Re: OpenBSD on EC2/Amazon

2012-04-25 Thread Timmy L Steve

+1

Would be nice to drop my linux ami.

tls


Hi all,

I have a question:

Is anyone working to make it possible to run OpenBSD on Amazon EC2?

Now, it is possible to run NetBSD and FreeBSD, but I cannot find much
information about the progress of OpenBSD on this topic.

Thanks in advance.

--


--
Fernando Quintero
http://nonroot.blogspot.com/
Just a nonroot User




Re: VPN on OpenBSD: OpenSSH or OpenVPN?

2012-04-25 Thread mxb
On Apr 24, 2012, at 11:07 PM, jin&hitman&Barracuda wrote:

>>> If you could write an article for undeadly (or only some short notes)
>>> on how you did this, it would be much appreciated. I'm sure there are
>>> lots of people besides me that are interested in this topic.
>> 
>> +1
> 
> 
> -- 
> *There is no place like "/home"*
> *From HemiB A R R A C U D A !*
> 


I just submitted a quick write-up to undeadly.org.
Screenshots for client configuration are still missing, as I don't have them.
But I'll post them as soon as I have them.

//maxim



Re: OpenBSD on EC2/Amazon

2012-04-25 Thread Otto Moerbeek
On Wed, Apr 25, 2012 at 12:42:30AM -0500, Fernando Quintero wrote:

> Hi all,
> 
> I have a question:
> 
> Is anyone working to make it possible to run OpenBSD on Amazon EC2?
> 
> Now, it is possible to run NetBSD and FreeBSD, but I cannot find much
> information about the progress of OpenBSD on this topic.
> 
> Thanks in advance.

I don't think anybody is working on this. 

But there are several VPS companies around (arpnetworks.com is one)
that are OpenBSD friendly. 

*If* I want to run a VPS, I'd rather give my money to a small company
than some behemoth.

But note that virtual systems have many drawbacks. Most importantly,
the security of OpenBSD (or any system run on a virtual system) is
bounded by the security of the VM implementation. It's another layer
that could cause security problems. 

-Otto



Re: PF match word

2012-04-25 Thread Stuart Henderson
On 2012-04-24, Theron ZORBAS  wrote:
> Hello Misc,
>
> What is the difference between these two rules:
> match out on egress inet from $int_if:network to any nat-to (egress)
>
> pass out on egress inet from $int_if:network to any nat-to (egress)
> Or there is no difference?
>
> I could not understand when to use match word.
>
>

'match' lets you separate natting, queue assignment, routing
table selection, qos marking etc from the main firewall
pass/block logic.

for example I find this easier to understand and edit:
(contrived example, but I think you'll get the idea..)

match from 10/8 to any nat-to egress:0
match from 10.0.5.9 to any nat-to $somehost
block
pass proto tcp from 10/8 to port 22
pass proto tcp from 10/8 to port 80
pass proto tcp from 10/8 to port 1433

than this:

block
pass proto tcp from 10/8 to port 22 nat-to egress:0
pass proto tcp from 10/8 to port 80 nat-to egress:0
pass proto tcp from 10/8 to port 1433 nat-to egress:0
pass proto tcp from 10.0.5.9 to port 22 nat-to $somehost
pass proto tcp from 10.0.5.9 to port 80 nat-to $somehost
pass proto tcp from 10.0.5.9 to port 1433 nat-to $somehost

> P.S. It's been very near time that i started to use OpenBSD as a firewall. 
> I'm asking this question as a newbie.
> Sorry if it is a time wasting question to you.
>
> Thanks.
> Theron ZORBAS

general advice: rather than just writing rules, start by working
out (and making notes on) what you want the firewall to allow,
then *after* you've done this, write some rules. then you can
check them against your original notes to make sure they do what
you want.

keep a copy of these notes, they will help a lot if you leave
the config alone for a while and then want to make changes to it
after a few months..



Re: undeadly

2012-04-25 Thread Mihai Popescu
Hi,

Nice article about Paris. Can someone point out what text editors are
open in that picture?
I don't want to start the old war about editors, I'm just interested
what other options are ...
Thanks.



Re: undeadly

2012-04-25 Thread mxb
On 04/25/2012 11:52 AM, Mihai Popescu wrote:

> Hi,
> 
> Nice article about Paris. Can someone point out what text editors are
> open in that picture?
> I don't want to start the old war about editors, I'm just interested
> what other options are ...
> Thanks.
> 


I think it is Window Manager and grouping.
Forgot the name of this minimalistic WM. Anyone to point this out?

P.S.
I see at least two WM in use on those photos. One is from the base.

//maxim



Re: Where's my bandwidth going?

2012-04-25 Thread Mihai Popescu
I was using trafshow from packages, it was quick to install and very simple.



Re: SETUID perl script leaves backdoor open

2012-04-25 Thread Christopher Zimmermann
After short testing I found a bug or at least a dangerous pitfall.

This leaves a backdoor open (probably in the saved UID):

#!/usr/bin/perl -wT

use strict;
require POSIX;

sub ids () { print "RUID=$< EUID=$> RGID=$( EGID=$)\n" }

print "Running $^X $0\n";

ids;
$> = $< = $<;
ids;
$> = $< = 0;
ids;

=== OUTPUT: 
Running /usr/bin/perl /dev/fd/3
RUID=1000 EUID=0 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001
RUID=1000 EUID=1000 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001
RUID=0 EUID=0 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001


While this drops privileges permanently:

#!/usr/bin/perl -wT

use strict;
require POSIX;

sub ids () { print "RUID=$< EUID=$> RGID=$( EGID=$)\n" }

print "Running $^X $0\n";

ids;
$< = $> = $<;
ids;
$> = $< = 0;
ids;

=== OUTPUT: 
Running /usr/bin/perl /dev/fd/3
RUID=1000 EUID=0 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001
RUID=1000 EUID=1000 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001
RUID=1000 EUID=1000 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001


Backdoor is still open when doing "$> = $< = 1000" or
"$< = 1000; $> = 1000;". POSIX::setuid($<) works fine.



Re: Where's my bandwidth going?

2012-04-25 Thread Timmy L Steve

drop to a Debian net and grab lsof

On 04/25/12 03:14, Mihai Popescu wrote:

> I was using trafshow from packages, it was quick to install and very simple.




Re: undeadly

2012-04-25 Thread Claudiu Tanaselia

On 25.04.2012 13:04, mxb wrote:
> On 04/25/2012 11:52 AM, Mihai Popescu wrote:
>
>> Hi,
>>
>> Nice article about Paris. Can someone point out what text editors are
>> open in that picture?
>> I don't want to start the old war about editors, I'm just interested
>> what other options are ...
>> Thanks.
>
> I think it is Window Manager and grouping.
> Forgot the name of this minimalistic WM. Anyone to point this out?
>
> P.S.
> I see at least two WM in use on those photos. One is from the base.
>
> //maxim

calm wm (cwm)?



Re: fdisk flag bootable partition during install

2012-04-25 Thread Louis V. Lambrecht
On Tue, 2012-04-24 at 23:35 +0200, Louis V. Lambrecht wrote:
> On Tue, 2012-04-24 at 22:52 +0200, Erling Westenvik wrote:
> > On Tue, Apr 24, 2012 at 08:14:19PM +0200, Alexander Hall wrote:
> > > You do not flag which "to use". Multiple A6 entries brings problems since 
> > > you get multiple disklabels.
> > 
> > Trust me: I'll remember that in the future.
> > 
> > > I am pretty sure this is documented and in the faq and archives.
> > 
> > Maybe so, at least implicit, but I dare to say not explicit. I don't
> > blame anyone but myself though.
> > 
> > > You could try setting the partition not to be used to some other dummy 
> > > type. Backup first. Ymmv.
> > 
> > I tried setting fdisk partition 1 back to NTFS (0x07). Then, after
> > quitting fdisk, the system complained about missing parameters when
> > trying to run reboot, halt and eventually shutdown. I managed to reboot
> > somehow but then no kernel was found. I then booted from CD and managed
> > to get the system back online with the two "multiple A6 entries".
> > 
> > 1. When I used "flag 1" in fdisk during install, did the installer place
> > the new files in fdisk partition 1?
> > 
> > 2. If so, does the original 5.0 installation still exists in fdisk
> > partition 2?
> > 
> > 3. If so, can my original disklabel be restored?
> > 
> > 
> > Cheers
> > Erling
> 
> 
> First read the FAQ 14.7,
> notice the "What can go wrong" chapter and fdisk with the -u option
> and run installboot(8) from the proper label.
> 
> Man boot(8) EXAMPLES 
> boot> boot hd2a:/bsd should get you in your large partition.
> 
> In most cases, when installing an OS, most rewrite the MBR: last install
> wins.
> 


Oops, after a good sleep, noticed an error: hard drive hd0 remains hd0
whatever the labels. Can't figure out the label. Sorry.

Now, stop playing with fdisk until you know what you are doing. :-6

Would have preferred to give you a plain OpenBSD solution.

Instead download a copy of RIP-Linux (CDRom or USB) or GAG (floppy).
What they do is to boot by-passing your (now whacked) fdisk.
Both will discover the PBRs (Partition Boot Record) and let you boot
from without writing anything to the drive (unless you say so).

Repair your Win7: 
http://techchand.org/92/how-to-fix-bootmgr-error-in-windows-vista-and-windows-7

It is a PITA but possible to point to any PBR (hence your OBSD sessions)
from within Windows boot manager.
Must be free tools around.



Re: bnx[01] -> trunk0 -> vlan119 -> carp119 problem

2012-04-25 Thread Matt Hamilton
BARDOU Pierre  mipih.fr> writes:

> 
> Hello,
> 
> I have dozens of CARP interfaces over VLAN interfaces over LACP trunk
> interfaces over physical EM/BGE/BNX. Carp is in multicast mode, multicast
> routing is disabled. Works like a charm with various OpenBSD versions since
> 4.4 to 5.0.

OK, that is good to know. Are you using i386 or amd64? I'm wondering if 
somehow that is a factor here?
 
> I can give you my hostname.if if that helps...

Yes, that would be very useful. Can you email to matth at netsight.co.uk.

I'm about to start setting up ospfd on these hosts, which also uses 
multicast so it will be interesting to see if that now also fails due to 
multicast being filtered out somewhere.

-Matt



Re: undeadly

2012-04-25 Thread Jeremy O'Brien
First laptop looks like either wmii or i3 based on the dynamic tiling
(tab layouts within tiled layout) and colorscheme, though xmonad could
also be coaxed into providing a layout like that. Second laptop looks
like fvwm to me based on the fact that the windows have titlebars. cwm
doesn't have titlebars. Just my observation.

On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> 
> > Hi,
> > 
> > Nice article about Paris. Can someone point out what text editors are
> > open in that picture?
> > I don't want to start the old war about editors, I'm just interested
> > what other options are ...
> > Thanks.
> > 
> 
> 
> I think it is Window Manager and grouping.
> Forgot the name of this minimalistic WM. Anyone to point this out?
> 
> P.S.
> I see at least two WM in use on those photos. One is from the base.
> 
> //maxim



Re: undeadly

2012-04-25 Thread Jeremy O'Brien
On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> 
> > Hi,
> > 
> > Nice article about Paris. Can someone point out what text editors are
> > open in that picture?
> > I don't want to start the old war about editors, I'm just interested
> > what other options are ...
> > Thanks.
> > 
> 
> 
> I think it is Window Manager and grouping.
> Forgot the name of this minimalistic WM. Anyone to point this out?
> 
> P.S.
> I see at least two WM in use on those photos. One is from the base.
> 
> //maxim
> 

Let's try that again without top-posting... O_o

First laptop looks like either wmii or i3 based on the dynamic tiling
(tab layouts within tiled layout) and colorscheme, though xmonad could
also be coaxed into providing a layout like that. Second laptop looks
like fvwm to me based on the fact that the windows have titlebars. cwm
doesn't have titlebars. Just my observation.



Re: undeadly

2012-04-25 Thread Gilles Chehade
On Wed, Apr 25, 2012 at 07:10:32AM -0400, Jeremy O'Brien wrote:
> On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> > On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> > 
> > > Hi,
> > > 
> > > Nice article about Paris. Can someone point out what text editors are
> > > open in that picture?
> > > I don't want to start the old war about editors, I'm just interested
> > > what other options are ...
> > > Thanks.
> > > 
> > 
> > 
> > I think it is Window Manager and grouping.
> > Forgot the name of this minimalistic WM. Anyone to point this out?
> > 
> > P.S.
> > I see at least two WM in use on those photos. One is from the base.
> > 
> > //maxim
> > 
> 
> Let's try that again without top-posting... O_o
> 
> First laptop looks like either wmii or i3 based on the dynamic tiling
> (tab layouts within tiled layout) and colorscheme, though xmonad could
> also be coaxed into providing a layout like that. Second laptop looks
> like fvwm to me based on the fact that the windows have titlebars. cwm
> doesn't have titlebars. Just my observation.
> 

First laptop has ion3, editor is emacs with custom emacs.conf:

  https://www.poolp.org/~gilles/emacs/emacs.conf

Also, how I managed to appear on a picture while only attending 3/4 hours
is an achievement in itself ;-p

-- 
Gilles Chehade

https://www.poolp.org | http://pool.ps  @poolpOrg



Re: after downgrade OpenBSD dmesg display wrong information

2012-04-25 Thread Timmy L Steve

IRC EXPOSED@!@!

READ THE NEWS NOW!


drizztbsd is no synonym - it is Theo himself!




On 04/18/12 21:37, Theo de Raadt wrote:

Some machines keep previous dmessages in mem. Scroll down to see the
most recent dmesg, or check /var/run/dmesg.boot

A cold boot wipes the dmesg buffer.

-Otto

Did something change in -current?

Might be surprising, but things always change in -current...




5.1 is shipping

2012-04-25 Thread OpenBSD Europe
We have started shipping.

Thanks.



Re: undeadly

2012-04-25 Thread Jeremy O'Brien
On Wed, Apr 25, 2012 at 01:21:06PM +0200, Gilles Chehade wrote:
> On Wed, Apr 25, 2012 at 07:10:32AM -0400, Jeremy O'Brien wrote:
> > On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> > > On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> > > 
> > > > Hi,
> > > > 
> > > > Nice article about Paris. Can someone point out what text editors are
> > > > open in that picture?
> > > > I don't want to start the old war about editors, I'm just interested
> > > > what other options are ...
> > > > Thanks.
> > > > 
> > > 
> > > 
> > > I think it is Window Manager and grouping.
> > > Forgot the name of this minimalistic WM. Anyone to point this out?
> > > 
> > > P.S.
> > > I see at least two WM in use on those photos. One is from the base.
> > > 
> > > //maxim
> > > 
> > 
> > Let's try that again without top-posting... O_o
> > 
> > First laptop looks like either wmii or i3 based on the dynamic tiling
> > (tab layouts within tiled layout) and colorscheme, though xmonad could
> > also be coaxed into providing a layout like that. Second laptop looks
> > like fvwm to me based on the fact that the windows have titlebars. cwm
> > doesn't have titlebars. Just my observation.
> > 
> 
> First laptop has ion3, editor is emacs with custom emacs.conf:
> 
>   https://www.poolp.org/~gilles/emacs/emacs.conf
> 
> Also, how I managed to appear on a picture while only attending 3/4 hours
> is an achievement in itself ;-p
> 

I thought ion3, but i3 came out instead because that's what _I_ use.
Thanks for the input. I'm also very nosy when it comes to the
(windowing/editing) environments that people work/code in. Always
looking for new ideas.



Re: 5.1 is shipping

2012-04-25 Thread Laurence Rochfort
On 25 April 2012 12:46, OpenBSD Europe  wrote:
> We have started shipping.
>
> Thanks.
>

Fantastic news.  Sandybridge graphics here I come!

Many thanks, as ever, to all the OpenBSD developers.



Re: OpenBSD on EC2/Amazon

2012-04-25 Thread C. Bensend
> But there are several VPS companies around (arpnetworks.com is one)
> that are OpenBSD friendly.
>
> *If* I want to run a VPS, I'd rather give my money to a small company
> than some behemoth.

+1.

ARP Networks is a great group of guys, they've been fantastic the
few times I've needed them to do something (most of the time, just
swapping the ISO image attached to my VPS).

Benny


-- 
"The problem with quotes on the internet is that it's very hard to
verify their authenticity."   -- Abraham Lincoln



Re: OpenBSD on EC2/Amazon

2012-04-25 Thread Wesley

BSDVM.COM is also great.

Cheers,

--
Wesley

On 2012-04-25 16:01, C. Bensend wrote:

>> But there are several VPS companies around (arpnetworks.com is one)
>> that are OpenBSD friendly.
>>
>> *If* I want to run a VPS, I'd rather give my money to a small company
>> than some behemoth.
>
> +1.
>
> ARP Networks is a great group of guys, they've been fantastic the
> few times I've needed them to do something (most of the time, just
> swapping the ISO image attached to my VPS).
>
> Benny




Re: undeadly

2012-04-25 Thread Steffen Daode Nurpmeso
Hi all you messy-int-typedef-mix rejectors,

Jeremy O'Brien wrote [2012-04-25 13:56+0200]:
> On Wed, Apr 25, 2012 at 01:21:06PM +0200, Gilles Chehade wrote:
> > On Wed, Apr 25, 2012 at 07:10:32AM -0400, Jeremy O'Brien wrote:
> > > On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> > > > On 04/25/2012 11:52 AM, Mihai Popescu wrote:
[reducing like grazy, very unpolite]
> > > > 
> > > > > Nice article about Paris.
> > > > 
> > > > I think it is Window Manager and grouping.
> > > > Forgot the name of this minimalistic WM. Anyone to point this out?
> > > > 
> > > > P.S.
> > > > I see at least two WM in use on those photos. One is from the base.
> > > > 
> > > > //maxim
> > > > 
> > First laptop has ion3, editor is emacs with custom emacs.conf:
> > 
> >   https://www.poolp.org/~gilles/emacs/emacs.conf
> > 
> > Also, how I managed to appear on a picture while only attending 3/4 hours
> > is an achievement in itself ;-p
> > 
> 
> Thanks for the input. I'm also very nosy when it comes to the
> (windowing/editing) environments that people work/code in. Always
> looking for new ideas.

if you like then you should really give ahwm a try.
I'm using it since 2002 (almost eight years on FreeBSD, and since
about 4 months again on OpenBSD in addition).
It's a real nifty thing and has an even smaller memory footprint
than cwm, while being much more sweet, e.g., each desktop can have
different window decoration colors (e.g. root-logins ALL RED).
You can also send windows to specific workspaces automatically
through their given name, as in

  # .xinitrc
  rxvt-unicode -title Ed -e vim &

  # .ahwmrc
  WindowName "Ed" {
    DefaultWorkspace = 1;
    #Sticky = True;
    #Omnipresent = True
  }

I think cwm doesn't do that (at least yet).
Read the .rc, it contains almost the entire docu (functions,
selectors, options; do bindings, defines - whatever)

But now the *absolute hammer*!
The guy who wrote that grazy thing back in 2002 has just (!)
modified his webpage and now states something like 

  Please note: this page, and this code, haven't been updated in
  ten years. This is of historical value only.

IT'S NOT!?  I'M USING IT DAILY!

  Please do not hesitate to contact me

Why should i?

  to report bugs

Why should i??

  or request new features

Why should i, dammit???

  Sat Feb 9 19:49:37 CST 2002
  Released version 0.90. This is the initial beta release of AHWM.
  It may contain bugs.

  Fri Apr 20 02:12:35 PDT 2012
  Did not release any new version in the preceeding ten years.
  Updated this page to make it clear that updates are unlikely.

Ha!  You don't say.
Just because you don't touch your did-once-for-good piece of
software means that it's historical.
Maybe you see it as an OpenBSD package before 5.2 is released.
Has a nice rather-BSD license, has it.

Thanks for your understanding.

P.S.: Forget your cat - my wild one is much more beautiful.

--steffen
Forza Figa!



Re: 5.1 is shipping

2012-04-25 Thread OpenBSD Europe
On Wed, Apr 25, 2012 at 12:46 PM, OpenBSD Europe  wrote:
> We have started shipping.
>
> Thanks.

Hi,

We've shipped the vast majority now. The rest will go tomorrow AM.

Thanks,



Re: fdisk flag bootable partition during install

2012-04-25 Thread Erling Westenvik
Thank you for your time everyone. Especially Gregor Best who pointed me
in the right direction. I managed to get hold on the old 5.0 RELEASE in
fdisk partition 2. However, afterwards I managed to do unspeakable
things.. I learned a lot though. It's a first time for everything! :-D

On Tue, Apr 24, 2012 at 11:12:55PM +0200, Gregor Best wrote:
> On Tue, Apr 24, 2012 at 10:52:26PM +0200, Erling Westenvik wrote:
> 
> > 1. When I used "flag 1" in fdisk during install, did the installer place
> > the new files in fdisk partition 1?
> 
> IIRC, behaviour with more than one A6 partition is undefined, but
> I'd say so, since it was the first A6 the kernel encountered on
> that disk.

Strictly speaking, partition 1 wasn't the first A6 partition the kernel
encountered since it was marked as 07 during CD boot, and was first
changed to 0xA6 "live" during install, without rebooting in between?

> > 2. If so, does the original 5.0 installation still exists in fdisk
> > partition 2?
> 
> May be.

It did.


Cheers,
Erling



Re: SETUID perl script leaves backdoor open after dropping privileges

2012-04-25 Thread Ted Unangst
On Wed, Apr 25, 2012 at 07:15, Christopher Zimmermann wrote:
> As requested, here's the same test case a little more readable:
> 
> This leaves a backdoor open (possibly in the saved UID):

Yes, if you don't clear the saved uid, you can still switch back to
it.  You should use setresuid if it's available, because the semantics
of setting one uid at a time are a mess.

www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
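
Added example, not part of Ted Unangst's message or of the thread: a C version of the setresuid approach he recommends, setting the real, effective and saved IDs in one call and then verifying that the old IDs cannot be switched back to. The names uid_triple, can_regain and drop_privileges_permanently are made up for this example, and the 1000/0 triples are constructed to mirror the RUID/EUID values in the test output earlier in the thread, with the saved UID assumed to be 0 in the leaky case.

```c
/* Added example (not from the thread): permanent privilege drop with
 * setresuid(2)/setresgid(2), verified afterwards. */
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Prototypes repeated here because glibc only exposes them under
 * _GNU_SOURCE; OpenBSD declares them in <unistd.h> unconditionally. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Hypothetical helper type: the three user IDs a process carries. */
struct uid_triple { uid_t ruid, euid, suid; };

/* Model of the rule behind the "backdoor": an unprivileged process may set
 * its effective UID to its real or saved UID, so `priv` can be reactivated
 * as long as it survives in any of the three slots. */
int can_regain(struct uid_triple t, uid_t priv)
{
	return t.ruid == priv || t.euid == priv || t.suid == priv;
}

/* Drop to uid/gid for good. Returns 0 only if every ID was replaced and
 * the previous effective IDs can no longer be restored; -1 otherwise. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
	uid_t old_euid = geteuid();
	gid_t old_egid = getegid();
	struct uid_triple u;
	gid_t rgid, egid, sgid;

	/* Supplementary groups can only be reset while still root. */
	if (old_euid == 0 && setgroups(1, &gid) == -1)
		return -1;
	/* Groups before user: after the UID drop the GIDs may be frozen. */
	if (setresgid(gid, gid, gid) == -1)
		return -1;
	if (setresuid(uid, uid, uid) == -1)
		return -1;

	/* Read the IDs back instead of trusting the return values. */
	if (getresuid(&u.ruid, &u.euid, &u.suid) == -1 ||
	    getresgid(&rgid, &egid, &sgid) == -1)
		return -1;
	if (u.ruid != uid || u.euid != uid || u.suid != uid)
		return -1;
	if (rgid != gid || egid != gid || sgid != gid)
		return -1;

	/* Active probe: switching back to the old IDs must now fail. */
	if (uid != 0) {
		if (old_euid != uid &&
		    (can_regain(u, old_euid) || seteuid(old_euid) == 0))
			return -1;
		if (old_egid != gid && setegid(old_egid) == 0)
			return -1;
	}
	return 0;
}

int main(void)
{
	/* Constructed triples: effective UID dropped but saved UID still 0,
	 * versus all three IDs set to the unprivileged user. */
	struct uid_triple leaky = { 1000, 1000, 0 };
	struct uid_triple clean = { 1000, 1000, 1000 };

	printf("euid-only drop, root regainable: %d\n", can_regain(leaky, 0));
	printf("all three IDs set, root regainable: %d\n", can_regain(clean, 0));

	if (drop_privileges_permanently(getuid(), getgid()) == -1) {
		fprintf(stderr, "privilege drop failed or could not be verified\n");
		return 1;
	}
	printf("now running as uid %ld, gid %ld\n",
	    (long)getuid(), (long)getgid());
	return 0;
}
```

Installed set-user-ID root and run by an ordinary user, the program ends with all three UIDs equal to the caller's; run without the set-user-ID bit it performs the same calls as a no-op drop.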



ypldap, ypbind at boot

2012-04-25 Thread Ganguin Michel
Hi,

I've setup my openbsd machines so that ldap users can log into it.

I've installed login_ldap, configured /etc/login.conf, /etc/ypldap.conf,
domainname in /etc/defaultdomain, and added the + user and group in
master.passwd and /etc/group.

As far as I read ypldap cannot speak ldaps, so I configured relayd to do an
ssl tunnel and made ypldap connect through the tunnel.

Everything worked fine until I moved my server infrastructure (shutdown
everything).

ypbind is stuck because the ldap server is not yet reachable, which is
understandable. I read that I won't be able to log in if this happens, but
that I can use netid so that local non-ldap users can still log in. I've done
this but boot process is stuck and even if sshd is already started, I'm not
able to ssh in with the users defined in netid (ssh connection closed by
server after a timeout).

Is it possible to setup ypbind and ypldap so that even if the ldap server is
not available I'm able to login with the local users either by having the
login prompt on the console or by being able to ssh in?

Thanks
Michel



Re: undeadly

2012-04-25 Thread Marc Espie
My laptop is running fvwm, from the system, because I reinstall often enough
and rebuild enough packages that anything else is a chore.

Besides, I have weird keyboard shortcuts, and I haven't been able to find
anything else that caters to the idiosyncrasies I caught years ago.

As editor, I use vim if it's installed, and downgrade to vi while it's
building. I have a small script named "vim" that calls the most appropriate
editor, and can at least emulate "vim -" with vi.



Re: fdisk flag bootable partition during install

2012-04-25 Thread Gregor Best
On Tue, Apr 24, 2012 at 08:47:05PM -0600, Theo de Raadt wrote:
> [...]
> Undefined?
>
> Sorry.  But if you go look at the code, that is exactly how it works.
>
> Some might not like it.  But that is how it works, at this time.
>
> I don't know what the word "undefined" means in that context.
> [...]

Hence the IIRC. Apparently I did not completely remember correctly :)

--
Gregor Best




Re: Where's my bandwidth going?

2012-04-25 Thread Barry Grumbine
On Tue, Apr 24, 2012 at 9:27 PM, Alan Corey  wrote:
> I'm on a modem, so there's only about 3 K/sec anyway, but is there anything
> that'll show me at least pids of what's using bandwidth?  I've learned to
> close Firefox and even mc sessions I'm not using, and I'm watching a wget
> download and pftop and "netstat -b -I tun0 -w 1".
>
> I've got it under control right now by shutting off my wireless access point
> because my Kindle Fire was talking to s3.amazonaws.com.  Poking around in
> userland ppp sources I see something called netgraph.  How do I use that and
> what does it do?
>
>  Alan
>

Running OpenBSD, you shouldn't have much trouble
with rogue processes sucking bandwidth.  You should
know what processes you started.

To see the ins and outs of our network traffic, I like
using pftop.  I looked at iftop too, it has an interesting
display but pftop was more useful for me.

-Barry



Re: ypldap, ypbind at boot

2012-04-25 Thread Vitali
On Wed, Apr 25, 2012 at 4:48 PM, Ganguin Michel
 wrote:
> Hi,

[cut]

> server after a timeout).
>
> Is it possible to setup ypbind and ypldap so that even if the ldap server is
> not available I'm able to login with the local users either by having the
> login prompt on the console or by being able to ssh in?
>
> Thanks
> Michel
>


On FreeBSD there is /etc/nsswitch.ldap in which you could say, for example:

---

passwd: files ldap
group:  files ldap
shells: files ldap

# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:  files dns ldap

# LDAP is nominally authoritative for the following maps.
services:   ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases:    files
sendmailvars:   files

# Note: there is no support for netgroups on Solaris (yet)
#netgroup:   ldap [NOTFOUND=return] files
netgroup:   files

---

It's my FreeBSD file, but I have never tried running user ldap
authorizing  on OpenBSD, can't say more.


--
### Coonardoo / The Well In The Shadow / Le Puits Dans L'Ombre ###



Re: bnx[01] -> trunk0 -> vlan119 -> carp119 problem

2012-04-25 Thread Stuart Henderson
On 2012-04-25, Matt Hamilton  wrote:
> BARDOU Pierre  mipih.fr> writes:
>
>> 
>> Hello,
>> 
>> I have dozens of CARP interfaces over VLAN interfaces over LACP trunk
>> interfaces over physical EM/BGE/BNX. Carp is in multicast mode, multicast
>> routing is disabled. Works like a charm with various OpenBSD versions since
>> 4.4 to 5.0.
>
> OK, that is good to know. Are you using i386 or amd64? I'm wondering if 
> somehow that is a factor here?
>  
>> I can give you my hostname.if if that helps...
>
> Yes, that would be very useful. Can you email to matth at netsight.co.uk.
>
> I'm about to start setting up ospfd on these hosts, which also uses 
> multicast so it will be interesting to see if that now also fails due to 
> multicast being filtered out somewhere.

You can try something simple to test multicast; ping6 -w ff02::1%vlan119
you should see name responses from the local machine and other boxes on
the same vlan.

I set up carp-on-vlan-on-trunk-on-bnx0/1 on an R210-II running 5.1
the other day, no trouble. In this case they're webservers so I didn't
set net.inet.ip.forwarding in sysctl.conf and I'm using ip balancing
rather than simple carp failover.

hostname.carp82

carpdev vlan82 pass bleh advbase 0
carpnodes 74:32,75:128 balancing ip
xxx.xxx.xxx.xxx/32

hostname.vlan82

vlandev trunk0 vlan 82
xxx.xxx.xxx.yyy/28

hostname.trunk0 

trunkproto failover
trunkport bnx0
trunkport bnx1
up

hostname.bnx0, hostname.bnx1

up

(using "advbase 0" allows for much faster failover, you really
want 5.1 if you want to use that, it was added in 5.0 but the timer
was a bit over-sensitive).

erm, do you have a default route configured? I haven't tested, but
it wouldn't be a big surprise if that resulted in behaviour like
you're seeing.



Re: OpenBSD on EC2/Amazon

2012-04-25 Thread Tyler Morgan

On 4/25/2012 1:55 AM, Otto Moerbeek wrote:

> On Wed, Apr 25, 2012 at 12:42:30AM -0500, Fernando Quintero wrote:
>
>> Hi all,
>>
>> I have a question:
>>
>> ?Is anyone working to make possible run OpenBSD on Amazon EC2?
>>
>> now, It is possible to run NetBSD and FreeBSD, but I can not find much
>> information about the progress of OpenBSD on this topic.
>>
>> Thanks in advanced.
>
> I don't think anybody is working on this.
>
> But there are several VPS companies around (arpnetworks.com is one)
> that are OpenBSD friendly.
>
> *If* I want to run a VPS, I rather give my money to a small company
> than some behemoth.
>
> But note that virtual systems have many drawbacks. Most importantly,
> the security of OpenBSD (or any system run on a virtual system) is
> bounded by the security of the VM implementation. It's another layer
> that could cause security problems.
>
> -Otto



Couldn't be timed better, VMWare confirms ESX source code leak:

http://blogs.vmware.com/security/2012/04/vmware-security-note.html

I'm sure hypervisor->guest VM exploits exist already, and hopefully this 
will lead to more, because it is nearly unaddressed in all the virtual 
computing I work with.


--



Re: ypldap, ypbind at boot

2012-04-25 Thread Stuart Henderson
On 2012-04-25, Vitali  wrote:
>> Is it possible to setup ypbind and ypldap so that even if the ldap server is
>> not available I'm able to login with the local users either by having the
>> login prompt on the console or by being able to ssh in?
>
> On FreeBSD there is /etc/nsswitch.ldap in which you could say, for example:
[snip]
>
> It's my FreeBSD file, but I have never tried running user ldap
> authorizing  on OpenBSD, can't say more.

This is not applicable to OpenBSD. (and I'd like to hear of any
strategies for dealing with this too, there are various new and exciting
ways of locking yourself out of your machines by misconfiguring ypldap!)



5.1 arrives in Arizona

2012-04-25 Thread Gary Ashkenazy
Thanks again to all the developers for providing such a secure and
stable operating system.

Gary



Re: Where's my bandwidth going?

2012-04-25 Thread Stuart Henderson
On 2012-04-25, Alan Corey  wrote:
> I'm on a modem, so there's only about 3 K/sec anyway, but is there 
> anything that'll show me at least pids of what's using bandwidth?

You can watch each packet with "match log(all,user)" in pf.conf and
running "tcpdump -enipflog0 -v". The *second* pid reported shows the
associated program. (The *first* pid is that of the pfctl instance
which added the rule).

Or it may be easier to use some other program to grab the bandwidth
figures (darkstat, perhaps?) and then look in pflog to identify the
pid, in which case the per-packet information is probably not useful
so maybe just do "match log(user)" which will just show one entry
for each state that was setup.
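The per-process attribution described in the message above, as an added example that is not part of the original thread: it tallies pflog entries by the second `[uid, pid]` group on each line. The function names and the sample lines are constructed, and the line layout (two bracketed groups, rule owner first) is assumed from the description in the message.

```shell
#!/bin/sh
# Added example: count pflog entries per owning process.
# Assumes pf.conf contains "match log(user)" and that the input is the text
# printed by "tcpdump -enipflog0 -v", where each line has up to two
# "[uid U, pid P]" groups: first the pfctl instance that added the rule,
# second the process associated with the packet (the one we want).

# Constructed sample lines (addresses are documentation ranges).
sample_log() {
cat <<'EOF'
21:10:01.100000 rule 3/(match) [uid 0, pid 18022] match out on ppp0: [uid 1000, pid 4021] 192.0.2.10.40112 > 198.51.100.7.80: S
21:10:04.200000 rule 3/(match) [uid 0, pid 18022] match out on ppp0: [uid 1000, pid 4021] 192.0.2.10.40113 > 198.51.100.7.80: S
21:10:09.300000 rule 3/(match) [uid 0, pid 18022] match out on ppp0: [uid 0, pid 733] 192.0.2.10.123 > 203.0.113.5.123: udp 48
21:10:15.400000 rule 3/(match) [uid 0, pid 18022] match in on ppp0: 203.0.113.9.51000 > 192.0.2.10.22: S
21:10:20.500000 rule 3/(match) [uid 0, pid 18022] match out on ppp0: [uid 1000, pid 4021] 192.0.2.10.40114 > 198.51.100.8.443: S
EOF
}

# Reads tcpdump text on stdin, prints "COUNT uid=U pid=P" sorted by count.
# Lines with fewer than two groups carry no owner and count as "unknown".
pid_tally() {
    awk '
    {
        line = $0; n = 0
        # Collect every "[uid U, pid P]" group in order of appearance.
        while (match(line, /\[uid [0-9]+, pid [0-9]+\]/)) {
            grp[++n] = substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        if (n >= 2) {
            split(grp[2], f, /[ ,]+/)    # f[2] is the uid, f[4] is the pid
            key = "uid=" f[2] " pid=" f[4]
        } else {
            key = "unknown"
        }
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | pid_tally
```

On a live system the input would come from the tcpdump command quoted above instead of `sample_log`, and the reported pid can then be looked up with ps(1) while the process is still running.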



Re: authorized_keys and security(8)

2012-04-25 Thread Stuart Henderson
On 2012-04-24, Tyler  wrote:
> Hi,
>
> Is there a way to create logins that are only accessed via 
> authorized_keys so that security(8) doesn't complain about them every day?
>
> The general goal is to disable remote root login via SSH and allow an 
> unprivileged "admin" user access via key files and pass phrases (and 
> then sudo or su).
>
> My problem is security(8) complains about this every day:
>
> "Login admin is off but still has a valid shell and alternate access 
> files in home directory are still readable."

vipw and set the crypted password to 13 *'s. pretty sure the old
/etc/security script did the same thing in this respect.



Why does the ports system delete distfiles?

2012-04-25 Thread Alan Corey
I've seen this before, I wonder if there's some environment variable I 
can set to stop it?


I try make fetch on a port, it fails due to a bad site.  I hit Ctrl-C to 
stop it, it goes to the next site and downloads the file.  Then it deletes 
the file when it finishes.  I type make install and it tries the bad site 
again...


  Alan



Re: Why does the ports system delete distfiles?

2012-04-25 Thread Alexander Hall
Alan Corey  wrote:

>I've seen this before, I wonder if there's some environment variable I 
>can set to stop it?
>
>I try make fetch on a port, it fails due to a bad site.  I hit Ctrl-C
>to 
>stop it, it goes to the next site and downloads the file.  Then it
>deletes 
>the file when it finishes.  I type make install and it tries the bad
>site 
>again...
>
>   Alan

I'd guess one or more subprocesses ignore SIGINT while others (=make?) don't, 
and thus the fetching proceeds but when it's done, make exits, after the 
appropriate cleanup. Don't know if it's trivially fixed.

/Alexander



Re: Why does the ports system delete distfiles?

2012-04-25 Thread Jan Stary
On Apr 25 23:34:24, Alan Corey wrote:
> I've seen this before, I wonder if there's some environment variable
> I can set to stop it?
> 
> I try make fetch on a port, it fails due to a bad site.  I hit
> Ctrl-C to stop it, it goes to the next site and downloads the file.
> Then it deletes the file when it finishes.

I can confirm this happens; for example, audio/sox:

# make fetch
===>  Checking files for sox-14.4.0p1
>> Fetch http://downloads.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C http fetch aborted.
>> Fetch http://easynews.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://puzzle.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://optusnet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
ftp: Error retrieving file: 404 Not Found
>> Fetch http://heanet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://jaist.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C http fetch aborted.
>> Fetch http://nchc.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://switch.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://kent.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://internap.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
ftp: no address associated with name: internap.dl.sourceforge.net
>> Fetch http://mesh.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://ovh.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://surfnet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://ufpr.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
^C>> Fetch http://ftp.openbsd.org/pub/OpenBSD/distfiles//sox-14.4.0.tar.gz
sox-14.4.0.tar.gz 100% ||  1079 KB 00:03
*** /usr/ports/distfiles/sox-14.4.0.tar.gz removed



Re: Why does the ports system delete distfiles?

2012-04-25 Thread patrick keshishian
On Wed, Apr 25, 2012 at 10:48 PM, Jan Stary  wrote:
> On Apr 25 23:34:24, Alan Corey wrote:
>> I've seen this before, I wonder if there's some environment variable
>> I can set to stop it?
>>
>> I try make fetch on a port, it fails due to a bad site.  I hit
>> Ctrl-C to stop it, it goes to the next site and downloads the file.
>> Then it deletes the file when it finishes.
>
> I can confirm this happens; for example, audio/sox:

as pointed out by Alexander Hall it is make doing this because before
the target is built, the process is aborted:

$ cat > touch_tmp_testdottxt.sh
#!/bin/sh
set -x
touch /tmp/test.txt
# sleep 5 second allow for ^C
echo sleeping for 5 second. go ahead and control-C out of make
sleep 5
echo done!
$ cat > Makefile
test.txt:
	/bin/sh touch_tmp_testdottxt.sh
$ make -n
/bin/sh touch_tmp_testdottxt.sh
$ make
/bin/sh touch_tmp_testdottxt.sh
+ touch /tmp/test.txt
+ echo sleeping for 5 second. go ahead and control-C out of make
sleeping for 5 second. go ahead and control-C out of make
+ sleep 5
^C*** test.txt removed


HTH,
--patrick


> # make fetch
> ===>  Checking files for sox-14.4.0p1
> >> Fetch http://downloads.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C http fetch aborted.
> >> Fetch http://easynews.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://puzzle.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://optusnet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ftp: Error retrieving file: 404 Not Found
> >> Fetch http://heanet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://jaist.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C http fetch aborted.
> >> Fetch http://nchc.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://switch.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://kent.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://internap.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ftp: no address associated with name: internap.dl.sourceforge.net
> >> Fetch http://mesh.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://ovh.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://surfnet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://ufpr.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://ftp.openbsd.org/pub/OpenBSD/distfiles//sox-14.4.0.tar.gz
> sox-14.4.0.tar.gz 100% ||  1079 KB 00:03
> *** /usr/ports/distfiles/sox-14.4.0.tar.gz removed



Re: Why does the ports system delete distfiles?

2012-04-25 Thread Marc Espie
On Wed, Apr 25, 2012 at 11:34:24PM -0400, Alan Corey wrote:
> I've seen this before, I wonder if there's some environment variable
> I can set to stop it?

Nope.

> I try make fetch on a port, it fails due to a bad site.  I hit
> Ctrl-C to stop it, it goes to the next site and downloads the file.
> Then it deletes the file when it finishes.  I type make install and
> it tries the bad site again...

That's the way make works. Don't hit ^C.

Changing this is impossible, since make sees the ^C, being the controlling
process and all.


Oh, and if the site is really bad, report the site.
If it's not, fix your network config.


I hardly notice anymore since dpb fetches things for me.