Re: OT, .. Majordomo problem

2009-05-22 Thread ropers
I don't know what causes your problem, but I saw this:

2009/5/22 L. V. Lammert :
>
>t...@ted.com
>
> Even though this email is listed correctly as a list member,

  ^--  Here you say that t...@ted.com is listed correctly as a list member.

> when MD
> receives an email from this email address it gets rejected:
>
> Subject: BOUNCE list_memb...@ccsl.org:Non-member submission from ["TED"
> ]

  ^-- Here your MD appears to be telling you the opposite.



Re: multiple videocards... for console text

2009-05-22 Thread Need Coffee
On Fri, May 22, 2009 at 12:37 AM, Joel Wiramu Pauling
 wrote:
> Just use USB to RS232 convert cables and have as many heads as you like off
> of dumb terminals. Or old laptops.
>
>
> ;-)

Thanks, but my goal was not just to add more text consoles, it was to
actually create more VTs on existing heads.  I have 3 monitors.  We're
all painfully aware of the Xorg limitations with multiple pci graphics
cards.  So, I wanted to run them in text mode (80x50 of course  :)

80x50 is easy.  It's the "getting all 3 monitors to work
independently" that isn't.



> 2009/5/22 Need Coffee 
>>
>> Hi, I have kind of a weird question.
>>
>> I have two video cards in an amd64/-current machine.
>>
>> Both cards have dual-head capability.
>>
>> At the text console, the same text appears on both ports.
>>
>> Would it be possible to either:
>>
>> - make the ports separate consoles (seems unlikely)
>>
>> - run each card independently (so, more VT's offered on
>> the second video card)
>>
>> Or some variant of these?  Thanks in advance.



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-22 Thread SJP Lists
Hi,

2009/5/21 Obiozor Okeke :
> Hi Diana (and Stuart) thanks for all your advice.
>
> The problem or nut we're trying to crack is that we're trying to deploy
> OpenBSD to remote clients and we wanted an inexpensive but very high
> reliability system with the flexibility to change configurations (switch
> in/out different VMs) and add/modify services remotely on-the-fly.  For
> example we could upgrade a client from 4.4 to 4.5 along with all the
> custom apps and client data packaged in a VM.  We would grab the old 4.4
> VM bring it back to our lab, then upgrade and re-configure it the way we
> wanted to and drop it back on the ESXi.  Then just change the network
> configs and switch the old for the new all remotely without ever visiting
> the client
>
> Thanks again all.

Even if this were feasible (given the hardware limitations of the
5501), you would still have to maintain ESX in a manner which requires
console access.

Wrapping OpenBSD up in ESX defeats the typical purpose of using
OpenBSD.  ESX and other x86 virtualization software introduce a whole
new vulnerable layer of software which requires patching and
rebooting.

Take it from the horse's mouth...


"A critical vulnerability in the virtual machine display function
might allow a guest operating system to run code on the host. The
Common Vulnerabilities and Exposures Project (cve.mitre.org) has
assigned the name CVE-2009-1244 to this issue."

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009853


"A memory corruption condition might occur in the virtual machine
hardware. A malicious request sent from the guest operating system to
the virtual hardware might cause the virtual hardware to write to
uncontrolled physical memory.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2008-4917
to this issue."

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007507


"VMware addresses an in-guest privilege escalation on 64-bit guest
operating systems.  VMware products emulate hardware functions
including CPU, memory, and I/O.  A flaw in VMware's CPU hardware
emulation could allow the virtual CPU to jump to an incorrect memory
address. Exploitation of this issue on the guest operating system does
not lead to a compromise of the host system, but could lead to a
privilege escalation on guest operating systems. An attacker would
need to have a user account on the guest operating system.  Affected
guest operating systems include 64-bit Windows, 64-bit FreeBSD, and
possibly other 64-bit operating systems."

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007090


This is just a small sample.  All this will get you extra complexity
and the doubt that a problem with the guest software is really with it
or the host.


Shane



Re: softraid

2009-05-22 Thread Uwe Dippel
Uwe Dippel  uniten.edu.my> writes:

> To me this seems a result of the sequence at boot: at first we identify the
> physical drives, that is sd0, sd1, sd2 and sd3 in this case, and only later
> do we get softraid up, sensibly roaming the RAID one up. Sensibly? Because
> fstab can't know and will want to mount partitions of a lower number 
> (sd3 in this case), which is always impossible.

I do understand the problem of 'no labels'/'no UUID', but the current working
will break boot whatever happens: any extra drive, in any slot, will be
discovered at boot time before softraid is activated. So it will break 100%,
right? There is no real solution without disk IDs, though a hackish one: 
If softraid was configured at sd3 (assembled from sd1 and sd2 in this case), 
the kernel needs to be aware of this fact when it goes into drive discovery 
at boot.
So that when one plugs another drive into a higher controller, it will discover:
sd0 - sd1 - sd2 - sd3_is_taken - sd4. Then fstab will be correct w.r.t. sd0 to
sd3, and one can use sd4, the new drive, for whatever purpose it had been
intended. And if sd0 was removed from the original configuration, it would find
sd0 - sd1 - sd3_is_taken. Then roaming can still do sd0->sd1 and sd1->sd2, and
the RAID will come up properly, again.
That's the best I could think of now, anything but perfect, but always better
than a 100% breakage. 
What do you think?



BGP responding with wrong IP address.

2009-05-22 Thread Justin Credible
Hi there,

I am running OpenBGPd on an OpenBSD 4.4 router.

Sometimes when traffic goes over one peer and finally gets to our router,
the last hop will respond as a different peer. For example:

Level3 IP 10.0.0.1
Global Crossing IP 192.168.0.1

Traffic traverses Global crossing all the way, last hop, 10.0.0.1 responds
and vice versa.

I noticed if I set one default gateway, this is always the IP to respond at
the last hop. If I set multi-path default gateways then random IPs respond
at the last hop.

Is there a common way that I am missing to get around this? Am I overlooking
something on the man pages?

Thanks for your help!

Regards,

Ken



Re: authpf for incoming connections

2009-05-22 Thread Alexander Hall
Aaron Martinez wrote:
>> On 22 May 2009 at 15:05, Aaron Martinez wrote:
>>
>>> Hi All,
>>>
>>> I am setting up an openbsd 4.5 stable based pf firewall and was
>>> wondering if there is a way to make it so only certain users could log
>>> in from certain IP addresses.  I have authpf set up and working well,
>>> but the problem is if someone that isn't coming from one of my "safe" ip
>>> addresses, i don't want them to be able to log in using a login name
>>> that has a standard shell like ksh.  I saw the "Match" statement for
>>> sshd but it looks like the only things that can be set are:
>>> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
>>> ForceCommand, GatewayPorts, GSSAPIAuthentication,
>>> HostbasedAuthentication, KbdInteractiveAuthentication,
>>> KerberosAuthentication, MaxAuthTries, MaxSessions,
>>> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
>>> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
>>> X11DisplayOffset, X11Forwarding and X11UseLocalHost.  none of which
>>> would allow for what i'm trying. (if i'm understanding this correctly)
>>>
>>>
>>> I'm trying to have authpf authenticate people before they are able to
>>> use certain services behind the firewall, i.e. pptp server, pop server
>>> etc., while allowing certain people from static IP addresses to actually
>>> log into the openbsd firewall.
>> You did say you are setting up a pf firewall, so why not use its
>> firewalling functionality to limit those services to the specific
>> _static IP addresses_? This is one of the simplest use cases for pf!
>>
>>> Any ideas greatly appreciated.
>>>
>>>
>>> Thanks in advance.
>>>
>>> Aaron Martinez
>>
> 
> I don't want to limit the services behind the firewall to certain IP
> addresses, only to people that can authenticate with authpf at the
> firewall, they can be at any IP.  Then after they authenticate a rule is
> loaded to allow their IP to get to the pop or pptp server behind the
> firewall.
> 
> The safe addresses are for people that need to do administration on the fw
> and have an account on the fw system itself that has a shell other than
> authpf.

Maybe something like this will do:


Match Group wheel Address ...
ForceCommand exec ksh

Match Group wheel
ForceCommand echo Bye


If nothing else works well enough, you could just launch another ssh
process with its own config file at some other port and/or ip address.

/Alexander



Re: authpf for incoming connections

2009-05-22 Thread Stuart Henderson
If you use public keys for the users with shells, you could use a
Match block with 'PasswordAuthentication no' for those usernames,
and 'from="pattern-list"' in their authorized_keys files.


On 2009-05-22, Aaron Martinez  wrote:
> Hi All,
>
> I am setting up an openbsd 4.5 stable based pf firewall and was
> wondering if there is a way to make it so only certain users could log
> in from certain IP addresses.  I have authpf set up and working well,
> but the problem is if someone that isn't coming from one of my "safe" ip
> addresses, i don't want them to be able to log in using a login name
> that has a standard shell like ksh.  I saw the "Match" statement for
> sshd but it looks like the only things that can be set are:
> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
> ForceCommand, GatewayPorts, GSSAPIAuthentication,
> HostbasedAuthentication, KbdInteractiveAuthentication,
> KerberosAuthentication, MaxAuthTries, MaxSessions,
> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
> X11DisplayOffset, X11Forwarding and X11UseLocalHost.  none of which
> would allow for what i'm trying. (if i'm understanding this correctly)
>
>
> I'm trying to have authpf authenticate people before they are able to
> use certain services behind the firewall, i.e. pptp server, pop server
> etc., while allowing certain people from static IP addresses to actually
> log into the openbsd firewall.  
>
> Any ideas greatly appreciated.
>
>
> Thanks in advance.
>
> Aaron Martinez
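
The reply above depends on every key of a shell account carrying a from= restriction. The following is an added example, not part of the thread: it audits authorized_keys text for keys that lack one and evaluates whether a given source address would be accepted. The sample keys and addresses are constructed, and only IP, CIDR and wildcard patterns are evaluated (hostname patterns would need DNS lookups).

```python
import fnmatch
import ipaddress

# Key-type prefixes that mark a line with no leading options field.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

# Constructed sample: key material is truncated, addresses are documentation ranges.
SAMPLE_KEYS = '''\
# authorized_keys for the shell accounts (constructed)
from="192.0.2.10,198.51.100.0/24",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2E alice@admin
ssh-rsa AAAAB3NzaC1yc2E bob@laptop
from="!203.0.113.7,203.0.113.*" ssh-rsa AAAAB3NzaC1yc2E carol@office
'''


def split_unquoted(text, sep):
    """Split text on sep where it occurs outside double quotes; quotes are dropped."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_key_line(line):
    """Return (options dict, key text) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        return {}, line
    # The options field ends at the first whitespace outside quotes.
    quoted, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            end = i
            break
    opts = {}
    for item in split_unquoted(line[:end], ","):
        name, _, value = item.partition("=")
        opts[name.lower()] = value
    return opts, line[end:].strip()


def from_allows(pattern_list, source_addr):
    """Evaluate a from= pattern list against an IP address.

    A hit on a negated (!) pattern rejects outright; otherwise at least
    one positive pattern must hit.
    """
    ip = ipaddress.ip_address(source_addr)
    allowed = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if "/" in pat:
            try:
                hit = ip in ipaddress.ip_network(pat, strict=False)
            except ValueError:
                hit = False  # not a usable CIDR pattern
        else:
            hit = fnmatch.fnmatchcase(source_addr, pat)
        if hit and negate:
            return False
        allowed = allowed or hit
    return allowed


def audit(text, source_addr):
    """Return [(line number, verdict)] for every key in authorized_keys text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        opts, _key = parsed
        if "from" not in opts:
            verdict = "no-from"  # key is usable from any address
        elif from_allows(opts["from"], source_addr):
            verdict = "allowed"
        else:
            verdict = "denied"
        findings.append((lineno, verdict))
    return findings


if __name__ == "__main__":
    for addr in ("198.51.100.23", "203.0.113.7", "203.0.113.8"):
        print(addr, audit(SAMPLE_KEYS, addr))
```

A "no-from" finding is the case to chase: from= constrains public-key logins only, which is why the reply pairs it with 'PasswordAuthentication no' for the same usernames.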



Re: authpf for incoming connections

2009-05-22 Thread System Administrator
On 22 May 2009 at 16:37, Aaron Martinez wrote:

> > On 22 May 2009 at 15:05, Aaron Martinez wrote:
> >
> >> Hi All,
> >>
> >> I am setting up an openbsd 4.5 stable based pf firewall and was
> >> wondering if there is a way to make it so only certain users could log
> >> in from certain IP addresses.  I have authpf set up and working well,
> >> but the problem is if someone that isn't coming from one of my "safe" ip
> >> addresses, i don't want them to be able to log in using a login name
> >> that has a standard shell like ksh.  I saw the "Match" statement for
> >> sshd but it looks like the only things that can be set are:
> >> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
> >> ForceCommand, GatewayPorts, GSSAPIAuthentication,
> >> HostbasedAuthentication, KbdInteractiveAuthentication,
> >> KerberosAuthentication, MaxAuthTries, MaxSessions,
> >> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
> >> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
> >> X11DisplayOffset, X11Forwarding and X11UseLocalHost.  none of which
> >> would allow for what i'm trying. (if i'm understanding this correctly)
> >>
> >>
> >> I'm trying to have authpf authenticate people before they are able to
> >> use certain services behind the firewall, i.e. pptp server, pop server
> >> etc., while allowing certain people from static IP addresses to actually
> >> log into the openbsd firewall.
> >
> > You did say you are setting up a pf firewall, so why not use its
> > firewalling functionality to limit those services to the specific
> > _static IP addresses_? This is one of the simplest use cases for pf!
> >
> >> Any ideas greatly appreciated.
> >>
> >>
> >> Thanks in advance.
> >>
> >> Aaron Martinez
> >
> >
> 
> I don't want to limit the services behind the firewall to certain IP
> addresses, only to people that can authenticate with authpf at the
> firewall, they can be at any IP.  Then after they authenticate a rule is
> loaded to allow their IP to get to the pop or pptp server behind the
> firewall.
> 
> The safe addresses are for people that need to do administration on the fw
> and have an account on the fw system itself that has a shell other than
> authpf.

What kind of firewall would it be if it could not protect itself? Ergo, 
my original suggestion still holds. Please review the pf FAQ and other 
documentation, they contain a number of examples to do exactly what you 
are asking.

> Thanks.



Re: authpf for incoming connections

2009-05-22 Thread Aaron Martinez
> On 22 May 2009 at 15:05, Aaron Martinez wrote:
>
>> Hi All,
>>
>> I am setting up an openbsd 4.5 stable based pf firewall and was
>> wondering if there is a way to make it so only certain users could log
>> in from certain IP addresses.  I have authpf set up and working well,
>> but the problem is if someone that isn't coming from one of my "safe" ip
>> addresses, i don't want them to be able to log in using a login name
>> that has a standard shell like ksh.  I saw the "Match" statement for
>> sshd but it looks like the only things that can be set are:
>> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
>> ForceCommand, GatewayPorts, GSSAPIAuthentication,
>> HostbasedAuthentication, KbdInteractiveAuthentication,
>> KerberosAuthentication, MaxAuthTries, MaxSessions,
>> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
>> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
>> X11DisplayOffset, X11Forwarding and X11UseLocalHost.  none of which
>> would allow for what i'm trying. (if i'm understanding this correctly)
>>
>>
>> I'm trying to have authpf authenticate people before they are able to
>> use certain services behind the firewall, i.e. pptp server, pop server
>> etc., while allowing certain people from static IP addresses to actually
>> log into the openbsd firewall.
>
> You did say you are setting up a pf firewall, so why not use its
> firewalling functionality to limit those services to the specific
> _static IP addresses_? This is one of the simplest use cases for pf!
>
>> Any ideas greatly appreciated.
>>
>>
>> Thanks in advance.
>>
>> Aaron Martinez
>
>

I don't want to limit the services behind the firewall to certain IP
addresses, only to people that can authenticate with authpf at the
firewall, they can be at any IP.  Then after they authenticate a rule is
loaded to allow their IP to get to the pop or pptp server behind the
firewall.

The safe addresses are for people that need to do administration on the fw
and have an account on the fw system itself that has a shell other than
authpf.

Thanks.



Re: authpf for incoming connections

2009-05-22 Thread System Administrator
On 22 May 2009 at 15:05, Aaron Martinez wrote:

> Hi All,
> 
> I am setting up an openbsd 4.5 stable based pf firewall and was
> wondering if there is a way to make it so only certain users could log
> in from certain IP addresses.  I have authpf set up and working well,
> but the problem is if someone that isn't coming from one of my "safe" ip
> addresses, i don't want them to be able to log in using a login name
> that has a standard shell like ksh.  I saw the "Match" statement for
> sshd but it looks like the only things that can be set are:
> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
> ForceCommand, GatewayPorts, GSSAPIAuthentication,
> HostbasedAuthentication, KbdInteractiveAuthentication,
> KerberosAuthentication, MaxAuthTries, MaxSessions,
> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
> X11DisplayOffset, X11Forwarding and X11UseLocalHost.  none of which
> would allow for what i'm trying. (if i'm understanding this correctly)
> 
> 
> I'm trying to have authpf authenticate people before they are able to
> use certain services behind the firewall, i.e. pptp server, pop server
> etc., while allowing certain people from static IP addresses to actually
> log into the openbsd firewall.  

You did say you are setting up a pf firewall, so why not use its 
firewalling functionality to limit those services to the specific 
_static IP addresses_? This is one of the simplest use cases for pf!
 
> Any ideas greatly appreciated.
> 
> 
> Thanks in advance.
> 
> Aaron Martinez



OT, .. Majordomo problem

2009-05-22 Thread L. V. Lammert
OT question, but I was hoping there might be other folks that might have 
seen a similar problem [old MD installation (1.94.5)]:


Given this email in the list members:

t...@ted.com

Even though this email is listed correctly as a list member, when MD 
receives an email from this email address it gets rejected:


Subject: BOUNCE list_memb...@ccsl.org:Non-member submission from ["TED" 
]

X-SPAM-Info: Omnitec Corporation MailScanner
X-SPAM-MailScanner: Found to be clean
X-Antivirus: AVG for E-mail 8.5.339 [270.12.36/2125]

>From ad...@ourorg.org Fri May 22 14:56:15 2009
Received: from smtp106.sbc.mail.mud.yahoo.com 
(smtp106.sbc.mail.mud.yahoo.com [68.142.198.205])

by mail.omnitec.net (8.12.8/8.12.8) with SMTP id n4MJu7hm009875
for ; Fri, 22 May 2009 14:56:08 -0500 (CDT)
Received: (qmail 80084 invoked from network); 22 May 2009 19:56:25 -
Received: from unknown (HELO Thinkpad3tlp) (t...@69.149.225.0 with login)
  by smtp106.sbc.mail.mud.yahoo.com with SMTP; 22 May 2009 19:56:24 -

My only hypothesis is that, since the domain is hosted by Yahoo, the fact 
that the originating mail *server* does not belong to ted.com MD gets confused.


Anyone have any thoughts? His email comes through just fine by postfix & 
sendmail, just not MD.


TIA,

Lee



authpf for incoming connections

2009-05-22 Thread Aaron Martinez
Hi All,

I am setting up an openbsd 4.5 stable based pf firewall and was
wondering if there is a way to make it so only certain users could log
in from certain IP addresses.  I have authpf set up and working well,
but the problem is if someone that isn't coming from one of my "safe" ip
addresses, i don't want them to be able to log in using a login name
that has a standard shell like ksh.  I saw the "Match" statement for
sshd but it looks like the only things that can be set are:
AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
ForceCommand, GatewayPorts, GSSAPIAuthentication,
HostbasedAuthentication, KbdInteractiveAuthentication,
KerberosAuthentication, MaxAuthTries, MaxSessions,
PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding and X11UseLocalHost.  none of which
would allow for what i'm trying. (if i'm understanding this correctly)


I'm trying to have authpf authenticate people before they are able to
use certain services behind the firewall, i.e. pptp server, pop server
etc., while allowing certain people from static IP addresses to actually
log into the openbsd firewall.  

Any ideas greatly appreciated.


Thanks in advance.

Aaron Martinez



Re: halt -p on a thinkpad x61; _PTS broken?

2009-05-22 Thread Marco Peereboom
fixed in -current

On Fri, May 22, 2009 at 01:59:47PM -0600, Matthew Emmett wrote:
> Hi,
> 
> First, thanks to all developers of OpenBSD for such a fine operating
> system!
> 
> I noticed some strange behaviour when issuing 'halt -p' on my ThinkPad
> X61.  Namely, that the laptop hung most of the time, and powered down
> only some of the time, after 'halt -p' was issued under both 4.4 and 4.5.
> After reading archives of misc@, I believe others have experienced
> this.
> 
> I did some further reading on the 'net, and (naively) tried commenting
> out the _PTS ACPI command that is issued in
> 
>   acpi_prepare_sleep_state()
> 
> which is in sys/dev/acpi/acpi.c.  My laptop now powers down every time
> I issue 'halt -p'.
> 
> This doesn't quite seem right: surely _PTS should be called?
> 
> If I discover anything more, I will write more.
> 
> Thanks,
> Matthew



Re: spamd question

2009-05-22 Thread Jim Razmus
* Eric  [090522 14:41]:
> I never thought about it before, but it is clear that spamd handles the
> greylisting the same regardless of whether or not the e-mail address is
> valid.  That is, it doesn't check to make sure that the to address is
> legitimate before adding the IP address to the spamd-white table.
> 
> For example, if your domain is example.com and someone is trying to
> send to a bogus address, say 3dgeo...@example.com, then once they get
> through the greylisting, their ip address is then added to the spamd-white
> table where it will remain for the next month or so, depending on the
> configuration.
> 
> On the surface, this doesn't seem to be much of a problem since the
> spammer could always do the same for a real e-mail address if he had
> one at the domain and get whitelisted for the configured period of
> time.  Furthermore, if the sender is not a spammer and just has the
> address wrong, say goe...@example.com instead of geo...@example.com, he
> gets a 5xx response much quicker telling him that the address does not
> exist so that he can correct it and resend it.
> 
> So it doesn't seem like such a bad thing.
> 
> But it also seems like this could be used by a savvy spammer to his
> benefit if he wants to have a better chance at getting past spamd on
> OpenBSD servers.  Suppose a spammer was getting ready to make a big
> spam run.  Then he could increase his probability of getting the IP
> address added to the spamd-white table by going through the various
> address lists earlier and "sending" a single e-mail to a completely
> random address at the same domain.
> 
> For example, if his address list contained geo...@example.com,
> sa...@example.com, he...@example.com, and j...@example.com, a day or
> two earlier, he could fake an e-mail something like
> 1739512349...@example.com.  Once the IP address is added to
> spamd-white, he will connect to the mail server on the next try where
> he will get a 5xx no such user error.  
> 
> The benefit he would gain by using a random made-up address instead of
> one on his list is because he won't definitively know which addresses
> on the list are spamtrap addresses.  Instead, the random address is
> unlikely to have been added with "spamdb -T -a" and so he increases his
> chances of not getting trapped.
> 
> Not only would this make the spam run itself simpler and faster,
> but any addresses defined with spamdb as spamtrap addresses wouldn't
> cause the server to be trapped for 24 hours because since it had
> already been greylisted, spamd would never actually see the spamtrap
> addresses, if any.
> 
> If, on the other hand, the address had to be legitimate before spamd
> would send it on, the above scenario would fail.  The spammer would
> then only be able to get his IP addresses whitelisted by sending an
> e-mail to a legitimate user and avoiding the spamtrap addresses
> entirely.
> 
> I've seen no signs that the spammers are doing that now, but it might
> be worth considering an option to spamd that would check the addresses
> and use that as part of the determination of whether or not to add to
> the spamd-white list just in case they should start doing that.
> 
> Any thoughts on this?
> 
> Eric Johnson
> 

beck@ created the greyscanner Perl script to address the issues you've
highlighted.  It does deeper inspection of grey listed senders before
they are white listed.  It validates the DNS setup of the sending
server, the validity of the recipient address, and more.  You can add
your own checks to it as well.

I find it an effective addition to spamd.

http://www.ualberta.ca/~beck/greyscanner/

HTH,
Jim
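
The recipient check discussed in this exchange, as an added example that is neither part of the thread nor greyscanner's own code: it reads spamdb-style output and lists greylisted source IPs that have only tried recipients which are not real mailboxes, so they can be trapped before they reach spamd-white. The GREY line layout (type|ip|helo|from|to|first|pass|expire|block|pass) is assumed from spamdb(8); the sample lines and the valid-recipient set are constructed.

```python
from collections import defaultdict

# Constructed data: mailboxes that really exist at the protected domain.
VALID_RCPTS = {"alice@example.com", "postmaster@example.com"}

# Constructed spamdb-style output (documentation address ranges, made-up hosts).
SAMPLE_SPAMDB = """\
WHITE|192.0.2.44|||1242990000|1242991800|1246101000|2|1
GREY|198.51.100.7|mx.sender.test|<a@sender.test>|<x7f3k2q9@example.com>|1243000000|1243001500|1243014400|1|0
GREY|198.51.100.7|mx.sender.test|<a@sender.test>|<qq0481zz@example.com>|1243000060|1243001560|1243014460|1|0
GREY|203.0.113.9|mail.partner.test|<bob@partner.test>|<Alice@Example.com>|1243000100|1243001600|1243014500|1|0
GREY|203.0.113.20|host.typo.test|<amy@typo.test>|<alcie@example.com>|1243000200|1243001700|1243014600|1|0
GREY|203.0.113.20|host.typo.test|<amy@typo.test>|<alice@example.com>|1243000900|1243002400|1243015300|1|0
TRAPPED|192.0.2.99|1243086400
SPAMTRAP|trap@example.com
"""


def normalize(addr):
    """Strip angle brackets and case so <Alice@Example.com> equals alice@example.com."""
    return addr.strip().strip("<>").lower()


def grey_entries(spamdb_text):
    """Yield (source ip, recipient) for each well-formed GREY line."""
    for line in spamdb_text.splitlines():
        fields = line.split("|")
        if len(fields) != 10 or fields[0] != "GREY":
            continue  # WHITE, TRAPPED, SPAMTRAP or malformed
        yield fields[1], normalize(fields[4])


def invalid_only_sources(spamdb_text, valid_rcpts):
    """Return sorted IPs whose greylisted attempts all target unknown recipients.

    A source that also tried a valid mailbox (for example a sender who
    first mistyped the address) is left alone.
    """
    valid = {normalize(a) for a in valid_rcpts}
    seen = defaultdict(list)  # ip -> [recipient_is_valid, ...]
    for ip, rcpt in grey_entries(spamdb_text):
        seen[ip].append(rcpt in valid)
    return sorted(ip for ip, flags in seen.items() if not any(flags))


def trap_commands(ips):
    """Build the spamdb invocations that add a TRAPPED entry for each IP."""
    return ["spamdb -t -a %s" % ip for ip in ips]


if __name__ == "__main__":
    for cmd in trap_commands(invalid_only_sources(SAMPLE_SPAMDB, VALID_RCPTS)):
        print(cmd)
```

The check has to run more often than the greylist pass time, since a source that retries after that delay is whitelisted without any further look at the recipient.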



halt -p on a thinkpad x61; _PTS broken?

2009-05-22 Thread Matthew Emmett
Hi,

First, thanks to all developers of OpenBSD for such a fine operating
system!

I noticed some strange behaviour when issuing 'halt -p' on my ThinkPad
X61.  Namely, that the laptop hung most of the time, and powered down
only some of the time, after 'halt -p' was issued under both 4.4 and 4.5.
After reading archives of misc@, I believe others have experienced
this.

I did some further reading on the 'net, and (naively) tried commenting
out the _PTS ACPI command that is issued in

  acpi_prepare_sleep_state()

which is in sys/dev/acpi/acpi.c.  My laptop now powers down every time
I issue 'halt -p'.

This doesn't quite seem right: surely _PTS should be called?

If I discover anything more, I will write more.

Thanks,
Matthew



spamd question

2009-05-22 Thread Eric
I never thought about it before, but it is clear that spamd handles the
greylisting the same regardless of whether or not the e-mail address is
valid.  That is, it doesn't check to make sure that the to address is
legitimate before adding the IP address to the spamd-white table.

For example, if your domain is example.com and someone is trying to
send to a bogus address, say 3dgeo...@example.com, then once they get
through the greylisting, their ip address is then added to the spamd-white
table where it will remain for the next month or so, depending on the
configuration.

On the surface, this doesn't seem to be much of a problem since the
spammer could always do the same for a real e-mail address if he had
one at the domain and get whitelisted for the configured period of
time.  Furthermore, if the sender is not a spammer and just has the
address wrong, say goe...@example.com instead of geo...@example.com, he
gets a 5xx response much quicker telling him that the address does not
exist so that he can correct it and resend it.

So it doesn't seem like such a bad thing.

But it also seems like this could be used by a savvy spammer to his
benefit if he wants to have a better chance at getting past spamd on
OpenBSD servers.  Suppose a spammer was getting ready to make a big
spam run.  Then he could increase his probability of getting the IP
address added to the spamd-white table by going through the various
address lists earlier and "sending" a single e-mail to a completely
random address at the same domain.

For example, if his address list contained geo...@example.com,
sa...@example.com, he...@example.com, and j...@example.com, a day or
two earlier, he could fake an e-mail something like
1739512349...@example.com.  Once the IP address is added to
spamd-white, he will connect to the mail server on the next try where
he will get a 5xx no such user error.  

The benefit he would gain by using a random made-up address instead of
one on his list is because he won't definitively know which addresses
on the list are spamtrap addresses.  Instead, the random address is
unlikely to have been added with "spamdb -T -a" and so he increases his
chances of not getting trapped.

Not only would this make the spam run itself simpler and faster,
but any addresses defined with spamdb as spamtrap addresses wouldn't
cause the server to be trapped for 24 hours because since it had
already been greylisted, spamd would never actually see the spamtrap
addresses, if any.

If, on the other hand, the address had to be legitimate before spamd
would send it on, the above scenario would fail.  The spammer would
then only be able to get his IP addresses whitelisted by sending an
e-mail to a legitimate user and avoiding the spamtrap addresses
entirely.

I've seen no signs that the spammers are doing that now, but it might
be worth considering an option to spamd that would check the addresses
and use that as part of the determination of whether or not to add to
the spamd-white list just in case they should start doing that.

Any thoughts on this?

Eric Johnson



Re: OpenNTPD warning

2009-05-22 Thread (private) HKS
On Fri, May 22, 2009 at 10:05 AM, Jordi Espasa  wrote:
>> Looks like you do not think at all. The reason was told to you, and you
>> didn't ever tried to do something. You prefer to "think" instead of "doing",
>> aren't you?
>
> I've fixed the commented conf error already, but it seems that the FIRST
> warning I've commented in my INITIAL post is not related to this
> configuration mistake.

Can you clarify what "seems" means? Did you fix the config file
problem, restart ntpd, and see this issue recur?

-HKS



>
> Looks like do you not read at all. Check the complete thread and think some
> seconds about your impoliteness.
>
> And.. speaking about doing something
>
> ¿do you provide a public NTP server in your country?
> ¿do you provide a public OpenBSD mirror in your country?
>
> Shame on you.
>
> --
> Thanks,
> Jordi Espasa Clofent



Azalia codec on HP Pavilion dv6000

2009-05-22 Thread João Salvatti
Hi,

For the first time my multimedia keyboard works (OpenBSD 4.5). Thanks
developers for the great work.

--
João Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: salva...@gmail.com



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-22 Thread Obiozor Okeke
Thanks Ross/Ed, yes we're going to dump the custom Windows app and use an open
source solution using Samba's file share capability (with Samba running on
OBSD of course :). 


--- On Fri, 5/22/09, Ross Cameron wrote:

> From: Ross Cameron
> Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501
> To: "Ed Ahlsen-Girard"
> Cc: misc@openbsd.org
> Date: Friday, May 22, 2009, 9:05 AM
> On Fri, May 22, 2009 at 5:56 PM, Ed Ahlsen-Girard wrote:
>
> > On 2009-05-22  Ross Cameron wrote:
> >
> > > Certainly the hardware chosen isnt anywhere NEAR potent enough,... and
> > > u're leaving ure whole configuration open for attack via the ESXi sub
> > > layer.
> > >
> > > Why not just port the custom app to OpenBSD and run the configuration
> > > natively on the hardware?
> >
> > There are apps on Windows for which "porting" to OpenBSD would be roughly
> > equivalent to "porting" to NetWare Virtual Loadable Module.
> >
> > Maybe he doesn't mind doing it all over from scratch, but that's about
> > what it might turn out to be.
>
> True but then again I generally find that rewriting and targeting the code
> for portability and re-use is worth the efforts in the long run.
>
> Painting you're self into a corner with regards to coding
> standards/languages/host OS are generally just a headache waiting to happen
> in the years to come.



Re: softraid

2009-05-22 Thread Uwe Dippel
Marco Peereboom  peereboom.us> writes:

> > Next problem: There are quite a number of bays available in my box, 
> > so that I can plug another drive for a local 'dump'. But irrespective 
> > where I plug it, it won't come up:
> 
> Your trace shows that it comes up just fine.

> > softraid0: volume sd4 is roaming, it used to be sd3, updating metadata
> 
> You inserted a disk in front of others.  From where I am sitting it is
> all working as designed.

Hmm. I plugged the fourth 'before' and 'after'; or the tray above and the tray
below that pair. Both acted the same: breaking the mirror.
To me it *looks* as if any physical disk would go before the RAID, and therefore
the RAID always be incremented whenever one inserts another drive. And since
the RAID gets roamed, while fstab isn't, it will always break. No?


> This is not a softraid problem this is an OpenBSD problem.  We don't
> have uuids or labels on disks so when disks move around bad things
> happen.  This is a fact of life today that needs to be dealt with
> accordingly.

Yes and no. 'Move around' is not what I am doing, when I plug an extra drive
*after* sd2 (in my case). However, the system makes that one sd3, and voilà,
the s*** hits the fan, because the RAID volume is moved up one index. 
To me this seems a result of the sequence at boot: at first we identify the
physical drives, that is sd0, sd1, sd2 and sd3 in this case, and only later
do we get softraid up, sensibly roaming the RAID one up. Sensibly? Because fstab
can't know and will want to mount partitions of a lower number (sd3 in this
case), which is always impossible.



Re: 3G not navigate

2009-05-22 Thread Tero Koskinen
Hi,

On Fri, 22 May 2009 01:02:31 -0300 (BRT) Murilo da Silva Ijanc wrote:

> Hello misc@,
> 
> I am trying to use 3G technology in OpenBSD.

I have Huawei E220. After a few days of tweaking, I got it working pretty
well. There are some caveats however. (See below)

> $ ping -c 4 www.google.com
> PING google.navigation.opendns.com (208.69.32.231): 56 data bytes
> 64 bytes from 208.69.32.231: icmp_seq=0 ttl=51 time=679.708 ms

For some reason ping times are big with user space ppp.
(600+ ms vs. 150ms with in-kernel ppp)

> lynx www.openbsd.org
> 
> HTTP request sent; waiting for response.
>  .. 10 min . 20 min

With user space ppp, I had to set MTU to 900 before web browsing
worked. I think I did that using "set mrru 900" in /etc/ppp/ppp.conf.

I recommend that you try kernel mode ppp using pppd. There you can
use bigger MTU/MRRU.

My setup is following:
$ cat /etc/ppp/mokkula
#!/bin/sh

ifconfig ppp0 destroy 1>/dev/null 2>&1
ifconfig ppp0 create
route delete default 1>/dev/null 2>&1
/usr/sbin/pppd /dev/cuaU0 460800 connect '/usr/sbin/chat -f /etc/ppp/peers/elisa2.chat'
sleep 12

$ cat /etc/ppp/peers/elisa2.chat
ABORT BUSY
ABORT ERROR
ABORT "NO CARRIER"
ABORT VOICE
ABORT "NO DIALTONE"
"" AT
OK AT+CGDCONT=1,"IP","internet","0.0.0.0",0,0
OK ATDT*99#
TIMEOUT 40
CONNECT \c

$ cat /etc/ppp/options
debug
/dev/cuaU0
460800
lock
persist
noauth
0.0.0.0:10.0.0.2
netmask 255.255.255.255
ipcp-accept-local
ipcp-accept-remote
noipdefault
crtscts
deflate 0
bsdcomp 0
noccp
novj
novjccomp
nopcomp
#nodetach
mru 1440
refuse-chap
connect '/usr/sbin/chat -f /etc/ppp/peers/elisa2.chat' 
$

Like others suggested, enabling "debug" option gives you some hints.
Also, using cu directly ("cu -s 460800 -l /dev/cuaU0") and sending
AT commands gives you more hints. (For example, you might be required
to give PIN code with AT+CPIN command.)

-- 
Tero Koskinen 



Sensorsd behavior

2009-05-22 Thread João Salvatti
Hi Misc,

I put the following line in my sensorsd.conf file:

hw.sensors.acpibat0.raw0:command=/etc/sensorsd/bat_status %2

When the battery's laptop status change, bat_status program is
executed using param %2 (sensor's value can be: 0 when battery is
idle, 1 when battery is discharging and 2 when battery is charging),
but the problem is: sensorsd only runs program bat_status when it is
started!

EG: If my power cord is plugged on my laptop sensorsd execute
bat_status, but when I remove my power cord the sensorsd doesn't run
bat_status again. Is this a normal behavior?

bat_status.c:

#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>

int
main(int argc, char *argv[])
{
    int bat_status;

    /* sensorsd passes the sensor value (%2) as the only argument. */
    if (argc < 2)
        return 1;
    bat_status = atoi(argv[1]);

    if (bat_status == 0)
        syslog(LOG_WARNING, "Battery is now idle.\n");
    else if (bat_status == 1)
        syslog(LOG_WARNING, "Battery is now discharging...\n");
    else
        syslog(LOG_WARNING, "Battery is now charging...\n");

    return 0;
}

Thanks in advance.

--
João Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: salva...@gmail.com



Re: Block level snapshots - can I do them in OBSD?

2009-05-22 Thread Graham Allan
On Fri, May 22, 2009 at 02:32:24PM +0200, Joachim Schipper wrote:
> > 
> > I am very keen to run OBSD on this, but if it's absolutely impractical to do
> > so I'd also welcome suggestions of other ways to do this in FreeBSD.
> 
> I don't know anything about FreeBSD's (lack of?) support for snapshots.
> (Open)Solaris does have ZFS, which is supposed to be all kinds of
> awesome. I know that people did try to get ZFS in FreeBSD, but I don't
> know the current status of that effort.

At the risk of writing about the wrong OS on the wrong list, FreeBSD
supports snapshots on UFS filesystems. You might find some debate as to
how well they work, but I find them useful (it will depend what you want
out of them; they can start to get slow with larger FS sizes). I guess
there is a GEOM driver/class for encrypted filesystems, but I have no
idea how that would interact with snapshots.

Graham



Re: softraid

2009-05-22 Thread Uwe Dippel
Marco Peereboom  peereboom.us> writes:


> This is currently correct because I am working on this particular case.
> This one has proved to be very hairy hence it isn't in the tree yet.

Good to know, thanks for the heads-up, I keep waiting then for 4.6, I guess?


> > I'd expect the
> > softraid, in order to be useful, to reboot on its sane leg.
> 
> See previous comment.  This is incomplete code.

Thanks for the info. Complete is -current or will it be in 4.6?

Uwe



Re: softraid

2009-05-22 Thread Uwe Dippel
Marco Peereboom  peereboom.us> writes:

> 
> This is a repeat of the "can't bring up a raid set with missing
> members"

Yes, exactly. This can be closed; it was just to demonstrate that I am not
the only person, who sees broken mirrors being re-attached.



Re: softraid

2009-05-22 Thread Uwe Dippel
Marco Peereboom  peereboom.us> writes:

> 
> This one the pulled drive still contains the same metadata as the
> surviving members.  Since you are running a home made kernel I have no
> idea what code you are running.  This scenario should work with the code
> I committed a couple of weeks ago.  From the looks of it this is a bug
> or you are running old code.

4.5 stable.
I have no clue what 'home made kernel' implies, it is just the recompiled 
(according to FAQ)  standard, generic kernel; needed for the patches issued 
in 4.5 until now. Zero any other item.

Uwe



Re: pkg_add weirdness (4.5-current)

2009-05-22 Thread Thomas Pfaff
On Fri, 22 May 2009 22:56:33 +0700
Edho P Arief  wrote:
> On Fri, May 22, 2009 at 5:53 PM, Thomas Pfaff  wrote:
> > Trying to add a few packages on my -current system and there's
> > some weirdness going on that I believe was not present before:
> >
> > Script started on Fri May 22 12:34:41 2009
> > $ sudo pkg_add -v samba
> > $ sudo pkg_info -I samba
> > samba-3.0.34        SMB and CIFS client and server for UNIX
> > samba-3.0.34-ads    SMB and CIFS client and server for UNIX
> > samba-3.0.34-cups   SMB and CIFS client and server for UNIX
> > samba-3.0.34-cups-ads SMB and CIFS client and server for UNIX
> > samba-3.0.34-cups-ldap SMB and CIFS client and server for UNIX
> > samba-3.0.34-ldap   SMB and CIFS client and server for UNIX
> > $ sudo pkg_add -v samba-3.0.34
> > parsing samba-3.0.34
> > ^C
> 
> perhaps you meant
> 
> pkg_add -i pkgname
>

That enters interactive mode and I'm presented with the correct
choices (as listed above) so, sure, that works.  Without the -i
option, however, pkg_add just terminates.  This is on May 18th
userland.  On another system of mine running February 28th userland
the pkg_add behaviour is different, and as I would expect:

  Feb28$ sudo pkg_add vim
  Ambiguous: vim could be vim-7.2.77-gtk2 vim-7.2.77-no_x11
  Feb28$

  May18$ sudo pkg_add vim
  May18$

As far as I can tell, both systems are configured the same with
respect to the package manager (Feb28 is i386 and May18 is amd64
though).



Re: softraid

2009-05-22 Thread Marco Peereboom
On Fri, May 22, 2009 at 05:24:31AM +, Uwe Dippel wrote:
> Marco Peereboom  peereboom.us> writes:
> 
> > 
> > > Then keep asking!
> > > I do have the impression, what I wanted, is what you already had in mind:
> > > a broken mirror simply remains dead and broken, and the machine runs 
> > > happily 
> > > before and after reboot on the sane drive. Correct?
> > 
> > Correct.  If this isn't the case then I need to see a dmesg before &
> > after rebooting and bioctl output before and after reboot.
> 
> Alas, it doesn't (run happily ever after).  :(
> 
> My next experiment:
> Everything healthy, according to bioctl:
> 
> # bioctl softraid0 
> Volume  Status   Size Device  
> softraid0 0 Online   299671585280 sd3 RAID1
>   0 Online   299671585280 0:0.0   noencl 
>   1 Online   299671585280 0:1.0   noencl 
> # [pull drive]
> 
> [...]
> 
> [new situation: NOT putting the drive back, ever - simulating a dead drive,
> maybe spindle or head gone]
> 
> (System operates fine, read/write without any problem)
> 
> [reboot - as mentioned NOT pushing the drive back]
> 
> [...]
> 
> ugen0 at uhub2 port 1 "American Power Conversion Back-UPS RS 1000 FW:7.g8 .I USB FW:g8" rev 1.10/1.06 addr 2
> 
> softraid0 at root
> 
> softraid0: roaming device sd2b -> sd1b
> 
> softraid0: not assembling partial disk that used to be volume 0

This is currently correct because I am working on this particular case.
This one has proved to be very hairy hence it isn't in the tree yet.

> 
> root on sd0a swap on sd0b dump on sd0b
> 
> Automatic boot in progress: starting file system checks.
> /dev/rsd0a: file system is clean; not checking
> Can't open /dev/rsd3h: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3h: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3d: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3d: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3f: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3f: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3e: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3e: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3g: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3g: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3i: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3i: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3j: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3j: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> THE FOLLOWING FILE SYSTEMS HAD AN UNEXPECTED INCONSISTENCY:
> 
> ffs: /dev/rsd3h (/home), ffs: /dev/rsd3d (/tmp), ffs: /dev/rsd3f 
> (/usr),
> ffs: /dev/rsd3e (/var), ffs: /dev/rsd3g (/var/mail), ffs: /dev/rsd3i 
> (/var/www),
> ffs: /dev/rsd3j (/backup)
> Automatic file system check failed; help!
> 
> Enter pathname of shell or RETURN for sh: 
> 
> Here, at least in production environment, and according to the situation of
> lacking physical access, I really would want the drive/system to come back. 
> Yes.
> To me, lacking of '-R' is no big deal. But what is the whole thing 'softraid'
> about, if it doesn't survive a reboot, on a single, before 100% sane, drive?
> See, it was sane, and working, and saving my files until reboot. Then, after
> reboot (can always happen), all is 'lost'. Not quite, but I simply can't go
> there any time of day or night to resolve the problem manually. I'd expect the
> softraid, in order to be useful, to reboot on its sane leg.

See previous comment.  This is incomplete code.



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-22 Thread Ed Ahlsen-Girard
Ross Cameron wrote:
> On Fri, May 22, 2009 at 5:56 PM, Ed Ahlsen-Girard  > wrote:
>
> -(snip)-
> There are apps on Windows for which "porting" to OpenBSD would be
> roughly
> equivalent to "porting" to NetWare Virtual Loadable Module.
>
> Maybe he doesn't mind doing it all over from scratch, but that's
> about what it
> might turn out to be.
>
>
> True but then again I generally find that rewriting and targeting the 
> code for portability and re-use is worth the efforts in the long run.
>
> Painting you're self into a corner with regards to coding 
> standards/languages/host OS are generally just a headache waiting to 
> happen in the years to come.
I am sympathetic with that POV. It's part of why I decided to learn Perl 
instead of VB when I wanted to automate accounts on a Windows web 
server.  When I had to clean up and migrate a Linux web server years 
later (without having meaningful Linux experience), I was very happy 
about my choice.




Re: softraid

2009-05-22 Thread Marco Peereboom
This one the pulled drive still contains the same metadata as the
surviving members.  Since you are running a home made kernel I have no
idea what code you are running.  This scenario should work with the code
I committed a couple of weeks ago.  From the looks of it this is a bug
or you are running old code.

On Fri, May 22, 2009 at 04:47:45AM +, Uwe Dippel wrote:
> Marco Peereboom  peereboom.us> writes:
> 
> 
> > Correct.  If this isn't the case then I need to see a dmesg before &
> > after rebooting and bioctl output before and after reboot.
> > 
> > Keep in mind that softraid can only detect failure AFTER an io fails.
> > This is key, because you could fail a drive and go undetected by
> > softraid.
> 
> Clear. This is why I tested with 'echo Nonsense > testo'.
> 
> 
> Here is what I did, I hope it explains what is going on. 
> If not, just ask!
> 
> [rebooted]
> # bioctl softraid0 
> Volume  Status   Size Device  
> softraid0 0 Online   299671585280 sd3 RAID1
>   0 Online   299671585280 0:0.0   noencl 
>   1 Online   299671585280 0:1.0   noencl 
> # df -h
> /dev/sd0a  300M108M177M38%/
> /dev/sd3h  9.8G730M8.6G 8%/home
> /dev/sd3d 1008M6.0K958M 0%/tmp
> /dev/sd3f  7.9G2.7G4.8G36%/usr
> /dev/sd3e  492M   17.1M450M 4%/var
> /dev/sd3g  2.0G1.4M1.9G 0%/var/mail
> /dev/sd3i  7.9G3.3M7.5G 0%/var/www
> /dev/sd3j  246G   95.5G138G41%/backup
> # cd /backup
> # ls -l
> total 200231436
> [some files listed]
> # echo Nonsense > testo_b4
> # ls -l testo_b4  
>  
> -rw-r--r--  1 root  wheel  9 May 22 11:57 testo_b4
> # bioctl softraid0 
> Volume  Status   Size Device  
> softraid0 0 Online   299671585280 sd3 RAID1
>   0 Online   299671585280 0:0.0   noencl 
>   1 Online   299671585280 0:1.0   noencl 
> # [pull drive]
> # dmesg
> OpenBSD 4.5 (GENERIC.MP) #0: Thu May 14 18:57:01 SGT 2009
> r...@claude2.uwe.uniten.edu.my:/usr/src/sys/arch/amd64
> /compile/GENERIC.MP
> real mem = 3756994560 (3582MB)
> avail mem = 3634552832 (3466MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xec000 (62 entries)
> bios0: vendor HP version "D17" date 07/16/2007
> bios0: HP ProLiant ML350 G4
> acpi0 at bios0: rev 2
> acpi0: tables DSDT FACP SPCR MCFG APIC
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(TM) CPU 3.00GHz, 3000.53 MHz
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,
> CNXT-ID,CX16,xTPR,LONG
> cpu0: 1MB 64b/line 8-way L2 cache
> cpu0: apic clock running at 200MHz
> cpu1 at mainbus0: apid 6 (application processor)
> cpu1: Intel(R) Xeon(TM) CPU 3.00GHz, 3000.11 MHz
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,
> CNXT-ID,CX16,xTPR,LONG
> cpu1: 1MB 64b/line 8-way L2 cache
> ioapic0 at mainbus0 apid 8 pa 0xfec0, version 20, 24 pins
> ioapic1 at mainbus0 apid 9 pa 0xfec1, version 20, 24 pins
> ioapic1: misconfigured as apic 0, remapped to apid 9
> ioapic2 at mainbus0 apid 10 pa 0xfec8, version 20, 24 pins
> ioapic3 at mainbus0 apid 11 pa 0xfec80400, version 20, 24 pins
> acpiprt0 at acpi0: bus 1 (IP2P)
> acpiprt1 at acpi0: bus 2 (IPXB)
> acpiprt2 at acpi0: bus 6 (PCXA)
> acpiprt3 at acpi0: bus 9 (PCXB)
> acpiprt4 at acpi0: bus 5 (PTA0)
> acpiprt5 at acpi0: bus 13 (PTB0)
> acpiprt6 at acpi0: bus 16 (PTC0)
> acpiprt7 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0
> acpicpu1 at acpi0
> acpitz0 at acpi0: critical temperature 31 degC
> pci0 at mainbus0 bus 0: configuration mode 1
> pchb0 at pci0 dev 0 function 0 "Intel E7520 Host" rev 0x0c
> ppb0 at pci0 dev 2 function 0 "Intel E7520 PCIE" rev 0x0c
> pci1 at ppb0 bus 5
> ppb1 at pci1 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
> pci2 at ppb1 bus 6
> ppb2 at pci1 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
> pci3 at ppb2 bus 9
> ppb3 at pci0 dev 4 function 0 "Intel E7520 PCIE" rev 0x0c
> pci4 at ppb3 bus 13
> ppb4 at pci0 dev 6 function 0 "Intel E7520 PCIE" rev 0x0c
> pci5 at ppb4 bus 16
> ppb5 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
> pci6 at ppb5 bus 2
> mpi0 at pci6 dev 3 function 0 "Symbios Logic 53c1030" rev 0x08: 
> apic 9 int 0 (irq 5)
> scsibus0 at mpi0: 16 targets, initiator 7
> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
> sd0: 34732MB, 512 bytes/sec, 71132000 sec total
> sd1 at scsibus0 targ 3 lun 0:  SCSI3 0/direct fixed
> sd1: 286102MB, 512 bytes/sec, 585937500 sec total
> sd2 at scsibus0 targ 5 lun 0:  SCSI3 0/direct fixed
> sd2: 286102MB, 512 bytes/sec, 585937500 sec total
> mpi0: target 0 

Re: softraid

2009-05-22 Thread Marco Peereboom
> Since we (that's I, sorry) seem to discuss the whole bunch (not a bad idea
> after, all hoping to get things into their places and finally enjoying a 
> really beautiful and functioning softraid), I allow myself to add another
> question, real life, on a to-be-production system:
> Okay, now I have a broken harddisk, one half of the mirror is gone.
> Then I will have to dump the partitions, create a new mirror, and restore,
> correct?
> Next problem: There are quite a number of bays available in my box, 
> so that I can plug another drive for a local 'dump'. But irrespective 
> where I plug it, it won't come up:

Your trace shows that it comes up just fine.

> 
> "softraid0 at root
> 
> softraid0: roaming device sd1b -> sd2b
> 
> softraid0: roaming device sd2b -> sd3b
> 
> softraid0: roaming device sd1b -> sd2b
> 
> softraid0: roaming device sd2b -> sd3b
> 
> scsibus3 at softraid0: 1 targets
> 
> sd4 at scsibus3 targ 0 lun 0:  SCSI2 0/direct fixed
> 
> sd4: 285789MB, 512 bytes/sec, 585296066 sec total
> 
> softraid0: volume sd4 is roaming, it used to be sd3, updating metadata

You inserted a disk in front of others.  From where I am sitting it is
all working as designed.

> 
> root on sd0a swap on sd0b dump on sd0b
> 
> Automatic boot in progress: starting file system checks.
> /dev/rsd0a: file system is clean; not checking
> Can't open /dev/rsd3h: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3h: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3d: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3d: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3f: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3f: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3e: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3e: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3g: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3g: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3i: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3i: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> Can't open /dev/rsd3j: Device not configured
> CAN'T CHECK FILE SYSTEM.
> /dev/rsd3j: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
> THE FOLLOWING FILE SYSTEMS HAD AN UNEXPECTED INCONSISTENCY:
> 
> ffs: /dev/rsd3h (/home), ffs: /dev/rsd3d (/tmp), ffs: /dev/rsd3f 
> (/usr), ffs: /dev/rsd3e (/var), ffs: /dev/rsd3g (/var/mail), ffs: /dev/rsd3i
> (/var/www),
> ffs: /dev/rsd3j (/backup)
> Automatic file system check failed; help!
> 
> Enter pathname of shell or RETURN for sh: "
> 
> Now that roaming is in the way. I wonder if softraid really should do this:
> You plug an additional disk, higher or lower, and automatically it will 
> roam the mirror to drives of its liking, and inevitably fail the RAID thereby.

This is not a softraid problem this is an OpenBSD problem.  We don't
have uuids or labels on disks so when disks move around bad things
happen.  This is a fact of life today that needs to be dealt with
accordingly.



Re: softraid

2009-05-22 Thread Marco Peereboom
This is a repeat of the "can't bring up a raid set with missing
members"

On Fri, May 22, 2009 at 05:01:40AM +, Uwe Dippel wrote:
> Marco Peereboom  peereboom.us> writes:
> 
> 
> > Correct.  If this isn't the case then I need to see a dmesg before &
> > after rebooting and bioctl output before and after reboot.
> 
> This is as well supported by the post
> http://vext01.blogspot.com/2007/11/playing-with-new-softraid-driver-in.html
> 
> "[...]
> Bioctl is the utility used for managing both hardware and software RAID in
> OpenBSD, the transparency is superb.
> 
> # bioctl softraid0
> Volume Status Size Device
> softraid0 0 Online 1023009 sd0 RAID1
> 0 Online 1023009 0:0.0 noencl
> 1 Online 1023009 0:1.0 noencl
> 2 Online 1023009 0:2.0 noencl
> 
> Lets break things and see what happens. First I will simulate a missing disk 
> at
> boot, by detaching wd3. After a reboot I see this:
> 
> # dmesg | grep softraid0
> softraid0 at root
> softraid0: not assembling partial disk that used to be volume 0
> # bioctl softraid0
> #
> 
> Our RAID array was not registered by the kernel, as a disk was missing. I
> imagine this will be changed at some point. As I said, the softraid driver is
> not finished.
> 
> Shutdown the system and put the disk back:
> 
> # dmesg | grep softraid
> softraid0 at root
> scsibus0 at softraid0: 1 targets
> # bioctl softraid0
> Volume Status Size Device
> softraid0 0 Online 1023009 sd0 RAID1
> 0 Online 1023009 0:0.0 noencl
> 1 Online 1023009 0:1.0 noencl
> 2 Online 1023009 0:2.0 noencl
> 
> It's back."
> 
> Isn't this what you said it shouldn't? (Be back 'Online' after an earlier
> breakage of the mirror)
> 
> Uwe



Re: pkg_add weirdness (4.5-current)

2009-05-22 Thread Edho P Arief
On Fri, May 22, 2009 at 5:53 PM, Thomas Pfaff  wrote:
> Trying to add a few packages on my -current system and there's
> some weirdness going on that I believe was not present before:
>
> Script started on Fri May 22 12:34:41 2009
> $ sudo pkg_add -v samba
> $ sudo pkg_info -I samba
> samba-3.0.34        SMB and CIFS client and server for UNIX
> samba-3.0.34-ads    SMB and CIFS client and server for UNIX
> samba-3.0.34-cups   SMB and CIFS client and server for UNIX
> samba-3.0.34-cups-ads SMB and CIFS client and server for UNIX
> samba-3.0.34-cups-ldap SMB and CIFS client and server for UNIX
> samba-3.0.34-ldap   SMB and CIFS client and server for UNIX
> $ sudo pkg_add -v samba-3.0.34
> parsing samba-3.0.34
> ^C
> $ echo $PKG_PATH
> ftp://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/amd64:http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64:ftp://ftp.uninett.no/pub/OpenBSD/snapshots/packages/amd64:ftp://ftp.dkuug.dk/pub/OpenBSD/snapshots/packages/amd64
> $ sysctl kern.version
> kern.version=OpenBSD 4.5-current (GENERIC.MP) #18: Fri May 22 11:42:25 CEST 2009
>     tpf...@ws.tp76.info:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> $ exit
> Script done on Fri May 22 12:36:00 2009
>
> The first pkg_add should show something like
>
>   Ambiguous: samba could be samba-3.0.33 ...
>

perhaps you meant

pkg_add -i pkgname

...?

> right?  The above also happens for packages like vim and emacs.
>
> What am I missing here?
>
>



--
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-22 Thread Ross Cameron
On Fri, May 22, 2009 at 5:56 PM, Ed Ahlsen-Girard  wrote:

> On 2009-05-22  Ross Cameron wrote:
>
> > Certainly the hardware chosen isnt anywhere NEAR potent enough,... and
> > u're leaving ure whole configuration open for attack via the ESXi sub layer.
> >
> > Why not just port the custom app to OpenBSD and run the configuration
> > natively on the hardware?
>
> There are apps on Windows for which "porting" to OpenBSD would be roughly
> equivalent to "porting" to NetWare Virtual Loadable Module.
>
> Maybe he doesn't mind doing it all over from scratch, but that's about what
> it might turn out to be.


True but then again I generally find that rewriting and targeting the code
for portability and re-use is worth the efforts in the long run.

Painting you're self into a corner with regards to coding
standards/languages/host OS are generally just a headache waiting to happen
in the years to come.



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-22 Thread Ed Ahlsen-Girard
On 2009-05-22  Ross Cameron wrote:

 > Certainly the hardware chosen isnt anywhere NEAR potent enough,... and
 > u're leaving ure whole configuration open for attack via the ESXi sub layer.
 >
 > Why not just port the custom app to OpenBSD and run the configuration
 > natively on the hardware?

There are apps on Windows for which "porting" to OpenBSD would be roughly
equivalent to "porting" to NetWare Virtual Loadable Module.

Maybe he doesn't mind doing it all over from scratch, but that's about
what it might turn out to be.

--

Ed Ahlsen-Girard




Re: bsd_auth

2009-05-22 Thread Gilles Chehade

Gilles Chehade wrote:
> Gregory Edigarov wrote:
> > Joachim Schipper wrote:
> > > On Fri, May 22, 2009 at 11:25:17AM +0300, Gregory Edigarov wrote:
> > > > Hello,
> > > >
> > > > Need just a small pointer to information on how to write an
> > > > authentication program
> > > > i.e. login_ ? Because sources left much info outside.
> > > > Is there a specification or something?
> > > > Thanks.
> > >
> > > You'll want to read login.conf(5), in particular the AUTHENTICATION
> > > section (it's not just a list of provided programs!). I'm not sure if
> > > there are other sources of documentation, but it does appear to document
> > > the protocol fairly well.
> >
> > Logically I can understand, that password will be provided as an
> > input on file descriptor 3.
> > But I cannot find that in manual...
>
> Come on... nowhere the man page says that password will be provided
> on fd 3.
>
> The man page says that file descriptor 3 will be open for reading and writing
> and that for authentication to be successful the program must exit with value
> 0 and provide "authorize" or "authorize root" on file descriptor 3.
>
> The fact that it does not say how and where the password is to be provided is
> precisely because the login scripts are supposed to abstract that so that you
> can write custom authentication which do not necessarily use passwords.
>
> If you want to read a password and authenticate with it, you call getpass(3),
> you check that password against whatever database you use, and you output the
> "authorize" or "reject" line to descriptor 3, exactly as the man page says.
>
> Gilles

I found this old and simple piece of code which is commented and which
you can use as an example:

   http://www.poolp.org/~gilles/login_-sqlite/login_-sqlite.c

Gilles



Re: bsd_auth

2009-05-22 Thread Gilles Chehade

Gregory Edigarov wrote:
> Joachim Schipper wrote:
> > On Fri, May 22, 2009 at 11:25:17AM +0300, Gregory Edigarov wrote:
> > > Hello,
> > >
> > > Need just a small pointer to information on how to write an
> > > authentication program
> > > i.e. login_ ? Because sources left much info outside.
> > > Is there a specification or something?
> > > Thanks.
> >
> > You'll want to read login.conf(5), in particular the AUTHENTICATION
> > section (it's not just a list of provided programs!). I'm not sure if
> > there are other sources of documentation, but it does appear to document
> > the protocol fairly well.
>
> Logically I can understand, that password will be provided as an input
> on file descriptor 3.
> But I cannot find that in manual...

Come on... nowhere the man page says that password will be provided on
fd 3.

The man page says that file descriptor 3 will be open for reading and writing
and that for authentication to be successful the program must exit with value
0 and provide "authorize" or "authorize root" on file descriptor 3.

The fact that it does not say how and where the password is to be provided is
precisely because the login scripts are supposed to abstract that so that you
can write custom authentication which do not necessarily use passwords.

If you want to read a password and authenticate with it, you call getpass(3),
you check that password against whatever database you use, and you output the
"authorize" or "reject" line to descriptor 3, exactly as the man page says.

Gilles
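
The back-channel exchange described in the message above, as an added example that is not part of the thread and is not OpenBSD's or the poster's code. The argument layout ([-s service] [-v name=value] user [class]) is an assumption taken from login.conf(5); the account table and all helper names are constructed for illustration.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

#define BACKCHANNEL_FD 3   /* descriptor the caller leaves open for the verdict */

/* getpass(3) is the call named in the thread; declared explicitly because
 * some libcs hide it from <unistd.h> in strict standards modes. */
char *getpass(const char *);

/* Constructed sample accounts. A real backend would verify a password
 * hash from its own database instead of keeping plaintext. */
struct account { const char *user; const char *password; };
static const struct account sample_accounts[] = {
    { "alice", "correct horse" },
    { "bob",   "battery staple" },
};

/* Compare without stopping at the first differing byte. */
static int equal_consttime(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);

    for (i = 0; i < la; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i % (lb ? lb : 1)];
    return diff == 0;
}

/* Every account is checked, so an unknown user and a wrong password
 * take the same code path. */
static int check_credentials(const char *user, const char *password)
{
    size_t i, n = sizeof(sample_accounts) / sizeof(sample_accounts[0]);
    int ok = 0;

    for (i = 0; i < n; i++)
        ok |= equal_consttime(user, sample_accounts[i].user) &
              equal_consttime(password, sample_accounts[i].password);
    return ok;
}

/* Write the whole line, retrying short writes and EINTR. */
static int write_all(int fd, const char *s)
{
    size_t left = strlen(s);

    while (left > 0) {
        ssize_t n = write(fd, s, left);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return -1;
        s += n;
        left -= (size_t)n;
    }
    return 0;
}

/* Send the verdict on the back channel and return the exit status.
 * Status 0 is returned only when "authorize" was actually delivered;
 * every other outcome, including a broken descriptor, is a failure. */
int answer_backchannel(int fd, const char *user, const char *password)
{
    if (user != NULL && password != NULL && check_credentials(user, password))
        return write_all(fd, "authorize\n") == 0 ? 0 : 1;
    (void)write_all(fd, "reject\n");
    return 1;
}

/* Overwrite the password buffer; volatile keeps the stores in place. */
static void wipe(char *s)
{
    volatile char *p = s;
    while (*p)
        *p++ = 0;
}

int main(int argc, char *argv[])
{
    const char *service = "login", *user = NULL;
    char *password;
    int i, status;

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-s") == 0 && i + 1 < argc)
            service = argv[++i];
        else if (strcmp(argv[i], "-v") == 0 && i + 1 < argc)
            i++;                    /* name=value hints are ignored here */
        else if (argv[i][0] != '-' && user == NULL)
            user = argv[i];         /* a trailing class argument is ignored */
    }
    /* Only the plain "login" service is implemented; anything else is refused. */
    if (user == NULL || strcmp(service, "login") != 0) {
        (void)write_all(BACKCHANNEL_FD, "reject\n");
        return 1;
    }
    password = getpass("Password:");
    status = answer_backchannel(BACKCHANNEL_FD, user, password);
    if (password != NULL)
        wipe(password);
    return status;
}
```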



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-22 Thread Ross Cameron
On Thu, May 21, 2009 at 6:53 PM,  wrote:

> Well I'm certainly no expert in all this and I'm happy to be corrected
> before
> I make any more mistakes with my configuration.  Man am I glad I put this
> post
> out because I'm getting such great feedback!
>
> I'll have to re-think this but I
> honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image
> running on ESXi as my strong firewall I would be ok.  Basically its just a
> virtualization of my physical environment but all on one box with 3 VM
> images.
> So my idea was to have second OpenBSD image (not the firewall OpenBSD
> image)
> running with Samba as my Domain Controller and File server, and Email
> server
> and then the third Windows VM running just the custom app.  I figured that
> as
> long as all the 'Net traffic hit my first OpenBSD VM and was properly
> filtered
> and controlled by pf, spam greylisting, brute force checked, etc I would be
> ok?  No?


Certainly the hardware chosen isnt anywhere NEAR potent enough,... and u're
leaving ure whole configuration open for attack via the ESXi sub layer.

Why not just port the custom app to OpenBSD and run the configuration
natively on the hardware?



Re: bsd_auth

2009-05-22 Thread Antoine Jacoutot
On Fri, 22 May 2009, Gregory Edigarov wrote:
> Logically I can understand, that password will be provided as an input on file
> descriptor 3.
> But I cannot find that in manual...

Why don't you start by reading bsd_auth(3) ?

-- 
Antoine



Re: bsd_auth

2009-05-22 Thread Gregory Edigarov

Joachim Schipper wrote:
> On Fri, May 22, 2009 at 11:25:17AM +0300, Gregory Edigarov wrote:
> > Hello,
> >
> > Need just a small pointer to information on how to write an
> > authentication program
> > i.e. login_ ? Because sources left much info outside.
> > Is there a specification or something?
> > Thanks.
>
> You'll want to read login.conf(5), in particular the AUTHENTICATION
> section (it's not just a list of provided programs!). I'm not sure if
> there are other sources of documentation, but it does appear to document
> the protocol fairly well.

Logically I can understand, that password will be provided as an input
on file descriptor 3.
But I cannot find that in manual...

--
With best regards,
Gregory Edigarov



Re: 3G not navigate

2009-05-22 Thread Peter N. M. Hansteen
"Murilo da Silva Ijanc"  writes:

> I tried using pppd but did not succeed; it returns this in the log:
>
> Murilo may 22 10:31:58 pppd [19228]: pppd 2.3.5 started by murilobsd, uid 0
> Murilo may 22 10:32:01 pppd [19228]: Connect script failed
> May 22 10:32:03 Murilo pppd: Exit.

Try enabling debug and edit your syslog.conf so the debug output
appears somewhere sensible.  tail -f of that log file will be quite
revealing.  To get my huawei e220 to work here I mainly followed
http://www.jensolsson.se/?p=123, fiddled more than I should when all
that was wrong was the device name, but anyway what I have is

$ cat /etc/ppp/peers/netcom
debug
/dev/cuaU0
crtscts
921600
defaultroute
noauth
:10.64.64.64
connect "chat -v -f /etc/ppp/peers/netcom.chat"

$ cat /etc/ppp/peers/netcom.chat
ABORT "NO CARRIER"
ABORT "NO DIALTONE"
ABORT "ERROR"
ABORT "NO ANSWER"
ABORT "BUSY"
ABORT "Username/Password Incorrect"
TIMEOUT 15
"" "ATZ"
OK "ATE1"
OK "ATQ0V1E1S0=0&C1&D2+FCLASS=0"
OK 'AT+CGDCONT=1,"IP","internet.netcom.no"'
OK "ATDT*99***#"
TIMEOUT 30
CONNECT \d\c

at least it gives me the opportunity to move some bytes.  Could likely
be tweaked further but then I don't use it all that much

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: OpenNTPD warning

2009-05-22 Thread Jordi Espasa
> Looks like you do not think at all. The reason was told to you, and you
> didn't ever try to do something. You prefer to "think" instead
> of "doing", don't you?

I've fixed the commented conf error already, but it seems that the FIRST
warning I've commented in my INITIAL post is not related to this
configuration mistake.

Looks like you do not read at all. Check the complete thread and think
some seconds about your impoliteness.

And... speaking about doing something:

Do you provide a public NTP server in your country?
Do you provide a public OpenBSD mirror in your country?

Shame on you.

--
Thanks,
Jordi Espasa Clofent



Re: 3G not navigate

2009-05-22 Thread Murilo da Silva Ijanc
I tried using pppd but did not succeed; it returns this in the log:

Murilo may 22 10:31:58 pppd [19228]: pppd 2.3.5 started by murilobsd, uid 0
Murilo may 22 10:32:01 pppd [19228]: Connect script failed
May 22 10:32:03 Murilo pppd: Exit.

My Settings:

/etc/ppp/chat-claro

ABORT BUSY
ABORT 'NO CARRIER'
ABORT ERROR
REPORT CONNECT
TIMEOUT 60
SAY "Calling ... \n"
'' "ATZ"
'' 'AT + COPS? "
'' "AT_OPSYS = 3"
'' 'AT + CSQ "
'' 'AT + CGDCONT = 1, "ip", "bandalarga.claro.com.br'
'' "ATD * 99 *** 1 #"
CONNECT \d\c

/etc/ppp/pap-secrets

# $ OpenBSD: pap-secrets, v 1.3 2002/06/09 06:15:15 todd Exp $

# Secrets for authentication using PAP
# Client server secret IP addresses
"claro"  *   "pass"

/etc/ppp/peers/claro

ttyU0
384000
idle 7200
lock
debug
crtscts
modem
noauth
defaultroute
ipcp-restart 10
ipcp-accept-local
ipcp-accept-remote
0.0.0.0:10.64.64.64
noipdefault
novj
connect "/usr/sbin/chat -v -f /etc/ppp/chat-claro"

# cu -l /dev/ttyU0
ATI
Manufacturer: huawei
Model: E156B
Revision: 11.609.05.00.150
IMEI: 358642020845993
+GCAP: +CGSM,+DS,+ES

OK
~
[EOT]
#

> Hi Fred,
>
> It seems that nslookup is normal, see:
>
> # nslookup www.google.com
> Server: 208.67.222.222
> Address: 208.67.222.222 # 53
>
> Non-authoritative answer:
> Canonical name = www.google.com google.navigation.opendns.com.
> Name: google.navigation.opendns.com
> Address: 208.69.32.231
> Name: google.navigation.opendns.com
> Address: 208.69.32.230
>
> # nslookup www.openbsd.org
> Server: 208.67.222.222
> Address: 208.67.222.222 # 53
>
> Non-authoritative answer:
> Name: www.openbsd.org
> Address: 129.128.5.191
>
> I had no opportunity to use pppd, I read the man or get information on
> google on setting up 3G in pppd.
>
> Thanks
>
>> On 5/22/09, Murilo da Silva Ijanc  wrote:
>>> Stuart Thanks for responding, sorry for the delay, different zones =]
>>>
>>> I added the lines (vjcomp disable and deny vjcomp) in ppp.conf, however
>>> still the same problem.
>>>
>>
>> what happens when you do an nslookup(1) ?
>>
>> Have you tried pppd(8)?  Does that give you a different result?
>>
>> Thanks
>>
>> Fred
>>
>>
>
>
> --
> MuriloBSD
> silc.dotbsd.org, dotbsd
> http://www.dotbsd.org/
>


-- 
MuriloBSD
silc.dotbsd.org, dotbsd
http://www.dotbsd.org/



Re: OpenNTPD warning

2009-05-22 Thread Daniel Ouellet

Jordi Espasa Clofent wrote:
> # sync to a single server
> server yes
> server hora.roa.es

You shouldn't have this here like that.

> server yes

The man(5) ntpd.conf is pretty clear on that.


server address [weight weight-value]
Specify the IP address or the hostname of an NTP server to syn-
chronize to.  If it appears multiple times, ntpd(8) will try to
synchronize to all of the servers specified.  If a hostname re-
solves to multiple IPv4 and/or IPv6 addresses, ntpd(8) uses the
first address.  If it does not get a reply, ntpd(8) retries with
the next address and continues to do so until a working address
is found.  For example:

  server 10.0.0.2 weight 5
  server ntp.example.org weight 1

server yes is neither an IP address nor a fully qualified name server.

So, as it says here, it will try to access "hora.roa.es" as well as
"yes", which it will not be able to obviously and will give you errors.


So, just make your configuration properly and you will fix your problem.

Best,

Daniel
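
An added example, not part of any message in this thread: elsewhere in the thread `ntpd -n` reports "configuration OK" for the same file, so the check below flags `server` lines that a syntax check lets through and correlates them with the "bad peer ... (not resolved)" log lines. The single-label heuristic, the function names and the sample input (constructed from the lines quoted in the thread) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input, modelled on the ntpd.conf and the
# /var/log/messages lines quoted in this thread.
SAMPLE_CONF = """\
# Addresses to listen on (ntpd does not listen by default)
listen on *

# sync to a single server
server yes
server hora.roa.es
server 10.0.0.2 weight 5
#servers pool.ntp.org
"""

SAMPLE_LOG = """\
May 22 09:13:54 time ntpd[31006]: 1 out of 2 peers valid
May 22 09:13:54 time ntpd[31006]: bad peer yes (not resolved)
May 21 23:53:53 time ntpd[12997]: sendto: Can't assign requested address
"""

# Log format as it appears in the thread.
BAD_PEER = re.compile(r"ntpd\[\d+\]: bad peer (\S+) \(not resolved\)")


def is_ip(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def server_entries(conf_text):
    """Yield (line_number, address) for every active server/servers line."""
    for number, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] in ("server", "servers"):
            yield number, fields[1]


def suspicious(address):
    """Heuristic of this example (not ntpd behaviour): a name without a dot
    that is not an IP address is probably a leftover value such as 'yes'."""
    if is_ip(address):
        return None
    if "." not in address:
        return "single-label name, not an IP address or qualified hostname"
    return None


def audit(conf_text, log_text=""):
    """Return findings for server lines that look wrong or that ntpd
    logged as unresolved."""
    unresolved = set(BAD_PEER.findall(log_text))
    findings = []
    for number, address in server_entries(conf_text):
        reason = suspicious(address)
        logged = address in unresolved
        if reason or logged:
            findings.append({
                "line": number,
                "address": address,
                "reason": reason,
                "logged_unresolved": logged,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```
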



Re: OpenNTPD warning

2009-05-22 Thread Vadim Zhukov
On Friday 22 May 2009 15:51:02 Jordi Espasa Clofent wrote:
> >> # sync to a single server
> >> server yes
> >
> >  ^^^ -- this seems to be wrong.  Server line should contain
> > ipaddress/hostname, not 'yes'.
>
> Yes, you've the reason; in /var/log messages:
>
> (...)
> May 22 09:13:54 time ntpd[31006]: 1 out of 2 peers valid
> May 22 09:13:54 time ntpd[31006]: bad peer yes (not resolved)
> (...)
>
> But I think this is not related to the warning I commented in initial
> message.

Looks like you do not think at all. The reason was told to you, and you
didn't ever try to do something. You prefer to "think" instead
of "doing", don't you?

-- 
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: Two minor problems with install under -current

2009-05-22 Thread Jim Razmus
* Jim Razmus  [090522 08:46]:
> * Brian  [090522 02:22]:
> > I did a new install today of -current on my amd64 box.  I ran into two 
> > issues during the install. These were not show stoppers as I was able to 
> > finish.
> > 
> > First, when I attempted to pull down the file sets from the defaulted 
> > mirror, the files were not found.  
> > 
> > Second, when I switched my pull down of the file sets to ftp.openbsd.org, I 
> > had a: non-recoverable failure in name resolution for bsd.rd.  I later 
> > grabbed this from ftp3.usa.openbsd.org.
> > 
> > Just an FYI.  And I do like the new install for a few reasons:
> > 
> > 1) correctly determines that I want the snapshot directory
> > 2) offers a great selection of options at the beginning and offers some 
> > nice default options
> > 3) appears to run faster 
> > 
> > Anyway, keep up the great work.
> > 
> > Thanks,
> > 
> > Brian
> > 
> 
> You may have tried your install while beck@ was doing an upgrade
> yesterday.
> 
> Or perhaps your dns settings were incorrect.

ugh, obviously pulling from ftp3 worked and your dns settings were fine.
That's what I get for posting before coffee.

> 
> HTH,
> Jim



Re: OpenNTPD warning

2009-05-22 Thread Joachim Schipper
On Fri, May 22, 2009 at 11:43:50AM +0200, Jordi Espasa Clofent wrote:
> Hi all,
>
> I've updated my public NTP server (time.cdmon.com); 4.5 works like a charm!
>
> Despite that, I see the following warning in /var/log/messages
>
> (...]
> May 21 23:53:53 time ntpd[12997]: sendto: Can't assign requested address
> May 22 00:03:58 time last message repeated 66 times
> May 22 00:13:52 time last message repeated 66 times
> May 22 00:23:56 time last message repeated 67 times
> May 22 00:33:48 time last message repeated 65 times
>
> I've searched for this warning in my /usr/src (after a CVS update, of
> course), to figure out what this message means but I get no results.
>
> Any clues?
>
> PS. Curiously, when this warning appears in /var/log/messages the server
> reliability falls
> (http://www.pool.ntp.org/scores/212.36.75.245#graph_explanation).
>
> PS. I suspect a CPD connection issue

You may want to look at the output of netstat and possibly fstat: some
other process may claim the port that ntpd wants to use.

Joachim



Re: bsd_auth

2009-05-22 Thread Joachim Schipper
On Fri, May 22, 2009 at 11:25:17AM +0300, Gregory Edigarov wrote:
> Hello,
>
> Need just a small pointer to information on how to write an  
> authentication program
> i.e. login_ ? Because sources left much info outside.
> Is there a specification or something?
> Thanks.

You'll want to read login.conf(5), in particular the AUTHENTICATION
section (it's not just a list of provided programs!). I'm not sure if
there are other sources of documentation, but it does appear to document
the protocol fairly well.

What are you trying to do?

Joachim



Re: 3G not navigate

2009-05-22 Thread Murilo da Silva Ijanc
Hi Fred,

It seems that nslookup is normal, see:

# nslookup www.google.com
Server: 208.67.222.222
Address: 208.67.222.222 # 53

Non-authoritative answer:
Canonical name = www.google.com google.navigation.opendns.com.
Name: google.navigation.opendns.com
Address: 208.69.32.231
Name: google.navigation.opendns.com
Address: 208.69.32.230

# nslookup www.openbsd.org
Server: 208.67.222.222
Address: 208.67.222.222 # 53

Non-authoritative answer:
Name: www.openbsd.org
Address: 129.128.5.191

I had no opportunity to use pppd, I read the man or get information on
google on setting up 3G in pppd.

Thanks

> On 5/22/09, Murilo da Silva Ijanc  wrote:
>> Stuart Thanks for responding, sorry for the delay, different zones =]
>>
>> I added the lines (vjcomp disable and deny vjcomp) in ppp.conf, however
>> still the same problem.
>>
>
> what happens when you do an nslookup(1) ?
>
> Have you tried pppd(8)?  Does that give you a different result?
>
> Thanks
>
> Fred
>
>


-- 
MuriloBSD
silc.dotbsd.org, dotbsd
http://www.dotbsd.org/



Re: Two minor problems with install under -current

2009-05-22 Thread Jim Razmus
* Brian  [090522 02:22]:
> I did a new install today of -current on my amd64 box.  I ran into two issues 
> during the install. These were not show stoppers as I was able to finish.
> 
> First, when I attempted to pull down the file sets from the defaulted mirror, 
> the files were not found.  
> 
> Second, when I switched my pull down of the file sets to ftp.openbsd.org, I 
> had a: non-recoverable failure in name resolution for bsd.rd.  I later 
> grabbed this from ftp3.usa.openbsd.org.
> 
> Just an FYI.  And I do like the new install for a few reasons:
> 
> 1) correctly determines that I want the snapshot directory
> 2) offers a great selection of options at the beginning and offers some nice 
> default options
> 3) appears to run faster 
> 
> Anyway, keep up the great work.
> 
> Thanks,
> 
> Brian
> 

You may have tried your install while beck@ was doing an upgrade
yesterday.

Or perhaps your dns settings were incorrect.

HTH,
Jim



Re: Block level snapshots - can I do them in OBSD?

2009-05-22 Thread Joachim Schipper
On Thu, May 21, 2009 at 01:41:55PM +0100, Paul Bradley wrote:
> I am setting up an encrypted fileserver with off-site backup, for one reason
> and another which I won't go into here for the sake of brevity, I need to
> block-level snapshot partitions, file-level snapshots as I believe are
> provided in UFS won't do since the partitions will contain large monolithic
> files filling the entire partition (which will be mounted by the users via
> loopback and dm-crypt).
> 
> Hence the problem is that if one or more of these large (say 500GB)
> monoliths is mounted at the time the backup is taking place, and snapshots
> are file-level, then any change to the file will immediately trigger the OS
> to try and create a copy of a 500GB file so as to snapshot it as it has
> changed - no good to me I am afraid, changes during backups will likely be
> small (can be controlled to be no more than say 10GB of data changing, so no
> problem to allocate snapshotting space), but _MUST_ be represented at the
> block level so that I can freeze the filesystem pre-backup, then run my
> backup in parallel while the user continues to alter the monolithic file
> with impunity.
> 
> Is there the capability for block-level snapshots in openBSD, if not in bare
> OBSD can I do it with another filesystem than UFS?
> 
> I have heard of the HAMMER FS, it looks good if a bit new and untested,
> perhaps that does block level snapshots - however it seems a bit new and
> untested for my tastes so unless there is a better alternative I'd rather
> not go down that route.
> 
> I am very keen to run OBSD on this, but if it's absolutely impractical to do
> so I'd also welcome suggestions of other ways to do this in FreeBSD.

There is no support in OpenBSD for snapshots, so that isn't going to
fly. OpenBSD does support encrypted filesystems, but then it's the
server doing the decrypting. I suppose you could create a RAID-1, break
the RAID and make a snapshot of one disk, but that's hardly a reasonable
solution.

The HAMMER filesystem does support snapshots, and I don't think it will
copy a 500GB file because someone changed a single bit. However, it is,
as you say, rather new. It's also only in DragonFlyBSD at this moment.

I don't know anything about FreeBSD's (lack of?) support for snapshots.
(Open)Solaris does have ZFS, which is supposed to be all kinds of
awesome. I know that people did try to get ZFS in FreeBSD, but I don't
know the current status of that effort.

I'm a bit puzzled by your apparent requirements, though. You seem to
feel that the file server warrants a higher level of security than the
clients (since you appear to be far more familiar with Linux than with
OpenBSD, you must have chosen to use OpenBSD there and only there for a
reason - I presume security). The clients, however, have full access to
the unencrypted filesystems while the server cannot really do anything
interesting. It could corrupt or destroy data, I suppose, but so can the
clients. You'll need good backups anyway.

Finally, it's been ages since I used Linux and I've never used dm-crypt,
but does dm-crypt actually work if you use it on top of a loopback
device on top of NFS? There appear to be a lot of possible issues there,
not all of which are obvious. (Does the NFS client cache writes? In such
a way that the encrypted filesystem may be unreadable after a crash?
What about the server?)

Of course, such Linux-specific problems are not on-topic here, and most
of us wouldn't know anything about them anyway. I would recommend that
you take a good look at such issues before going too far, though.

Joachim



Re: 3G not navigate

2009-05-22 Thread Fred Crowson
On 5/22/09, Murilo da Silva Ijanc  wrote:
> Stuart Thanks for responding, sorry for the delay, different zones =]
>
> I added the lines (vjcomp disable and deny vjcomp) in ppp.conf, however
> still the same problem.
>

what happens when you do an nslookup(1) ?

Have you tried pppd(8)?  Does that give you a different result?

Thanks

Fred



Re: OpenNTPD warning

2009-05-22 Thread Jordi Espasa Clofent

>> # sync to a single server
>> server yes
>
>  ^^^ -- this seems to be wrong.  Server line should contain
> ipaddress/hostname, not 'yes'.

Yes, you've the reason; in /var/log messages:

(...)
May 22 09:13:54 time ntpd[31006]: 1 out of 2 peers valid
May 22 09:13:54 time ntpd[31006]: bad peer yes (not resolved)
(...)

But I think this is not related to the warning I commented in initial 
message.


--
Thanks,
Jordi Espasa Clofent



Re: OpenNTPD warning

2009-05-22 Thread Mika Westerberg
On Fri, May 22, 2009 at 01:15:56PM +0200, Jordi Espasa Clofent wrote:
>> Config file says?
>
> # cat /etc/ntpd.conf
> # $OpenBSD: ntpd.conf,v 1.9 2008/10/10 11:46:22 sthen Exp $
> # sample ntpd configuration file, see ntpd.conf(5)
>
> # Addresses to listen on (ntpd does not listen by default)
> listen on *
>
> # sync to a single server
> server yes
 ^^^ -- this seems to be wrong.  Server line should contain
ipaddress/hostname, not 'yes'.

> server hora.roa.es

MW



Re: 3G not navigate

2009-05-22 Thread Murilo da Silva Ijanc
Stuart, thanks for responding, sorry for the delay, different zones =]

I added the lines (vjcomp disable and deny vjcomp) in ppp.conf, however
still the same problem.

> thanks for the detailed information in your post! everything important
> is there, with a good explanation of the problem, and it's collected in
> a single email.
>
> On 2009-05-22, Murilo da Silva Ijanc  wrote:
>> Hello misc@,
>>
>> I am trying to use 3G technology in OpenBSD. Currently my problem is
>> that
>> I can not navigate, I modified the dns's, and exchanged some information
>> from  /etc/ppp/options, still not provided. Below some information that
>> might help in solving the problem:
>>
>> /etc/ppp/options
>
> that file is used by pppd, not ppp.
>
>> /etc/ppp/ppp.conf
>
> this is the right one for the program you're using.
>
>> 4 packets transmitted, 4 packets received, 0.0% packet loss
>> round-trip min/avg/max/std-dev = 494.942/593.611/679.708/70.161 ms
>>
>> lynx www.openbsd.org
>>
>> HTTP request sent; waiting for response.
>>  .. 10 min . 20 min
>
> this might be a problem with Van Jacobson header compression.
> some devices don't support it correctly, and the usual symptom
> is that ping/udp work but tcp fails.
>
> you can try adding this to ppp.conf:
>
>  disable vjcomp
>  deny vjcomp
>
> does that help?
>
>


-- 
MuriloBSD
silc.dotbsd.org, dotbsd
http://www.dotbsd.org/



Re: OpenNTPD warning

2009-05-22 Thread Jordi Espasa Clofent

> Config file says?


# cat /etc/ntpd.conf
# $OpenBSD: ntpd.conf,v 1.9 2008/10/10 11:46:22 sthen Exp $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
listen on *

# sync to a single server
server yes
server hora.roa.es

# use a random selection of 8 public stratum 2 servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
#servers pool.ntp.org

# use a specific local timedelta sensor (radio clock, etc)
#sensor nmea0

# use any detected timedelta sensor
#sensor *

But be aware of that also:

# ntpd -n
configuration OK

--
Thanks,
Jordi Espasa Clofent



pkg_add weirdness (4.5-current)

2009-05-22 Thread Thomas Pfaff
Trying to add a few packages on my -current system and there's
some weirdness going on that I believe was not present before:

Script started on Fri May 22 12:34:41 2009
$ sudo pkg_add -v samba
$ sudo pkg_info -I samba
samba-3.0.34        SMB and CIFS client and server for UNIX
samba-3.0.34-ads    SMB and CIFS client and server for UNIX
samba-3.0.34-cups   SMB and CIFS client and server for UNIX
samba-3.0.34-cups-ads SMB and CIFS client and server for UNIX
samba-3.0.34-cups-ldap SMB and CIFS client and server for UNIX
samba-3.0.34-ldap   SMB and CIFS client and server for UNIX
$ sudo pkg_add -v samba-3.0.34
parsing samba-3.0.34
^C
$ echo $PKG_PATH
ftp://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/amd64:http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64:ftp://ftp.uninett.no/pub/OpenBSD/snapshots/packages/amd64:ftp://ftp.dkuug.dk/pub/OpenBSD/snapshots/packages/amd64
$ sysctl kern.version
kern.version=OpenBSD 4.5-current (GENERIC.MP) #18: Fri May 22 11:42:25 CEST 2009
tpf...@ws.tp76.info:/usr/src/sys/arch/amd64/compile/GENERIC.MP
$ exit
Script done on Fri May 22 12:36:00 2009

The first pkg_add should show something like

  Ambiguous: samba could be samba-3.0.33 ...

right?  The above also happens for packages like vim and emacs.

What am I missing here?



Re: OpenNTPD warning

2009-05-22 Thread Rod Whitworth
On Fri, 22 May 2009 11:43:50 +0200, Jordi Espasa Clofent wrote:

>Hi all,
>
>I've updated my public NTP server (time.cdmon.com); 4.5 works like a charm!
>
>Despite that, I see the following warning in /var/log/messages
>
>(...]
>May 21 23:53:53 time ntpd[12997]: sendto: Can't assign requested address
>May 22 00:03:58 time last message repeated 66 times
>May 22 00:13:52 time last message repeated 66 times
>May 22 00:23:56 time last message repeated 67 times
>May 22 00:33:48 time last message repeated 65 times
>
>I've searched for this warning in my /usr/src (after a CVS update, of
>course), to figure out what this message means but I get no results.
>
>Any clues?
>
>PS. Curiously, when this warning appears in /var/log/messages the server
>reliability falls
>(http://www.pool.ntp.org/scores/212.36.75.245#graph_explanation).
>
>PS. I suspect a CPD connection issue
>
>-- 
>Thanks,
>Jordi Espasa Clofent


Config file says?

r/

*** NOTE *** Please DO NOT CC me. I  subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thankyou.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



OpenNTPD warning

2009-05-22 Thread Jordi Espasa Clofent

Hi all,

I've updated my public NTP server (time.cdmon.com); 4.5 works like a charm!

Despite that, I see the following warning in /var/log/messages

(...]
May 21 23:53:53 time ntpd[12997]: sendto: Can't assign requested address
May 22 00:03:58 time last message repeated 66 times
May 22 00:13:52 time last message repeated 66 times
May 22 00:23:56 time last message repeated 67 times
May 22 00:33:48 time last message repeated 65 times

I've searched for this warning in my /usr/src (after a CVS update, of
course), to figure out what this message means but I get no results.

Any clues?

PS. Curiously, when this warning appears in /var/log/messages the server
reliability falls
(http://www.pool.ntp.org/scores/212.36.75.245#graph_explanation).

PS. I suspect a CPD connection issue

--
Thanks,
Jordi Espasa Clofent



Re: multiple videocards... for console text

2009-05-22 Thread Felipe Alfaro Solana
On Fri, May 22, 2009 at 6:37 AM, Joel Wiramu Pauling
wrote:

> Just use USB to RS323 convert cables and have as many heads as you like off
> of dumb terminals. Or old laptops.


RS323? Is that a new "standard"? Or do you mean RS232? :)



bsd_auth

2009-05-22 Thread Gregory Edigarov

Hello,

Need just a small pointer to information on how to write an 
authentication program

i.e. login_ ? Because sources left much info outside.
Is there a specification or something?
Thanks.

--
With best regards,
Gregory Edigarov



Re: softraid

2009-05-22 Thread Uwe Dippel
Marco Peereboom  peereboom.us> writes:


> > Then keep asking!
> > I do have the impression, what I wanted, is what you already had in mind:
> > a broken mirror simply remains dead and broken, and the machine runs 
> > happily 
> > before and after reboot on the sane drive. Correct?
> 
> Correct.  If this isn't the case then I need to see a dmesg before &
> after rebooting and bioctl output before and after reboot.

Since we (that's I, sorry) seem to discuss the whole bunch (not a bad idea
after all, hoping to get things into their places and finally enjoying a
really beautiful and functioning softraid), I allow myself to add another
question, real life, on a to-be-production system:
Okay, now I have a broken harddisk, one half of the mirror is gone.
Then I will have to dump the partitions, create a new mirror, and restore,
correct?
Next problem: There are quite a number of bays available in my box, 
so that I can plug another drive for a local 'dump'. But irrespective 
where I plug it, it won't come up:

"softraid0 at root

softraid0: roaming device sd1b -> sd2b

softraid0: roaming device sd2b -> sd3b

softraid0: roaming device sd1b -> sd2b

softraid0: roaming device sd2b -> sd3b

scsibus3 at softraid0: 1 targets

sd4 at scsibus3 targ 0 lun 0:  SCSI2 0/direct fixed

sd4: 285789MB, 512 bytes/sec, 585296066 sec total

softraid0: volume sd4 is roaming, it used to be sd3, updating metadata

root on sd0a swap on sd0b dump on sd0b

Automatic boot in progress: starting file system checks.
/dev/rsd0a: file system is clean; not checking
Can't open /dev/rsd3h: Device not configured
CAN'T CHECK FILE SYSTEM.
/dev/rsd3h: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Can't open /dev/rsd3d: Device not configured
CAN'T CHECK FILE SYSTEM.
/dev/rsd3d: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Can't open /dev/rsd3f: Device not configured
CAN'T CHECK FILE SYSTEM.
/dev/rsd3f: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Can't open /dev/rsd3e: Device not configured
CAN'T CHECK FILE SYSTEM.
/dev/rsd3e: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Can't open /dev/rsd3g: Device not configured
CAN'T CHECK FILE SYSTEM.
/dev/rsd3g: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Can't open /dev/rsd3i: Device not configured
CAN'T CHECK FILE SYSTEM.
/dev/rsd3i: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Can't open /dev/rsd3j: Device not configured
CAN'T CHECK FILE SYSTEM.
/dev/rsd3j: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
THE FOLLOWING FILE SYSTEMS HAD AN UNEXPECTED INCONSISTENCY:

ffs: /dev/rsd3h (/home), ffs: /dev/rsd3d (/tmp), ffs: /dev/rsd3f 
(/usr), ffs: /dev/rsd3e (/var), ffs: /dev/rsd3g (/var/mail), ffs: /dev/rsd3i
(/var/www),
ffs: /dev/rsd3j (/backup)
Automatic file system check failed; help!

Enter pathname of shell or RETURN for sh: "

Now that roaming is in the way. I wonder if softraid really should do this:
You plug an additional disk, higher or lower, and automatically it will 
roam the mirror to drives of its liking, and inevitably fail the RAID thereby.



Re: 3G not navigate

2009-05-22 Thread Stuart Henderson
thanks for the detailed information in your post! everything important
is there, with a good explanation of the problem, and it's collected in
a single email.

On 2009-05-22, Murilo da Silva Ijanc  wrote:
> Hello misc@,
>
> I am trying to use 3G technology in OpenBSD. Currently my problem is that
> I can not navigate, I modified the dns's, and exchanged some information
> from  /etc/ppp/options, still not provided. Below some information that
> might help in solving the problem:
>
> /etc/ppp/options

that file is used by pppd, not ppp.

> /etc/ppp/ppp.conf

this is the right one for the program you're using.

> 4 packets transmitted, 4 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 494.942/593.611/679.708/70.161 ms
>
> lynx www.openbsd.org
>
> HTTP request sent; waiting for response.
>  .. 10 min . 20 min

this might be a problem with Van Jacobson header compression.
some devices don't support it correctly, and the usual symptom
is that ping/udp work but tcp fails.

you can try adding this to ppp.conf:

 disable vjcomp
 deny vjcomp

does that help?