Re: Can't install using pkg_add from FTP mirror and from Local Mirror

2008-07-10 Thread Jacob Meuser
On Wed, Jul 09, 2008 at 07:45:01PM -0700, my mail wrote:
 --- On Wed, 7/9/08, Jacob Meuser [EMAIL PROTECTED] wrote:
 
  From: Jacob Meuser [EMAIL PROTECTED]
  Subject: Re: Can't install using pkg_add from FTP mirror and from Local 
  Mirror
  To: misc@openbsd.org
  Date: Wednesday, July 9, 2008, 8:27 AM
  On Wed, Jul 09, 2008 at 01:04:38AM -0700, my mail wrote:
   I have successfully installed OpenBSD 4.3, but when I want
  to install packages using pkg_add, why can't I install it?
  
   First I tried from a local SSH server on my LAN
  
   ---
   # export
  PKG_PATH=scp://[EMAIL PROTECTED]/OpenBSD4.3/i386/
   # pkg_add gdm
   [EMAIL PROTECTED]'s password:
   Can't install glib2-2.14.5: lib not found
  iconv.4.0
   Dependencies for glib2-2.14.5 resolve to:
  libiconv-1.12, pcre-7.6, gettext-0.17
   Full dependency tree is
  libiconv-1.12,pcre-7.6,gettext-0.17
   iconv.4.0: partial match in /usr/local/lib: major=5,
  minor=0 (bad major)
 
  you have libiconv.so.5.0 installed, but you are trying to
  install
  something that wants libiconv.so.4.0.
 
  libiconv.so.5.0 is from -current (since May 28, 2008), but
  you appear
  to be pointing at a 4.3-release package repository, and you
  said you
  installed 4.3.
 
  looks like you are experiencing confusion with -release and
  snapshots.
 
  http://www.openbsd.org/faq/faq5.html#Flavors
 
 
 thanks for your reply, but I have downloaded OpenBSD 4.3 from this address 
 ftp://ftp.jaist.ac.jp/pub/OpenBSD/4.3/
 
 and all packages I downloaded from this 
 ftp://ftp.jaist.ac.jp/pub/OpenBSD/4.3/packages/
 
 so all of this I installed is the OpenBSD release, not snapshots
 
 why does my system have libiconv.so.5.0, because I never installed it?
 
 
 is it possible this happened because I installed bash from ports?
 after installing openbsd, then I installed bash from ports, then I tried to install 
 gdm from the packages I have downloaded.

my guess is you checked out or updated your ports tree incorrectly.
you want 4.3 ports to match your 4.3 base, so you need to use the
-rOPENBSD_4_3 tag with the cvs command.  otherwise, you will get a
-current ports tree, and you will have problems.

http://www.openbsd.org/anoncvs.html

 
 thanks
 

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: how to undelete?

2008-07-10 Thread Leonardo Rodrigues
If I'm not mistaken, openbsd zeroes the data when you delete a file.
I remember trying to recover a file and then receiving a 0Kb file =)

If you still want to try, you could try using the sleuth kit
(available in ports) to recover something.



Re: why pf log output to /var/log/messages /dev/console ?

2008-07-10 Thread Dongsheng Song
Thank you, it's OK now !

2008/7/10 Daniel Melameth [EMAIL PROTECTED]:
 On Wed, Jul 9, 2008 at 6:48 PM, Dongsheng Song [EMAIL PROTECTED] wrote:
 I searched /etc/syslog.conf, but can't find how to disable it.

 Jul 10 08:40:04 proxy /bsd: pf: loose state match: TCP in wire:
 192.168.4.132:3833 58.253.67.248:80 stack: - [lo=3472355129
 high=3472419308 win=65535 modulator=0] [lo=3167937694 high=3168002906
 win=64857 modulator=0] 10:10 R seq=3472355129 (3472354451)
 ack=3167937694 len=0 ackskew=0 pkts=5:3 dir=in,fwd
 Jul 10 08:43:37 proxy /bsd: pf: wire key attach failed on all: TCP out
 wire: 219.149.124.163:80 210.21.12.116:50157 [lo=1492402397
 high=1492402399 win=14600 modulator=0] [lo=0 high=1 win=1 modulator=0]
 2:0
 Jul 10 08:43:37 proxy /bsd: pf: OK ICMP 3:1 192.168.1.2 -
 192.168.2.51 state: TCP in wire: 192.168.2.51:2230 219.149.124.163:80
 stack: - [lo=1492402397 high=1492402399 win=14600 modulator=0] [lo=0
 high=1 win=1 modulator=0] 2:0 seq=1492402397

 Appears you turned pf debugging on--try 'pfctl -x none' to shut it off.
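As an added example (not from the thread), a small Python parser for the `pf:` kernel messages quoted above: it classifies each line as one of the message kinds shown, pulls out protocol, direction and the two endpoints, and reports whether pf debug logging appears to be on, which is what the reply diagnosed. The sample is the three lines from the message plus one constructed non-pf line; the syslog layout and the list of debug message kinds are assumptions based on the quoted output.

```python
import re
from collections import Counter

# Constructed sample: the three pf lines quoted in the thread plus one unrelated syslog line,
# in the /var/log/messages layout assumed here ("Mon DD HH:MM:SS host /bsd: pf: ...").
SAMPLE_LOG = """\
Jul 10 08:40:04 proxy /bsd: pf: loose state match: TCP in wire: 192.168.4.132:3833 58.253.67.248:80 stack: - [lo=3472355129 high=3472419308 win=65535 modulator=0] [lo=3167937694 high=3168002906 win=64857 modulator=0] 10:10 R seq=3472355129 (3472354451) ack=3167937694 len=0 ackskew=0 pkts=5:3 dir=in,fwd
Jul 10 08:43:37 proxy /bsd: pf: wire key attach failed on all: TCP out wire: 219.149.124.163:80 210.21.12.116:50157 [lo=1492402397 high=1492402399 win=14600 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0
Jul 10 08:43:37 proxy /bsd: pf: OK ICMP 3:1 192.168.1.2 - 192.168.2.51 state: TCP in wire: 192.168.2.51:2230 219.149.124.163:80 stack: - [lo=1492402397 high=1492402399 win=14600 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 seq=1492402397
Jul 10 08:44:01 proxy sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

# The message kinds seen in the thread; pf emits these only when its debug level is raised.
DEBUG_KINDS = ("loose state match", "wire key attach failed", "OK ICMP")

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /bsd: pf: (?P<msg>.*)$")
# e.g. "TCP in wire: 192.168.4.132:3833 58.253.67.248:80" -> protocol, direction, two endpoints
STATE_RE = re.compile(r"(?P<proto>[A-Z]+) (?P<dir>in|out) wire: (?P<a>[\d.]+):(?P<ap>\d+) (?P<b>[\d.]+):(?P<bp>\d+)")


def parse_pf_line(line):
    """Return a record for a pf kernel message, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    kind = next((k for k in DEBUG_KINDS if msg.startswith(k)), "other")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "kind": kind}
    s = STATE_RE.search(msg)
    if s:
        rec["proto"] = s.group("proto")
        rec["direction"] = s.group("dir")
        # the two endpoints exactly as pf printed them (wire side)
        rec["endpoints"] = (f"{s.group('a')}:{s.group('ap')}", f"{s.group('b')}:{s.group('bp')}")
    return rec


def summarize(log_text):
    """Count pf messages by kind; any debug kind present means the debug level is above 'none'."""
    counts = Counter()
    records = []
    for line in log_text.splitlines():
        rec = parse_pf_line(line)
        if rec is not None:
            records.append(rec)
            counts[rec["kind"]] += 1
    debug_on = any(k != "other" for k in counts)
    return {"counts": dict(counts), "records": records, "debug_logging_on": debug_on}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for rec in result["records"]:
        print(rec["ts"], rec["kind"], rec.get("proto"), rec.get("direction"), rec.get("endpoints"))
    if result["debug_logging_on"]:
        print("pf debug messages present; 'pfctl -x none' turns debug logging off")
```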



Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Pete Vickers
looks like there is some work in progress to update the in-tree BIND  
to 9.4.2-P1 + local tweaking, for example:


http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch.c?r1=1.8

As Theo points out, patience is a virtue, and it's the + local  
tweaking above that is the reason I gratefully use OpenBSD.



/Pete




On 9 Jul 2008, at 16:45, Zamri Besar wrote:


Good morning,

Today I received an alert from one of my friends regarding
Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable
to cache poisoning.
http://www.kb.cert.org/vuls/id/800113

I checked the above site, and found that most of the *BSD statuses are
unknown. Does this bug affect OpenBSD's default BIND DNS?

I don't know whether the above bug is similar to this thread or not.
http://marc.info/?l=openbsd-misc&m=118539211412877&w=2

--
Thank you.

Yours truly,

Zamri Besar




Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Peter N. M. Hansteen
Pete Vickers [EMAIL PROTECTED] writes:

 looks like there is some work in progress to update the in-tree BIND
 to 9.4.2-P1 + local tweaking, for example:

reading tea leaves^H^H^H^H^H^H^H^H^H^Hsource-changes has me thinking
the BIND bug has spurred some activity in other parts of the tree, too
(as in, bugs are never unique, in OpenBSD we look for patterns or
whole classes of bugs and fix them).

 As Theo points out, patience is a virtue, and it's the + local
 tweaking above that is the reason I gratefully use OpenBSD.

AOL!

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Can't install using pkg_add from FTP mirror and from Local Mirror

2008-07-10 Thread my mail
--- On Thu, 7/10/08, Jacob Meuser [EMAIL PROTECTED] wrote:

 From: Jacob Meuser [EMAIL PROTECTED]
 Subject: Re: Can't install using pkg_add from FTP mirror and from Local Mirror
 To: misc@openbsd.org
 Date: Thursday, July 10, 2008, 6:24 AM
 On Wed, Jul 09, 2008 at 07:45:01PM -0700, my mail wrote:
  --- On Wed, 7/9/08, Jacob Meuser
 [EMAIL PROTECTED] wrote:
  
 
 my guess is you checked out or updated your ports tree
 incorrectly.
 you want 4.3 ports to match your 4.3 base, so you need to
 use the
 -rOPENBSD_4_3 tag with the cvs command.  otherwise, you
 will get a
 -current ports tree, and you will have problems.
 
 http://www.openbsd.org/anoncvs.html

thank you all (Jacob Meuser, Markus Lude, Louis V. Lambrecht, James Hartley) 
for your help

I have reinstalled my OpenBSD 4.3 and then used -rOPENBSD_4_3 to update 
ports, and now I have been able to install from packages and ports.

It's my fault because, as I remember, I updated ports without the -rOPENBSD_4_3 
tag.

I'm a little bit confused about release and stable: if I download the ISO from 
the OpenBSD/4.3 ftp, then this is a release; then if I want to use --stable, I must 
use the -rOPENBSD_4_3 tag to update ports, xenocara and src, and I am able to use 
packages for the 4.3 release.

But what if I want to use the current tag? After I update ports, what packages 
must I use? Because when I use 4.3 packages, it does not work.

thanks



Re: how to undelete?

2008-07-10 Thread Henning Brauer
* Leonardo Rodrigues [EMAIL PROTECTED] [2008-07-10 08:50]:
 If I'm not mistaken, openbsd zeroes the data when you delete a file.

no, that would be pointless.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Ports dependencies

2008-07-10 Thread Eric Dillenseger
Hi misc@,

When installing a package from the ports, there are build dependencies
and runtime dependencies.
In many cases, B-deps aren't used once the package is installed.

Is there any other way than looking at the ports makefile to spot the
B-deps installed on a system ?



sendmail STARTTLS

2008-07-10 Thread GVG GVG
Dear list,

running currently 4.3 generic with sendmail:
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SCANF
STARTTLS TCPWRAPPERS USERDB XDEBUG
--

did try to setup STARTTLS but I don't think that it works! here are the
modifications in my .mc file:

--
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
-

Following 'man starttls' I should get:


 # telnet localhost 25
   Trying ::1...
   Connected to localhost.
   Escape character is '^]'.
   220 localhost ESMTP Sendmail 8.12.1/8.12.1 ready
   EHLO localhost

 After typing EHLO localhost you should receive something like the
 following back.

   250-localhost Hello localhost [IPv6:::1], pleased to meet you
   250-ENHANCEDSTATUSCODES
   250-PIPELINING
   250-8BITMIME
   250-SIZE
   250-DSN
   250-ETRN
   250-STARTTLS
   250-DELIVERBY
   250 HELP
--

but I'm missing the '250 STARTTLS' entry from the above output!

Any idea what might have gone wrong?

Thanks

George



Re: Ports dependencies

2008-07-10 Thread Dawe

Eric Dillenseger wrote:

Hi misc@,

When installing a package from the ports, there are build dependencies
and runtime dependencies.
In many cases, B-deps aren't used once the package is installed.

Is there any other way than looking at the ports makefile to spot the
B-deps installed on a system ?



pkg_info -t might help you.



Re: sendmail STARTTLS

2008-07-10 Thread GVG GVG
On Thu, Jul 10, 2008 at 3:13 PM, giovanni [EMAIL PROTECTED] wrote:

 pkg_add cyrus-sasl-.tgz

 # vat /etc/mk.conf
 WANT_SMTPAUTH=yes

 rebuild sendmail

 --
 see ya,
 giovanni


Thanks for your reply but I thought that this is necessary only if SMTP_AUTH
should be enabled! In my case I'll use an IMAP server instead!

George



Re: how to undelete?

2008-07-10 Thread David Vasek

On Thu, 10 Jul 2008, Henning Brauer wrote:


* Leonardo Rodrigues [EMAIL PROTECTED] [2008-07-10 08:50]:

If I'm not mistaken, openbsd zeroes the data when you delete a file.


no, that would be pointless.


For the archives: unless it is specifically requested as
rm -P

Regards,
David



Re: sendmail STARTTLS

2008-07-10 Thread Will Maier
On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
[...]
 did try to setup STARTTLS but I don't think that it works! here are the
 modifications in my .mc file:
 
 --
 define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
 define(`confCACERT_PATH', `CERT_DIR')dnl
 define(`confCACERT', `CERT_DIR/cacert.pem')dnl
 define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
 define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
 define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
 define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
 -

Do those files exist?

 Following 'man starttls' I should get:
[...]
 but I'm missing the '250 STARTTLS' entry from the above output!
 
  Any idea what might have gone wrong?

Did you look in your maillogs?

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*-[ BSD: Live Free or Die ]*



Re: sendmail STARTTLS

2008-07-10 Thread GVG GVG
On Thu, Jul 10, 2008 at 3:33 PM, giovanni [EMAIL PROTECTED] wrote:

 On Thu, Jul 10, 2008 at 03:19:11PM +0200, GVG GVG wrote:
On Thu, Jul 10, 2008 at 3:13 PM, giovanni [EMAIL PROTECTED] wrote:
 
  pkg_add cyrus-sasl-.tgz
 
  # vat /etc/mk.conf
  WANT_SMTPAUTH=yes
 
  rebuild sendmail
 
  --
  see ya,
  giovanni
 
Thanks for your reply but I thought that this is necessary only if
SMTP_AUTH should be enabled! In my case I'll use an IMAP server
 instead!
 yup, I wrote one thing while I was thinking another... sorry!

George

 --
 see ya,
 giovanni


:-) OK

Thanks

George



VPN Failover

2008-07-10 Thread mail-lists

Hello List,

I'm having some issues with IPSec VPN tunnels.

Here is what I'm trying to do:


 I have a VPN 'server' with 2 internet connections (IP1, IP2)

 I have several remote locations which connect to the VPN server.

 When IP1 goes down on the VPN server I want the remote 
locations to negotiate the tunnel with IP2



What is the best way to accomplish this? I have tried a couple of 
different things, none successful.



My ipsec.conf on the server looks like this:

#Remote Location 1
ike passive esp from 10.110.39.0/24 to 10.115.10.0 peer REMOTELOCATION1 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk psk

#Remote Location 2
ike passive esp from 10.110.39.0/24 to 10.115.20.0 peer REMOTELOCATION2 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk psk

My ipsec.conf on one of the remote location machines looks like this:

#Main Office
ike esp from 10.115.20.0 to 10.110.39.0/24 peer MAIN-OFFICE-IP1 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk psk

#Main Office Backup
ike esp from 10.115.20.0 to 10.110.39.0/24 peer MAIN-OFFICE-IP2 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk psk

This doesn't work. When I comment out the 'Backup' tunnel on the remote 
location machine the IP1 tunnel comes up just fine. When I try 
un-commenting it neither of the tunnels come up. I'm pretty sure that 
this is not SUPPOSED to work as the subnets are the same for both 
tunnels. I have played around with the various ike [mode] parameters, 
substituting dynamic, passive, etc. in every possible combination.

I have configured isakmpd to listen on both interfaces on the main 
office machine.

ie.

[general]
Listen-on=IP1,IP2

I have also tried to just change the default routes on the main office 
machine and restart isakmpd. Can anyone recommend a way to do VPN 
failover in this manner? Is it possible to use the DPD of dynamic mode 
to somehow make isakmpd negotiate a backup tunnel when the main tunnel 
goes down?

Thanks so much,

Steve



note for faq, maybe

2008-07-10 Thread Marc Balmer
if you use pppoe(4) for internet, and want to do a remote
update from 4.2 to 4.3, over said pppoe(4) link, then the
normal update procedure will not work, because the 4.3
kernel and the 4.2 ifconfig binary can not work together.

after rebooting the new 4.3 bsd kernel, the network will
not be configured and you will walk/drive to the system (just
like I did today).

so, before rebooting to 4.3, at least unpack the 4.3 ifconfig
binary from base43.tgz

- Marc



Re: sendmail STARTTLS

2008-07-10 Thread GVG GVG
On Thu, Jul 10, 2008 at 3:33 PM, Will Maier [EMAIL PROTECTED] wrote:

 On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
 [...]
  did try to setup STARTTLS but I don't think that it works! here are the
  modifications in my .mc file:
 
  --
  define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
  define(`confCACERT_PATH', `CERT_DIR')dnl
  define(`confCACERT', `CERT_DIR/cacert.pem')dnl
  define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
  define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
  define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
  define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
  -

 Do those files exist?

  Following 'man starttls' I should get:
 [...]
  but I'm missing the '250 STARTTLS' entry from the above output!
 
   Any idea what might have gone wrong?

 Did you look in your maillogs?

 --

 o--{ Will Maier }--o
 | web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
 *-[ BSD: Live Free or Die ]*


Yes they do exist:

--
-bash-3.2$ pwd
/etc/mail/CA
-bash-3.2$ ls -l
total 56
-rw-r--r--  1 root  wheel  1229 Jun 23 17:02 cacert.pem
-rw-r--r--  1 root  wheel   875 Jun 18 13:46 cacert.pm
-rw-------  1 root  wheel  3848 Jun 23 17:11 cert.pem
drwxr-xr-x  2 root  wheel   512 Jun 17 16:25 certs
drwxr-xr-x  2 root  wheel   512 Jun 23 17:17 crl
-rw-------  1 root  wheel     3 Jun 23 17:17 crlnumber
-rw-------  1 root  wheel    68 Jun 23 17:11 index.txt
-rw-------  1 root  wheel    21 Jun 23 17:11 index.txt.attr
-rw-r--r--  1 root  wheel     0 Jun 23 16:46 index.txt.old
-rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
drwxr-xr-x  2 root  wheel   512 Jun 23 17:11 newcerts
drwx------  2 root  wheel   512 Jun 23 16:53 private
-rw-------  1 root  wheel     3 Jun 23 17:11 serial
-rw-r--r--  1 root  wheel     3 Jun 23 16:46 serial.old
---

and in the mail_log there is nothing recorded! No errors or warnings!

Thanks

George



Re: sendmail STARTTLS

2008-07-10 Thread Will Maier
On Thu, Jul 10, 2008 at 03:56:48PM +0200, GVG GVG wrote:
 On Thu, Jul 10, 2008 at 3:33 PM, Will Maier [EMAIL PROTECTED] wrote:
  On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
   --
   define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
   define(`confCACERT_PATH', `CERT_DIR')dnl
   define(`confCACERT', `CERT_DIR/cacert.pem')dnl
   define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
   define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
   define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
   define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
   -
[...]
 Yes they do exist:
 
 --
 -bash-3.2$ pwd
 /etc/mail/CA
 -bash-3.2$ ls -l
 total 56
 -rw-r--r--  1 root  wheel  1229 Jun 23 17:02 cacert.pem
 -rw-r--r--  1 root  wheel   875 Jun 18 13:46 cacert.pm
 -rw-------  1 root  wheel  3848 Jun 23 17:11 cert.pem
 drwxr-xr-x  2 root  wheel   512 Jun 17 16:25 certs
 drwxr-xr-x  2 root  wheel   512 Jun 23 17:17 crl
 -rw-------  1 root  wheel     3 Jun 23 17:17 crlnumber
 -rw-------  1 root  wheel    68 Jun 23 17:11 index.txt
 -rw-------  1 root  wheel    21 Jun 23 17:11 index.txt.attr
 -rw-r--r--  1 root  wheel     0 Jun 23 16:46 index.txt.old
 -rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
 drwxr-xr-x  2 root  wheel   512 Jun 23 17:11 newcerts
 drwx------  2 root  wheel   512 Jun 23 16:53 private
 -rw-------  1 root  wheel     3 Jun 23 17:11 serial
 -rw-r--r--  1 root  wheel     3 Jun 23 16:46 serial.old
 ---

You're missing my{cert,key}.pem.

 and in the mail_log there is nothing recorded! No errors or
 warnings!

Did you restart sendmail?

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*-[ BSD: Live Free or Die ]*



Re: how to undelete?

2008-07-10 Thread Gordon Grieder
On Thu, Jul 10, 2008 at 02:03:12PM +0200, David Vasek wrote:
 
 For the archives: unless it is specifically requested as
 rm -P

For some unknown reason this prompted me to look at the rm manpage for the
hell of it (yeah, bored and tired at the moment). There's an odd comment in
the STANDARDS section which says

The interactive mode used to be a dsw command, a carryover from the an-
cient past with an amusing etymology.

That piqued my interest further (yeah, still bored and still tired at the
moment) so I googled away and found this tidbit about the mysterious dsw
command: http://dvlabs.tippingpoint.com/blog/2008/03/18/a-bit-of-history

 Gord



Re: Actual BIND error - Patching OpenBSD 4.3 named ?

2008-07-10 Thread Stuart Henderson
On 2008-07-09, mark reardon [EMAIL PROTECTED] wrote:
 doxpara.com reports no issues with unbound FWIW.

right, unbound already randomises the source port (arc4random
from guess where) and also the source address if you list more
than one (assign aliases to the interfaces, and list all of
the IP address in outgoing-interface lines in config).

http://nlnetlabs.nl/publications/DNS_cache_poisoning_vulnerability.html

they have their own methods to avoid stomping on ports used
by other UDP services, but since they don't have control over
the rest of the OS, it's a bunch of config parameters, not
quite as elegant as using net.inet.udp.baddynamic populated
from /etc/services entries (see recent commits in source-
changes or in odc on www.squish.net/openbsd/)
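The source-port randomisation described above, as an added example (not unbound's or OpenBSD's code): pick a random UDP source port for a resolver query while avoiding ports that services(5) assigns to other UDP services, which is the role the net.inet.udp.baddynamic list plays in the kernel. The services excerpt is constructed and the port range is an assumption; the last function shows why this matters for VU#800113, since every usable source port adds entropy on top of the 16-bit transaction ID an off-path attacker has to guess.

```python
import math
import secrets

# Constructed excerpt of services(5); only UDP entries matter for a resolver's query source ports.
SERVICES_SAMPLE = """\
# Network services, Internet style
domain          53/tcp      # Domain Name Server
domain          53/udp
bootps          67/udp      # BOOTP server
ntp             123/udp     # Network Time Protocol
netbios-ns      137/udp
snmp            161/udp
isakmp          500/udp
syslog          514/udp
ipsec-nat-t     4500/udp
"""

# Assumed ephemeral range; on OpenBSD the real bounds are the net.inet.ip.portfirst/portlast sysctls.
PORT_LO, PORT_HI = 1024, 65535


def udp_ports_from_services(text):
    """Collect the UDP port numbers declared in services(5)-style text, ignoring comments."""
    ports = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        port, _, proto = fields[1].partition("/")
        if proto == "udp" and port.isdigit():
            ports.add(int(port))
    return ports


def random_source_port(excluded, lo=PORT_LO, hi=PORT_HI, rng=secrets.randbelow):
    """Draw a uniformly random port in [lo, hi] that is not excluded, by rejection sampling.
    rng(n) must return an integer in [0, n); the default is a CSPRNG, which is the point:
    a predictable port generator would give the attacker back what randomisation took away."""
    span = hi - lo + 1
    if not (set(range(lo, hi + 1)) - excluded):
        raise ValueError("every port in the range is excluded")
    while True:
        port = lo + rng(span)
        if port not in excluded:
            return port


def query_entropy_bits(usable_ports, txid_bits=16):
    """Bits an off-path attacker must guess per query: the transaction ID plus the source port."""
    return txid_bits + math.log2(len(usable_ports))


if __name__ == "__main__":
    busy = udp_ports_from_services(SERVICES_SAMPLE)
    usable = set(range(PORT_LO, PORT_HI + 1)) - busy
    print("excluded UDP ports:", sorted(busy))
    print("sample source port:", random_source_port(busy))
    print("fixed port: 16.0 bits; randomised: %.1f bits" % query_entropy_bits(usable))
```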



Re: sendmail STARTTLS

2008-07-10 Thread GVG GVG
On Thu, Jul 10, 2008 at 4:12 PM, Will Maier [EMAIL PROTECTED] wrote:

 On Thu, Jul 10, 2008 at 03:56:48PM +0200, GVG GVG wrote:
  On Thu, Jul 10, 2008 at 3:33 PM, Will Maier [EMAIL PROTECTED] wrote:
   On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
--
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
-
 [...]
  Yes they do exist:
 
  --
  -bash-3.2$ pwd
  /etc/mail/CA
  -bash-3.2$ ls -l
  total 56
  -rw-r--r--  1 root  wheel  1229 Jun 23 17:02 cacert.pem
  -rw-r--r--  1 root  wheel   875 Jun 18 13:46 cacert.pm
  -rw-------  1 root  wheel  3848 Jun 23 17:11 cert.pem
  drwxr-xr-x  2 root  wheel   512 Jun 17 16:25 certs
  drwxr-xr-x  2 root  wheel   512 Jun 23 17:17 crl
  -rw-------  1 root  wheel     3 Jun 23 17:17 crlnumber
  -rw-------  1 root  wheel    68 Jun 23 17:11 index.txt
  -rw-------  1 root  wheel    21 Jun 23 17:11 index.txt.attr
  -rw-r--r--  1 root  wheel     0 Jun 23 16:46 index.txt.old
  -rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
  drwxr-xr-x  2 root  wheel   512 Jun 23 17:11 newcerts
  drwx------  2 root  wheel   512 Jun 23 16:53 private
  -rw-------  1 root  wheel     3 Jun 23 17:11 serial
  -rw-r--r--  1 root  wheel     3 Jun 23 16:46 serial.old
  ---

 You're missing my{cert,key}.pem.

  and in the mail_log there is nothing recorded! No errors or
  warnings!

 Did you restart sendmail?

 --

 o--{ Will Maier }--o
 | web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
 *-[ BSD: Live Free or Die ]*


Sorry, I made a mistake! The changes in the .mc file are:


define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
--

using the same certs for 'server' and 'client'! So the files do exist!

And yes I did restart sendmail! I actually did restart the whole box!

In a sendmail book I found the following entry they suggested putting in the .mc
file. Could it be the reason for my problems?

--
dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl
-

Thanks

George



Re: note for faq, maybe

2008-07-10 Thread Mitja Muženič / Kerberos.si /
Yes, I can confirm that. I too got bitten by it before and I was considering
proposing a patch for upgradeXX.html, but I got sidetracked.

Mitja

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Marc Balmer
 Sent: Thursday, July 10, 2008 3:55 PM
 To: [EMAIL PROTECTED]
 Cc: misc@openbsd.org
 Subject: note for faq, maybe
 
 if you use pppoe(4) for internet, and want to do a remote
 update from 4.2 to 4.3, over said pppoe(4) link, then the
 normal update procedure will not work, because the 4.3
 kernel and the 4.2 ifconfig binary can not work together.
 
 after rebooting the new 4.3 bsd kernel, the network will
 not be configured and you will walk/drive to the system (just
 like I did today).
 
 so, before rebooting to 4.3, at least unpack the 4.3 ifconfig
 binary from base43.tgz
 
 - Marc



Re: sendmail STARTTLS

2008-07-10 Thread Will Maier
On Thu, Jul 10, 2008 at 04:26:38PM +0200, GVG GVG wrote:
 In a sendmail book I found the following entry they suggested putting
 in the .mc file. Could it be the reason for my problems?
 
 --
 dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl
 -

No. So you updated your .mc file as above, installed it as
/etc/mail/localhost.cf and HUPed sendmail? By default on OpenBSD,
sendmail is started with the following flags:

-L sm-mta -C/etc/mail/localhost.cf -bd -q30m

If you installed your new .cf file as sendmail.cf, sendmail won't
read it (unless you change or drop the -C flag).

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*-[ BSD: Live Free or Die ]*



sendmail Maildir

2008-07-10 Thread GVG GVG
Dear List,

having a 4.3 and sendmail installation, the default locations where the
mails go is /var/mail/$USER. How can I change that and point to a Maildir
formatted location?

Thanks

George



Re: sendmail STARTTLS

2008-07-10 Thread Claus Assmann
On Thu, Jul 10, 2008, GVG GVG wrote:

 -rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
  ^  ^

 and in the mail_log there is nothing recorded! No errors or warnings!

1. man starttls (and see the referenced website).
2. increase the LogLevel (even though those errors should be logged
at the default level.)
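An added example, not sendmail's code, that checks for the two problems this thread turns up: the my{cert,key}.pem files that Will noted are missing, and the key.pem permissions that Claus points at. It reads the define() lines from the .mc, expands CERT_DIR (assuming MAIL_SETTINGS_DIR is /etc/mail/), and reports files that do not exist or key files readable by group or others; that a key file must not be group- or world-readable is stated here as an assumption about sendmail's file safety checks. run_demo() rebuilds the relevant part of the directory listing above under a temporary directory so the check runs stand-alone.

```python
import os
import re
import stat
import tempfile

# Constructed copy of the define() lines from the thread.
MC_SNIPPET = """\
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
"""

DEFINE_RE = re.compile(r"define\(`([^']+)',\s*`(.*)'\)")
KEY_OPTIONS = {"confSERVER_KEY", "confCLIENT_KEY"}
FILE_OPTIONS = KEY_OPTIONS | {"confCACERT", "confSERVER_CERT", "confCLIENT_CERT"}


def parse_mc(text, mail_settings_dir="/etc/mail/"):
    """Map each define()d option to its value with MAIL_SETTINGS_DIR and CERT_DIR expanded."""
    values = {"MAIL_SETTINGS_DIR": mail_settings_dir}
    for name, raw in DEFINE_RE.findall(text):
        val = raw.replace("`'", "")  # the empty m4 quote pair that glues MAIL_SETTINGS_DIR to CA
        for macro in ("MAIL_SETTINGS_DIR", "CERT_DIR"):
            if macro in values:
                val = val.replace(macro, values[macro])
        values[name] = val
    return values


def check_tls_files(values, root=""):
    """Return (option, path, problem) for each STARTTLS file sendmail would not be able to use.
    `root` is prefixed to every path so a staging tree can be checked. Problems are
    'missing', 'not a regular file', or, for key files, 'group/world readable' (the
    safety rule assumed here; it is what the listing in the thread shows for key.pem)."""
    problems = []
    for opt in sorted(FILE_OPTIONS):
        if opt not in values:
            continue
        path = values[opt]
        try:
            st = os.stat(root + path)
        except FileNotFoundError:
            problems.append((opt, path, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            problems.append((opt, path, "not a regular file"))
        elif opt in KEY_OPTIONS and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append((opt, path, "group/world readable"))
    return problems


def run_demo():
    """Rebuild the relevant part of the listing from the thread under a temp dir and check it."""
    root = tempfile.mkdtemp()
    ca = os.path.join(root, "etc", "mail", "CA")
    os.makedirs(ca)
    # cacert.pem and key.pem were 0644 and cert.pem 0600 in the listing; mycert/mykey were absent.
    for name, mode in (("cacert.pem", 0o644), ("cert.pem", 0o600), ("key.pem", 0o644)):
        with open(os.path.join(ca, name), "w") as f:
            f.write("placeholder, not a real PEM file\n")
        os.chmod(os.path.join(ca, name), mode)
    return check_tls_files(parse_mc(MC_SNIPPET), root=root)


if __name__ == "__main__":
    for opt, path, problem in run_demo():
        print(f"{opt}: {path}: {problem}")
```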



Re: sendmail Maildir

2008-07-10 Thread Stuart Henderson
On 2008-07-10, GVG GVG [EMAIL PROTECTED] wrote:
 Dear List,

 having a 4.3 and sendmail installation, the default locations where the
 mails go is /var/mail/$USER. How can I change that and point to a Maildir
 formatted location?

 Thanks

 George



You need a local delivery agent that can understand Maildir.
e.g. procmail, maildrop, Dovecot's deliver, [..]



Re: sendmail STARTTLS

2008-07-10 Thread Stuart Henderson
On 2008-07-10, GVG GVG [EMAIL PROTECTED] wrote:

 Sorry I did a mistake! The changes in the .mc file are:

You did rebuild the .cf file from the .mc file, right?

STARTTLS(8) OpenBSD System Manager's ManualSTARTTLS(8)

 [...]

 Now that you have the TLS-enabled versions of the .mc files you must gen-
 erate .cf files from them and install the .cf files in /etc/mail.

 [...]



Re: sendmail Maildir

2008-07-10 Thread David Hill
On Thu, Jul 10, 2008 at 04:56:07PM +0200, GVG GVG wrote:
 Dear List,
 
 having a 4.3 and sendmail installation, the default locations where the
 mails go is /var/mail/$USER. How can I change that and point to a Maildir
 formatted location?
 
 Thanks
 
 George
 

Hi George -

You need to use a mail delivery agent (MDA), such as procmail, maildrop,
or dovecot's deliver.

- David 



Re: sendmail Maildir

2008-07-10 Thread GVG GVG
On Thu, Jul 10, 2008 at 5:07 PM, Stuart Henderson [EMAIL PROTECTED]
wrote:

 On 2008-07-10, GVG GVG [EMAIL PROTECTED] wrote:
  Dear List,
 
  having a 4.3 and sendmail installation, the default locations where the
  mails go is /var/mail/$USER. How can I change that and point to a Maildir
  formatted location?
 
  Thanks
 
  George
 
 

 You need a local delivery agent that can understand Maildir.
 e.g. procmail, maildrop, Dovecot's deliver, [..]


I intend to install Dovecot! So obviously that will do the job!

Thanks for your prompt reply

George



Re: sendmail STARTTLS

2008-07-10 Thread GVG GVG
On Thu, Jul 10, 2008 at 4:55 PM, Will Maier [EMAIL PROTECTED] wrote:

 On Thu, Jul 10, 2008 at 04:26:38PM +0200, GVG GVG wrote:
  In a sendmail book I found the following entry they suggested putting
  in the .mc file. Could it be the reason for my problems?
 
  --
  dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl
  -

 No. So you updated your .mc file as above, installed it as
 /etc/mail/localhost.cf and HUPed sendmail? By default on OpenBSD,
 sendmail is started with the following flags:

-L sm-mta -C/etc/mail/localhost.cf -bd -q30m

 If you installed your new .cf file as sendmail.cf, sendmail won't
 read it (unless you change or drop the -C flag).

 --

 o--{ Will Maier }--o
 | web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
 *-[ BSD: Live Free or Die ]*


correct but I didn't install as 'localhost' but as 'sendmail.cf'. My server
does accept mails from the outside world! After that I did restart the box!
Sendmail gets started as:

sendmail_flags=-L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X
/[$HOME]/mail_log



Re: sendmail STARTTLS

2008-07-10 Thread GVG GVG
On Thu, Jul 10, 2008 at 5:05 PM, Stuart Henderson [EMAIL PROTECTED]
wrote:

 On 2008-07-10, GVG GVG [EMAIL PROTECTED] wrote:
 
  Sorry I did a mistake! The changes in the .mc file are:

 You did rebuild the .cf file from the .mc file, right?

 STARTTLS(8) OpenBSD System Manager's Manual
  STARTTLS(8)

 [...]

 Now that you have the TLS-enabled versions of the .mc files you must
 gen-
 erate .cf files from them and install the .cf files in /etc/mail.

 [...]


Exactly! That's what I did. Below is an extract from my current sendmail.cf:

---
# CA directory
O CACertPath=/etc/mail/CA
# CA file
O CACertFile=/etc/mail/CA/cacert.pem
# Server Cert
O ServerCertFile=/etc/mail/CA/cert.pem
# Server private key
O ServerKeyFile=/etc/mail/CA/key.pem
# Client Cert
O ClientCertFile=/etc/mail/CA/cert.pem
# Client private key
O ClientKeyFile=/etc/mail/CA/key.pem
# File containing certificate revocation lists
#O CRLFile
--

Thanks

George



Re: 4.4 beta wont shut down properly

2008-07-10 Thread Ted Unangst
On 7/9/08, Josh [EMAIL PROTECTED] wrote:

  On two machines now, recent snapshots are not powering off properly on 
 machines which used to, when I run shutdown -p -h now.

  It stops at syncing disks, and stays there forever. After a hard reset, / 
 comes up as not being unmounted successfully.

  I am quite busy right now, but if someone could tell me what src files 
 deal with this area, so I can perhaps backtrack to a time when shutdowns 
 worked ok, after work.

One thing to rule out would be the buffer cache changes.  These were
committed over a little time, but you could check a kernel from june
9th (before) and june 15th (after).  of course, that's the week of the
hackathon, so lots of other changes occurred as well.  but try those
dates.



sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

I don't have a fresh install anywhere -- but I want to say that it doesn't 
default to PermitRootLogin yes after the install.


I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get 
this changed, but Redhat Support is giving some noise about:


Well the source vendor doesn't disable it by default ...

~BAS



Re: Can't install using pkg_add from FTP mirror and from Local Mirror

2008-07-10 Thread Louis V. Lambrecht

my mail wrote:

--- On Thu, 7/10/08, Jacob Meuser [EMAIL PROTECTED] wrote:

  

From: Jacob Meuser [EMAIL PROTECTED]
Subject: Re: Can't install using pkg_add from FTP mirror and from Local Mirror
To: misc@openbsd.org
Date: Thursday, July 10, 2008, 6:24 AM
On Wed, Jul 09, 2008 at 07:45:01PM -0700, my mail wrote:


--- On Wed, 7/9/08, Jacob Meuser
  

[EMAIL PROTECTED] wrote:

my guess is you checked out or updated your ports tree

incorrectly.
you want 4.3 ports to match your 4.3 base, so you need to
use the
-rOPENBSD_4_3 tag with the cvs command.  otherwise, you
will get a
-current ports tree, and you will have problems.

http://www.openbsd.org/anoncvs.html



thank you all (Jacob Meuser, Markus Lude, Louis V. Lambrecht, James Hartley) 
for your help

I have reinstalled my OpenBSD 4.3 and then used -rOPENBSD_4_3 to update 
ports, and now I have been able to install from packages and ports.

It's my fault because, as I remember, I updated ports without the -rOPENBSD_4_3 
tag.

I'm a little bit confused about release and stable: if I download the ISO from 
the OpenBSD/4.3 ftp, then this is a release; then if I want to use --stable, I must 
use the -rOPENBSD_4_3 tag to update ports, xenocara and src, and I am able to use 
packages for the 4.3 release.

But what if I want to use the current tag? After I update ports, what packages 
must I use? Because when I use 4.3 packages, it does not work.

thanks


  

Frankly, re-re-re-re-read the FAQ.
Since you just re-installed and still want -current packages, the best 
way would be to grab a snapshot and do a fresh install.
Do this on a date at which your mirror has packages with the same date as
the snapshots (or a day or two off).
Release updates are almost foolproof, updating from snapshots might break,
while a snapshot of the next day would be perfect.

My personal opinion:
when you have both the stock OS and sources and started installing 
packages, I experienced it to be safe to keep pkg_add'ing for a week or two.
Certainly not do a cvs.
When packages fail to install, switch to installing the ports from 
source (still without having done a cvs: keep OS, sources, ports tree 
at the same date).

Actually, I have 2 slices, one with a working environment, one with a 
testing environment. Yet another slice with my server's data, archives, 
distfiles, ...

Every 2 months or so I install a snapshot and most used packages on the
testing slice and switch the boot slice when all is well.

To be honest, I have a third installation on an USB key where I test the
snapshot. First an upgrade, and if it is OK, I upgrade the testing slice.
If not OK, I read misc@ and undeadly for hints and wait a couple of
weeks to try another snapshot.
Doing so, I have 2 (eventually 3) OSes to boot from and access my data 
and archives.

Current is where the team is developing, what works now can break in the 
next minutes, and work perfectly half an hour later.

If you really need current, test it on a separate slice.
Don't touch a good working installation.

Before I forget:
mighty important!
keep copies of /var/backups in a safe place before upgrading/re-installing.
Time-saver.



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread (private) HKS
My 4.3 installs defaulted to PermitRootLogin yes after install.
-HKS

On Thu, Jul 10, 2008 at 10:35 AM, Brian A. Seklecki
[EMAIL PROTECTED] wrote:
 Am I reading this right?

 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

 I don't have a fresh install anywhere -- but I want to say that it doesn't
 default to PermitRootLogin yes after the install.

 I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this
 changed, but Redhat Support is giving some noise about:

 Well the source vendor doesn't disable it by default ...

 ~BAS



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Will Maier
On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:
 Am I reading this right?

Yes.

[...]
 I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get
 this changed, but Redhat Support is giving some noise about:

 Well the source vendor doesn't disable it by default ...

This has been discussed. Check the archives if you'd like.

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*-[ BSD: Live Free or Die ]*



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Fred Crowson

Brian A. Seklecki wrote:

Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup



I don't have a fresh install anywhere -- but I want to say that it doesn't
default to PermitRootLogin yes after the install.


I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get
this changed, but Redhat Support is giving some noise about:


Well the source vendor doesn't disable it by default ...

~BAS



Hi Brian,

The default is: PermitRootLogin yes

As illustrated below.

HTH

Fred

bsd:fred /home/fred ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Wed Mar  5 19:08:20 2008
OpenBSD 4.4-beta (GENERIC) #232: Wed Jul  2 12:31:55 MDT 2008

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

Terminal type? [rxvt]
# uname -a
OpenBSD zaurus.crowsons.com 4.4 GENERIC#232 zaurus
#



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Wade, Daniel
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Brian A. Seklecki
 Sent: Thursday, July 10, 2008 10:35 AM
 To: misc@openbsd.org
 Subject: sshd_config(5) PermitRootLogin yes

 Am I reading this right?

 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

 I don't have a fresh install anywhere -- but I want to say that it
 doesn't default to PermitRootLogin yes after the install.

 I remember that I filed PRs with FreeBSD/NetBSD a few years ago to
 get this changed, but Redhat Support is giving some noise about:

 Well the source vendor doesn't disable it by default ...

 ~BAS


afterboot(8) covers this

http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html



Re: sendmail STARTTLS

2008-07-10 Thread GVG GVG
On Thu, Jul 10, 2008 at 5:01 PM, Claus Assmann 
[EMAIL PROTECTED] [EMAIL PROTECTED]
wrote:

 On Thu, Jul 10, 2008, GVG GVG wrote:

  -rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
   ^  ^

  and in the mail_log there is nothing recorded! No errors or warnings!

 1. man starttls (and see the referenced website).
 2. increase the LogLevel (even though those errors should be logged
 at the default level.)


I first have to excuse myself because I claimed that there were no errors in
the log file!

Well, there was no debugging output enabled. Now I did that with the '-d0-17.4'
flags!

Still I don't see anything weird in there! I don't know if you can provide me
with an example of such an error or warning?

Thanks

George



Re: sendmail STARTTLS

2008-07-10 Thread Philip Guenther
Off topic to this thread, but:

On Thu, Jul 10, 2008 at 8:24 AM, GVG GVG [EMAIL PROTECTED] wrote:
...
 Sendmail gets started as:

 sendmail_flags=-L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X
 /[$HOME]/mail_log

Remove -B8BITMIME from that: the -B option is only applicable when
sending email.  Indeed, you should be seeing this error at boot time:
WARNING: Ignoring submission mode -B option (not in submission mode)

What docs suggested that you add that?

(For the topic of this thread, you did eyeball /var/log/maillog after
restarting, right?)


Philip Guenther



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Marco Peereboom
Of course it is enabled by default.  Why do I want a box that is
freshly installed and unreachable?

On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:
 Am I reading this right?

 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

 I don't have a fresh install anywhere -- but I want to say that it doesn't
 default to PermitRootLogin yes after the install.

 I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this
 changed, but Redhat Support is giving some noise about:

 Well the source vendor doesn't disable it by default ...

 ~BAS



Re: Actual BIND error - Patching OpenBSD 4.3 named ?

2008-07-10 Thread David Krause
* Stuart Henderson [EMAIL PROTECTED] [080709 07:15]:
 mcbride@ pointed out that you can give named some more protection
 by natting outbound udp traffic destined for port 53 (even just on
 the box running the resolver, it doesn't have to be on a firewall
 in front). something like,
 
 nat on egress proto udp from (self) to any port 53 -> (self)
 
 there - if you need to tell people you're doing something
 while you wait for a better solution, you have an option.
 check this with tcpdump and requests from multiple NS, the
 doxpara.com checker will not notice this as an improvement.

It doesn't notice this as an improvement because it is making multiple
requests to the same name server, and pf will map all these requests
using the same outgoing port.

David
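An added example (not code from the thread, pf or named) that makes David's point measurable: it profiles the source ports of outbound port-53 queries from constructed tcpdump(8)-style lines and reports whether ports are static, vary only per name server (the picture pf's nat rule produces, since the mapping is keyed on the full address/port tuple and repeated queries to one NS reuse one state), or vary per query. The addresses, ports and line format are constructed for the example.

```python
"""Profile the source ports a resolver uses for outbound DNS queries.

Added example, not code from the thread or from pf/named.  Input lines
are constructed in the shape OpenBSD tcpdump(8) prints for UDP traffic
("SRC.SPORT > DST.DPORT:").  Run it against a capture of the resolver's
outbound port-53 traffic to see what a remote checker would see.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed tcpdump-style line: timestamp, "src.sport > dst.53:", summary.
_QUERY_RE = re.compile(
    r"^\S+\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53:"
)


def parse_queries(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Extract (destination name server, source port) from port-53 lines."""
    found = []
    for line in lines:
        m = _QUERY_RE.match(line)
        if m:
            found.append((m.group("dst"), int(m.group("sport"))))
    return found


def source_port_profile(lines: Iterable[str]) -> Tuple[str, int, Dict[str, int]]:
    """Return (verdict, distinct ports overall, distinct ports per NS).

    verdict is one of:
      "static"          one source port for everything
      "per-destination" one port per NS, different ports across NSes
                        (what the nat rule gives; a checker that queries a
                        single NS cannot tell this apart from "static")
      "per-query"       ports vary even toward the same NS
    """
    per_dst: Dict[str, set] = defaultdict(set)
    for dst, sport in parse_queries(lines):
        per_dst[dst].add(sport)
    all_ports = set().union(*per_dst.values()) if per_dst else set()
    if len(all_ports) <= 1:
        verdict = "static"
    elif all(len(ports) == 1 for ports in per_dst.values()):
        verdict = "per-destination"
    else:
        verdict = "per-query"
    return verdict, len(all_ports), {dst: len(p) for dst, p in per_dst.items()}


# Constructed captures.  192.0.2.10 is the resolver; 198.51.100.1 and
# 203.0.113.7 stand in for two authoritative name servers.
STATIC_CAPTURE = [
    "10:00:01.000001 192.0.2.10.53 > 198.51.100.1.53: 4242+ A? example.com. (29)",
    "10:00:01.000002 192.0.2.10.53 > 198.51.100.1.53: 4243+ A? example.org. (29)",
    "10:00:01.000003 192.0.2.10.53 > 203.0.113.7.53: 4244+ NS? example.net. (30)",
]

# Same resolver behind the nat rule: one translated port per name server,
# because repeated queries to the same NS match the existing pf state.
NAT_CAPTURE = [
    "10:01:01.000001 192.0.2.10.61803 > 198.51.100.1.53: 4245+ A? example.com. (29)",
    "10:01:01.000002 192.0.2.10.61803 > 198.51.100.1.53: 4246+ A? example.org. (29)",
    "10:01:01.000003 192.0.2.10.53417 > 203.0.113.7.53: 4247+ NS? example.net. (30)",
]

# Resolver that picks a fresh source port for every query.
RANDOMIZED_CAPTURE = [
    "10:02:01.000001 192.0.2.10.50111 > 198.51.100.1.53: 4248+ A? example.com. (29)",
    "10:02:01.000002 192.0.2.10.63920 > 198.51.100.1.53: 4249+ A? example.org. (29)",
    "10:02:01.000003 192.0.2.10.52004 > 203.0.113.7.53: 4250+ NS? example.net. (30)",
]

if __name__ == "__main__":
    for name, cap in [("static", STATIC_CAPTURE), ("nat", NAT_CAPTURE),
                      ("randomized", RANDOMIZED_CAPTURE)]:
        print(f"{name:11s}", source_port_profile(cap))
    # Only the first two NAT lines (one NS queried twice) look static.
    print("nat, one NS", source_port_profile(NAT_CAPTURE[:2]))
```

Feeding only the queries toward a single name server (as a single-NS checker effectively does) yields "static" for the NAT capture, which is why Stuart suggested checking with requests from multiple NS.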



Re: sendmail STARTTLS

2008-07-10 Thread Vijay Sankar
On July 10, 2008 10:24:08 am GVG GVG wrote:
 On Thu, Jul 10, 2008 at 4:55 PM, Will Maier [EMAIL PROTECTED] wrote:
  On Thu, Jul 10, 2008 at 04:26:38PM +0200, GVG GVG wrote:
   In a sendmail book I found following entry they suggested to put
   in the .mc file. Could be the reason for my problems?
  
   --
   dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl
   -
 
  No. So you updated your .mc file as above, installed it as
  /etc/mail/localhost.cf and HUPed sendmail? By default on OpenBSD,
  sendmail is started with the following flags:
 
 -L sm-mta -C/etc/mail/localhost.cf -bd -q30m
 
  If you installed your new .cf file as sendmail.cf, sendmail won't
  read it (unless you change or drop the -C flag).
 
  --
 
  o--{ Will Maier }--o
 
  | web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
 
  *-[ BSD: Live Free or Die ]*

 correct but I didn't install as 'localhost' but as 'sendmail.cf'. My server
 does accept mails from the outside world! After that I did restart the box!
 Sendmail gets started as:

 sendmail_flags=-L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X
 /[$HOME]/mail_log

I don't think -B8BITMIME works with sendmail on OpenBSD -- at least it does 
not on my 4.3 i386 from CD and on 4.4 -current. Were you thinking of 
EightBitMode=mode or do you have any errors on /var/log/maillog with this 
flag?


-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brynet

The keyword here is *default*.

Say you installed OpenBSD on a soekris, it's nice having root enabled 
temporarily.


That way you can login at a later time, create a lesser privileged 
account, edit the sudoers file.. and disable root logins in sshd_config.


I believe the developers' decision is the best one in this case, it's one 
of the first things I disable though.




sendmail -B option

2008-07-10 Thread Philip Guenther
On Thu, Jul 10, 2008 at 9:59 AM, Vijay Sankar [EMAIL PROTECTED] wrote:
...
 I don't think -B8BITMIME works with sendmail on OpenBSD -- at least it does
 not on my 4.3 i386 from CD and on 4.4 -current.

sigh  What do you think it does, how did you use it, and how did you
determine that it has no effect?

I've already noted that the -B option only affects submission and is
ignored when running sendmail as a daemon, making GVG's usage of it
incorrect.  If you aren't feeding the sendmail command an email
message on stdin, then the -B option isn't for you.


Philip Guenther



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Paul de Weerd
On Thu, Jul 10, 2008 at 01:21:20PM -0400, Brynet wrote:
 The keyword here is *default*.

 Say you installed OpenBSD on a soekris, it's nice having root enabled 
 temporarily.

 That way you can login at a later time, create a lesser privileged account, 
 edit the sudoers file.. and disable root logins in sshd_config.

Note that you can already create this account and edit sudoers while
still in the installer kernel. Simply `/mnt/usr/sbin/chroot /mnt` and
you are in your new system where you can change basic things (such as
adding users and editing config files, do not expect to be able to do
more fancy stuff like firewalling (so you can edit pf.conf, you just
can not load it until after rebooting), you're still in the install
kernel which lacks several key features provided by the regular
kernel).

root logins are also quite useful when /home is on NFS and NFS is
broken somehow and you need to log in to fix stuff. Myself, I keep it
enabled, even if I don't have /home on NFS and already have my
less-privileged user for sudo access setup.

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



yacc rebuild

2008-07-10 Thread Charles Smith
Good afternoon!

So, before the next make build I must rebuild yacc alone.
I would like to know how I can rebuild yacc.
I searched in old errata patches, Makefiles, bsd.*.mk files.
In my previous logfile (2008.07.07/src_make_build) I see that for
yacc, make cleandir is used:
rm -f yacc.cat1 ...
rm -f .depend ...tags

So is this correct?
cd usr.bin/yacc
make obj
make cleandir
make depend
make
make install

In general, how can I ascertain what kind of make phony targets I must
use?
I haven't read through the whole stuff (docs, all Makefiles, etc) yet,
so I would be glad of a link too.

Thank You!



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Darrin Chandler
On Thu, Jul 10, 2008 at 07:40:47PM +0200, Paul de Weerd wrote:
 root logins are also quite useful when /home is on NFS and NFS is
 broken somehow and you need to log in to fix stuff. Myself, I keep it
 enabled, even if I don't have /home on NFS and already have my
 less-privileged user for sudo access setup.

I usually leave it enabled, but with the 'without-password' setting so
that keys must be used.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
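The thread turns on what sshd actually ends up using: the stock file only carries a commented "#PermitRootLogin yes", so the compiled-in default applies, and Darrin's "without-password" only takes effect if it is the first uncommented PermitRootLogin sshd reads. The following added example (not OpenSSH code, not from anyone in the thread) reports the effective value from an sshd_config text using the sshd_config(5) rules: case-insensitive keywords, first obtained value wins, whole-line comments only, and values inside a Match block reported separately. The sample configs are constructed.

```python
"""Report the effective PermitRootLogin value of an sshd_config.

Added example, not OpenSSH code.  Rules applied, from sshd_config(5):
keywords are case-insensitive, the first obtained value for a keyword
wins, only whole lines starting with '#' are comments, and a
PermitRootLogin inside a Match block is conditional.  A missing or
commented-out keyword leaves the compiled-in default in force, which
this thread reports as "yes".
"""
import re
from typing import Dict, List, Tuple

# Compiled-in default for the sshd_config discussed in the thread.
DEFAULT_PERMIT_ROOT_LOGIN = "yes"

# Arguments sshd_config(5) accepted for PermitRootLogin at the time.
VALID_VALUES = ("yes", "without-password", "forced-commands-only", "no")

# What each value means for a network-reachable sshd.
RISK_NOTE: Dict[str, str] = {
    "yes": "root may log in with a password; the root password is the only control",
    "without-password": "root may log in with keys only",
    "forced-commands-only": "root keys work only with a command= option",
    "no": "root cannot log in over ssh; use a wheel user plus sudo/su",
}

# keyword, optional '=' separator, argument (line already stripped).
_DIRECTIVE_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def effective_permit_root_login(config_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (global value, [(Match criteria, value), ...]).

    The global value is the first PermitRootLogin outside any Match block,
    or the default when none is set.  Match-block values are returned
    separately because they apply only to clients matching the criteria.
    """
    global_value = None
    match_overrides: List[Tuple[str, str]] = []
    current_match = None  # criteria of the Match block we are inside, if any

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments are whole lines only; no inline comments
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current_match = arg  # everything up to the next Match is conditional
            continue
        if keyword != "permitrootlogin":
            continue
        value = arg.lower()
        if value not in VALID_VALUES:
            raise ValueError(f"bad PermitRootLogin argument: {arg!r}")
        if current_match is not None:
            match_overrides.append((current_match, value))
        elif global_value is None:
            global_value = value  # first obtained value wins; later ones ignored

    return (global_value or DEFAULT_PERMIT_ROOT_LOGIN), match_overrides


def audit(config_text: str) -> str:
    """One-line finding for a post-install (afterboot-style) checklist."""
    value, overrides = effective_permit_root_login(config_text)
    finding = f"PermitRootLogin {value}: {RISK_NOTE[value]}"
    if overrides:
        finding += "; Match overrides: " + ", ".join(f"[{c}] -> {v}" for c, v in overrides)
    return finding


# Constructed sample configs (not copied from any real system).
STOCK_CONFIG = "#Port 22\n#PermitRootLogin yes\n#StrictModes yes\n"

HARDENED_CONFIG = "PermitRootLogin without-password\nPasswordAuthentication no\n"

# First value wins: the later "yes" does not re-enable root logins.
DUPLICATE_CONFIG = "PermitRootLogin no\nPermitRootLogin yes\n"

# Global "no", but a Match block re-allows it for a management network.
MATCH_CONFIG = "permitrootlogin=no\nMatch Address 192.0.2.0/24\n    PermitRootLogin yes\n"

if __name__ == "__main__":
    for name, cfg in [("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("duplicate", DUPLICATE_CONFIG), ("match", MATCH_CONFIG)]:
        print(f"{name:10s} {audit(cfg)}")
```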



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

On Thu, 10 Jul 2008, Brynet wrote:


The keyword here is *default*.

Say you installed OpenBSD on a soekris, it's nice having root enabled 
temporarily.


That way you can login at a later time, create a lesser privileged account,


On Soekris, does the first boot console access not function properly until 
ttys(5) or boot.conf(5) are edited?  Do you need to run headless, but with 
stored network configuration from the installer?


~BAS


edit the sudoers file.. and disable root logins in sshd_config.

I believe the developers' decision is the best one in this case, it's one of 
the first things I disable though.




Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

afterboot(8) covers this



Works for me, I guess. =/

~BAS


http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html




Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Giancarlo Razzolini
Paul de Weerd wrote:
 On Thu, Jul 10, 2008 at 01:21:20PM -0400, Brynet wrote:
   
 The keyword here is *default*.

 Say you installed OpenBSD on a soekris, it's nice having root enabled 
 temporarily.

 That way you can login at a later time, create a lesser privileged account, 
 edit the sudoers file.. and disable root logins in sshd_config.
 

 Note that you can already create this account and edit sudoers while
 still in the installer kernel. Simply `/mnt/usr/sbin/chroot /mnt` and
 you are in your new system where you can change basic things (such as
 adding users and editing config files, do not expect to be able to do
 more fancy stuff like firewalling (so you can edit pf.conf, you just
 can not load it until after rebooting), you're still in the install
 kernel which lacks several key features provided by the regular
 kernel).

 root logins are also quite useful when /home is on NFS and NFS is
 broken somehow and you need to log in to fix stuff. Myself, I keep it
 enabled, even if I don't have /home on NFS and already have my
 less-privileged user for sudo access setup.

 Cheers,

 Paul 'WEiRD' de Weerd

   
I do prefer to use the siteXX.tgz and the install.site script to do
this, since it is the recommended way to customize the install process:
http://www.openbsd.org/faq/faq4.html#site

I remember another thread on this list about this. At some point someone
asked "Why not ask the installing user to create an unprivileged account
during the install process?". The answer was simple and very coherent:
"Because we want the user to give the root user a strong password. If we
prompt for another user creation, they will tend to pick a weak password."
I agreed with that and prefer having things like this. The portable ssh
version also comes with PermitRootLogin defaulted to yes. I don't see
this as a security breach. Just pick a strong root password, create a
user, edit sudoers, disable root login and you are done.

My regards,

-- 
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

On Thu, 10 Jul 2008, Marco Peereboom wrote:


Of course it is enabled by default.  Why do I want a box that is
freshly installed and unreachable?


No -- I just find that most of afterboot(8) can be done from the console; 
even serial console, at first boot, configure the network, add a non-root 
user, add them to wheel, enable sshd.


I guess I'm just having trouble imagining the situation where you have 
console access, but need to do basic post-install configuration via the 
network, as root, remotely.


Even with CF/Embedded, you ship out master.passwd prepopulated.

And this is likely the rationale why the rest of the projects changed it.

~~BAS


On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:

Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

I don't have a fresh install anywhere -- but I want to say that it doesn't
default to PermitRootLogin yes after the install.

I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this
changed, but Redhat Support is giving some noise about:

Well the source vendor doesn't disable it by default ...

~BAS




Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Darrin Chandler
On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote:
 I guess I'm just having trouble imagining the situation where you have 
 console access, but need to do basic post-install configuration via the 
 network, as root, remotely.

This is how I normally do it. I don't like to stand at a crash cart kvm
when I can sit at my desk. ;-)

If you have a good root password then it's not much of an issue anyway.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: note for faq, maybe

2008-07-10 Thread Nick Holland

Sounds good, but as I've successfully avoided both PPP and PPPoE for
well over ten years now, I have no way to completely test, a diff
would be nice.

Nick.

Mitja Muenih / Kerberos.si / wrote:

Yes, I can confirm that. I too got bitten by it before and I was considering
proposing a patch for upgradeXX.html, but I got sidetracked.

Mitja


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Marc Balmer

Sent: Thursday, July 10, 2008 3:55 PM
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: note for faq, maybe

if you use pppoe(4) for internet, and want to do a remote
update from 4.2 to 4.3, over said pppoe(4) link, then the
normal update procedure will not work, because the 4.3
kernel and the 4.2 ifconfig binary can not work together.

after rebooting the new 4.3 bsd kernel, the network will
not be configured and you will walk/drive to the system (just
like I did today).

so, before rebooting to 4.3, at least unpack the 4.3 ifconfig
binary from base43.tgz

- Marc




Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Marco Peereboom
And they got it all wrong.  It is all for the perceived sense of
security.  Not being able to login over ssh right after install sucks.
I am that guy that ends up enabling it on all other boxes that use a
different default.

The machine I install and then deploy to be hostile network connected
gets some extra love in that department however crippling every box by
default for no gain is counter productive.

On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote:
 On Thu, 10 Jul 2008, Marco Peereboom wrote:

 Of course it is enabled by default.  Why do I want a box that is
 freshly installed and unreachable?

 No -- I just find that most of afterboot(8) can be done from the console; 
 even serial console, at first boot, configure the network, add a non-root 
 user, add them to wheel, enable sshd.

 I guess I'm just having trouble imagining the situation where you have 
 console access, but need to do basic post-install configuration via the 
 network, as root, remotely.

 Even with CF/Embedded, you ship out master.passwd prepopulated.

 And this is likely the rationale why the rest of the projects changed it.

 ~~BAS

 On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:
 Am I reading this right?

 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

 I don't have a fresh install anywhere -- but I want to say that it doesn't
 default to PermitRootLogin yes after the install.

 I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this
 changed, but Redhat Support is giving some noise about:

 Well the source vendor doesn't disable it by default ...

 ~BAS



Re: note for faq, maybe

2008-07-10 Thread bofh
On Thu, Jul 10, 2008 at 2:26 PM, Nick Holland [EMAIL PROTECTED]
wrote:

 Sounds good, but as I've successfully avoided both PPP and PPPoE for
 well over ten years now, I have no way to completely test, a diff
 would be nice.


We will also need one for UUCP over RFC1149.

:)

(through a bitnet gateway)...


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity. --
Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted. -- Gene Spafford
learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: sendmail -B option

2008-07-10 Thread Vijay Sankar
On July 10, 2008 12:21:59 pm Philip Guenther wrote:
 On Thu, Jul 10, 2008 at 9:59 AM, Vijay Sankar [EMAIL PROTECTED] wrote:
 ...

  I don't think -B8BITMIME works with sendmail on OpenBSD -- at least it
  does not on my 4.3 i386 from CD and on 4.4 -current.

 sigh  What do you think it does, how did you use it, and how did you
 determine that it has no effect?

 I've already noted that the -B option only affects submission and is
 ignored when running sendmail as a daemon, making GVG's usage of it
 incorrect.  If you aren't feeding the sendmail command an email
 message on stdin, then the -B option isn't for you.


 Philip Guenther

Sorry for the noise. I should not have sent that message. 

What happened was, in a misguided attempt to help, I tried running sendmail 
with the various options GVG had mentioned.

/usr/sbin/sendmail -L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X
/$HOME/mail_log 

and got the error

Jul 10 11:54:09 vijay sm-mta[22142]: 
NOQUEUE:SYSERR(root): /etc/mail/sendmail.cf: line 0: cannot open: No such 
file or directory

on my desktop. Obviously this had nothing to do with -B8BITMIME and was due to 
my having renamed /etc/mail/sendmail.cf sometime ago 
to /etc/mail/sendmail.cf.original. But I misunderstood the error because I 
was in a rush and thought it was due to the flag -B8BITMIME.

Thanks very much for taking the time to correct my mistake.

Vijay

-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]



Re: Digital IO - Phidgets support? alternatives?

2008-07-10 Thread Johannes (Barix)
Hi, here's the Barix voice :)

The products are quite different in that the Barionet can be programmed in a
basic dialect for quite sophisticated functions (if required), connects via
IP, and can be polled by SNMP, CGI, UDP or TCP (ascii protocols).
You could also use much cheaper products from our range (see the Barix
website, http://www.barix.com ) like the X8 or IO12 (industrial I/O),
but these have an RS-485 interface so you need to poll them with Modbus/RTU
- or have the Barionet do this for you ..

Greetings !

Johannes



Tom Le Page wrote:
 
 Are there any alternative solutions that I should look at?
 I've used an alternate standalone solution.  Do a search for
 Barix Barionet. Per unit it may appear to be more expensive, but

 Thanks for that, I had not come across the Barix range of devices before.
 Indeed, it does appear more expensive per unit!
 But it should be simpler to query (http) than the Phidgets...
 
 
 




Re: trouble with running spamd on 4.4 BETA [SOLVED]

2008-07-10 Thread Jose Fragoso
Hi again,

It seems that I needed:

set skip on lo0

Funny thing is that the same ruleset works on 4.3 without the
need for this statement.

Was there some change in the route-to logic from 4.3 to 4.4?

This may be of interest for someone running spamd in a bridge
setup.

Kind regards,

Jose.




Re: Iwi, wireless bad behavior

2008-07-10 Thread Daniel B.
On Thu, 3 Jul 2008, Edd Barrett wrote:

 Hi,

 If you get the wep key (or network name) wrong when configuring iwi network
 drivers the card becomes useless until you reboot. This is annoying when at a
 friends house and I mistype the key for example. I have tried taking the
 interface down and back up, it makes no difference.

 Is there a way of resetting the card altogether?

 thinky% ifconfig iwi0
 iwi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:12:f0:79:36:41
 groups: wlan
 media: IEEE802.11 autoselect
 status: no network
 ieee80211: nwid "" 100dBm
 thinky% sudo ifconfig iwi0 nwid SquishMitten nwkey
 0xedd1edd2edd3edd4edd5edd666
 thinky% sudo dhclient iwi0
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 7
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 9
 DHCPOFFER from 192.168.1.254
 DHCPREQUEST on iwi0 to 255.255.255.255 port 67
 DHCPACK from 192.168.1.254
 bound to 192.168.1.69 -- renewal in 43200 seconds.
 thinky% ifconfig iwi0
 iwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:12:f0:79:36:41
 groups: wlan egress
 media: IEEE802.11 autoselect
 status: active
 ieee80211: nwid SquishMitten chan 1 bssid 00:11:95:54:90:97 77dB nwkey
 not displayed 100dBm
 inet6 fe80::212:f0ff:fe79:3641%iwi0 prefixlen 64 scopeid 0x1
   inet 192.168.1.69 netmask 0xffffff00 broadcast 192.168.1.255
 thinky% sudo ifconfig iwi0 nwid SquishMitten nwkey
 0xedd1edd2edd3edd4edd5edd667
 thinky% sudo dhclient iwi0
 DHCPREQUEST on iwi0 to 255.255.255.255 port 67
 DHCPREQUEST on iwi0 to 255.255.255.255 port 67
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 7
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 8
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 15
 ^C
 thinky% ifconfig iwi0
 iwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:12:f0:79:36:41
   groups: wlan egress
   media: IEEE802.11 autoselect
   status: no network
   ieee80211: nwid SquishMitten nwkey not displayed 100dBm
   inet6 fe80::212:f0ff:fe79:3641%iwi0 prefixlen 64 scopeid 0x1
   inet 192.168.1.69 netmask 0xffffff00 broadcast 192.168.1.255
 thinky% sudo ifconfig iwi0 nwid SquishMitten nwkey
 0xedd1edd2edd3edd4edd5edd666
 thinky% sudo dhclient iwi0
 DHCPREQUEST on iwi0 to 255.255.255.255 port 67
 DHCPREQUEST on iwi0 to 255.255.255.255 port 67
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 5
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 6
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 6
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 13
 DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 19
 ^C
 thinky% ifconfig iwi0
 iwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:12:f0:79:36:41
   groups: wlan egress
   media: IEEE802.11 autoselect
   status: no network
   ieee80211: nwid SquishMitten nwkey not displayed 100dBm
   inet6 fe80::212:f0ff:fe79:3641%iwi0 prefixlen 64 scopeid 0x1
   inet 192.168.1.69 netmask 0xffffff00 broadcast 192.168.1.255

 Thanks

I have similar behavior using the bwi(4) driver, although I'm using WPA2.
But it's somewhat worse, since I can use it for some minutes before I lose
the connection. After that, I can't even make nfe(4) run.

The only solution I found is to reboot. Since this isn't a solution, when
possible, I prefer to use the nfe(4) Ethernet connection.

Cheers,



Re: sendmail STARTTLS

2008-07-10 Thread Claus Assmann
On Thu, Jul 10, 2008, GVG GVG wrote:

 I first have to excuse myself cause I claimed that there were no errors in
 the log file!
 
 Well, there was no debugging output enabled. Now I did that with '-d0-17.4'
 flags!

You do NOT need to enable debugging to get logging...

 Still I don't see anything weird in there! I don't know if you can provide
 with an example of such an error or warning?

STARTTLS=server: file /etc/mail/smkey.pem unsafe: Group readable file

Either you aren't running sendmail or you broke logging...






Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Jacob Yocom-Piatt

Marco Peereboom wrote:

And they got it all wrong.  It is all for the perceived sense of
security.  Not being able to login over ssh right after install sucks.
I am that guy that ends up enabling it on all other boxes that use a
different default.

The machine I install and then deploy to be hostile network connected
gets some extra love in that department however crippling every box by
default for no gain is counter productive.

  



maybe if people actually READ THE ARCHIVES, they'd be better informed. i 
wish this mailing list had


PermitStupidEmails No

as the default.

i really fail to see how this setting does anything other than make mgmt 
types worry because they don't really understand security.




On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote:
  

On Thu, 10 Jul 2008, Marco Peereboom wrote:



Of course it is enabled by default.  Why do I want a box that is
freshly installed and unreachable?
  
No -- I just find that most of afterboot(8) can be done from the console; 
even serial console, at first boot, configure the network, add a non-root 
user, add them to wheel, enable sshd.


I guess I'm just having trouble imagining the situation where you have 
console access, but need to do basic post-install configuration via the 
network, as root, remotely.


Even with CF/Embedded, you ship out master.passwd prepopulated.

And this is likely the rationale why the rest of the projects changed it.

~~BAS



On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:
  

Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

I don't have a fresh install anywhere -- but I want to say that it doesn't
default to PermitRootLogin yes after the install.

I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this
changed, but Redhat Support is giving some noise about:

Well the source vendor doesn't disable it by default ...

~BAS




Re: Iwi, wireless bad behavior

2008-07-10 Thread Edd Barrett
On Thu, Jul 10, 2008 at 7:43 PM, Daniel B. [EMAIL PROTECTED] wrote:
 After that, I can't even make nfe(4) run.

After iwi is boned, also my fxp is boned. Same situation different hardware.

I mailed damien pointing at this thread, but no reply.

-- 

Best Regards

Edd

http://students.dec.bournemouth.ac.uk/ebarrett



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread bofh
Dude,
Why do you let them tell you because the source blah blah?  Isn't
that why you pay them lots of $$?







-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0feature=related



Transparent OpenBSD firewall rules for Retrospect

2008-07-10 Thread Vincent Li

Hi OpenBSD PF experts,

I am managing a private network, 192.168.1.0/24; 192.168.1.2 is my 
Retrospect backup server, running on OS X 10.5, which backs up the rest of 
the computers.


To add another layer of protection for my backup server, I added an OpenBSD 4.3 
PF transparent firewall in front of 192.168.1.2. Since it is transparent, all 
my current private network settings stay the same.


my /etc/bridgename.bridge0:

add sis0
add sis1
blocknoip sis0
blocknoip sis1
up

my /etc/pf.conf:

ext_if=sis0
int_if=sis1

localnet=192.168.1.0/24

#only filter ext_if interface, so pass everything on int_if
pass in quick on $int_if all
pass out quick on $int_if all

#pass out everything by default on ext_if, block in everything on ext_if
pass out log on $ext_if all
block in log on $ext_if all

#Allow incoming Retrospect client tcp port
pass in log quick on $ext_if proto tcp from any to $localnet \
 port { 497 } modulate state

pass in log quick on $ext_if proto udp from any to $localnet \
 port { 497 } modulate state

Now the problem:

It seems to be a random problem: the Retrospect server sometimes cannot 
locate the Retrospect client computer. I googled; the Retrospect 
server sends a UDP packet to the IP multicast address 224.1.0.38 to locate 
the client computer listening on port 497. Here is the tcpdump I ran on 
OpenBSD to catch the UDP traffic while Retrospect was having problems contacting 
the client:


# tcpdump -n -i sis0 port 497
tcpdump: listening on sis0, link-type EN10MB

13:45:34.032842 192.168.1.2.49816 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:34.033865 192.168.1.3.497 > 192.168.1.2.49816: udp 196
13:45:36.047369 192.168.1.2.49817 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:36.048391 192.168.1.3.497 > 192.168.1.2.49817: udp 196
13:45:38.064087 192.168.1.2.49818 > 224.1.0.38.497: udp 196 [ttl 1]
13:45:38.065113 192.168.1.3.497 > 192.168.1.2.49818: udp 196

The server IP 192.168.1.2 does locate the client 192.168.1.3, but 
Retrospect still complains that the client is not visible from the network.


If I change the firewall rules to pass in log on $ext_if all and load them 
immediately, the Retrospect server finds the client immediately. I am 
lost on how to properly configure PF rules so that the Retrospect server can 
locate the client reliably.
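The ruleset below is an added example, not the original post's pf.conf. It assumes the intermittent failure comes from state matching: the discovery probe leaving sis0 creates a state keyed on 224.1.0.38:497, so the client's unicast answer (from 192.168.1.3 port 497 to the server's ephemeral port) matches neither that state nor the `to $localnet port 497` rule and is dropped by `block in log on $ext_if`. It also assumes the backup server is the only host behind sis1, so the rules are narrowed to 192.168.1.2; interface names, addresses and ports are those from the post.

```pf
# Added example (not the original post's pf.conf): transparent bridge in
# front of a Retrospect server at 192.168.1.2, using the post's interfaces.
ext_if = "sis0"
int_if = "sis1"
localnet = "192.168.1.0/24"
backup_srv = "192.168.1.2"      # assumed to be the only host behind $int_if
retro_port = "497"

# Inside interface is not filtered.
pass in  quick on $int_if all
pass out quick on $int_if all

# Default policy on the outside interface: allow out, block in.
pass  out log on $ext_if all
block in  log on $ext_if all

# Problem rule from the post: only traffic TO port 497 is allowed in, so the
# client's discovery reply (FROM port 497 to the server's ephemeral port)
# never matches it and is dropped by the block rule above.
#   pass in log quick on $ext_if proto udp from any to $localnet \
#       port { 497 } modulate state

# Retrospect clients connecting to the server on TCP 497 (post's TCP rule,
# narrowed to the server address).
pass in log quick on $ext_if proto tcp from $localnet to $backup_srv \
    port $retro_port flags S/SA modulate state

# Unicast replies to the server's multicast discovery probe. The probe
# (192.168.1.2 -> 224.1.0.38:497, ttl 1) leaves via $ext_if and creates a
# state keyed on the multicast address; the answer comes back from the
# client's own address with source port 497, so it needs its own rule.
pass in log quick on $ext_if proto udp from $localnet port $retro_port \
    to $backup_srv keep state
```

Before loading it, `tcpdump -n -e -ttt -i pflog0` while a discovery runs should show the 192.168.1.3.497 replies being dropped by the block rule; afterwards the same replies should be logged against the new pass rule instead.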




Re: Digital IO - Phidgets support? alternatives?

2008-07-10 Thread Paul M

There is also the Tini from Dallas.
This is a more low-level approach, but it comes with a lightweight 
unix-like shell, and supports a variety of interface busses and 
protocols, http, ppp, ftp and others, and can be programmed in c, java 
or assembly.
I've used it extensively, and while there's things I dislike about it, 
I've simply found nothing better for my use. I've set up some fairly 
extensive networks performing a plethora of tasks - instrumentation, 
data acquisition, control, security, automation etc etc.


If you want a plug and play solution, the barix is probably better, but 
if you want the flexibility, power and control of a lower level 
implementation, then the tini is hard to beat.




On 9/07/2008, at 8:46 PM, Tom Le Page wrote:


Are there any alternative solutions that I should look at?

I've used an alternate standalone solution.  Do a search for
Barix Barionet. Per unit it may appear to be more expensive, but

Thanks for that, I had not come across the Barix range of devices 
before.

Indeed, it does appear more expensive per unit!
But it should be simpler to query (http) than the Phidgets...




Re: yacc rebuild

2008-07-10 Thread Nick Holland
Charles Smith wrote:
 Good afternoon!
 
 So, before the next make build I must rebuild the yacc alone.
 I would like to know how can I rebuild yacc.
 I searched in old errata patches, Makefiles, bsd.*.mk files.
 In my previous logfile (2008.07.07/src_make_build) I see, that by
 yacc the make cleandir is used:
 rm -f yacc.cat1 ...
 rm -f .depend ...tags
 
 So is this correct?
 cd usr.bin/yacc
 make obj
 make cleandir
 make depend
 make
 make install
 
 In general, how can I ascertain, what kind of make Phony Targets must
 I use?
 I didn't read through the whole stuff (docs, all Makefiles, etc) yet,
 so I rejoice at a link too.

Start with a snapshot, then you don't have to worry about this at all.

Don't make your life more difficult than it needs to be...

Nick.



Re: Can't install using pkg_add [SOLVED]

2008-07-10 Thread my mail
--- On Thu, 7/10/08, Louis V. Lambrecht [EMAIL PROTECTED] wrote:


 Frankly, re-re-re-re-read the FAQ.
 Since you just re-installed and still want -current packages, the best
 way would be to grab a snapshot and do a fresh install.
 Do this on a date at which your mirror has packages with the same date as
 the snapshots (or a day or two off).
 Release updates are almost foolproof; updating from snapshots might break,
 while a snapshot of the next day would be perfect.
 
 My personal opinion:
 when you have both the stock OS and sources and started installing
 packages, I experienced it to be safe to keep pkg_add'ing for a week or
 two. Certainly do not do a cvs.
 When packages fail to install, switch to installing the ports from source
 (still without having done a cvs: keep OS, sources, ports tree at the
 same date).
 
 Actually, I have 2 slices, one with a working environment, one with a
 testing environment. Yet another slice with my server's data, archives,
 distfiles, ...
 Every 2 months or so I install a snapshot and most used packages on the
 testing slice and switch the boot slice when all is well.
 
 To be honest, I have a third installation on a USB key where I test the
 snapshot. First an upgrade, and if it is OK, I upgrade the testing slice.
 If not OK, I read misc@ and undeadly for hints and wait a couple of
 weeks to try another snapshot.
 Doing so, I have 2 (eventually 3) OSes to boot from and access my data
 and archives.
 
 Current is where the team is developing; what works now can break in the
 next minutes, and work perfectly half an hour later.
 
 If you really need current, test it on a separate slice.
 Don't touch a good working installation.
 
 Before I forget:
 mighty important!
 keep copies of /var/backups in a safe place before
 upgrading/re-installing.
 Time-saver.

thanks for your help and advice. 
Now I have been able to use OpenBSD 4.3 stable and run a desktop with gnome[1].

yes, i have a plan to dual boot OpenBSD, one for stable and one for current, 
but for now i'll stick with the OpenBSD 4.3 Stable branch.

thank you all for helping me use OpenBSD for the first time :)
this is a big experience for me :)


[1]http://img2.freeimagehosting.net/uploads/673111fb18.jpg



Another way to help OpenBSD

2008-07-10 Thread Darrin Chandler
All the developers are great, but even so some stand out. Otto writes a
lot of very good code, fixed ancient bugs, is nice to random idiots like
me here on misc@openbsd.org, and a lot of other good things.

A little bird (not Otto) told me he's got a wishlist with a couple of
books. If someone were to buy these for him perhaps he could use one or
two things from them in upcoming code. ;-)

If anyone is feeling generous please see:

http://www.amazon.com/gp/registry/P6RBCK0YFTZ



-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: CVS: cvs.openbsd.org: src

2008-07-10 Thread Ben Calvert

On Jun 14, 2008, at 1:47 PM, Damien Miller wrote:


Just to reinforce the experimental thing:

There are some big softraid changes coming that will alter the on-disk
metadata format (for all softraid disciplines, not just crypto).  
Volumes

created with the current tools will be unreadable afterwards. In the
meantime, we appreciate test reports but please don't complain about
incompatibility after cvs up.

We will announce when the format has stabilised.


I don't see a lot of changes to softraid.c since June, and am not
expert enough to tell if these would be affecting the on-disk format.


I also don't see anything in current.html about softraid.

should i just hold off updating my machines?  should I update weekly
with lots of dump & restore?


I'm uncomfortable getting too far behind the curve.

thanks,

Ben




-d




Re: CVS: cvs.openbsd.org: src

2008-07-10 Thread Marco Peereboom
I currently have a 3500 line diff in my tree that completely rewrites
softraid metadata handling.  The idea is that when this goes in we can
start adding foreign raid formats as sub-drivers to softraid.  This also
fixes issues of power failures and crashes where the checksums are no
longer correct.  To top it all the code is far cleaner now.  I am about
95% done so hang in there.

When this change goes in old softraid metadata formats will no longer
work!  So now is a good time to get dumps going.  I am _not_ planning on
adding a metadata driver for the previous versions.

I will be soliciting tests soonish to get the diff production ready so
that we can officially support RAID 0 and CRYPTO for the 4.4 release.
RAID 1 will continue to be experimental until I get a chance to work out
the rebuild mechanics (hi henning!!).

/marco




Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote:
maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish 
this mailing list had


I didn't want to rehash it all again.  Everyone knows the issues.

However, with respect to the right to disagree, if Marco's and Darrin's 
belief is that remote-network-postinstall configuration is the standing 
reason, then I consider myself in disagreement.


Also, I think there is a false premise to the argument by Marco and Jacob 
that disabling remote root login by default does not provide real 
security, only a false illusion.


That sounds like a slippery slope.  We all know that security is a 
process.


There is a security risk / attack vector here, however remote: without 
password quality and failed-login tarpit/delay mechanisms, a remote root 
password is subject to brute force.


Plus, hypothetically, how strong is a temporary root password going to be? 
It's not going to be the one that you use in production, so likely you're 
going to recycle the same one after every install.


- Yes qualified administrators filter sshd(8) w/ pf(4)
- Yes qualified administrators choose strong passwords
- Yes qualified administrators disable PermitRootLogin afterboot
- Yes qualified administrators always use sudo(8) and never use
  root shells

I propose, as a compromise, wrapping PermitRootLogin around a Match 
statement, limited to the default local subnet gleaned during the install 
network config (no LocalSubnets macro exists in sshd_config(5), afaik, 
but that would be best)


It's just the right thing to do; and we should be leading by example.

Either way, it's a healthy discussion worth having.

~~BAS





l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~Maynard James Keenan



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Ted Unangst
On Jul 10, 2008, at 9:19 PM, Brian A. Seklecki [EMAIL PROTECTED] wrote:



On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote:
maybe if people actually READ THE ARCHIVES, they'd be better
informed. i wish this mailing list


There is a security risk / attack vector here, however remote:
without password quality and failed-login tarpit/delay mechanisms, a
remote root password is subject to brute force.


Plus, hypothetically, how strong is a temporary root password going
to be? It's not going to be the one that you use in production, so
likely you're going to recycle the same one after every install.


Don't be stupid. Problem solved.









Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Emilio Perea
On Fri, Jul 11, 2008 at 12:19:27AM -0400, Brian A. Seklecki wrote:
 On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote:
 maybe if people actually READ THE ARCHIVES, they'd be better 
 informed. i wish this mailing list had

 I didn't want to rehash it all again.  Everyone knows the issues.

 However, with respect to the right to disagree, if Marco's and 
 Darrin's belief that if remote-network-postinstall configuration is 
 the standing reason, then I consider myself in disagreement.

 ...

 Either way, its a healthy discussion worth having.

I believe you may be overlooking the fact that while we might have a
healthy discussion on this subject and decide what the default will be
for BASBSD, the people who make the decisions for OpenBSD have already
decided.  We don't get to vote on that.  We may decide how to handle our
own installations, but unless you've read through the archives and found
an argument that has not been considered, it is best to leave it at
that.



Re: Another way to help OpenBSD

2008-07-10 Thread Bryan
On Fri, Jul 11, 2008 at 3:07 AM, Darrin Chandler
[EMAIL PROTECTED] wrote:
 All the developers are great, but even so some stand out. Otto writes a
 lot of very good code, fixed ancient bugs, is nice to random idiots like
 me here on misc@openbsd.org, and a lot of other good things.

 A little bird (not Otto) told me he's got a wishlist with a couple of
 books. If someone were to buy these for him perhaps he could use one or
 two things from them in upcoming code. ;-)

 If anyone is feeling generous please see:

http://www.amazon.com/gp/registry/P6RBCK0YFTZ


Happy early birthday Otto.  A little bird told me that your book will
be at your door in 6-22 days...