Re: Two questions.
So the rumors are true: the movie below is based on the process developed/used by Theo.. http://en.wikipedia.org/wiki/Moon_(film)

Theo de Raadt dera...@cvs.openbsd.org wrote: On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote: ... The first one. We all know that the operating system OpenBSD largely depends on its lead, so what will happen when the time comes for Theo? We all know that so far people do not live thousands of years... I think that not only I would be interested to know the future of this great project in case something happens. Please do not misunderstand me here, I do not wish anything bad for Theo, I just need to be sure that there are others who could keep the project going.

Same thing that happens for any open source volunteer project, or any sole proprietorship...or any corporation. Someone(s) may step up, they may not. They may succeed in keeping the team together, they may not. The project may improve, it may lessen. What a bunch of worrying baloney. I have asexually reproduced a few times, and put the other copies of myself in stasis. In the event that I fall off a mountain or get attacked by a group of dogs in central Turkey, a copy is automatically brought out of stasis to continue the effort. The process is so transparent, that you won't even know if it has happened before...
Re: Network appliance recommendation.
On 08/09/13 17:05, Francisco Valladolid H. wrote: Hi folks. Currently I have a Wireless network serving in my town using a small form factor (mini-itx) PC with OpenBSD for pf, squid, and dns cache. I need recommendations for a network appliance in rack mode with flash storage and five rj45 ports. Can anyone recommend a solution for my needs?

Axiomtek NA-320R might be an alternative. Rack mount, 6 gbit ports, CF-storage and Atom 1.6 GHz CPU. Maurice
Post-quantum cryptography
It has long been known that almost all asymmetric cyphers of practical importance today are easily broken using Shor's algorithm https://en.wikipedia.org/wiki/Shor's_algorithm which can only run on a quantum computer. In particular, every inverse logarithm and prime factorization based cypher isn't exponentially complex but just polynomial in time using that algorithm. Now looking at this http://spectrum.ieee.org/tech-talk/computing/hardware/scientists-confirm-dwave-computer-chips-compute-using-quantum-mechanics one may wonder if it's time to implement a post-quantum asymmetric key cryptographic system. Are there any attempts to do this? Are there discussions about which of the mathematically possible systems are best in practice and so forth? Are there even implementations yet? /mirco
Re: C partition of type 4.2BSD
On 08/09/13 22:54, Kenneth R Westerback wrote: On Fri, Aug 09, 2013 at 11:38:16AM +0200, Federico Giannici wrote: I don't know how I made it (probably in previous releases of the OS), but now I have a disk with the following disklabel:

# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: ST1000DM003-9YN1
duid: b0e3fc037df87899
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 121601
total sectors: 1953525168
boundstart: 64
boundend: 1953520065
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:       1953519936               64  4.2BSD   8192 65536     1 # /bu
  c:       1953525168                0  4.2BSD   2048 16384     1

As you can see the c partition is not of type unused, and some commands complain about this. I wasn't able to change this situation. I tried with disklabel -E sd2, disklabel -d sd2, disklabel -R sd2 proto (with a proper proto file), but nothing changed. What is the proper way to handle this? Please note that the a partition contains data that must be preserved (I unmounted that partition before all disklabel commands). The system is 5.3 amd64, and sd2 is a normal SATA disk. Thanks.

disklabel(8) contains a description of the 'z' command available in the -E mode. It should kill 'c' dead. Just add 'a' back with the same parameters it had before. Not that Nick's solution isn't more fun! Ken

Unfortunately neither your suggestion nor Nick's one (the 4b variant) worked; the disklabel always remained the same... Thanks.
Re: ospfd/ospf6d causing denial of service(?)
There was a bug. It was in software you got for free. It is hopefully fixed, before the next bug is found and fixed. In the meantime, further advancements will improve that software so that it continues to do neat innovative things. and takes down an entire network with ridiculous amounts of pps is not considered serious? OK, let me call it serious, just for a minute. Do you feel better? Hey, does everyone else feel better? Hell, does anyone feel better? I doubt it. I don't think I understand the logic here. What does logic have to do with calling something serious or not calling it serious? Am I calling it serious in the right places? Do I need to put it on a web page, or a wiki, or is my logic faulty for not broadcasting it enough? Should claudio write it on his chest in permanent marker for you to be satisfied? Because clearly you are only mouthing off because you want to be satisfied. All users of 4.9 (possibly even 4.8) deserve to have this fixed so they don't suffer the same fate. Oh... all users. How about me, on my little laptop having a glass of wine with friends. Do I deserve a fix right now, before I suffer the fate of the ospfd bug? I doubt it. And deserve? No one deserves anything from us. People get good things, and they are happy. The developers in this project do the best they can writing innovative software, and will not accept preaching from pompous self-entitled American pricks like you. And if there is anything All users deserve, it is for people like you to start the apologies. I believe you deserve to stop running the software. Right now, ok? Update: We have stopped running the software. Yay?
Re: Post-quantum cryptography
Mirco Richter mirco.rich...@email.de wrote: one may wonder if it's time to implement a post-quantum asymmetric key cryptographic system. Are there any attempts to do this? Are there discussions about which of the mathematically possible systems are best in practice and so forth? Are there even implementations yet?

This--the second hit when you google for post-quantum cryptography-- looks like an excellent starting point: http://pqcrypto.org/ -- Christian naddy Weisgerber na...@mips.inka.de
Re: Post-quantum cryptography
Sent: Saturday, 10 August 2013 at 13:18 From: Christian Weisgerber na...@mips.inka.de To: misc@openbsd.org Subject: Re: Post-quantum cryptography Mirco Richter mirco.rich...@email.de wrote: one may wonder if it's time to implement a post-quantum asymmetric key cryptographic system. Are there any attempts to do this? Are there discussions about which of the mathematically possible systems are best in practice and so forth? Are there even implementations yet? This--the second hit when you google for post-quantum cryptography-- looks like an excellent starting point: http://pqcrypto.org/ -- Christian naddy Weisgerber na...@mips.inka.de

Don't see what you imply? Can you please point me to where this is related to OBSD? /mirco
Re: Two questions.
On Fri, Aug 09, 2013 at 06:45:10PM -0600, Theo de Raadt wrote: On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote: ... The first one. We all know that the operating system OpenBSD largely depends on its lead, so what will happen when the time comes for Theo? We all know that so far people do not live thousands of years... I think that not only I would be interested to know the future of this great project in case something happens. Please do not misunderstand me here, I do not wish anything bad for Theo, I just need to be sure that there are others who could keep the project going. Same thing that happens for any open source volunteer project, or any sole proprietorship...or any corporation. Someone(s) may step up, they may not. They may succeed in keeping the team together, they may not. The project may improve, it may lessen. What a bunch of worrying baloney. I have asexually reproduced a few times, and put the other copies of myself in stasis. In the event that I fall off a mountain or get attacked by a group of dogs in central Turkey, a copy is automatically brought out of stasis to continue the effort. The process is so transparent, that you won't even know if it has happened before...

Excellent detail on the process. I'll get an errata out for Absolute OpenBSD. But I do wish you'd mentioned this before we went to print. ==ml -- Michael W. Lucas - mwlu...@michaelwlucas.com, Twitter @mwlauthor http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e coupon code ILUVMICHAEL gets you 30% off helps me.
Intel I210 ethernet card support
Hello! Does OpenBSD support the recently released Intel I210 card? I have searched the net but have not come up with a satisfying answer to this. Thanks, Peter
Re: Usefulness of offloading cryptographic hashing of passwords
On Fri, Aug 09, 2013 at 21:46, Nathan Goings wrote: I recently read an article from facebook on password cracking. It got Am I over-thinking this? Yes. People have recently become fascinated with bizarro password storage schemes. Something fairly simple like bcrypt (perhaps with an increased difficulty factor if you care that much) is fine. Or take the radical approach of using different passwords for different services.
log file's watchers
Hi! Does anybody work with tools like logsentry, swatch, logtail or others? What is your preference? I installed swatch on a current i386 system. My swatch.conf looks like this:

..
watchfor /INVALID|REPEATED|INCOMPLETE|[Ff]ail /
  echo magenta_h
  bell 3
  mail addresses=myname\@mydomain, subject=Bad_login_attempt
watchfor /invalid|repeated|incomplete/
  echo
  write myname
  mail addresses=myname\@localhost, subject=Authentication Problems
watchfor /BAD SU|bad su/
  echo
  write myname
  mail addresses=myname\@localhost, subject=SU Problems

When I start swatch:

#/usr/local/bin/swatch --daemon --config-file=/etc/swatch.conf --tail-file=/var/log/authlog --pid-file=/var/run/swatch.pid

it's OK, but if I run $su (with a wrong password) the system meets me with silence :( What's wrong with my swatch.conf? Thanks, Alex P.S. DNS mail servers work OK
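An added example, not from the thread or from swatch itself: the three watchfor patterns above applied to constructed OpenBSD authlog lines, showing which rule each line would trigger. The hostname, user, addresses and timestamps are made up; the first line follows the shape of the message su writes on a wrong password.

```python
"""Apply the three swatch watchfor patterns from the thread to sample
OpenBSD authlog lines.  Added example, not code from the thread or from
swatch; the sample lines are constructed for illustration.
"""
import re

# The three regexes exactly as written in the swatch.conf above, keyed by
# the mail subject each watchfor block would send.
RULES = [
    ("Bad_login_attempt",       re.compile(r"INVALID|REPEATED|INCOMPLETE|[Ff]ail ")),
    ("Authentication Problems", re.compile(r"invalid|repeated|incomplete")),
    ("SU Problems",             re.compile(r"BAD SU|bad su")),
]

# Constructed authlog lines (hostname, user and addresses are made up).
# The first one has the shape of the message su logs on a wrong password.
SAMPLE_AUTHLOG = """\
Aug 10 16:02:11 host su: BAD SU alex to root on /dev/ttyp0
Aug 10 16:02:40 host sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 52111 ssh2
Aug 10 16:03:02 host sshd[12345]: Failed password for alex from 192.0.2.10 port 52112 ssh2
Aug 10 16:03:30 host login: REPEATED LOGIN FAILURES ON ttyC0, alex
Aug 10 16:03:45 host sshd[12350]: Disconnecting: Too many authentication failures for alex
Aug 10 16:04:00 host su: alex to root on /dev/ttyp0
"""


def match_rules(line):
    """Return the subjects of every rule whose regex matches the line.

    swatch walks the watchfor blocks in order, so one line can hit several.
    Note the trailing space in '[Ff]ail ': it matches 'fail ' but not
    'Failed' or 'FAILURES', so an sshd 'Failed password' line only fires
    when another word (here 'invalid') matches.
    """
    return [subject for subject, rx in RULES if rx.search(line)]


def scan(text):
    """Map each non-empty log line to the list of rules it triggers."""
    return [(line, match_rules(line)) for line in text.splitlines() if line]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_AUTHLOG):
        print("%-28s %s" % (", ".join(hits) or "(no rule)", line))
```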
Re: Intel I210 ethernet card support
On Sat, Aug 10, 2013 at 02:53:41PM +0200, Peter Olsson wrote: Hello! Does OpenBSD support the recently released Intel I210 card? I have searched the net but have not come up with a satisfying answer to this. Thanks, Peter The i210/i211 chips aren't supported yet. The i217/pch_lpt found in the Lynx Point/Haswell PCH isn't either. I don't think any of the usual suspects have hardware yet.
Don't read this - OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the truth - as author rewrites your comments and can't spell
While searching for 'OpenBSD bad package CONTENTS' I somehow came across this and got sucked in when I shouldn't have. OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the truth http://aboutthebsds{dot}wordpress{dot}com Well I had a go at educating the author of this thread but I guess without a response he modified my comments into utter lies and left them under my name. I guess the old adage that you can help the stupid but not the willfully ignorant is true. I knew he was an arch linux user and so I was expecting comment deletion in the case of moderator disagreement with the arguments (similar to the Arch Linux mailing lists where a moderator's task being meant to have nothing to do with taking sides is ignored and is even more annoying when what you said was proven right by upstream a little later). Incidentally I expect similar on Lennart's pages as they are comment free. Sorry to be wasting your time or even mentioning this useless blog but I just wanted to put the record straight and to save time for anyone who stumbles across it and hope they may now also see this in a Google search where it appears. Bear in mind these are counter points to his blog and not things I want to bring up.

_ I posted _ It is extremely one sided! How about Linux allowing modules like Nvidia and far worse like Sony to be easily installed under the safe and free flag of their repo. I can tell you OpenBSD would not allow this and allows no binary blobs and with modules disabled by default, unlike FreeBSD and Linux allowing and even including by default binary blobs that do unknown things possibly with good intentions but full of exploits. You can take BSD and do freely whatever evil you want but you cannot abuse the trust users have in OpenBSD devs by flying your dodgy code in under their flag and so under users' radars. This is because BSD only precludes plagiarism and so using OpenBSD as a selling point when it may have been modified. There are many products using OpenBSD but this cannot be revealed directly. Linux tries but can't afford to sue Nvidia, giving users a false sense of security but also well running games (I shall admit as I do give balance to my thoughts), but now they (Intel/AMD) are going open source which is extra great for the CAREful OpenBSD. And yes this CARE means it cannot go as quick as Linux, thankfully, as Torvalds can no longer check before OKaying potentially evil or insecure code (admitted himself).

_ The blog author posted anonymously after 'archlike moderation' _ BSD allows modules like Nvidia and far worse like Sony to be easily installed under the safe and free flag of their repo. I can tell you OpenBSD freely allows this including non-free firmware and with modules enabled by default, like FreeBSD allowing and even including by default binary blobs that do unknown things possibly with good intentions but full of exploits. You can take BSD and do freely whatever evil you want including abuse the mindless trust users have in OpenBSD devs by flying dodgy code in under their flag and so under users' radars. Look at what Richard Stallman said about them. BSD encourages plagiarism and so using OpenBSD as a selling point when it may have been turned into proprietary software. There are many proprietary products using OpenBSD but this cannot be revealed directly because the code is now theirs. Linux impedes Nvidia from giving users a false sense of security but also well running games (I shall admit as I do give balance to my thoughts), but now they (Intel/AMD) are going open source which is extra great for the CAREful Linux. BSD devs don't care for open source drivers (Intel/AMD). So they continue to suck proprietary cocks. Also, Linux thankfully has Torvalds to check for any potential evil code before it is included in the source tree.

I posted about his systemd page. Bane of BSD, it's hardly even mentioned on the OpenBSD list at least, maybe two very short threads stemming from things like Gnome. Even Redhat devs have said it has very insignificant impact. Anything that takes so much time on Linux lists is almost guaranteed to have flaws. I wouldn't fancy OpenBSD's record of two holes in over a decade not incrementing if they ported systemd but of course they correctly wouldn't. There's been more holes in PAM than OpenBSD and the Linux kernel would be at hundreds of holes in less than a decade but of course a bug's a bug right. Ignorance is bliss and an easy life of course, hence Windows dominance. __
Re: Network appliance recommendation.
On Sat, Aug 10, 2013 at 2:51 AM, Maurice Janssen maur...@z74.net wrote: On 08/09/13 17:05, Francisco Valladolid H. wrote: Hi folks. Currently I have a Wireless network serving in my town using a small form factor (mini-itx) PC with OpenBSD for pf, squid, and dns cache. I need recommendations for a network appliance in rack mode with flash storage and five rj45 ports. Can anyone recommend a solution for my needs? Axiomtek NA-320R might be an alternative. Rack mount, 6 gbit ports, CF-storage and Atom 1.6 GHz CPU.

Thank you Maurice, excellent recommendation. Maurice -- Francisco Valladolid H. -- http://blog.bsdguy.net - Jesus Christ follower.
Re: Post-quantum cryptography
On Sat, Aug 10, 2013 at 01:33:11PM +0200, Mirco Richter wrote: Can you please point me to where this is related to OBSD? I think your question as intended was, is the OpenBSD project working on pqcrypto. The answer is no: The OpenBSD project does not invent new primitives; it only implements them (or uses existing implementations) once thoroughly tested and reviewed by the cryptographic community. And at the moment, pqcrypto is not sufficiently far advanced to be anywhere near that status. At the moment, the pqcrypto.org site already mentioned covers the state of the art. Nicolai
Re: Network appliance recommendation.
On 08/10/2013 06:01 PM, Francisco Valladolid H. wrote: On Sat, Aug 10, 2013 at 2:51 AM, Maurice Janssen maur...@z74.net wrote: On 08/09/13 17:05, Francisco Valladolid H. wrote: Hi folks. Currently I have a Wireless network serving in my town using a small form factor (mini-itx) PC with OpenBSD for pf, squid, and dns cache. I need recommendations for a network appliance in rack mode with flash storage and five rj45 ports. Can anyone recommend a solution for my needs? Axiomtek NA-320R might be an alternative. Rack mount, 6 gbit ports, CF-storage and Atom 1.6 GHz CPU. Thank you Maurice, excellent recommendation. Maurice

I know you say appliance, however, how about an embedded system? Since you already run OpenBSD on a Mini-ITX system, a 1U rack chassis for Mini-ITX plus an Intel based network card should also give up to 6-7 GbE ports plus an SSD or other flash drive alternative.. e.g. http://www.steatite-embedded.co.uk/ as examples for chassis and systemboard. It might not be what you want since you did say appliance but still it is a thought :-) Regards, Kaya
Re: Post-quantum cryptography
Sent: Saturday, 10 August 2013 at 19:11 From: Nicolai nicolai-om...@chocolatine.org To: misc@openbsd.org Subject: Re: Post-quantum cryptography On Sat, Aug 10, 2013 at 01:33:11PM +0200, Mirco Richter wrote: Can you please point me to where this is related to OBSD? I think your question as intended was, is the OpenBSD project working on pqcrypto.

The question was if the OBSD project works on an implementation! of such a cypher, since from a purely mathematical POV, there are already proven pq-hard cyphers.

The answer is no: The OpenBSD project does not invent new primitives;

Of course I don't expect the OBSD project to do pqcypher research. So you say that from the OBSD POV, the project wants to wait until someone else implements such a cypher and has proven that the implementation is practically as secure as the mathematical model already predicts?

it only implements them (or uses existing implementations) once thoroughly tested and reviewed by the cryptographic community. And at the moment, pqcrypto is not sufficiently far advanced to be anywhere near that status.

AES-256 is considered to be a pqcrypto-hard system. Isn't it a well tested and reviewed cypher? best /mirco
Re: log file's watchers
On 10 August 2013 16:10, alex pae33...@gmail.com wrote: Hi! Does anybody work with tools like logsentry, swatch, logtail or others? What is your preference? I installed swatch on a current i386 system. My swatch.conf looks like this:

..
watchfor /INVALID|REPEATED|INCOMPLETE|[Ff]ail /
  echo magenta_h
  bell 3
  mail addresses=myname\@mydomain, subject=Bad_login_attempt
watchfor /invalid|repeated|incomplete/
  echo
  write myname
  mail addresses=myname\@localhost, subject=Authentication Problems
watchfor /BAD SU|bad su/
  echo
  write myname
  mail addresses=myname\@localhost, subject=SU Problems

When I start swatch:

#/usr/local/bin/swatch --daemon --config-file=/etc/swatch.conf --tail-file=/var/log/authlog --pid-file=/var/run/swatch.pid

it's OK, but if I run $su (with a wrong password) the system meets me with silence :( What's wrong with my swatch.conf? Thanks, Alex P.S. DNS mail servers work OK

Hello, I started with swatch but for some reason it ended up creating zombie forks. Then I switched to logfmon and have been using that for a while now. It serves my needs perfectly and I also find the syntax more convenient than swatch's. Try it and see what suits your needs. So, here's my 2 cents on this matter :) -- Cheers, Ville Valkonen
Re: Post-quantum cryptography
2013/8/10 Mirco Richter mirco.rich...@email.de: say that from the OBSD POV, the project wants to wait until someone else implements such a cypher and has proven that the implementation is practically as secure as the mathematical model already predicts?

Yes. Now show us your cypher or go away.
Re: Don't read this - OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the truth - as author rewrites your comments and can't spell
I doubt if anyone on this list will believe that it was actually you who posted it in its current form. Besides, thanks for passing it along - it is excellent light reading over a weekend - tickled me to death! -ag -- sent via 100% recycled electrons from my mobile command center.

On Aug 10, 2013, at 9:19 AM, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote: While searching for 'OpenBSD bad package CONTENTS' I somehow came across this and got sucked in when I shouldn't have. OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the truth http://aboutthebsds{dot}wordpress{dot}com Well I had a go at educating the author of this thread but I guess without a response he modified my comments into utter lies and left them under my name. I guess the old adage that you can help the stupid but not the willfully ignorant is true. I knew he was an arch linux user and so I was expecting comment deletion in the case of moderator disagreement with the arguments (similar to the Arch Linux mailing lists where a moderator's task being meant to have nothing to do with taking sides is ignored and is even more annoying when what you said was proven right by upstream a little later). Incidentally I expect similar on Lennart's pages as they are comment free. Sorry to be wasting your time or even mentioning this useless blog but I just wanted to put the record straight and to save time for anyone who stumbles across it and hope they may now also see this in a Google search where it appears. Bear in mind these are counter points to his blog and not things I want to bring up. _ I posted _ It is extremely one sided! How about Linux allowing modules like Nvidia and far worse like Sony to be easily installed under the safe and free flag of their repo. 
I can tell you OpenBSD would not allow this and allows no binary blobs and with modules disabled by default, unlike FreeBSD and Linux allowing and even including by default binary blobs that do unknown things possibly with good intentions but full of exploits. You can take BSD and do freely whatever evil you want but you cannot abuse the trust users have in OpenBSD devs by flying your dodgy code in under their flag and so under users' radars. This is because BSD only precludes plagiarism and so using OpenBSD as a selling point when it may have been modified. There are many products using OpenBSD but this cannot be revealed directly. Linux tries but can't afford to sue Nvidia, giving users a false sense of security but also well running games (I shall admit as I do give balance to my thoughts), but now they (Intel/AMD) are going open source which is extra great for the CAREful OpenBSD. And yes this CARE means it cannot go as quick as Linux, thankfully, as Torvalds can no longer check before OKaying potentially evil or insecure code (admitted himself). _ The blog author posted anonymously after 'archlike moderation' _ BSD allows modules like Nvidia and far worse like Sony to be easily installed under the safe and free flag of their repo. I can tell you OpenBSD freely allows this including non-free firmware and with modules enabled by default, like FreeBSD allowing and even including by default binary blobs that do unknown things possibly with good intentions but full of exploits. You can take BSD and do freely whatever evil you want including abuse the mindless trust users have in OpenBSD devs by flying dodgy code in under their flag and so under users' radars. Look at what Richard Stallman said about them. BSD encourages plagiarism and so using OpenBSD as a selling point when it may have been turned into proprietary software. There are many proprietary products using OpenBSD but this cannot be revealed directly because the code is now theirs. 
Linux impedes Nvidia from giving users a false sense of security but also well running games (I shall admit as I do give balance to my thoughts), but now they (Intel/AMD) are going open source which is extra great for the CAREful Linux. BSD devs don't care for open source drivers (Intel/AMD). So they continue to suck proprietary cocks. Also, Linux thankfully has Torvalds to check for any potential evil code before it is included in the source tree. I posted about his systemd page. Bane of BSD, it's hardly even mentioned on the OpenBSD list at least, maybe two very short threads stemming from things like Gnome. Even Redhat devs have said it has very insignificant impact. Anything that takes so much time on Linux lists is
Re: C partition of type 4.2BSD
On 08/09/13 23:34, Kenneth R Westerback wrote: On Fri, Aug 09, 2013 at 04:54:01PM -0400, Kenneth R Westerback wrote: On Fri, Aug 09, 2013 at 11:38:16AM +0200, Federico Giannici wrote: ... disklabel(8) contains a description of the 'z' command available in the -E mode. It should kill 'c' dead. Just add 'a' back with the same parameters it had before. Not that Nick's solution isn't more fun! Ken Or it could be a nifty snare in the kernel that is accidentally preserving info that should not be preserved. This is probably not the best patch, but it does let me use 'disklabel -e sd2' to set 'c' to 'unused'. Ken

This makes things much better. ok nick@ on the general idea and the results, but I won't pass judgement on the implementation. Nick.

Index: subr_disk.c === RCS file: /cvs/src/sys/kern/subr_disk.c,v retrieving revision 1.150 diff -u -p -r1.150 subr_disk.c --- subr_disk.c 3 Jul 2013 15:21:40 - 1.150 +++ subr_disk.c 10 Aug 2013 03:23:26 - @@ -655,6 +674,8 @@ setdisklabel(struct disklabel *olp, stru if (DL_GETPOFFSET(npp) != DL_GETPOFFSET(opp) || DL_GETPSIZE(npp) DL_GETPSIZE(opp)) return (EBUSY); + if (i == RAW_PART) + continue; /* * Copy internally-set partition information * if new label doesn't include it. XXX
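Review bot: the hunk header `@@ -655,6 +674,8 @@` places the new lines 19 lines later than the old ones, so the working tree carries other changes besides this two-line addition, and the context line `DL_GETPSIZE(npp) DL_GETPSIZE(opp)` has lost its comparison operator in the mail; anyone testing should regenerate the diff against a clean 1.150 rather than apply this text as posted. On the logic, `if (i == RAW_PART) continue;` sits after the EBUSY test, so an open raw partition whose offset or size differs is still rejected, and only the "Copy internally-set partition information" step below is bypassed for 'c', which is the step Ken describes as accidentally preserving the old entry; a one-line comment stating that the raw partition is deliberately never inherited from the old label would make that intent clear to the next reader.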
Re: Don't read this - OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the truth - as author rewrites your comments and can't spell
OpenBSD’s PF: A stripped down copy of IPTABLES made my day. :) -- Michał Markowski
Re: Network appliance recommendation.
On 2013-08-10, Maurice Janssen maur...@z74.net wrote: On 08/09/13 17:05, Francisco Valladolid H. wrote: Hi folks. Currently I have a Wireless network serving in my town using a small form factor (mini-itx) PC with OpenBSD for pf, squid, and dns cache. I need recommendations for a network appliance in rack mode with flash storage and five rj45 ports. Can anyone recommend a solution for my needs? Axiomtek NA-320R might be an alternative. Rack mount, 6 gbit ports, CF-storage and Atom 1.6 GHz CPU. Maurice

These can be hard to get via the usual Axiomtek reseller channels, but these are the same thing with a different front plate: https://shop.bytemine.net/startseitenprodukte/bytemine-openbsd-appliance-6a16e.html https://shop.bytemine.net/startseitenprodukte/bytemine-appliance-6a16er.html
Re: Post-quantum cryptography
On Sat, Aug 10, 2013 at 08:13:10PM +0200, Mirco Richter wrote: AES-256 is considered to be a pqcrypto-hard system.

You also need key negotiation, a mode of operation, and a MAC function to tie it all together. Cryptography is a very complicated field. You know, a lotta ins, lotta outs, lotta what-have-you's. Lotta bits to keep in the cache. Luckily I'm adhering to a pretty strict constant-time regimen to keep my output limber. Nicolai
Re: Two questions.
On Fri, Aug 9, 2013 at 7:13 PM, Michael W. Lucas mwlu...@michaelwlucas.com wrote: On Fri, Aug 09, 2013 at 06:45:10PM -0600, Theo de Raadt wrote: On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote: ... The first one. We all know that the operating system OpenBSD largely depends on its lead, so what will happen when the time comes for Theo? We all know that so far people do not live thousands of years... I think that not only I would be interested to know the future of this great project in case something happens. Please do not misunderstand me here, I do not wish anything bad for Theo, I just need to be sure that there are others who could keep the project going. Same thing that happens for any open source volunteer project, or any sole proprietorship...or any corporation. Someone(s) may step up, they may not. They may succeed in keeping the team together, they may not. The project may improve, it may lessen. What a bunch of worrying baloney. I have asexually reproduced a few times, and put the other copies of myself in stasis. In the event that I fall off a mountain or get attacked by a group of dogs in central Turkey, a copy is automatically brought out of stasis to continue the effort. The process is so transparent, that you won't even know if it has happened before... Excellent detail on the process. I'll get an errata out for Absolute OpenBSD. But I do wish you'd mentioned this before we went to print.

Hahaha, very very nice.
Re: Network appliance recommendation.
I recommend the Atom 1U by Supermicro. If you buy a PCI riser with it you can extend how many interfaces you have (the board comes with two). You can get a cheap SSD and you're set. I've been running one as a firewall-vpn for two years and it works great. Sent from my iPhone

On Aug 9, 2013, at 11:06 AM, Francisco Valladolid H. fic...@gmail.com wrote: Hi folks. Currently I have a Wireless network serving in my town using a small form factor (mini-itx) PC with OpenBSD for pf, squid, and dns cache. I need recommendations for a network appliance in rack mode with flash storage and five rj45 ports. Can anyone recommend a solution for my needs? I'm disappointed using other network solutions with proprietary brands in the market. Best Regards. P.S sorry for my bad English. -- Francisco Valladolid H. -- http://blog.bsdguy.org - Jesus Christ follower.
Re: openBGPd - 2/4byte AS prepend
On 2013-08-02, OCEANET - Cédric BASSAGET ced...@oceanet.com wrote: Always working on my problem, if anybody can help me please. Here's a tcpdump of BGP exchanges between the neighbor (192.168.53.118) and me (192.168.53.113):

_Open from my neighbor, no 4 Byte AS capability :_
17:26:04.529327 IP (tos 0xc0, ttl 1, id 16154, offset 0, flags [DF], proto TCP (6), length 79)
    192.168.53.113.44169 > 192.168.53.118.bgp: Flags [P.], cksum 0x6e87 (correct), seq 687533061:687533100, ack 2368601536, win 16384, length 39: BGP, length: 39
        Open Message (1), length: 39
          Version 4, my AS 65426, Holdtime 20s, ID 46.226.128.1
          Optional parameters, length: 10
            Option Capabilities Advertisement (2), length: 8
              Multiprotocol Extensions (1), length: 4
                AFI IPv4 (1), SAFI Unicast (1)
                0x: 0001 0001

_Open from me, 4 Byte AS capability :_
17:26:04.530298 IP (tos 0xc0, ttl 1, id 61896, offset 0, flags [DF], proto TCP (6), length 93)
    192.168.53.118.bgp > 192.168.53.113.44169: Flags [P.], cksum 0x7ecf (correct), seq 1:54, ack 39, win 16345, length 53: BGP, length: 53
        Open Message (1), length: 53
          Version 4, my AS 35330, Holdtime 180s, ID 192.168.53.118
          Optional parameters, length: 24
            Option Capabilities Advertisement (2), length: 6
              Multiprotocol Extensions (1), length: 4
                AFI IPv4 (1), SAFI Unicast (1)
                0x: 0001 0001
            Option Capabilities Advertisement (2), length: 2
              Route Refresh (Cisco) (128), length: 0
            Option Capabilities Advertisement (2), length: 2
              Route Refresh (2), length: 0
            Option Capabilities Advertisement (2), length: 6
              *32-Bit AS Number (65), length: 4
                4 Byte AS 35330*
                0x: 8a02

_Keepalives..._
17:26:04.530350 IP (tos 0xc0, ttl 1, id 61897, offset 0, flags [DF], proto TCP (6), length 59)
    192.168.53.118.bgp > 192.168.53.113.44169: Flags [P.], cksum 0x320e (correct), seq 54:73, ack 39, win 16345, length 19: BGP, length: 19
        Keepalive Message (4), length: 19
17:26:04.530479 IP (tos 0xc0, ttl 1, id 28050, offset 0, flags [DF], proto TCP (6), length 59)
    192.168.53.113.44169 > 192.168.53.118.bgp: Flags [P.], cksum 0x31e7 (correct), seq 39:58, ack 73, win 16365, length 19: BGP, length: 19
        Keepalive Message (4), length: 19

_Update :_
17:26:04.530926 IP (tos 0xc0, ttl 1, id 37630, offset 0, flags [DF], proto TCP (6), length 94)
    192.168.53.113.44169 > 192.168.53.118.bgp: Flags [P.], cksum 0x4a46 (correct), seq 58:112, ack 73, win 16384, length 54: BGP, length: 54
        Update Message (2), length: 54
          Origin (1), length: 1, Flags [T]: IGP
            0x: 00
          *AS Path (2), length: 4, Flags [T]: 23456*
            0x: 0201 5ba0
          Next Hop (3), length: 4, Flags [T]: 192.168.53.113
            0x: c0a8 3571
          *AS4 Path (17), length: 6, Flags [OT]: 4 byte AS*
            0x: 0201 0003 039c
          Updated routes:
            net/21

_Error notification :_
17:26:04.531860 IP (tos 0xc0, ttl 1, id 61899, offset 0, flags [DF], proto TCP (6), length 68)
    192.168.53.118.bgp > 192.168.53.113.44169: Flags [P.], cksum 0xc800 (correct), seq 73:101, ack 112, win 16272, length 28: BGP, length: 28
        *Notification Message (3), length: 28, UPDATE Message Error (3), subcode Malformed AS_PATH (11)*

Regards, Cédric

I think this is a config error, bgpd behaviour seems correct according to RFC 4893.

To represent 4-octet AS numbers (which are not mapped from 2-octets) as 2-octet AS numbers in the AS path information encoded with 2-octet AS numbers, this document reserves a 2-octet AS number. We denote this special AS number as AS_TRANS for ease of description in the rest of this specification. This AS number is also placed in the My Autonomous System field of the OPEN message originated by a NEW BGP speaker, if the speaker does not have a (globally unique) 2-octet AS number.

so, the rfc says:
1. in the OPEN you use either AS_TRANS or a unique other 16-bit AS number
but,
2. in AS_PATH when talking to an old bgp speaker, you use AS_TRANS (*not* some other ASN) to replace any 32-bit ASN.
additionally, whenever peers that handle 32-bit ASN talk to each other, they *always* use just AS_PATH (writing 32-bit ASNs in full), but when they talk to an old 16-bit-only peer, they *regenerate* AS_PATH as 16 bits by writing AS_TRANS in place of any 32-bit ASNs in the path - so even if you were allowed to use a number other than AS_TRANS in the (16-bit) path, that would be overwritten anyway when the update is received by another 32-bit speaker and then passed on to another 16-bit speaker. I think your options are: - ask the 16-bit-only peer to update to current software (usually preferred) - ask the 16-bit-only peer to disable enforce neighbor-as or equivalent - use the default AS_TRANS
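As an added illustration (my own code, not OpenBGPD's or anything from the thread), this parses the AS_PATH and AS4_PATH attribute bytes shown in the dump above and applies the RFC 4893 rules the reply describes: AS_TRANS substitution towards a 2-byte-only peer, reconstruction of the real path at a 4-byte speaker, and the first-hop check that an "enforce neighbor-as" style setting performs (my reading of that setting; the function name is mine).

```python
import struct

AS_TRANS = 23456   # RFC 4893: 2-byte placeholder for any ASN that needs 4 bytes

def parse_path(value: bytes, as_size: int):
    """Split the value of an AS_PATH (as_size 2 or 4) or AS4_PATH (as_size 4)
    attribute into (segment_type, [asn, ...]) tuples; type 2 is AS_SEQUENCE."""
    segments, pos = [], 0
    while pos < len(value):
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        need = count * as_size
        if pos + need > len(value):
            raise ValueError("truncated AS path segment")
        fmt = ">%d%s" % (count, "H" if as_size == 2 else "I")
        segments.append((seg_type, list(struct.unpack(fmt, value[pos:pos + need]))))
        pos += need
    return segments

def downgrade_to_2byte(asns):
    """What a 4-byte speaker does to AS_PATH towards a 2-byte-only peer:
    every ASN that does not fit in 16 bits becomes AS_TRANS, never another number."""
    return [asn if asn <= 0xFFFF else AS_TRANS for asn in asns]

def reconstruct_4byte(as_path, as4_path):
    """Rebuild the real path at a 4-byte speaker (RFC 4893 rules for received
    updates): the trailing entries of AS_PATH are replaced by AS4_PATH; an
    AS4_PATH longer than AS_PATH is ignored."""
    flat2 = [a for _, seg in as_path for a in seg]
    flat4 = [a for _, seg in as4_path for a in seg]
    if len(flat4) > len(flat2):
        return flat2
    return flat2[:len(flat2) - len(flat4)] + flat4

def first_hop_matches(as_path, neighbor_as):
    """The check an "enforce neighbor-as" style setting performs (my reading):
    the leftmost ASN in AS_PATH must be the AS the peer announced in its OPEN."""
    return bool(as_path) and as_path[0][1][:1] == [neighbor_as]

# Attribute values copied from the hex in the tcpdump above.
AS_PATH_BYTES = bytes.fromhex("02015ba0")       # AS_SEQUENCE, 1 entry: 23456
AS4_PATH_BYTES = bytes.fromhex("02010003039c")  # AS_SEQUENCE, 1 entry: 197532

def decode_update_paths():
    as_path = parse_path(AS_PATH_BYTES, 2)
    as4_path = parse_path(AS4_PATH_BYTES, 4)
    return as_path, as4_path, reconstruct_4byte(as_path, as4_path)

if __name__ == "__main__":
    p2, p4, real = decode_update_paths()
    print("AS_PATH", p2, "AS4_PATH", p4, "real path", real, "first hop == 65426?", first_hop_matches(p2, 65426))
```

Run against the dump's bytes, the AS_PATH carries only AS_TRANS while AS4_PATH yields 197532, and the first-hop check against the OPEN's AS 65426 fails, which is the mismatch the notification reports.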
Re: SSHD setup
Thank you for the help, I think I hadn't done a reboot. I saw sshd starting during the boot I believe. What else would I need to do to be able to use my MacBook to ssh to the openbsd system? My domain is hostname.my.domain. On my MacBook I type ssh hostname.my.domain and after awhile it returns operation timed out. I'm really just starting to try to learn UNIX and computing as you can see. Any help is much appreciated.

Sent from my Windows Phone

From: Matthew Weigel
Sent: 8/9/2013 4:32 PM
To: misc@openbsd.org
Subject: Re: SSHD setup

On 08/09/2013 03:24 PM, Lance Ferrer wrote:
> I'm not sure if I need to create the keys or what, looking for a little bit of guidance. Sorry for the trouble with probably such a simple task. Did quite a bit of googling, no luck

You could create them yourself by running ssh-keygen -A as root. However, that is run at every boot by /etc/rc (it only generates keys if there are no existing keys), so I would guess either a) you haven't rebooted yet or b) something is wrong with your system that is preventing these files from getting created.

You don't need sshd_flags in /etc/rc.conf.local unless you want to change the default set in /etc/rc.conf.

-- 
Matthew Weigel
hacker
unique idempot . ent
Re: Network appliance recomendation.
On Sat, Aug 10, 2013 at 08:09:02PM +0000, Stuart Henderson wrote:
| These can be hard to get via the usual axiomtek reseller channels, but these are
| the same thing with a different front plate:
|
| https://shop.bytemine.net/startseitenprodukte/bytemine-openbsd-appliance-6a16e.html
| https://shop.bytemine.net/startseitenprodukte/bytemine-appliance-6a16er.html

I have the 6a16e (i.e. the non-rackmountable version) and have been very happy with it. Highly recommend it!

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: SSHD setup
On Sat, 10 Aug 2013, Lance Ferrer wrote:
> Thank you for the help, I think I hadn't done a reboot. I saw sshd starting during the boot I believe. What else would I need to do to be able to use my MacBook to ssh to the openbsd system? My domain is hostname.my.domain. On my MacBook I type ssh hostname.my.domain and after awhile it returns operation timed out.

That would probably be a DNS issue; check the IP of the OBSD box:

    ifconfig -a                    to see all interfaces
    ifconfig <active interface>    to see just the active one

If you ssh to that IP from your MacBook you will not need a DNS or hosts entry.

Lee
Re: Network appliance recomendation.
On Sat, Aug 10, 2013 at 5:15 PM, Paul de Weerd we...@weirdnet.nl wrote:
> On Sat, Aug 10, 2013 at 08:09:02PM +0000, Stuart Henderson wrote:
> | These can be hard to get via the usual axiomtek reseller channels, but these are
> | the same thing with a different front plate:
> |
> | https://shop.bytemine.net/startseitenprodukte/bytemine-openbsd-appliance-6a16e.html
> | https://shop.bytemine.net/startseitenprodukte/bytemine-appliance-6a16er.html
>
> I have the 6a16e (i.e. the non-rackmountable version) and have been very happy with it. Highly recommend it!

Thank you Paul. This model is very expensive plus the shipping and import duties to Mexico..

Regards

> Paul 'WEiRD' de Weerd
>
> -- 
> [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/

-- 
Francisco Valladolid H. -- http://blog.bsdguy.net - Jesus Christ follower.