogin around a Match statement, limited to the default local subnet gleaned during the install network config (no LocalSubnets macro exists in sshd_config(5), afaik, but that would be best). It's just the right thing to do; and we should be leading by example. Either way, it's a healthy discussion worth having.

~~BAS

PermitStupidEmails No as the default. i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security.

On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable?

No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopulated. And this is likely the rationale why the rest of the projects changed it.

~~BAS

On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I don't have a fresh install anywhere -- but I want to say that it doesn't default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some noise about: Well the source vendor doesn't disable it by default ...

~BAS

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail? ~Maynard James Keenan
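An added illustration of the Match-based compromise proposed in the message above; this is not from the thread or from OpenSSH, but a small model of how sshd_config(5) resolves a keyword set both globally and inside a Match Address block. The config fragment, the 192.168.1.0/24 "install subnet" and the client addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sshd_config fragment (not from the thread) expressing the
# compromise proposed above: root login denied globally, allowed only from
# the local subnet recorded at install time (192.168.1.0/24 is assumed).
CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
Match Address 192.168.1.0/24
    PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return (global_opts, [(networks, opts), ...]) in file order.

    Simplified model of sshd's parser: only 'Match Address' criteria are
    understood, keywords are case-insensitive, and for a repeated keyword
    the first value obtained wins, as sshd_config(5) describes."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            crit, _, nets = value.partition(" ")
            if crit.lower() != "address":
                raise ValueError("only Match Address is modelled here")
            current = ([ip_network(n.strip()) for n in nets.split(",")], {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(keyword, value)
        else:
            current[1].setdefault(keyword, value)
    return global_opts, blocks


def effective(text, keyword, client_addr):
    """Value sshd applies for keyword to a connection from client_addr:
    the first matching Match block that sets it, else the global value."""
    global_opts, blocks = parse_sshd_config(text)
    addr, keyword = ip_address(client_addr), keyword.lower()
    for nets, opts in blocks:
        if keyword in opts and any(addr in net for net in nets):
            return opts[keyword]
    return global_opts.get(keyword)


if __name__ == "__main__":
    for client in ("192.168.1.50", "203.0.113.9"):
        print(client, "PermitRootLogin", effective(CONFIG, "PermitRootLogin", client))
```

On a real host the equivalent check is sshd -T with -C addr=<client> (OpenSSH 5.1 and later), which prints the effective value for that connection.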
Re: sshd_config(5) PermitRootLogin yes
On Jul 10, 2008, at 9:19 PM, Brian A. Seklecki [EMAIL PROTECTED] wrote: On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote: maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list

There is a security risk / attack vector here, however remote; without password quality and failed-login tarpit/delay mechanisms, a remote root password is subject to brute force. Plus, hypothetically, how strong is a temporary root password going to be? It's not going to be the one that you use in production, so likely you're going to recycle the same one after every install.

Don't be stupid. Problem solved.

- Yes qualified administrators filter sshd(8) w/ pf(4)
- Yes qualified administrators choose strong passwords
- Yes qualified administrators disable PermitRootLogin afterboot
- Yes qualified administrators always use sudo(8) and never use root shells

I propose, as a compromise, wrapping PermitRootLogin around a Match statement, limited to the default local subnet gleaned during the install network config (no LocalSubnets macro exists in sshd_config (5), afaik, but that would be best). It's just the right thing to do; and we should be leading by example. Either way, it's a healthy discussion worth having.

~~BAS

PermitStupidEmails No as the default. i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security.

On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable?

No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopulated. And this is likely the rationale why the rest of the projects changed it.

~~BAS

On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I don't have a fresh install anywhere -- but I want to say that it doesn't default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some noise about: Well the source vendor doesn't disable it by default ...

~BAS

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail? ~Maynard James Keenan
Re: sshd_config(5) PermitRootLogin yes
On Fri, Jul 11, 2008 at 12:19:27AM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote: maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had I didn't want to rehash it all again. Everyone knows the issues. However, with respect to the right to disagree, if Marco's and Darrin's belief that if remote-network-postinstall configuration is the standing reason, then I consider myself in disagreement. ... Either way, its a healthy discussion worth having. I believe you may be overlooking the fact that while we might have a healthy discussion on this subject and decide what the default will be for BASBSD, the people who make the decisions for OpenBSD have already decided. We don't get to vote on that. We may decide how to handle our own installations, but unless you've read through the archives and found an argument that has not been considered, it is best to leave it at that.
Re: Another way to help OpenBSD
On Fri, Jul 11, 2008 at 3:07 AM, Darrin Chandler [EMAIL PROTECTED] wrote: All the developers are great, but even so some stand out. Otto writes a lot of very good code, fixed ancient bugs, is nice to random idiots like me here on misc@openbsd.org, and a lot of other good things. A little bird (not Otto) told me he's got a wishlist with a couple of books. If someone were to buy these for him perhaps he could use one or two things from them in upcoming code. ;-) If anyone is feeling generous please see: http://www.amazon.com/gp/registry/P6RBCK0YFTZ Happy early birthday Otto. A little bird told me that your book will be at your door in 6-22 days...