Re: Two questions.

2013-08-10 Thread Jeff O'Neal
So the rumors are true: the movie below is based on the process developed/used
by Theo..


http://en.wikipedia.org/wiki/Moon_(film)



Theo de Raadt dera...@cvs.openbsd.org wrote:

 On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote:
 ...
  The first one. We all know that the operating system OpenBSD largely
  depends on lead, so what will happen when time will come for Theo? We
  all know that so far people do not live thousands of years... I think
  that not only me would be interesting to know the future of this great
  project in case something happens. Please do not misunderstand me here,
  I do not wish anything bad for Theo, I just need to be sure that there
  are others who could keep project going.
 
 same thing that happens for any open source volunteer project, or any 
 sole proprietorship...or any corporation.  Someone(s) may step up, they 
 may not.  They may succeed in keeping the team together, they may not. 
 The project may improve, it may lessen.

What a bunch of worrying baloney.

I have asexually reproduced a few times, and put the other copies of
myself in stasis.

In the event that I fall off a mountain or get attacked by a group of
dogs in central Turkey, a copy is automatically brought out of stasis
to continue the effort.

The process is so transparent, that you won't even know if it has
happened before...



Re: Network appliance recommendation.

2013-08-10 Thread Maurice Janssen

On 08/09/13 17:05, Francisco Valladolid H. wrote:

Hi folks.

Currently I have a Wireless network serving in my town using a small
form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache.

I need recommendations for a network appliance in rack mode with flash
storage and five rj45 ports.

Can anyone recommend a solution for my needs?


Axiomtek NA-320R might be an alternative.  Rack mount, 6 gbit ports, 
CF-storage and Atom 1.6 GHz CPU.


Maurice



Post-quantum cryptography

2013-08-10 Thread Mirco Richter
It is long known that almost all asymmetric ciphers of practical importance
today are easily broken using Shor's algorithm

https://en.wikipedia.org/wiki/Shor's_algorithm

which can only run on a quantum computer. In particular, every inverse
logarithm and prime factorization based cipher isn't exponentially complex
but just polynomial in time, using that algorithm.

Now looking at this

http://spectrum.ieee.org/tech-talk/computing/hardware/scientists-confirm-dwave-computer-chips-compute-using-quantum-mechanics

one may think it is time to implement a post-quantum asymmetric key
cryptographic system.

Are there any attempts to do this? Are there discussions about which of the
mathematically possible systems are best in practice, and so forth? Are there
even implementations yet?

/mirco



Re: C partition of type 4.2BSD

2013-08-10 Thread Federico Giannici

On 08/09/13 22:54, Kenneth R Westerback wrote:

On Fri, Aug 09, 2013 at 11:38:16AM +0200, Federico Giannici wrote:

I don't know how I made it (probably in previous releases of OS),
but now I have a disk with the following disklabel:

# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: ST1000DM003-9YN1
duid: b0e3fc037df87899
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 121601
total sectors: 1953525168
boundstart: 64
boundend: 1953520065
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:       1953519936               64  4.2BSD   8192 65536     1 # /bu
  c:       1953525168                0  4.2BSD   2048 16384     1


As you can see the c partition is not of type unused, and some
commands complain of this.

I wasn't able to change this situation. I tried with disklabel -E
sd2, disklabel -d sd2, disklabel -R sd2 proto (with a proper
proto file), but nothing changed.

What is the proper way to handle this?
Please note that a partition contains data that must be preserved
(I umounted that partition before all disklabel commands).

The system is a 5.3 amd64, and sd2 is a normal SATA disk.

Thanks.



disklabel(8) contains a description of the 'z' command available
in the -E mode. It should kill 'c' dead. Just add 'a' back with the
same parameters it had before.

Not that Nick's solution isn't more fun!

 Ken



Unfortunately neither your suggestion nor Nick's (the 4b variant) worked;
the disklabel always remained the same...


Thanks.



Re: ospfd/ospf6d causing denial of service(?)

2013-08-10 Thread Colin Baker
 There was a bug.
 
 It was in software you got for free.  It is hopefully fixed, before
 the next bug is found and fixed.  In the meantime, further
 advancements will improve that software so that it continues to do
 neat innovative things.
 
 and takes down an entire network with ridiculous amounts of  
 pps is not considered serious?
 
 OK, let me call it serious, just for a minute.  Do you feel better?
 Hey, does everyone else feel better?  Hell, does anyone feel better?
 
 I doubt it.
 
 I don't think I understand the logic here.
 
 What does logic have to do with calling something serious or not
 calling it serious?  Am I calling it serious in the right places?
 Do I need to put it on a web page, or a wiki, or is my logic faulty
 for not broadcasting it enough?  Should claudio write it on his chest
 in permanent marker for you to be satisfied?
 
 Because clearly you are only mouthing off because you want to be
 satisfied.
 
 All users of 4.9 (possibly even 4.8) deserve to have this fixed so  
 they don't suffer the same fate.
 
 Oh... all users.
 
 How about me, on my little laptop having a glass of wine with friends.
 Do I deserve a fix right now, before I suffer the fate of the ospfd
 bug?  I doubt it.
 
 And deserve?
 
 No one deserves anything from us.  People get good things, and they are
 happy.  The developers in this project do the best they can writing
 innovative software, and will not accept preaching from pompous
 self-entitled American pricks like you.
 
 And if there is anything All users deserve, it is for people like
 you to start the apologies.
 
 I believe you deserve to stop running the software.  Right now, ok?

Update: We have stopped running the software.  Yay?



Re: Post-quantum cryptography

2013-08-10 Thread Christian Weisgerber
Mirco Richter mirco.rich...@email.de wrote:

 one may think, if it's time to implement a post quantum asymetric key
 cryptographic system.
 
 Are there any attemptes to do this? Are there discussions which of the
 mathematical possible
 systems are best in practice and so forth? Are there even implementations, 
 yet?

This--the second hit when you google for post-quantum cryptography--
looks like an excellent starting point:

http://pqcrypto.org/

-- 
Christian naddy Weisgerber  na...@mips.inka.de



Re: Post-quantum cryptography

2013-08-10 Thread Mirco Richter
 Gesendet: Samstag, 10. August 2013 um 13:18 Uhr
 Von: Christian Weisgerber na...@mips.inka.de
 An: misc@openbsd.org
 Betreff: Re: Post-quantum cryptography

 Mirco Richter mirco.rich...@email.de wrote:
 
  one may think, if it's time to implement a post quantum asymetric key
  cryptographic system.
  
  Are there any attemptes to do this? Are there discussions which of the
  mathematical possible
  systems are best in practice and so forth? Are there even implementations, 
  yet?
 
 This--the second hit when you google for post-quantum cryptography--
 looks like an excellent starting point:
 
 http://pqcrypto.org/
 
 -- 
 Christian naddy Weisgerber  na...@mips.inka.de
 
 


Don't see what you imply? Can you please point me to where this is related to 
OBSD?

/mirco



Re: Two questions.

2013-08-10 Thread Michael W. Lucas
On Fri, Aug 09, 2013 at 06:45:10PM -0600, Theo de Raadt wrote:
  On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote:
  ...
   The first one. We all know that the operating system OpenBSD largely
   depends on lead, so what will happen when time will come for Theo? We
   all know that so far people do not live thousands of years... I think
   that not only me would be interesting to know the future of this great
   project in case something happens. Please do not misunderstand me here,
   I do not wish anything bad for Theo, I just need to be sure that there
   are others who could keep project going.
  
  same thing that happens for any open source volunteer project, or any 
  sole proprietorship...or any corporation.  Someone(s) may step up, they 
  may not.  They may succeed in keeping the team together, they may not. 
  The project may improve, it may lessen.
 
 What a bunch of worrying baloney.
 
 I have asexually reproduced a few times, and put the other copies of
 myself in stasis.
 
 In the event that I fall off a mountain or get attacked by a group of
 dogs in central Turkey, a copy is automatically brought out of stasis
 to continue the effort.
 
 The process is so transparent, that you won't even know if it has
 happened before...

Excellent detail on the process. I'll get an errata out for Absolute
OpenBSD.

But I do wish you'd mentioned this before we went to print.

==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code ILUVMICHAEL gets you 30% off  helps me.



Intel I210 ethernet card support

2013-08-10 Thread Peter Olsson
Hello!
Does OpenBSD support the recently released Intel I210 card?
I have searched the net but have not come up with a satisfying answer to
this.

Thanks,
Peter



Re: Usefulness of offloading cryptographic hashing of passwords

2013-08-10 Thread Ted Unangst
On Fri, Aug 09, 2013 at 21:46, Nathan Goings wrote:
 I recently read an article from facebook on password cracking.  It got

 Am I over-thinking this?

Yes. People have recently become fascinated with bizarro password
storage schemes. Something fairly simple like bcrypt (perhaps with an
increased difficulty factor if you care that much) is fine.

Or take the radical approach of using different passwords for
different services.



log file's watchers

2013-08-10 Thread alex

Hi!
Does anybody work with tools like logsentry, swatch, logtail or others?
What is your preference?
I installed swatch on a current i386 system. My swatch.conf looks like this:
..
watchfor   /INVALID|REPEATED|INCOMPLETE|[Ff]ail /
  echo magenta_h
  bell 3
  mail addresses=myname\@mydomain, subject=Bad_login_attempt

watchfor /invalid|repeated|incomplete/
  echo
  write myname
  mail addresses=myname\@localhost, subject=Authentication Problems

watchfor /BAD SU|bad su/
  echo
  write myname
  mail addresses=myname\@localhost, subject=SU Problems

When I start swatch:
#/usr/local/bin/swatch --daemon --config-file=/etc/swatch.conf 
--tail-file=/var/log/authlog --pid-file=/var/run/swatch.pid

it's OK, but if I run
$su (with a wrong password)
the system meets me with silence :(

What's wrong with my swatch.conf?

Thanks,
Alex

P.S. DNS & mail servers work OK

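As an added illustration (not the poster's swatch setup, not swatch's code and not OpenBSD's), the three watchfor rules from the post above expressed as plain Python and run over a few constructed authlog-style lines, plus a follow() loop that reopens the file when newsyslog rotates it. The host name, PIDs and addresses in the sample lines are made up; the rotation handling is a general caveat for any tail-style watcher, not a diagnosis of why this particular swatch instance stayed silent.

```python
"""Added example: the poster's three swatch rules as Python, run over
constructed OpenBSD-style authlog lines, with a rotation-aware tail."""
import os
import re
import time

# The poster's watchfor patterns, verbatim, paired with the mail subject
# each rule sends. Note the trailing space in "[Ff]ail ": it matches "fail "
# as a whole word but not "Failed".
RULES = [
    ("Bad_login_attempt", re.compile(r"INVALID|REPEATED|INCOMPLETE|[Ff]ail ")),
    ("Authentication Problems", re.compile(r"invalid|repeated|incomplete")),
    ("SU Problems", re.compile(r"BAD SU|bad su")),
]


def classify(line):
    """Return the subject of every rule whose regex matches the line.
    A list rather than the first hit, because swatch evaluates each
    watchfor block independently and may fire several for one line."""
    return [subject for subject, rx in RULES if rx.search(line)]


def scan(lines):
    """Run classify() over an iterable of lines; yield (subject, line)."""
    for line in lines:
        for subject in classify(line):
            yield subject, line


def follow(path, poll=1.0):
    """Tail a file like swatch --tail-file, but reopen it when the inode
    changes: newsyslog rotates /var/log/authlog by renaming it, and a
    watcher that keeps the old descriptor reads the rotated copy and goes
    silent for everything logged after the rotation."""
    while True:
        try:
            with open(path) as fh:
                ino = os.fstat(fh.fileno()).st_ino
                fh.seek(0, os.SEEK_END)
                while True:
                    line = fh.readline()
                    if line:
                        yield line.rstrip("\n")
                        continue
                    time.sleep(poll)
                    try:
                        if os.stat(path).st_ino != ino:
                            break  # rotated: reopen in the outer loop
                    except FileNotFoundError:
                        break
        except FileNotFoundError:
            time.sleep(poll)


# Constructed sample lines in the shape of OpenBSD's authlog (host "gw",
# PIDs and addresses are invented for the example).
SAMPLE_AUTHLOG = [
    "Aug 10 15:01:02 gw su: BAD SU alex to root on /dev/ttyp0",
    "Aug 10 15:01:40 gw sshd[1234]: Failed password for invalid user admin "
    "from 192.0.2.10 port 51234 ssh2",
    "Aug 10 15:02:05 gw login: REPEATED login failures on ttyC0, alex",
    "Aug 10 15:02:30 gw sshd[1240]: Accepted publickey for alex "
    "from 192.0.2.20 port 51300 ssh2",
]

if __name__ == "__main__":
    for subject, line in scan(SAMPLE_AUTHLOG):
        print(f"[{subject}] {line}")
    # To watch the live file instead of the samples:
    # for subject, line in scan(follow("/var/log/authlog")): ...
```

Running it over the samples shows one thing worth knowing when tuning these patterns: the sshd line is caught only by the lowercase "invalid" rule, because "[Ff]ail " with its trailing space does not match "Failed password".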


Re: Intel I210 ethernet card support

2013-08-10 Thread Jonathan Gray
On Sat, Aug 10, 2013 at 02:53:41PM +0200, Peter Olsson wrote:
 Hello!
 Does OpenBSD support the recently released Intel I210 card?
 I have searched the net but have not come up with a satisfying answer to
 this.
 
 Thanks,
 Peter

The i210/i211 chips aren't supported yet.  The i217/pch_lpt found
in the Lynx Point/Haswell PCH isn't either.  I don't think any of
the usual suspects have hardware yet.



Don't read this - OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the truth - as author rewrites your comments and can't spell

2013-08-10 Thread Kevin Chadwick
While searching for 'OpenBSD bad package CONTENTS' I somehow came
across this and got sucked in when I shouldn't have.

OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the
truth

http://aboutthebsds{dot}wordpress{dot}com

Well I had a go at educating the author of this thread but I guess
without a response he modified my comments into utter lies and left them
under my name. I guess the old adage that you can help the stupid but
not the willfully ignorant is true.

I knew he was an arch linux user and so I was expecting comment
deletion in the case of moderator disagreement to the arguments (similar
to the Arch Linux mailing lists where a moderators task being meant to
have nothing to do with taking sides is ignored and is even more
annoying when what you said was proven right by upstream a little
later). Incidentally I expect similar to Lennart's pages as they are
comment free.

Sorry to be wasting your time or even mentioning this useless blog, but
I just wanted to put the record straight and to save time for anyone
who stumbles across it, and hope they may now also see this in a Google
search where it appears.

Bear in mind these are counter points to his blog and not things I want
to bring up.

_

I posted
_


It is extremely one sided!

How about Linux allowing modules like Nvidia and far worse like Sony to
be easily installed under the safe and free flag of their repo.

I can tell you OpenBSD would not allow this and allows no binary blobs,
and has modules disabled by default, unlike FreeBSD and Linux allowing
and even including by default binary blobs that do unknown things,
possibly with good intentions but full of exploits. You can take BSD and
do freely whatever evil you want, but you cannot abuse the trust users
have in OpenBSD devs by flying your dodgy code in under their flag and
so under users' radars.

This is because BSD only precludes plagiarism and so using OpenBSD as a
selling point when it may have been modified. There are many products
using OpenBSD but this cannot be revealed directly.

Linux tries but can't afford to sue Nvidia, giving users a false sense
of security but also well-running games (I shall admit, as I do give
balance to my thoughts), but now they (Intel/AMD) are going open source
which is extra great for the CAREful OpenBSD.

And yes this CARE means it cannot go as quick as Linux thankfully as
Torvalds can no longer check before OKaying potentially evil or
insecure code (admitted himself).
_

The blog author posted anonymously after 'archlike moderation'
_

BSD allows modules like Nvidia and far worse like Sony to be easily
installed under the safe and free flag of their repo.

I can tell you OpenBSD freely allows this including non-free firmware
and with modules enabled by default, like FreeBSD allowing and even
including by default binary blobs that does unknown things posibly with
good intentions but full of exploits. You can take BSD and do freely
whatever evil you want including abuse the mindless trust users have in
OpenBSD devs by flying dodgy code in under their flag and so users
radars.

Look at what Richard Stallman said about them.

BSD encourages plagiarism and so using OpenBSD as a selling point when
it may have been turning into proprietary software. There are many
proprietary products using OpenBSD but this cannot be revealed directly
because the code this now thiers.

Linux impedes Nvidia from giving users a false sense of security but
also well running games (I shall admit as I do give balance to my
thoughts), but now they (Intel/AMD) are going open source which is
extra great for the CAREful Linux. BSD devs don't care for open source
drivers (Intel/AMD). So they continue to suck proprietary cocks.

Also, Linux thankfully has Torvalds to check before for any potential
evil code before it is included in the source tree.



I posted about his systemd page.


Bane of BSD, it's hardly even mentioned on the OpenBSD list at least,
maybe two very short threads stemming from things like Gnome. Even
Redhat devs have said it has very insignificant impact.

Anything that takes so much time on Linux lists is almost guaranteed to
have flaws.

I wouldn't fancy OpenBSD's record of two holes in over a decade not
incrementing if they ported systemd, but of course they correctly
wouldn't. There have been more holes in PAM than OpenBSD, and the Linux
kernel would be at hundreds of holes in less than a decade, but of course
a bug's a bug, right. Ignorance is bliss and an easy life of course,
hence Windows' dominance.

__


Re: Network appliance recommendation.

2013-08-10 Thread Francisco Valladolid H.
On Sat, Aug 10, 2013 at 2:51 AM, Maurice Janssen maur...@z74.net wrote:
 On 08/09/13 17:05, Francisco Valladolid H. wrote:

 Hi folks.

 Currently I have a Wireless network serving in my town using a small
 form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache.

 I need recommendations for a network appliance in rack mode with flash
 storage and five rj45 ports.

 Can anyone recommend a solution for my needs?


 Axiomtek NA-320R might be an alternative.  Rack mount, 6 gbit ports,
 CF-storage and Atom 1.6 GHz CPU.

Thank you Maurice, excellent recommendation.


 Maurice



-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.



Re: Post-quantum cryptography

2013-08-10 Thread Nicolai
On Sat, Aug 10, 2013 at 01:33:11PM +0200, Mirco Richter wrote:
 Can you please point me to where this is related to OBSD?

I think your question as intended was, is the OpenBSD project working on
pqcrypto.

The answer is no: The OpenBSD project does not invent new primitives; it
only implements them (or uses existing implementations) once thoroughly
tested and reviewed by the cryptographic community.  And at the moment,
pqcrypto is not sufficiently far advanced to be anywhere near that
status.  At the moment, the pqcrypto.org site already mentioned covers
the state of the art.

Nicolai



Re: Network appliance recommendation.

2013-08-10 Thread Kaya Saman
On 08/10/2013 06:01 PM, Francisco Valladolid H. wrote:
 On Sat, Aug 10, 2013 at 2:51 AM, Maurice Janssen maur...@z74.net wrote:
 On 08/09/13 17:05, Francisco Valladolid H. wrote:
 Hi folks.

 Currently I have a Wireless network serving in my town using a small
 form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache.

 I need recommendations for a network appliance in rack mode with flash
 storage and five rj45 ports.

 Can anyone recommend a solution for my needs?

 Axiomtek NA-320R might be an alternative.  Rack mount, 6 gbit ports,
 CF-storage and Atom 1.6 GHz CPU.
 Thank you Maurice, excellent recommendation.

 Maurice


I know you say appliance however, how about an embedded system? Since 
you already run OpenBSD on a Mini-ITX system, a 1U rack chassis for 
Mini-ITX plus Intel based Network card should also give up to 6-7GbE 
ports plus SSD or other flash drive alternative..


e.g. http://www.steatite-embedded.co.uk/

as examples for chassis and systemboard.

It might not be what you want since you did say appliance but still it 
is a thought :-)


Regards,


Kaya



Re: Post-quantum cryptography

2013-08-10 Thread Mirco Richter
 Gesendet: Samstag, 10. August 2013 um 19:11 Uhr
 Von: Nicolai nicolai-om...@chocolatine.org
 An: misc@openbsd.org
 Betreff: Re: Post-quantum cryptography

 On Sat, Aug 10, 2013 at 01:33:11PM +0200, Mirco Richter wrote:
  Can you please point me to where this is related to OBSD?
 
 I think your question as intended was, is the OpenBSD project working on
 pqcrypto.

The question was whether the OBSD project works on an implementation of such
a cipher, since from a purely mathematical POV there are already
proven pq-hard ciphers.

 
 The answer is no: The OpenBSD project does not invent new primitives; 

Of course I don't expect the OBSD project to do pq-cipher research. So you
say that, from the OBSD POV, the project wants to wait until someone else
implements such a cipher and has proven that the implementation is
practically as secure as the mathematical model already predicts?

 it only implements them (or uses existing implementations) once thoroughly
 tested and reviewed by the cryptographic community.  And at the moment,
 pqcrypto is not sufficiently far advanced to be anywhere near that
 status. 

AES-256 is considered to be a pqcrypto-hard system. Isn't it a well-tested
and reviewed cipher?

best /mirco 



Re: log file's watchers

2013-08-10 Thread Ville Valkonen
On 10 August 2013 16:10, alex pae33...@gmail.com wrote:
 Hi!
 Does anybody work with tools like logsentry, swatch, logtail or others?
 What is your preference?
 I installed swatch on a current i386 system. My swatch.conf looks like this:
 ..
 watchfor   /INVALID|REPEATED|INCOMPLETE|[Ff]ail /
   echo magenta_h
   bell 3
   mail addresses=myname\@mydomain, subject=Bad_login_attempt

 watchfor /invalid|repeated|incomplete/
   echo
   write myname
   mail addresses=myname\@localhost, subject=Authentication Problems

 watchfor /BAD SU|bad su/
   echo
   write myname
   mail addresses=myname\@localhost, subject=SU Problems

 When I start swatch:
 #/usr/local/bin/swatch --daemon --config-file=/etc/swatch.conf
 --tail-file=/var/log/authlog --pid-file=/var/run/swatch.pid
 it's OK, but if I run
 $su (with a wrong password)
 the system meets me with silence :(

 What's wrong with my swatch.conf?

 Thanks,
 Alex

 P.S. DNS & mail servers work OK

Hello,

I started with swatch but for some reason it ended up creating zombie
forks. Then I switched to logfmon and have been using that for a while now.
It serves my needs perfectly and I also find the syntax more
convenient than swatch's. Try and see what suits your needs.

So, here's my 2 cents for this matter :)

--
Cheers,
Ville Valkonen



Re: Post-quantum cryptography

2013-08-10 Thread Martin Schröder
2013/8/10 Mirco Richter mirco.rich...@email.de:
 say that, from the OBSD POV, the project wants to wait until someone else
 implements such a cipher and has proven that the implementation is
 practically as secure as the mathematical model already predicts?

Yes. Now show us your cypher or go away.



Re: Don't read this - OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the truth - as author rewrites your comments and can't spell

2013-08-10 Thread ag@gmail
I doubt if anyone on this list will believe that it was actually you who posted 
it in its current form.

Besides, thanks for passing it along - it is an excellent light reading over a 
weekend - tickled me to death!

-ag

--
sent via 100% recycled electrons from my mobile command center.

On Aug 10, 2013, at 9:19 AM, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:

 While searching for 'OpenBSD bad package CONTENTS' I somehow came
 across this and got sucked in when I shouldn't have.
 
 OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the
 truth
 
 http://aboutthebsds{dot}wordpress{dot}com
 
 Well I had a go at educating the author of this thread but I guess
 without a response he modified my comments into utter lies and left them
 under my name. I guess the old adage that you can help the stupid but
 not the willfully ignorant is true.
 
 I knew he was an arch linux user and so I was expecting comment
 deletion in the case of moderator disagreement to the arguments (similar
 to the Arch Linux mailing lists where a moderators task being meant to
 have nothing to do with taking sides is ignored and is even more
 annoying when what you said was proven right by upstream a little
 later). Incidentally I expect similar to Lennart's pages as they are
 comment free.
 
 Sorry to be wasting your time or even mentioning this useless blog but
 I just wanted to put the record straight and to save time for anyone
 who stumbles across it and hope may now also see this in a Google
 search where it appears.
 
 Bear in mind these are counter points to his blog and not things I want
 to bring up.
 
 _
 
 I posted
 _
 
 
 It is extremely one sided!
 
 How about Linux allowing modules like Nvidia and far worse like Sony to
 be easily installed under the safe and free flag of their repo.
 
 I can tell you OpenBSD would not allow this and allow no binary blobs
 and with modules disabled by default, unlike FreeBSD and Linux allowing
 and even including by default binary blobs that does unknown things
 posibly with good intentions but full of exploits. You can take BSD and
 do freely whatever evil you want but you cannot abuse the trust users
 have in OpenBSD devs by flying your dodgy code in under their flag and
 so users radars.
 
 This is because BSD only precludes plagiarism and so using OpenBSD as a
 selling point when it may have been modified. There are many products
 using OpenBSD but this cannot be revealed directly.
 
 Linux try's but can't afford to sue Nvidia giving users a false sense
 of security but also well running games (I shall admit as I do give
 balance to my thoughts), but now they (Intel/AMD) are going open source
 which is extra great for the CAREful OpenBSD.
 
 And yes this CARE means it cannot go as quick as Linux thankfully as
 Torvalds can no longer check before OKaying potentially evil or
 insecure code (admitted himself).
 _
 
 The blog author posted anonymously after 'archlike moderation'
 _
 
 BSD allows modules like Nvidia and far worse like Sony to be easily
 installed under the safe and free flag of their repo.
 
 I can tell you OpenBSD freely allows this including non-free firmware
 and with modules enabled by default, like FreeBSD allowing and even
 including by default binary blobs that does unknown things posibly with
 good intentions but full of exploits. You can take BSD and do freely
 whatever evil you want including abuse the mindless trust users have in
 OpenBSD devs by flying dodgy code in under their flag and so users
 radars.
 
 Look at what Richard Stallman said about them.
 
 BSD encourages plagiarism and so using OpenBSD as a selling point when
 it may have been turning into proprietary software. There are many
 proprietary products using OpenBSD but this cannot be revealed directly
 because the code this now thiers.
 
 Linux impedes Nvidia from giving users a false sense of security but
 also well running games (I shall admit as I do give balance to my
 thoughts), but now they (Intel/AMD) are going open source which is
 extra great for the CAREful Linux. BSD devs don't care for open source
 drivers (Intel/AMD). So they continue to suck proprietary cocks.
 
 Also, Linux thankfully has Torvalds to check before for any potential
 evil code before it is included in the source tree.
 
 
 
 I posted about his systemd page.
 
 
 Bane of BSD, it's hardly even mentioned on the OpenBSD list atleast,
 maybe two very short threads stemming from things like Gnome. Even
 Redhat devs have said it has very insignificant impact.
 
 Anything that takes s much time on Linux lists is 

Re: C partition of type 4.2BSD

2013-08-10 Thread Nick Holland
On 08/09/13 23:34, Kenneth R Westerback wrote:
 On Fri, Aug 09, 2013 at 04:54:01PM -0400, Kenneth R Westerback wrote:
 On Fri, Aug 09, 2013 at 11:38:16AM +0200, Federico Giannici wrote:
...
 disklabel(8) contains a description of the 'z' command available
 in the -E mode. It should kill 'c' dead. Just add 'a' back with the
 same parameters it had before.
 
 Not that Nick's solution isn't more fun!
 
  Ken

 Or it could be a nifty snare in the kernel that is accidentally preserving
 info that should not be preserved. This is probably not the best patch, but
 it does let me use 'disklabel -e sd2' to set 'c' to 'unused'.
 
  Ken

This makes things much better.
ok nick@ on the general idea and the results, but I won't pass judgement
on the implementation.

Nick.

 
 Index: subr_disk.c
 ===
 RCS file: /cvs/src/sys/kern/subr_disk.c,v
 retrieving revision 1.150
 diff -u -p -r1.150 subr_disk.c
 --- subr_disk.c   3 Jul 2013 15:21:40 -   1.150
 +++ subr_disk.c   10 Aug 2013 03:23:26 -
 @@ -655,6 +674,8 @@ setdisklabel(struct disklabel *olp, stru
   if (DL_GETPOFFSET(npp) != DL_GETPOFFSET(opp) ||
   DL_GETPSIZE(npp)  DL_GETPSIZE(opp))
   return (EBUSY);
 + if (i == RAW_PART)
 + continue;
   /*
* Copy internally-set partition information
* if new label doesn't include it. XXX
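Review bot: the hunk header "@@ -655,6 +674,8 @@" places the new side 19 lines below the old side while this hunk itself adds only two lines, so the diff was generated from a tree that already carries other, unshown edits to subr_disk.c and will not apply as-is against plain rev 1.150; regenerate it from a clean checkout, or include the missing hunks, before anyone else tests the 'c'-to-unused change. The placement of "if (i == RAW_PART) continue;" after the EBUSY check is right (an open 'c' whose new offset or size disagrees with the in-kernel label is still rejected), but the exemption wants a one-line comment beside the continue saying why the raw partition skips the "Copy internally-set partition information" step, since per Ken's note that copy is what was preserving the old 'c' fstype and the existing "XXX" remark does not explain the exception. Also, the comparison "DL_GETPSIZE(npp)  DL_GETPSIZE(opp)" shows no operator in the quoted hunk; most likely lost when the mail was archived, but confirm against the tree before committing.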



Re: Don't read this - OpenBSD: Not Free Not Fuctional and Definetly Not Secure | BSD, the truth - as author rewrites your comments and can't spell

2013-08-10 Thread Michał Markowski
OpenBSD’s PF: A stripped down copy of IPTABLES made my day. :)


-- 
Michał Markowski



Re: Network appliance recommendation.

2013-08-10 Thread Stuart Henderson
On 2013-08-10, Maurice Janssen maur...@z74.net wrote:
 On 08/09/13 17:05, Francisco Valladolid H. wrote:
 Hi folks.

 Currently I have a Wireless network serving in my town using a small
 form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache.

 I need recommendations for a network appliance in rack mode with flash
 storage and five rj45 ports.

 Can anyone recommend a solution for my needs?

 Axiomtek NA-320R might be an alternative.  Rack mount, 6 gbit ports, 
 CF-storage and Atom 1.6 GHz CPU.

 Maurice



These can be hard to get via the usual axiomtek reseller channels, but these are
the same thing with a different front plate:

https://shop.bytemine.net/startseitenprodukte/bytemine-openbsd-appliance-6a16e.html
https://shop.bytemine.net/startseitenprodukte/bytemine-appliance-6a16er.html



Re: Post-quantum cryptography

2013-08-10 Thread Nicolai
On Sat, Aug 10, 2013 at 08:13:10PM +0200, Mirco Richter wrote:

 AES-256 is considered to be a pqcrypto-hard system.

You also need key negotiation, a mode of operation, and a MAC function to
tie it all together.

Cryptography is a very complicated field.  You know, a lotta ins, lotta
outs, lotta what-have-you's.  Lotta bits to keep in the cache.  Luckily
I'm adhering to a pretty strict constant-time regimen to keep my output
limber.

Nicolai



Re: Two questions.

2013-08-10 Thread Greg Thomas
On Fri, Aug 9, 2013 at 7:13 PM, Michael W. Lucas
mwlu...@michaelwlucas.comwrote:

 On Fri, Aug 09, 2013 at 06:45:10PM -0600, Theo de Raadt wrote:
   On 08/09/2013 12:00 AM, voic...@openmailbox.org wrote:
   ...
The first one. We all know that the operating system OpenBSD largely
depends on lead, so what will happen when time will come for Theo? We
all know that so far people do not live thousands of years... I think
that not only me would be interesting to know the future of this
 great
project in case something happens. Please do not misunderstand me
 here,
I do not wish anything bad for Theo, I just need to be sure that
 there
are others who could keep project going.
  
   same thing that happens for any open source volunteer project, or any
   sole proprietorship...or any corporation.  Someone(s) may step up, they
   may not.  They may succeed in keeping the team together, they may not.
   The project may improve, it may lessen.
 
  What a bunch of worrying baloney.
 
  I have asexually reproduced a few times, and put the other copies of
  myself in stasis.
 
  In the event that I fall off a mountain or get attacked by a group of
  dogs in central Turkey, a copy is automatically brought out of stasis
  to continue the effort.
 
  The process is so transparent, that you won't even know if it has
  happened before...

 Excellent detail on the process. I'll get an errata out for Absolute
 OpenBSD.

 But I do wish you'd mentioned this before we went to print.


Hahaha, very very nice.



Re: Network appliance recommendation.

2013-08-10 Thread Bentley, Dain
I recommend the Atom 1U by Supermicro.  If you buy a PCI riser with it, you can 
extend how many interfaces you have (the board comes with two).  You can get a 
cheap SSD and you're set.  I've been running one as a firewall-VPN for two years 
and it works great.

Sent from my iPhone

On Aug 9, 2013, at 11:06 AM, Francisco Valladolid H. fic...@gmail.com wrote:

 Hi folks.
 
 Currently I have a Wireless network serving in my town using a small
 form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache.
 
 I need recommendations for a network appliance in rack mode with flash
 storage and five rj45 ports.
 
 Can anyone recommend a solution for my needs?
 
 I'm disappointed using other network solutions from proprietary
 brands in the market.
 
 Best Regards.
 
 P.S. Sorry for my bad English.
 
 -- 
 Francisco Valladolid H.
 -- http://blog.bsdguy.org - Jesus Christ follower.




Re: openBGPd - 2/4byte AS prepend

2013-08-10 Thread Stuart Henderson
On 2013-08-02, OCEANET - Cédric BASSAGET ced...@oceanet.com wrote:
 Always working on my problem, if anybody can help me please.

 Here's a tcpdump of BGP exchanges between the neighbor (192.168.53.118) 
 and me (192.168.53.113) :

 Open from my neighbor, no 4-byte AS capability:
 17:26:04.529327 IP (tos 0xc0, ttl 1, id 16154, offset 0, flags [DF], 
 proto TCP (6), length 79)
  192.168.53.113.44169 > 192.168.53.118.bgp: Flags [P.], cksum 0x6e87 
 (correct), seq 687533061:687533100, ack 2368601536, win 16384, length 
 39: BGP, length: 39
  Open Message (1), length: 39
Version 4, my AS 65426, Holdtime 20s, ID 46.226.128.1
Optional parameters, length: 10
  Option Capabilities Advertisement (2), length: 8
Multiprotocol Extensions (1), length: 4
  AFI IPv4 (1), SAFI Unicast (1)
  0x0000:  0001 0001

 Open from me, 4-byte AS capability:
 17:26:04.530298 IP (tos 0xc0, ttl 1, id 61896, offset 0, flags [DF], 
 proto TCP (6), length 93)
  192.168.53.118.bgp > 192.168.53.113.44169: Flags [P.], cksum 0x7ecf 
 (correct), seq 1:54, ack 39, win 16345, length 53: BGP, length: 53
  Open Message (1), length: 53
Version 4, my AS 35330, Holdtime 180s, ID 192.168.53.118
Optional parameters, length: 24
  Option Capabilities Advertisement (2), length: 6
Multiprotocol Extensions (1), length: 4
  AFI IPv4 (1), SAFI Unicast (1)
  0x0000:  0001 0001
  Option Capabilities Advertisement (2), length: 2
Route Refresh (Cisco) (128), length: 0
  Option Capabilities Advertisement (2), length: 2
Route Refresh (2), length: 0
  Option Capabilities Advertisement (2), length: 6
32-Bit AS Number (65), length: 4
  4 Byte AS 35330
  0x0000:  0000 8a02

 Keepalives...
 17:26:04.530350 IP (tos 0xc0, ttl 1, id 61897, offset 0, flags [DF], 
 proto TCP (6), length 59)
  192.168.53.118.bgp > 192.168.53.113.44169: Flags [P.], cksum 0x320e 
 (correct), seq 54:73, ack 39, win 16345, length 19: BGP, length: 19
  Keepalive Message (4), length: 19

 17:26:04.530479 IP (tos 0xc0, ttl 1, id 28050, offset 0, flags [DF], 
 proto TCP (6), length 59)
  192.168.53.113.44169 > 192.168.53.118.bgp: Flags [P.], cksum 0x31e7 
 (correct), seq 39:58, ack 73, win 16365, length 19: BGP, length: 19
  Keepalive Message (4), length: 19

 Update:
 17:26:04.530926 IP (tos 0xc0, ttl 1, id 37630, offset 0, flags [DF], 
 proto TCP (6), length 94)
  192.168.53.113.44169 > 192.168.53.118.bgp: Flags [P.], cksum 0x4a46 
 (correct), seq 58:112, ack 73, win 16384, length 54: BGP, length: 54
  Update Message (2), length: 54
Origin (1), length: 1, Flags [T]: IGP
  0x0000:  00
  AS Path (2), length: 4, Flags [T]: 23456
  0x0000:  0201 5ba0
Next Hop (3), length: 4, Flags [T]: 192.168.53.113
  0x0000:  c0a8 3571
  AS4 Path (17), length: 6, Flags [OT]: 4 byte AS
  0x0000:  0201 0003 039c
Updated routes:
  net/21

 Error notification:
 17:26:04.531860 IP (tos 0xc0, ttl 1, id 61899, offset 0, flags [DF], 
 proto TCP (6), length 68)
  192.168.53.118.bgp > 192.168.53.113.44169: Flags [P.], cksum 0xc800 
 (correct), seq 73:101, ack 112, win 16272, length 28: BGP, length: 28
 Notification Message (3), length: 28, UPDATE Message Error (3), 
 subcode Malformed AS_PATH (11)

 Regards,
 Cédric

I think this is a config error, bgpd behaviour seems correct according
to RFC 4893.

   To represent 4-octet AS numbers (which are not mapped from 2-octets)
   as 2-octet AS numbers in the AS path information encoded with 2-octet
   AS numbers, this document reserves a 2-octet AS number.  We denote
   this special AS number as AS_TRANS for ease of description in the
   rest of this specification.  This AS number is also placed in the My
   Autonomous System field of the OPEN message originated by a NEW BGP
   speaker, if the speaker does not have a (globally unique) 2-octet AS
   number.

so, the rfc says:

1. in the OPEN you use either AS_TRANS or a unique other 16-bit AS number

but,

2. in AS_PATH when talking to an old bgp speaker, you use AS_TRANS 
(*not* some other ASN) to replace any 32-bit ASN.

additionally, whenever peers that handle 32-bit ASN talk to each other,
they *always* use just AS_PATH (writing 32-bit ASNs in full), but when they
talk to an old 16-bit-only peer, they *regenerate* AS_PATH as 16 bits by
writing AS_TRANS in place of any 32-bit ASNs in the path - so even if you
were allowed to use a number other than AS_TRANS in the (16-bit) path,
that would be overwritten anyway when the update is received by another
32-bit speaker and then passed on to another 16-bit speaker.

I think your options are:

- ask the 16-bit-only peer to update to current software (usually preferred)

- ask the 16-bit-only peer to disable enforce neighbor-as or equivalent

- use the default AS_TRANS 
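
The AS_TRANS substitution Stuart describes, worked through in code. This is an added illustration for the thread, not bgpd code and not Cédric's configuration; the two byte strings in the demo are the AS_PATH (`0201 5ba0`) and AS4_PATH (`0201 0003 039c`) attribute values from the tcpdump above, and 197532 is simply what `0003039c` decodes to. The neighbor-AS check at the end models what an "enforce neighbor-as" style validation does in general (leftmost AS of the path must equal the peer's ASN from its OPEN); it is my sketch of that check, not a reproduction of bgpd's code path.

```python
"""RFC 4893 AS_PATH / AS4_PATH handling for 2-octet vs 4-octet capable peers.

Added illustration for the misc@ thread above; not OpenBGPD code.
"""
import struct

AS_TRANS = 23456      # reserved 2-octet ASN standing in for any 4-octet ASN (RFC 4893)
AS_SEQUENCE = 2       # path segment type seen in the captured update


def _width_fmt(four_byte):
    return (4, ">I") if four_byte else (2, ">H")


def encode_as_path(asns, four_byte):
    """Encode one AS_SEQUENCE segment with 2-octet or 4-octet ASNs."""
    width, fmt = _width_fmt(four_byte)
    if len(asns) > 255:
        raise ValueError("segment too long")
    return bytes([AS_SEQUENCE, len(asns)]) + b"".join(struct.pack(fmt, a) for a in asns)


def decode_as_path(data, four_byte):
    """Decode an AS_PATH (four_byte=False) or AS4_PATH (four_byte=True)
    attribute value into a list of (segment_type, [asn, ...])."""
    width, fmt = _width_fmt(four_byte)
    segments, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated segment header")
        seg_type, count = data[i], data[i + 1]
        i += 2
        if len(data) - i < count * width:
            raise ValueError("truncated segment body")
        asns = [struct.unpack_from(fmt, data, i + k * width)[0] for k in range(count)]
        i += count * width
        segments.append((seg_type, asns))
    return segments


def build_paths_for_peer(asns, peer_supports_as4):
    """What a 4-octet-capable (NEW) speaker sends for the given path.

    To a NEW peer: AS_PATH carries the 4-octet ASNs in full, no AS4_PATH.
    To an OLD peer: AS_PATH is regenerated with 2-octet values, AS_TRANS
    replacing every ASN that does not fit, and the full path goes in
    AS4_PATH.  Returns (as_path_bytes, as4_path_bytes_or_None).
    """
    if peer_supports_as4:
        return encode_as_path(asns, True), None
    mapped = [a if a <= 0xFFFF else AS_TRANS for a in asns]
    as_path = encode_as_path(mapped, False)
    as4_path = encode_as_path(asns, True) if mapped != asns else None
    return as_path, as4_path


def first_as_matches(as_path, four_byte, neighbor_as):
    """Generic neighbor-AS enforcement: the first ASN of the leading
    AS_SEQUENCE must equal the ASN the peer announced in its OPEN."""
    segments = decode_as_path(as_path, four_byte)
    if not segments or segments[0][0] != AS_SEQUENCE or not segments[0][1]:
        return False
    return segments[0][1][0] == neighbor_as


if __name__ == "__main__":
    captured_as_path = bytes.fromhex("02015ba0")        # AS Path (2): 23456
    captured_as4_path = bytes.fromhex("02010003039c")   # AS4 Path (17): 197532
    print("AS_PATH :", decode_as_path(captured_as_path, False))
    print("AS4_PATH:", decode_as_path(captured_as4_path, True))
    # The sender's OPEN said "my AS 65426", but its AS_PATH starts with
    # AS_TRANS, so a neighbor-AS check against 65426 fails and only passes
    # when the configured neighbor ASN is AS_TRANS itself.
    print("first AS == 65426   ?", first_as_matches(captured_as_path, False, 65426))
    print("first AS == AS_TRANS?", first_as_matches(captured_as_path, False, AS_TRANS))
    # Regenerating the path for an OLD peer reproduces the captured pair.
    print("regenerated == captured:",
          build_paths_for_peer([197532], False) == (captured_as_path, captured_as4_path))
```

`build_paths_for_peer` is also what a NEW transit speaker does when it re-advertises a route learned from another NEW speaker to an OLD one: it starts from the full 4-octet path, so any non-AS_TRANS placeholder a previous hop put into a 2-octet AS_PATH would be overwritten there, which is the point Stuart makes about the substitution not surviving.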

Re: SSHD setup

2013-08-10 Thread Lance Ferrer
Thank you for the help, I think I hadn't done a reboot. I saw sshd
starting during the boot I believe.

What else would I need to do to be able to use my MacBook to ssh to the
openbsd system? My domain is hostname.my.domain. On my MacBook I type
ssh hostname.my.domain and after a while it returns operation timed
out.

I'm really just starting to try to learn UNIX and computing as you can
see. Any help is much appreciated.

Sent from my Windows Phone From: Matthew Weigel
Sent: 8/9/2013 4:32 PM
To: misc@openbsd.org
Subject: Re: SSHD setup
On 08/09/2013 03:24 PM, Lance Ferrer wrote:

 I'm not sure if I need to create the keys or what, looking for a little
 bit of guidance.  Sorry for the trouble with probably such a simple
 task.

 Did quite a bit of googling, no luck

You could create them yourself by running ssh-keygen -A as root.
However, that is run at every boot by /etc/rc (it only generates keys if
there are no existing keys), so I would guess either a) you haven't
rebooted yet or b) something is wrong with your system that is
preventing these files from getting created.

You don't need sshd_flags in /etc/rc.conf.local unless you want to
change the default set in /etc/rc.conf.

-- 
Matthew Weigel
hacker
unique  idempot . ent



Re: Network appliance recomendation.

2013-08-10 Thread Paul de Weerd
On Sat, Aug 10, 2013 at 08:09:02PM +0000, Stuart Henderson wrote:
| These can be hard to get via the usual axiomtek reseller channels, but these are
| the same thing with a different front plate:
| 
| https://shop.bytemine.net/startseitenprodukte/bytemine-openbsd-appliance-6a16e.html
| https://shop.bytemine.net/startseitenprodukte/bytemine-appliance-6a16er.html

I have the 6a16e (i.e. the non-rackmountable version) and have been
very happy with it.  Highly recommend it!

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Re: SSHD setup

2013-08-10 Thread L. V. Lammert
On Sat, 10 Aug 2013, Lance Ferrer wrote:

 Thank you for the help, I think I hadn't done a reboot. I saw sshd
 starting during the boot I believe.

 What else would I need to do to be able to use my MacBook to ssh to the
 openbsd system? My domain is hostname.my.domain. On my MacBook I type
 ssh hostname.my.domain and after a while it returns operation timed
 out.

That would probably be a DNS issue; check the IP of the OBSD box

ifconfig -a to see all interfaces
ifconfig <active interface> to see just the active one

If you ssh to that IP from your MacBook you will not need a DNS or hosts
entry.

Lee



Re: Network appliance recomendation.

2013-08-10 Thread Francisco Valladolid H.
On Sat, Aug 10, 2013 at 5:15 PM, Paul de Weerd we...@weirdnet.nl wrote:
 On Sat, Aug 10, 2013 at 08:09:02PM +0000, Stuart Henderson wrote:
 | These can be hard to get via the usual axiomtek reseller channels, but these are
 | the same thing with a different front plate:
 |
 | https://shop.bytemine.net/startseitenprodukte/bytemine-openbsd-appliance-6a16e.html
 | https://shop.bytemine.net/startseitenprodukte/bytemine-appliance-6a16er.html

 I have the 6a16e (i.e. the non-rackmountable version) and have been
 very happy with it.  Highly recommend it!

Thank you Paul.

This model is very expensive plus the shipping and import duties to Mexico..

Regards


 Paul 'WEiRD' de Weerd

 --
[++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/




-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.