Re: fvwm in base [was: "X -configure" segmentation fault]

2013-09-11 Thread Carson Chittom
Zoran Kolic  writes:

> In fact, fvwm is in base part. 

A while ago, there was a message to misc from the fvwm developer about
relicensing fvwm to allow a more recent version into base.  I wonder if
there is any status update?



Re: "X -configure" segmentation fault

2013-09-11 Thread Carson Chittom
Heptas Torres  writes:

> Does this mean that obsd as a desktop is not really supported on the long run?

I run OpenBSD as a desktop every day.  Depends on how you mean
"supported."  (Read: The fact that upstream code isn't maintained isn't
OpenBSD's fault.  If X's autoconfigure system doesn't work for you,
then that's a bug that should be filed--presumably upstream, with X.)



Re: sudo configuration !ttytickets?

2013-09-11 Thread Andy Bradford
Thus said "Michael W. Lucas" on Wed, 11 Sep 2013 20:59:08 -0400:

> This, well, kind of surprised me. I'm sure you folks have thought this
> through in much more detail than I  have, but I can't find anything on
> the rationale behind it.

Is sudo enabled for any non-root users by default?

Andy
-- 
TAI64 timestamp: 40005231482b



sudo configuration !ttytickets?

2013-09-11 Thread Michael W. Lucas
Hi,

I've noticed that the sudo on OpenBSD seems to have !ttytickets set by
default. In other words, I authenticate sudo once on, say, ttyp4, and
all of my login sessions on all my other ttyp* have authenticated to
sudo.

This, well, kind of surprised me. I'm sure you folks have thought this
through in much more detail than I have, but I can't find anything on
the rationale behind it.

It seems insecure. Can anyone enlighten me as to the thinking here?

Thanks,
==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.



Quick question on PFS in ipsec

2013-09-11 Thread Jeff Simmons
The man page for ipsec.conf states, in regards to crypto 'suites':

"Perfect Forward Security (PFS) is enabled unless group none is specified."

So is PFS required if a group is specified or is it optional for the remote 
party? And is there a way to determine if PFS is being used by an existing 
connection?

I'm especially interested in OpenBSD <-> Cisco tunnels.

-- 
Jeff Simmons   jsimm...@goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
--  My Life With The Thrill Kill Kult



Re: No sound on Intel-iMac w/ NVIDIA MCP79

2013-09-11 Thread Stefan Wollny
On Wed, 11 Sep 2013 14:17:50 +1000, Jonathan Gray wrote:

> On Tue, Sep 10, 2013 at 09:28:38PM +0200, Stefan Wollny wrote:
> > Hi there,
> >  
> > hope, s.o. can provide a clue on why I have no sound on my iMac,
> > which with OS-X has no issues with sound at all. Full dmesg at the
> > end.
> 
> Most/all? of the apple machines seem to have audio wired up strangely
> and require various quirks.  Try this
> 
> Index: azalia_codec.c
> ===
> RCS file: /cvs/src/sys/dev/pci/azalia_codec.c,v
> retrieving revision 1.154
> diff -u -p -r1.154 azalia_codec.c
> --- azalia_codec.c27 May 2013 21:19:31 -  1.154
> +++ azalia_codec.c11 Sep 2013 04:11:32 -
> @@ -137,11 +137,13 @@ azalia_codec_init_vtbl(codec_t *this)
>   this->qrks |= AZ_QRK_WID_CDIN_1C |
> AZ_QRK_WID_BEEP_1D; if (this->subid == 0x00a1106b ||  /*
> APPLE_MB3 */ this->subid == 0x00a0106b || /* APPLE_MB3_1 */
> - this->subid == 0x00a3106b) {/* APPLE_MB4
> */
> + this->subid == 0x00a3106b ||/* APPLE_MB4
> */
> + this->subid == 0x4300106b) {/* iMac 9,1
> */ this->qrks |= AZ_QRK_GPIO_UNMUTE_0;
>   }
>   if (this->subid == 0x00a1106b ||
> - this->subid == 0x00a0106b)
> + this->subid == 0x00a0106b ||
> + this->subid == 0x4300106b)
>   this->qrks |= AZ_QRK_WID_OVREF50;
>   break;
>   case 0x10ec0888:
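Review bot: the new subid 0x4300106b is added to both conditions as a bare literal with an inline /* iMac 9,1 */ comment, while its neighbours carry names (APPLE_MB3, APPLE_MB3_1, APPLE_MB4); give it the same kind of named identifier so the two checks that must stay in sync remain greppable. The hunk also grants the iMac the AZ_QRK_WID_OVREF50 quirk that only APPLE_MB3 and APPLE_MB3_1 receive (APPLE_MB4 does not), so the commit message should say which machine that combination was verified on; the reply below reports that the patched kernel still produced no sound on the iMac.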


Hi Jonathan,

thank you very much for taking your time to look at my problem.

I applied your patch and rebuilt the kernel. Unfortunately I still have
no sound on the iMac.

BTW: I didn't explicitly mention it, but I am using -current (amd64).
With the i386 version there was no sound either.

If I can provide any other info on the system please let me know.

All the best,
STEFAN

Kind regards,

STEFAN WOLLNY

Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Fax.: +49 (0) 3212 655 7875
Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread David Eisner
On Wed, Sep 11, 2013 at 2:56 PM, Geoff Steckel  wrote:

> Disk drives are (presumably) trivial to take over. They have firmware
> and mechanisms to
> use alternate physical blocks for a given logical block.
>


You're absolutely correct, and this is not theoretical (page navigation is
in the links on the right):

  http://spritesmods.com/?art=hddhack&page=1

His proof-of-concept (for a remotely-compromised HD on a web server)
involves requesting a URL with a trigger string in it. When the URL gets
written to the web server's log file, the HD firmware sees this and arms
itself. Now, when /etc/shadow is next read, the firmware adds a hidden
account to it.

-David



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Geoff Steckel
On 09/11/2013 05:42 AM, Rudolf Leitgeb wrote:
>> Second, low hanging fruit.
> Contrary to what some hysterical reports may claim, and some violations
> of rules aside, NSA is mostly after bad guys, some of which know quite
> well what they are doing. These bad guys will not necessarily be kind
> enough to present NSA with unpatched Windows desktops.
>
>> why bother with us ? people are most generally NOT careful. So, hey,
>> what if you can't break in OpenBSD ?
> This is not a marketing operation run by NSA which can claim success if
> they catch the 90% dumbest. Quite to the contrary, they should be most
> interested in the most sophisticated ones, and why wouldn't bad guys
> use OpenBSD if they had the impression it was more secure?
>
>
> As I have mentioned before: what good is perfect security in an OS if you
> have no control over the hardware? Put some back doors into the CPU or the
> networking hardware and OpenSSH will fall. There is really no point in
> trying to outwit three letter agencies with our laptops.
Disk drives are (presumably) trivial to take over. They have firmware
and mechanisms to use alternate physical blocks for a given logical block.

Scenario:

Reset - request for block 0 within a timeout window - substitute
alternate boot record & subsequent interesting code. Modern drives
contain enough spare sectors to have a complete software universe
hidden in them.

no reset or timeout - request for block 0 - return "good" data

Very hard to detect without a reasonably high level of suspicion and
a properly set up test jig.

The conditions for substituting "interesting" data could be made
arbitrarily complex and/or sophisticated, including scanning data
read and written for patterns.

Almost anything with microcode or firmware can be subverted with
very few traces. That means network interfaces, CPUs, disk controllers,
USB interfaces, ...

Oh yes - cars & trucks.

Geoff Steckel



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread David Eisner
On Wed, Sep 11, 2013 at 10:00 AM, John Long  wrote:

>
> You think they need to target protocols? There are much easier ways of
> doing
> things. Strong crypto works if you do all the management stuff. Most people
> have no idea what's involved with that. Like Espie says there's plenty low
> hanging fruit. If you're somebody they want to know about the methods they
> use don't have anything to do with technology.
>
>
There's more than one threat model, though. Here are two:

1. "They" are targeting a specific individual or a small group. In that
case, protecting your electronic communications is going to be difficult.
They'll get around the crypto if they need to.

2. "They" are dipping their net into a fiber optic stream and fishing
(automated search) for interesting traffic.

Targeting protocols would be attractive to them for threat model 2, even if
they can handle threat model 1. And even in the case of threat model 1, a
vulnerable protocol makes their job cheaper, in terms of both money and
risk.

-David



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread carlos albino garcia grijalba
Fully agree with John. Look, gov is gov: they have the power to do things, they
have the money to do it, they have the law protecting them, and if all of this
is not enough they have people that can close your business if you don't
cooperate. So go to China or any other country that is not going to cooperate,
build your own devices and software with strong crypto and no security
problems, and maybe you will have a good channel to check out your Facebook or
chat with grandma.

> Date: Wed, 11 Sep 2013 14:00:38 +
> From: codeb...@inbox.lv
> To: misc@openbsd.org
> Subject: Re: OpenBSD crypto and NSA/Bruce Schneier
>
> On Wed, Sep 11, 2013 at 10:49:46AM +0200, Martin Schr?der wrote:
> > 2013/9/11 Marc Espie :
> > > Second, low hanging fruit.
> > >
> > > There's so much crappy software and hardware out there that you have to
be
> > > REALLY paranoid to think the NSA would target us. I mean, come on,
there
> >
> > You think openssh isn't a valuable target?
>
> You think they need to target protocols? There are much easier ways of
doing
> things. Strong crypto works if you do all the management stuff. Most people
> have no idea what's involved with that. Like Espie says there's plenty low
> hanging fruit. If you're somebody they want to know about the methods they
> use don't have anything to do with technology.
>
> > You think openbsd isn't used in commercial firewall/vpn appliances?
>
> You think that government doesn't cultivate "healthy" relationships with
> "security" product vendors that makes whatever protocol or OS they claim to
> run irrelevant? Do you really believe they only got google, yahoo, gmx,
> msn/hotmail/aol/skype to open up their services but not router and vpn and
> appliance vendors? Don't be so naive... any company that has an office in
> the U.S. that wants to stay in business is going to bend over. How many
> Lavabit stories did we read about where somebody had the integrity to say
NO
> and lose his ass? Exactly one. Guess what happened to the rest.
>
> You want security, run OpenBSD on a Chinese router or SBC or fab your own
> chips and build your own hardware. And stay the hell off the net.
>
> > Think again.
>
> Your turn.
>
> /jl
>
> --
> ASCII ribbon campaign ( ) Powered by Lemote Fuloong
>  against HTML e-mail   X  Loongson MIPS and OpenBSD
>and proprietary/ \http://www.mutt.org
>  attachments /   \  Code Blue or Go Home!
>  Encrypted email preferred  PGP Key 2048R/DA65BC04



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread bofh
On Wed, Sep 11, 2013 at 3:58 AM, Peter N. M. Hansteen wrote:

> on that front. On a related note, I quite enjoyed reading FreeBSD
> developer Colin Percival's take on the various revelations and claims:
> http://www.daemonology.net/blog/2013-09-10-I-might-be-a-spook.html


Isn't that classic reverse psychology though?! :P


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Reyk Floeter
On Wed, Sep 11, 2013 at 02:00:38PM +, John Long wrote:
> You want security, run OpenBSD on a Chinese router or SBC or fab your own
> chips and build your own hardware. And stay the hell off the net.
> 

Sorry for posting the following link, but this reminds me of an
incredibly bad movie: http://www.dragondaymovie.com/ ;-)

reyk



Re: Can't get PostgreSQL to run on startup

2013-09-11 Thread opendaddy
On 11 September 2013 at 3:19 PM, "Antoine Jacoutot"
wrote:
>
>This is not how pkg_scripts works.
>See rc.conf.local(5).

Thanks a lot Vijay, Antoine. Works great now. Can't recall where I got the 
pkg_scripts=foo,bar format from though.

O.D.



Re: Can't get PostgreSQL to run on startup

2013-09-11 Thread Vijay Sankar

Quoting openda...@hushmail.com:


Hi,

Anybody else having trouble getting PostgreSQL to run on startup? I  
always have to do "/etc/rc.d/postgresql start" manually. My line in  
/etc/rc.conf.local reads: pkg_scripts=postgresql,enginx. Nothing  
fishy in the logs. I'm using postgresql-server-9.2.3 (initdb -D  
/var/postgresql/data/) on OpenBSD 5.3.


Thanks.

O.D.




We usually do something like the following:

pkg_scripts="clamd squid havp postgresql nginx"

and it works properly


Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca

-
This message was sent using ForeTell-POST 4.9



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Zoran Kolic
> After all, we could change to hardware that does not have these things.

I'd like to hear more about this.

  Zoran



Re: "X -configure" segmentation fault

2013-09-11 Thread Zoran Kolic
> I was referring to what's in the base system. I am looking for a
> minimal window manager in the base system, so no external packages. I
> wanted to try out cwm but when I run it I get " cwm: unable to open
> display "" ". Is some special configuration needed to run it properly?

In fact, fvwm is in base part. It is highly customizable and
able to follow the way I use "the desktop".
Reading manual pages is necessary to get the best of almost
every application in the world.
Best regards

   Zoran



Re: Modern C++ Compiler for OpenBSD

2013-09-11 Thread John Long
On Tue, Sep 10, 2013 at 06:21:56PM -0400, Brad Smith wrote:
> On 10/09/13 6:10 PM, Gregor Best wrote:
> >On Tue, Sep 10, 2013 at 05:40:19PM -0400, Jeffrey Walton wrote:
> >>[...]
> >>Does anyone have a C++ compiler recommendation for OpenBSD?
> >>[...]
> >
> >What about GCC? Clang++'s C++11 support is spotty at best, at least it
> >was the last time I tried.
> 
> Clang's C++11 support doesn't work properly because it isn't using
> the proper release of libstdc++.
> 

@Brad since he does a lot of the MIPS stuff, or anybody else who might know,
is there going to be a newish gcc and gfortran for mips64el in 5.4?

/jl



Re: Help troubleshooting ehci_idone hang.

2013-09-11 Thread RD Thrush
On 09/10/13 07:56, Martin Pieuchot wrote:
> On 10/09/13(Tue) 07:15, RD Thrush wrote:
>> On 09/10/13 04:42, Martin Pieuchot wrote:
>>> [...]
>>>
>>> Thanks for this detailed bug report.
>>>
>>> You're saying that you have 2 amd64 systems with the same problem but
>>> I see only the dmesg for one machine, does the other has the same ehci
>>> controller?
>>
>> Apparently one is ATI and the other Intel.  
>>  has two console captures, 
>> "v1.1" and "v1.2", for the other machine after an ehci_idone hang (I hadn't 
>> made the panic patch yet).  I was able to generate a ddb interrupt to stop 
>> the spew and gather some additional ddb info.  The aforementioned directory 
>> also has acpidump, pcidump, biosdecode, and dmidecode previously collected 
>> from the same kernel.
>>
>> If you want/need further info about the 'v1' machine, let me know and I'll 
>> boot OpenBSD and get the info.
> 
> It would be nice if you could reproduce the manipulation you did with
> the other machine and set ehcidebug to 5 before switching your kvm.

With ehcidebug=5 on the v1 machine, switching the kvm resulted in a continual
ddb loop. I wasn't able to generate a ddb interrupt via the serial console;
however, the PC keyboard was able to drop into ddb, where I collected some
additional info.

'boot sync' resulted in the panic I'd patched (earlier in thread) to stop the
initial hang.  I had to do a hard reset to regain control.

 has the capture of the serial
console for that session.


WRT the other machine, x4, I installed the patch and have not yet had a
problem.  However, with ehcidebug=5, the following two-line message is issued
about once per second:
ehci_intrlist_timeout
ehci_check_intr: ex=0x80238c00

That periodic message did not occur with the v1 machine.

Sorry for the delay in reporting...



Can't get PostgreSQL to run on startup

2013-09-11 Thread opendaddy
Hi,

Anybody else having trouble getting PostgreSQL to run on startup? I always have 
to do "/etc/rc.d/postgresql start" manually. My line in /etc/rc.conf.local 
reads: pkg_scripts=postgresql,enginx. Nothing fishy in the logs. I'm using 
postgresql-server-9.2.3 (initdb -D /var/postgresql/data/) on OpenBSD 5.3.

Thanks.

O.D.



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread John Long
On Wed, Sep 11, 2013 at 10:49:46AM +0200, Martin Schr?der wrote:
> 2013/9/11 Marc Espie :
> > Second, low hanging fruit.
> >
> > There's so much crappy software and hardware out there that you have to be
> > REALLY paranoid to think the NSA would target us. I mean, come on, there
> 
> You think openssh isn't a valuable target?

You think they need to target protocols? There are much easier ways of doing
things. Strong crypto works if you do all the management stuff. Most people
have no idea what's involved with that. Like Espie says there's plenty low
hanging fruit. If you're somebody they want to know about the methods they
use don't have anything to do with technology.

> You think openbsd isn't used in commercial firewall/vpn appliances?

You think that government doesn't cultivate "healthy" relationships with
"security" product vendors that makes whatever protocol or OS they claim to
run irrelevant? Do you really believe they only got google, yahoo, gmx,
msn/hotmail/aol/skype to open up their services but not router and vpn and
appliance vendors? Don't be so naive... any company that has an office in
the U.S. that wants to stay in business is going to bend over. How many
Lavabit stories did we read about where somebody had the integrity to say NO
and lose his ass? Exactly one. Guess what happened to the rest.

You want security, run OpenBSD on a Chinese router or SBC or fab your own
chips and build your own hardware. And stay the hell off the net.

> Think again.

Your turn.

/jl

-- 
ASCII ribbon campaign ( ) Powered by Lemote Fuloong
 against HTML e-mail   X  Loongson MIPS and OpenBSD
   and proprietary/ \http://www.mutt.org
 attachments /   \  Code Blue or Go Home!
 Encrypted email preferred  PGP Key 2048R/DA65BC04 



Re: Can't get PostgreSQL to run on startup

2013-09-11 Thread Antoine Jacoutot
On Wed, Sep 11, 2013 at 03:03:07PM +, openda...@hushmail.com wrote:
> Hi,
> 
> Anybody else having trouble getting PostgreSQL to run on startup? I always 
> have to do "/etc/rc.d/postgresql start" manually. My line in 
> /etc/rc.conf.local reads: pkg_scripts=postgresql,enginx. Nothing fishy in the 
> logs. I'm using postgresql-server-9.2.3 (initdb -D /var/postgresql/data/) on 
> OpenBSD 5.3.

This is not how pkg_scripts works.
See rc.conf.local(5).

-- 
Antoine



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread josef . winger
> Sent: Wednesday, 11 September 2013 at 11:42
> From: "Rudolf Leitgeb" 
> To: es...@nerim.net
> Cc: misc@openbsd.org
> Subject: Re: OpenBSD crypto and NSA/Bruce Schneier
>
> > Second, low hanging fruit.
> 
> Contrary to what some hysterical reports may claim, and some violations
> of rules aside, NSA is mostly after bad guys, some of which know quite
> well what they are doing. These bad guys will not necessarily be kind
> enough to present NSA with unpatched Windows desktops.

I think that is not true. What they (and others) are after are
CORRELATIONS, as much correlation as one can get. That's because from
a Bayesian POV causality isn't really needed to understand behaviour
if you have enough correlation.

Social science becomes obsolete if enough correlation is gathered.
See for example
http://www.wired.com/science/discoveries/magazine/16-07/pb_theory

That paper really sounds strange at first sight, but with big data it is
another situation.

So back on topic: even if they are after the 'bad guys', they do it by getting
as much data, i.e. correlations, as they can get...




> 
> > why bother with us ? people are most generally NOT careful. So, hey, 
> > what if you can't break in OpenBSD ?
> 
> This is not a marketing operation run by NSA which can claim success if
> they catch the 90% dumbest. Quite to the contrary, they should be most
> interested in the most sophisticated ones, and why wouldn't bad guys
> use OpenBSD if they had the impression it was more secure?

No, they want it all, because much data is better than any behaviour theory
can be, just because you don't have to make assumptions.

> 
> 
> As I have mentioned before: what good is perfect security in an OS if you
> have no control over the hardware? Put some back doors into the CPU or the
> networking hardware and OpenSSH will fall. There is really no point in 
> trying to outwit three letter agencies with our laptops.
> 

Do you have any example for that? I mean, the hardware needs software
to run, no? So you say that there are cases where there is firmware
that makes the hardware do things we cannot control or encapsulate?

After all, we could change to hardware that does not have these things.


Another thing is that today mathematically proven correct (aka zero-bug)
software is more and more feasible. See the guys from seL4..
OK, it is still a bit in the future, but sooner or later we will become able to
prove our algorithms; at least partly...

/jo



Re: "X -configure" segmentation fault

2013-09-11 Thread Zé Loff
On Wed, Sep 11, 2013 at 09:15:57AM +, Heptas Torres wrote:
> On 9/11/13, David Coppa  wrote:
> > On Wed, Sep 11, 2013 at 10:37 AM, Heptas Torres  wrote:
> >> On 9/10/13, Martin Brandenburg  wrote:
> >>> On Tue, Sep 10, 2013 at 10:18:43PM +, Heptas Torres wrote:
>  I am trying to generate a starting xorg.conf file by running "X
>  -configure" but get a segmentation fault error (output below). Any
>  ideas what could go wrong? Have tried this both in a VMware guest and
>  on real hardware but I get the same problems. dmesg is at the end.
>  thanks
>  -h
> >>>
> >>> A similar problem was discussed about a month ago here[1]. The code of X
> >>> -configure is not maintained. See Matthieu Herrb's suggestions in the
> >>> archive or enclosed below.
> >>
> >> Thanks for the pointer. Wanted to run cwm but could not make it work -
> >> I guess it's related to the problem you mention.
> >>
> >> Does this mean that obsd as a desktop is not really supported on the long
> >> run?
> >
> > Don't make me laugh.
> >
> > I use OpenBSD for my desktop on a daily-basis since years:
> > http://dcoppa.deviantart.com/gallery/
> 
> I was referring to what's in the base system. I am looking for a
> minimal window manager in the base system, so no external packages. I
> wanted to try out cwm but when I run it I get " cwm: unable to open
> display "" ". Is some special configuration needed to run it properly?
> -h
> 

man xinitrc



Re: Help with ISAKMP Nat Traversal Problem needed

2013-09-11 Thread Christoph Leser
There seems to be no interest in this issue on @misc.

Would it be ok to file a bug for this?

> -Original Message-
> From: Christoph Leser
> Sent: Monday, 9 September 2013 16:45
> To: Christoph Leser; misc@openbsd.org
> Subject: RE: Help with ISAKMP Nat Traversal Problem needed
> 
> Here is another debug output and tcpdump for the same problem.
> Following the advice from Stuart Henderson I changed the debug levels to
> 
> isakmpd -D0=29 -D1=49 -D2=10 -D3=30 -D6=99 -D7=99 -D8=99 -D9=30 -D10=20
> -K -L
> 
> Here again the tcpdump and the new debug output
> 
> 
> 16:08:35.114550 0.0.0.0.500 > 217.86.184.8.500: [udp sum ok] isakmp v1.0
> exchange ID_PROT
>   cookie: 1a0208d771df46ef-> msgid:  len:
> 184
>   payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>   payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
>   payload: TRANSFORM len: 36
>   transform: 0 ID: ISAKMP
>   attribute ENCRYPTION_ALGORITHM = AES_CBC
>   attribute HASH_ALGORITHM = MD5
>   attribute AUTHENTICATION_METHOD = PRE_SHARED
>   attribute GROUP_DESCRIPTION = MODP_1024
>   attribute LIFE_TYPE = SECONDS
>   attribute LIFE_DURATION = 3600
>   attribute KEY_LENGTH = 128
>   payload: VENDOR len: 20
>   payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-
> ike-02)
>   payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-
> ike-03)
>   payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>   payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
> 
> 16:08:35.184157 217.86.184.8.500 > 217.110.66.79.500: [udp sum ok] isakmp
> v1.0 exchange ID_PROT
>   cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len:
> 116
>   payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>   payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
>   payload: TRANSFORM len: 36
>   transform: 1 ID: ISAKMP
>   attribute ENCRYPTION_ALGORITHM = AES_CBC
>   attribute KEY_LENGTH = 128
>   attribute HASH_ALGORITHM = MD5
>   attribute GROUP_DESCRIPTION = MODP_1024
>   attribute AUTHENTICATION_METHOD = PRE_SHARED
>   attribute LIFE_TYPE = SECONDS
>   attribute LIFE_DURATION = 3600
>   payload: VENDOR len: 12
>   payload: VENDOR len: 20 (supports NAT-T, RFC 3947) [ttl 0] (id 1, len
> 144)
> 
> 16:08:35.275577 217.110.66.79.500 > 217.86.184.8.500: [udp sum ok] isakmp
> v1.0 exchange ID_PROT
>   cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len:
> 220
>   payload: KEY_EXCH len: 132
>   payload: NONCE len: 20
>   payload: NAT-D len: 20
>   payload: NAT-D len: 20 [ttl 0] (id 1, len 248)
> 
> 16:08:35.363848 217.86.184.8.500 > 217.110.66.79.500: [udp sum ok] isakmp
> v1.0 exchange ID_PROT
>   cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len:
> 268
>   payload: KEY_EXCH len: 132
>   payload: NAT-D len: 20
>   payload: NAT-D len: 20
>   payload: NONCE len: 24
>   payload: VENDOR len: 12
>   payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-
> 06.txt)
>   payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 296)
> 
> 16:08:35.454563 217.110.66.79.4500 > 217.86.184.8.4500: [bad udp cksum
> c9d0!] udpencap: isakmp v1.0 exchange ID_PROT
>   cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len:
> 88
>   payload: ID len: 12 type: IPV4_ADDR = 217.110.66.79
>   payload: HASH len: 20
>   payload: NOTIFICATION len: 28
>   notification: INITIAL CONTACT (1a0208d771df46ef-
> >be3ad6b901947e8e) [ttl 0] (id 1, len 120)
> 
> 16:08:35.523331 217.86.184.8.4500 > 217.110.66.79.4500: [bad udp cksum
> 1c00!] udpencap: isakmp v1.0 exchange ID_PROT
>   cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len:
> 60
>   payload: ID len: 12 type: IPV4_ADDR = 192.168.50.253
>   payload: HASH len: 20 [ttl 0] (id 1, len 92)
> 
> 16:08:35.615285 217.110.66.79.4500 > 217.86.184.8.4500: [udp sum ok]
> udpencap: isakmp v1.0 exchange QUICK_MODE
>   cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid: ceee06b6 len:
> 288
>   payload: HASH len: 20
>   payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>   payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x4dc1e13b
>   payload: TRANSFORM len: 32
>   transform: 1 ID: AES
>   attribute LIFE_TYPE = SECONDS
>   attribute LIFE_DURATION = 1200
>   attribute ENCAPSULATION_MODE = TUNNEL
>   attribute AUTHENTICATION_ALGORITHM = HMAC_

Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Indunil Jayasooriya
> As I have mentioned before: what good is perfect security in an OS if you
> have no control over the hardware? Put some back doors into the CPU or the
> networking hardware and OpenSSH will fall. There is really no point in
> trying to outwit three letter agencies with our laptops.
>
>

Both good and bad things exist in the world. It is the way of the world.
It is quite normal. It is the True Nature of the world. Intention
(volition) to add protection (security) is the WISE man's characteristic.
So this wise man is always protected. He will win his life.








-- 
Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
Fonts



Re: pf set prio

2013-09-11 Thread Stuart Henderson
On 2013-09-10, Andy  wrote:
> Ah I feared as much as its so close to the 5.4 release date.
> "Good things come to those who wait"

In order to give time to build packages for release, prepare CDs, etc, the
release was cut around the end of July. (Exact timings vary from release to
release, iirc this one was a little earlier than usual to give plenty of 
time to handle any fallout from the 64-bit time_t flag day).



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Rudolf Leitgeb
> Second, low hanging fruit.

Contrary to what some hysterical reports may claim, and some violations
of rules aside, NSA is mostly after bad guys, some of which know quite
well what they are doing. These bad guys will not necessarily be kind
enough to present NSA with unpatched Windows desktops.

> why bother with us ? people are most generally NOT careful. So, hey, 
> what if you can't break in OpenBSD ?

This is not a marketing operation run by NSA which can claim success if
they catch the 90% dumbest. Quite to the contrary, they should be most
interested in the most sophisticated ones, and why wouldn't bad guys
use OpenBSD if they had the impression it was more secure?


As I have mentioned before: what good is perfect security in an OS if you
have no control over the hardware? Put some back doors into the CPU or the
networking hardware and OpenSSH will fall. There is really no point in 
trying to outwit three letter agencies with our laptops.



Re: daily insecurity output: Login operator is off but still....

2013-09-11 Thread Antoine Jacoutot
On Wed, Sep 11, 2013 at 10:37:12AM +0100, Craig R. Skinner wrote:
> For backups, I set up operator to dump & scp to another box, so he needs
> $HOME/.ssh/:
> 
> $ sudo usermod -L daemon operator
> $ sudo chsh -s /bin/ksh operator
> $ sudo mkdir /operator
> $ sudo chown operator:operator /operator
> $ sudo chmod 750 operator /operator
> 
> 
> $ userinfo operator
> login   operator
> passwd  *
> uid 2
> groups  operator
> change  NEVER
> class
> gecos   System &
> dir /operator
> shell   /bin/ksh
> expire  NEVER
> 
> From the daily security email:
> 
> Running security(8):
> 
> Checking the /etc/master.passwd file:
> Login operator is off but still has a valid shell and alternate access
> files in home directory are still readable.
> 
> Which I think could be part of security(8) .Check the master.passwd(5)
> and group(5) files for syntax, empty passwords, partially closed
> accounts.
> 
> $ sudo fgrep operator /etc/master.passwd
> operator:*:2:5::0:0:System &:/operator:/bin/ksh
> 
> master.passwd(5) says:
>   Similarly, login accounts not allowing password authentication but
>   allowing other authentication methods, for example public key
>   authentication, conventionally have 13 asterisks in the password field.
> 
> The alert comes from check_access_file() in /usr/libexec/security
> Which comes from approx line 94 in check_passwd():
>   $pwd ne '' &&
>   $pwd ne 'skey' &&
>   length $pwd != 13 &&
>   $pwd !~ /^\$[0-9a-f]+\$/ &&
> 
> 
> 
> Do I need to change operator's password to be 13 *'s?
> 
> What's the best way to do that as I have this in /etc/login.conf:
> default:\
>   :passwordcheck=/usr/local/bin/pwqcheck -1:\

vipw(8)


-- 
Antoine



daily insecurity output: Login operator is off but still....

2013-09-11 Thread Craig R. Skinner
For backups, I set up operator to dump & scp to another box, so he needs
$HOME/.ssh/:

$ sudo usermod -L daemon operator
$ sudo chsh -s /bin/ksh operator
$ sudo mkdir /operator
$ sudo chown operator:operator /operator
$ sudo chmod 750 operator /operator


$ userinfo operator
login   operator
passwd  *
uid 2
groups  operator
change  NEVER
class
gecos   System &
dir /operator
shell   /bin/ksh
expire  NEVER

From the daily security email:

Running security(8):

Checking the /etc/master.passwd file:
Login operator is off but still has a valid shell and alternate access
files in home directory are still readable.

Which I think could be part of security(8). Check the master.passwd(5)
and group(5) files for syntax, empty passwords, partially closed
accounts.

$ sudo fgrep operator /etc/master.passwd
operator:*:2:5::0:0:System &:/operator:/bin/ksh

master.passwd(5) says:
  Similarly, login accounts not allowing password authentication but
  allowing other authentication methods, for example public key
  authentication, conventionally have 13 asterisks in the password field.

The alert comes from check_access_file() in /usr/libexec/security,
which comes from approx line 94 in check_passwd():
$pwd ne '' &&
$pwd ne 'skey' &&
length $pwd != 13 &&
$pwd !~ /^\$[0-9a-f]+\$/ &&



Do I need to change operator's password to be 13 *'s?

What's the best way to do that as I have this in /etc/login.conf:
default:\
	:passwordcheck=/usr/local/bin/pwqcheck -1:\

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
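Added example, not Craig's setup nor the real /usr/libexec/security (which is Perl): a Python reimplementation of the four check_passwd() clauses quoted above, run over constructed master.passwd(5) lines to show why a single "*" trips the "off but still has a valid shell" warning while thirteen asterisks or a crypt(3) hash do not. VALID_SHELLS and the sample entries are assumptions; the readability test on the home directory's access files is not reproduced.

```python
import re

# Constructed stand-in for /etc/shells; a real check would read that file.
VALID_SHELLS = {"/bin/sh", "/bin/ksh", "/bin/csh"}
# Hash prefix as in the quoted condition ("$<hex>$", e.g. "$2b$" for bcrypt).
HASH_RE = re.compile(r"^\$[0-9a-f]+\$")
# Field order of master.passwd(5).
FIELDS = ("login", "passwd", "uid", "gid", "class", "change", "expire",
          "gecos", "dir", "shell")

def login_is_off(pwd):
    """Mirror the four clauses quoted from check_passwd(): a password field
    that is non-empty, not 'skey', not 13 characters long and not a
    crypt(3)-style hash marks a disabled login.  The real script has
    further clauses that are not shown in the thread."""
    return (pwd != ""
            and pwd != "skey"
            and len(pwd) != 13
            and HASH_RE.match(pwd) is None)

def parse_master_passwd(line):
    """Split one master.passwd(5) line into a dict keyed by FIELDS."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(FIELDS), len(fields), line))
    return dict(zip(FIELDS, fields))

def check_passwd(line, valid_shells=VALID_SHELLS):
    """Return the security(8)-style warning for one entry, or None.  Only
    the shell test is reproduced; the readability test on $HOME/.rhosts,
    .ssh/ and friends needs a real filesystem."""
    ent = parse_master_passwd(line)
    if login_is_off(ent["passwd"]) and ent["shell"] in valid_shells:
        return "Login %s is off but still has a valid shell" % ent["login"]
    return None

# Constructed sample entries; the first is the one quoted in the thread.
SAMPLE = [
    "operator:*:2:5::0:0:System &:/operator:/bin/ksh",
    "operator:" + "*" * 13 + ":2:5::0:0:System &:/operator:/bin/ksh",
    "backup:$2b$10$abcdefghijklmnop:1001:1001::0:0:Backup:/home/backup:/bin/ksh",
    "daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry.split(":")[0], "->", check_passwd(entry))
```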



Re: "X -configure" segmentation fault

2013-09-11 Thread David Coppa
On Wed, Sep 11, 2013 at 11:15 AM, Heptas Torres  wrote:

> I was referring to what's in the base system. I am looking for a
> minimal window manager in the base system, so no external packages. I
> wanted to try out cwm but when I run it I get " cwm: unable to open
> display "" ". Is some special configuration needed to run it properly?
> -h

I'm sorry to say but this is Unix 101.



Re: "X -configure" segmentation fault

2013-09-11 Thread Heptas Torres
On 9/11/13, David Coppa  wrote:
> On Wed, Sep 11, 2013 at 10:37 AM, Heptas Torres  wrote:
>> On 9/10/13, Martin Brandenburg  wrote:
>>> On Tue, Sep 10, 2013 at 10:18:43PM +, Heptas Torres wrote:
>>>> I am trying to generate a starting xorg.conf file by running "X
>>>> -configure" but get a segmentation fault error (output below). Any
>>>> ideas what could go wrong? Have tried this both in a VMware guest and
>>>> on real hardware but I get the same problems. dmesg is at the end.
>>>> thanks
>>>> -h
>>>
>>> A similar problem was discussed about a month ago here[1]. The code of X
>>> -configure is not maintained. See Matthieu Herrb's suggestions in the
>>> archive or enclosed below.
>>
>> Thanks for the pointer. Wanted to run cwm but could not make it work -
>> I guess it's related to the problem you mention.
>>
>> Does this mean that obsd as a desktop is not really supported on the long
>> run?
>
> Don't make me laugh.
>
> I have used OpenBSD for my desktop on a daily basis for years:
> http://dcoppa.deviantart.com/gallery/

I was referring to what's in the base system. I am looking for a
minimal window manager in the base system, so no external packages. I
wanted to try out cwm but when I run it I get " cwm: unable to open
display "" ". Is some special configuration needed to run it properly?
-h



Re: "X -configure" segmentation fault

2013-09-11 Thread David Coppa
On Wed, Sep 11, 2013 at 10:37 AM, Heptas Torres  wrote:
> On 9/10/13, Martin Brandenburg  wrote:
>> On Tue, Sep 10, 2013 at 10:18:43PM +, Heptas Torres wrote:
>>> I am trying to generate a starting xorg.conf file by running "X
>>> -configure" but get a segmentation fault error (output below). Any
>>> ideas what could go wrong? Have tried this both in a VMware guest and
>>> on real hardware but I get the same problems. dmesg is at the end.
>>> thanks
>>> -h
>>
>> A similar problem was discussed about a month ago here[1]. The code of X
>> -configure is not maintained. See Matthieu Herrb's suggestions in the
>> archive or enclosed below.
>
> Thanks for the pointer. Wanted to run cwm but could not make it work -
> I guess it's related to the problem you mention.
>
> Does this mean that obsd as a desktop is not really supported on the long run?

Don't make me laugh.

I have used OpenBSD for my desktop on a daily basis for years:
http://dcoppa.deviantart.com/gallery/



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Marc Espie
On Wed, Sep 11, 2013 at 10:49:46AM +0200, Martin Schröder wrote:
> 2013/9/11 Marc Espie :
> > Second, low hanging fruit.
> >
> > There's so much crappy software and hardware out there that you have to be
> > REALLY paranoid to think the NSA would target us. I mean, come on, there
> 
> You think openssh isn't a valuable target?

portable openssh relies on posix interfaces. Corrupt the interfaces, and
you have a broken openssh.  Remember the one bug in openssh, the one that
was mitigated by privsep, but where linux couldn't get the mitigation because
their privsep was broken ?

> You think openbsd isn't used in commercial firewall/vpn appliances?

So buy the guys building commercial appliances. This being BSD, it doesn't
have to be open source. It's much simpler to corrupt the derivative product,
and way less dangerous.



Re: "X -configure" segmentation fault

2013-09-11 Thread Antoine Jacoutot
> Thanks for the pointer. Wanted to run cwm but could not make it work -
> I guess it's related to the problem you mention.
> 
> Does this mean that obsd as a desktop is not really supported on the long run?

Considering that several OpenBSD developers also have commit access to (and/or a 
high position in) GNOME, KDE, LibreOffice, Mozilla, X.org ... and use this 
software every day on OpenBSD -- then I would say yes, obviously OpenBSD as a 
Desktop is doomed for eternity.
Oh and we have the best KMS support of all BSDs, but it's only needed on the 
VAX obviously -- no Desktop would ever need that.

-- 
Antoine



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Martin Schröder
2013/9/11 Marc Espie :
> Second, low hanging fruit.
>
> There's so much crappy software and hardware out there that you have to be
> REALLY paranoid to think the NSA would target us. I mean, come on, there

You think openssh isn't a valuable target?
You think openbsd isn't used in commercial firewall/vpn appliances?

Think again.

Best
 Martin



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Marc Espie
On Wed, Sep 11, 2013 at 09:58:12AM +0200, Peter N. M. Hansteen wrote:
> Re-evaluation and auditing is very much a part of the general OpenBSD
> development process (see eg http://www.openbsd.org/goals.html and 
> http://www.openbsd.org/security.html, with links therein) already, 
> but I wouldn't be surprised if recent revelations lead to more activity
> on that front. On a related note, I quite enjoyed reading FreeBSD
> developer Colin Percival's take on the various revelations and claims:
> http://www.daemonology.net/blog/2013-09-10-I-might-be-a-spook.html

I'm not sure there will be that much more activity.

First, we had several "scares" in the past already, and we're perpetually
paranoid, so... business as usual.

Second, low hanging fruit.

There's so much crappy software and hardware out there that you have to be
REALLY paranoid to think the NSA would target us. I mean, come on, there
are BROADSIDE BARNS in
- windows
- iOS
- linux

why bother with us ? people are most generally NOT careful. So, hey, what
if you can't break in OpenBSD ? you've got all kinds of access to people's
web activity, cellphone records, credit card records, hospital records,
whatever.

If there's one thing that's sure, it's that there is exactly ZERO security
in administration's infrastructures in general.

Yes, some of them do care. But most of them don't care enough. And there
are IDIOTS everywhere.

I suspect the NSA spooks are good hackers. And so they're lazy.  The challenge
is extracting useful information from TB of unencrypted traffic and broken
encryptions.  Breaking secure encryption ? sure... you think it's going to
give you new data ? think again...



Re: "X -configure" segmentation fault

2013-09-11 Thread Heptas Torres
On 9/10/13, Martin Brandenburg  wrote:
> On Tue, Sep 10, 2013 at 10:18:43PM +, Heptas Torres wrote:
>> I am trying to generate a starting xorg.conf file by running "X
>> -configure" but get a segmentation fault error (output below). Any
>> ideas what could go wrong? Have tried this both in a VMware guest and
>> on real hardware but I get the same problems. dmesg is at the end.
>> thanks
>> -h
>
> A similar problem was discussed about a month ago here[1]. The code of X
> -configure is not maintained. See Matthieu Herrb's suggestions in the
> archive or enclosed below.

Thanks for the pointer. Wanted to run cwm but could not make it work -
I guess it's related to the problem you mention.

Does this mean that obsd as a desktop is not really supported on the long run?

Maybe the page at http://www.openbsd.org/faq/faq11.html#amd64i386
should be updated so that it gives an indication that the info is not
updated? Thought quality of the documentation was a core goal of obsd
:)

-H


> [1] http://mid.gmane.org/20130819055603.ga12...@nebraska.herrb.net
>
> - Martin
>
> On Mon, 19 Aug 2013 07:56:04 +0200, Matthieu Herrb wrote:
>> I've written to a number of mailing lists for a long time that the code
>> behind X -configure is not maintained (and there are a number of known
>> issues) and that I strongly recommend not using it. Running X without
>> a config file is much more likely to produce a working result.
>>
>> And for the few cases where an xorg.conf file is needed, just read the
>> xorg.conf(5) man page and use a text editor to create one containing
>> only the needed section(s).



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Martin Schröder
2013/9/11 Jiri B :
> nor do I want to troll, but my curiosity is whether OpenBSD devs
> follow Bruce Schneier's arguments and the whole topic, and if they
> have done, do or will do some re-evaluation of crypto in OpenBSD
> to minimize being vulnerable to the described attacks.

The monkeys will probably keep on masturbating. :-)

>http://article.gmane.org/gmane.linux.kernel/706950

Best
 Martin



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Peter N. M. Hansteen
On Wed, Sep 11, 2013 at 03:26:07AM -0400, Jiri B wrote:
 
> I don't understand very much of the technical details of this topic,
> nor do I want to troll, but my curiosity is whether OpenBSD devs
> follow Bruce Schneier's arguments and the whole topic, and if they
> have done, do or will do some re-evaluation of crypto in OpenBSD
> to minimize being vulnerable to the described attacks.
> 
> http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

Re-evaluation and auditing is very much a part of the general OpenBSD
development process (see eg http://www.openbsd.org/goals.html and 
http://www.openbsd.org/security.html, with links therein) already, 
but I wouldn't be surprised if recent revelations lead to more activity
on that front. On a related note, I quite enjoyed reading FreeBSD
developer Colin Percival's take on the various revelations and claims:
http://www.daemonology.net/blog/2013-09-10-I-might-be-a-spook.html

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Modern C++ Compiler for OpenBSD

2013-09-11 Thread Marc Espie
On Tue, Sep 10, 2013 at 05:40:19PM -0400, Jeffrey Walton wrote:
> I'd like to use some C++ language features that are relatively new.
> They include initializer lists, rvalue references and regex (and
> perhaps a lambda on occasion).
> 
> Does anyone have a C++ compiler recommendation for OpenBSD?

g++ 4.8.1 is reasonably modern and supports all of these.

just install the package.



OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Jiri B
Hi all,

I don't understand very much of the technical details of this topic,
nor do I want to troll, but my curiosity is whether OpenBSD devs
follow Bruce Schneier's arguments and the whole topic, and if they
have done, do or will do some re-evaluation of crypto in OpenBSD
to minimize being vulnerable to the described attacks.

http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

j.



Re: Modern C++ Compiler for OpenBSD

2013-09-11 Thread David Coppa
On Tue, Sep 10, 2013 at 11:40 PM, Jeffrey Walton  wrote:
> I'd like to use some C++ language features that are relatively new.
> They include initializer lists, rvalue references and regex (and
> perhaps a lambda on occasion).
>
> Does anyone have a C++ compiler recommendation for OpenBSD?

As of now, your best bet is installing gcc-4.8 from packages.

# export PKG_PATH=ftp://ftp.fr.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/

# pkg_add -v g++-4.8.1p0.tgz

Ciao,
David