Re: using ifstated(8) to monitor wireless connections?

2013-10-28 Thread Fred Snurd
> On Monday, October 28, 2013 6:10 AM, Stefan Sperling  wrote:
>> On Sun, Oct 27, 2013 at 10:43:05PM -0700, Fred Snurd wrote:
>> 
>> $ sudo ifconfig ath0 nwid  wpakey 
>> $ ifconfig ath0
>> ath0: flags=8822 mtu 1500
>>     lladdr a8:54:b2:23:da:80
>>     priority: 4
>>     groups: wlan
>>     media: IEEE802.11 autoselect
>>     status: no network
>>     ieee80211: nwid  
>> wpakey  wpaprotos wpa1,wpa2 wpaakms psk wpaciphers 
>> tkip,ccmp wpagroupcipher tkip
>> $
>> 
>> ...which still shows that the link has not changed as expected.
>
> The interface isn't marked UP in the flags= line.
> So try 'ifconfig ath0 up' here.
>
> dhclient does this automatically before requesting a lease.


Thanks Stefan & Reyk for replying.

Further testing tonight showed that the original /etc/ifstated.conf file did 
indeed work.  I had thought that the link would be re-established quickly, but 
this was not the case.  In fact, re-establishing the link took ~3-4 minutes to 
complete (but this factors in the time the AP needed to get reinitialized 
too...).  I added logger(1) messages to my ifstated.conf(5) observing that the 
link state bounces about before stabilizing.  I don't know if this peculiarity 
is associated with the ath(4) driver, Wistron CM9 card, Alix hardware, or the 
cheap ActionTec AP used.  If there is any interest, I can submit a report with 
more details.  I simply would like to take more time determining if there is 
anything else I can observe.

Thanks again for your timely replies.



Re: Occasionally connected mail access

2013-10-28 Thread Anders Langworthy
On Sun, Oct 27, 2013 at 07:01:49PM +, Chris Smith wrote:
> Hi,
> 
> I'm currently running a simple OpenSMTPD/procmail/mutt setup on the end
> of a hosted machine on 5.3. To access mail, I'm SSH'ing into
> the box and firing up mutt. However I need to get "occasionally 
> connected" mail working on my laptop so I can read/respond to it there
> and deliver back to the hosted machine. I'm using mbox as the mailbox
> format at the moment. I may be offline for 2-3 days at a time.
> 
> I'm considering doing the following things:
> 
> * Move to maildir at both ends.
> * Set up OpenSMTPD on the laptop and set it to "pause mta" while 
>   disconnected. Also set it up to relay through the hosted machine
>   via auth+TLS.
> * Write a script that will (when I know I'm connected):
>   1. unpause the MTA and flush the queues, then pause it again.
>   2. rsync (over SSH) the maildir from the hosted machine.
> 
> Can anyone see any flaws in this plan or know of a better solution?

I run postfix on both my laptop and mail server, and then use UUCP over
a SSH tunnel to shuttle mail between them.  No special config is
required if the tunnel is down, incoming mail queues on the server and
outgoing mail queues on the laptop automatically.  When I connect to the
network again I just run uucico and the queues are flushed.  I don't
know if it's the best solution, but I've been using it for years and
it works great with a minimum of extra software.  One nice benefit is
that UUCP appears to be very tolerant of cruddy internet connections, so
even when I can't really do anything else on the internet I can move
mail.

Cheers,
Anders



5.4 CDs

2013-10-28 Thread zeloff

Ordered them on Sep 26th from Zednax (openbsdeurope.com), got them
with today's mail, here in Lisbon, Portugal.

Thanks to everyone and congrats on another fine release



Question about relayd

2013-10-28 Thread Leonardo Santagostini
Hello Misc, again me, bothering you.

I'm getting plenty of "buffer event timeout" in my /var/log/daemon. I was
trying to find what exactly it means, without success.

Anyone can give me a clue?

I'm using OpenBSD 5.2 GENERIC#278 i386

Relayd from base install.

Saludos / Regards
Leonardo Santagostini





Request to OpenBSD Dev's - Beer on offer

2013-10-28 Thread Andy

Hi all,

Would any of the esteemed OpenBSD developers be interested in adding 
support for BFD (Bidirectional Forwarding Detection) to OpenBSD?


The protocol itself seems pretty simple and provides a sub-second 
keep-alive mechanism to monitor links for routes. E.g. Upon BFD failure 
BGP or OSPF can be torn down etc thus allowing for sub-second 
re-convergence of i/eBGP!


I can only offer a crate of beer to anyone who has the skills and is 
willing :)


'+1's welcome from others who would be interested to show signs of 
support/interest..


Cheers, Andy.



Re: RAID Crypt dual booting

2013-10-28 Thread Adam Thompson

On 13-10-27 03:49 PM, Predrag Punosevac wrote:

This is definitely a thread which I followed with great interest. In
the light of Stefan's diff I have three questions.

1. Does that make

http://blog.cochard.me/2012/03/openbsd-51-installation-on-sofraid4.html

accurate? That would mean that I can crypt everything on my laptop
including /.


That link, one of the ones I found, is now *partially* obsolete, see below.
The undeadly article is also now *partially* obsolete in the same way.
The individual steps and tools used are still 100% accurate, but the 
underlying assumption of where /boot and /bsd must be placed is now wrong.



2. My second question is in the light of Stefan's

"It writes data to each chunk in sequence to provide increased capacity.
CONCAT does not provide redundancy."

Does above mean that if I want to use RAID 1/altroot for redundancy
purposes I still have to follow FAQ and create two identical root and
swap partitions on two separate HDD before using RAID 1 for the rest?


RAID1 and /altroot are two different, and complementary strategies.
The point of this thread is that you do *not* have to create identical 
root and swap partitions, despite what the FAQ implies.



As of (at least) 5.4-RELEASE (and probably much earlier), after booting 
from CD (or PXE, or bsd.rd), instead of choosing "Install" right away at 
the first step, choose "shell".

Follow the same MAKEDEV steps that all the FAQ and blog entries talk about.
Zero out the MBR/partition table/disklabel (using "fdisk -iy") just like 
before.

=== Here's where it changes: ===
Using "disklabel -E", create *one* partition, which can fill the entire 
disk, of type "raid", on each disk.
No need for wd0a=/, wd0b=swap, wd0m=raid, just create a single wd0a=raid 
and nothing else.

=== That's the change. ===
In my case, a system with three SATA drives, once I used bioctl(8) to 
create the RAID1 volume, it attached as "sd3".
Now exit the shell, and enter the Installer.  (I think you can reboot at 
this point, if you need to, but I didn't test that.)
Tell the installer to use the newly-attached softraid(4) volume, not any 
of the physical disks.
Auto-partitioning works, or you can do custom partitioning (in which 
case the simplest is usually an 'a' slice covering most of the RAID 
volume, and a 'b' slice for swap).



3. Are there any strong opinions on CARP/pfsync vs RAID 1/altroot for
firewall redundancy for small office use.


In my case, I've chosen to do sd0+sd1 as RAID1, and sd2 will mount as 
/altroot.  Then I have another entire identical system using both CARP 
and iBGP.
This gives me two layers of *redundancy* (RAID1 and CARP), and one layer 
of *recoverability* (altroot).  In other words, I should never be 
without a router in the first place, and if I completely !@#$%^& them up 
(by human error), I still might be able to just pull the RAID1 disks and 
boot off /altroot instead, and be back up and running in <5 minutes.


(Rationale: I don't feel like paying Cisco or Juniper $250k for this 
capability when I can build it myself using OpenBSD.  OK, those boxes do 
several things much better than OpenBSD, but not $250k better, at least 
not in my use case.  The cheapest-possible way to do this with hardware 
routers that I know of is to buy two refurb Catalyst 6500/SUP-720-VSE 
chassis, or two Catalyst 3750X L3 switches, either of which would still 
cost me ~$20k+.  The OpenBSD solution is better in many ways and the 
refurb servers running this only cost $1700 total including spare parts.)


RAID1, CARP, and /altroot solve three different problems.
They all happen to address the problem of a hard disk dying, but in 
different ways.

RAID1 prevents a dead disk from affecting a running system.
CARP prevents an entire dead system from affecting a running network.  
(in theory, anyway :-)
Altroot prevents corruption of a root partition from being completely 
fatal; it's a point-in-time backup copy of / that you can restore from - 
and in the worst-case scenario, replace the entire root disk with.


--
-Adam Thompson
 athom...@athompso.net
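Added example (editor's, not Adam's): a small sh script that checks the two settings the altroot copy described above depends on. On OpenBSD the point-in-time copy of / is written by daily(8) when ROOTBACKUP=1 is set in /etc/daily.local and /etc/fstab lists the altroot partition mounted on /altroot with the "xx" options (fstab(5)). The device names in the sample files are constructed to match the sd0+sd1 RAID1 plus sd2 layout in the message; the softraid volume name is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: verify that daily(8) will actually
# produce the /altroot backup copy of /. Two pieces are needed on OpenBSD:
#   1. an /etc/fstab line for the altroot partition, mount point /altroot,
#      with the option field "xx" (daily(8) looks for exactly that), and
#   2. ROOTBACKUP=1 in /etc/daily.local.
# File contents are passed as arguments so the checks run on constructed
# input offline; pass --live to read the real files.

# Constructed samples: sd3a/sd3b are assumed names for the softraid RAID1
# volume (sd0+sd1), sd2a is the altroot disk as in Adam's layout.
SAMPLE_FSTAB='/dev/sd3a / ffs rw 1 1
/dev/sd3b none swap sw
/dev/sd2a /altroot ffs xx 0 0'

SAMPLE_DAILY_LOCAL='# constructed /etc/daily.local
ROOTBACKUP=1'

# Print the device of the fstab line mounted on /altroot whose option
# field is "xx"; print nothing when no such line exists. Comment lines
# never have "/altroot" in field 2, so they are skipped implicitly.
altroot_device() {
    printf '%s\n' "$1" | awk '$2 == "/altroot" && $4 == "xx" { print $1; exit }'
}

# Return 0 when daily.local enables the root backup (ROOTBACKUP=1 on a
# line of its own, surrounding whitespace allowed, comments ignored).
rootbackup_enabled() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*ROOTBACKUP=1[[:space:]]*$'
}

# Summarise the state: "ok <device>" when both pieces are present,
# otherwise a one-line description of the first missing piece.
altroot_check() {
    dev=$(altroot_device "$1")
    if [ -z "$dev" ]; then
        echo "missing: no /altroot fstab entry with xx options"
        return 1
    fi
    if ! rootbackup_enabled "$2"; then
        echo "missing: ROOTBACKUP=1 not set in daily.local"
        return 1
    fi
    echo "ok $dev"
}

# Stand-alone run: the live files with --live, else the constructed samples.
if [ "$1" = "--live" ] && [ -r /etc/fstab ]; then
    altroot_check "$(cat /etc/fstab)" "$(cat /etc/daily.local 2>/dev/null)"
else
    altroot_check "$SAMPLE_FSTAB" "$SAMPLE_DAILY_LOCAL"
fi
```

The "xx" option field is what makes the entry invisible to a normal mount -a, so the altroot disk is never mounted read-write by accident and only daily(8) writes to it.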



Re: Yubikey login: bad file descriptor.

2013-10-28 Thread Pieter Verberne

On 2013-10-25 08:14, Pieter Verberne wrote:

On 2013-10-24 19:44, Daniel Hartmeier wrote:

On Thu, Oct 24, 2013 at 03:07:19PM +0200, Pieter Verberne wrote:


-r--r-  1 root  auth  33 Oct 24 14:47 pieter.key
-r--r-  1 root  auth  10 Oct 24 14:47 pieter.uid


Your uid file looks too small, it's usually 13 bytes, with 12 hex digits
and a newline (optional).


Fixed that.


# /usr/libexec/auth/login_yubikey -d -s login pieter
Password:
reject

authlog:
Oct 24 14:52:51 lilium login_yubikey: user pieter: fdopen: Bad file
descriptor
Oct 24 14:53:08 lilium login_yubikey: user pieter: reject


The first error must be from a different invocation. If you get the
Password: prompt, that error condition is already passed.

Daniel


*Facepalm* My keyboard layout is Dvorak. :-)

Thanks,
 Pieter


What I actually wanted to do: I want to use two-factor authentication
over ssh using passwd+yubikey. Is this possible? It looks like yubikey
will 'replace' passwd authentication, and cannot supplement it.

Off topic:
How safe is certificate authentication? I'll use an encrypted private
key on my client computers. If someone gets his hands on the encrypted
key, they can do an offline password attack, which seems less safe than
an online attack.



Re: using ifstated(8) to monitor wireless connections?

2013-10-28 Thread Reyk Floeter
On 28.10.2013, at 01:43, Fred Snurd  wrote:

> On Monday, October 28, 2013 12:38 AM, Fred Snurd  wrote:
> 
> I found the following article on undeadly which uses ifstated(8) to 
> automatically acquire a DHCP lease upon link state 
> changes on an Ethernet interface:
> 
> http://undeadly.org/cgi?action=article&sid=20071012140725&mode=expanded
> 

I don’t get why you’re doing this. The article is from 2007 and dhclient has 
been fixed in 2008:


dhclient.c revision 1.118
date: 2008/05/09 05:19:14;  author: reyk;  state: Exp;  lines: +27 -15
- don't give up when the link is not available on startup: dhclient
goes to background and listens on the routing socket for link to come
up before it retries.
- renew the lease whenever the link was lost and becomes active again.
- listen for link state changes on non-ethernet devices like wireless,
the link state becomes active when the wireless has been associated to
the AP and becomes active. this helps to automatically renew the lease
when the user is roaming.

ok beck@, deraadt@


> ...& thought that it would be simple to modify this for wireless links.  To 
> prove this to myself, I looked at the output of 
> ifconfig(8) on an Alix system as it was connecting to an access point.  
> Before doing any interface configuration:
> 
> $ ifconfig ath0
> ath0: flags=8822 mtu 1500
> lladdr a8:54:b2:23:da:80
> priority: 4
> groups: wlan
> media: IEEE802.11 autoselect
> status: no network
> ieee80211: nwid ""
> $
> 
> ...where "status" indicates the link state.  Upon connecting to the AP,
> 
> $ sudo ifconfig ath0 nwid  wpakey 
> $ ifconfig ath0
> ath0: flags=8822 mtu 1500
> lladdr a8:54:b2:23:da:80
> priority: 4
> groups: wlan
> media: IEEE802.11 autoselect
> status: no network
> ieee80211: nwid  
> wpakey  wpaprotos wpa1,wpa2 wpaakms psk wpaciphers 
> tkip,ccmp wpagroupcipher tkip
> $
> 
> ...which still shows that the link has not changed as expected.  Upon getting 
> a DHCP lease,
> 
> $ sudo dhclient ath0
> DHCPREQUEST on ath0 to 255.255.255.255 on port 67
> DHCPACK from 192.168.0.1 (..:..:..:..:..:..)
> bound to 192.168.0.4 -- renewal in 43200 seconds.
> $ ifconfig ath0
> ath0: flags=8863 mtu 1500
> lladdr a8:54:b2:23:da:80
> priority: 4
> groups: wlan egress
> media: IEEE802.11 autoselect (DS11 mode 11b)
> status: active
> ieee80211: nwid homestead chan 1 bssid 00:26:b8:d4:1c:49 wpakey <not displayed> wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp 
> wpagroupcipher tkip
> inet6 fe80::aa54:b2ff:fe23:da80%ath0 prefixlen 64 scopeid 0x4
> inet 192.168.0.2 netmask 0xff00 broadcast 192.168.0.255
> $
> 
> ...which now shows that the link is active.  After turning off the AP, the 
> link is seen to go down:
> 
> $ ifconfig ath0
> ath0: flags=8863 mtu 1500
> lladdr a8:54:b2:23:da:80
> priority: 4
> groups: wlan egress
> media: IEEE802.11 autoselect (DS11 mode 11b)
> status: no network
> ieee80211: nwid homestead wpakey  wpaprotos wpa1,wpa2 
> wpaakms psk wpaciphers 
> tkip,ccmp wpagroupcipher tkip
> inet6 fe80::aa54:b2ff:fe23:da80%ath0 prefixlen 64 scopeid 0x4
> $
> 
> Upon turning the AP back on, the link is seen again to become active:
> 
> $ ifconfig ath0
> ath0: flags=8863 mtu 1500
> lladdr a8:54:b2:23:da:80
> priority: 4
> groups: wlan egress
> media: IEEE802.11 autoselect (DS11 mode 11b)
> status: active
> ieee80211: nwid homestead wpakey  wpaprotos 
> wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
> inet6 fe80::aa54:b2ff:fe23:da80%ath0 prefixlen 64 scopeid 0x4
> $
> 
> ...so I assumed that ifstated.conf file shown in the article doesn't require 
> much modification.  Below is the minimal changes made:
> 
> $ cat /etc/ifstated.conf
> wireless_up = 'ath0.link.up'
> wireless_down = '!ath0.link.up'
> 
> state auto {
> if $wireless_up
> set-state main
> }
> 
> state main {
> init {
> run 'ifconfig ath0 nwid  wpakey '
> run 'dhclient ath0'
> }
> if $wireless_down {
> #   run 'ifconfig ath0 delete'
> set-state auto
> }
> }
> 
> init-state auto
> $
> 
> ifstated has been enabled in /etc/rc.conf.local, & the system has been 
> rebooted:
> 
> $ grep ifstated /etc/rc.conf.local
> ifstated_flags=''
> $
> 
> No /etc/hostname.ath0 file has been created.  ath0 comes up as expected at 
> system boot, but cycling the AP 
> doesn't result in the network connection being re-established.
> 
> Can someone point out what I am missing for I'm not seeing it.  Thanks for 
> any clarification shared.



Re: nvidia driver what do you recommend

2013-10-28 Thread Brett Mahar
On Mon, 28 Oct 2013 11:20:32 +0100
"Peter J. Philipp"  wrote:

| I remember someone else writing to this list before saying the nvidia
| driver is really slow.  I just upgraded my main workstation from 5.3 to
| 5.4 and it indeed is.
| 
| So I'm wondering what driver I should use because the choppiness of
| moving windows is laughable, a sad kind of laugh.
| 
| Do you recommend I get an ATI/AMD card?  What sorts of models would you
| recommend?
| 

The "ATI Radeon HD 5450" works great with the recently added radeon KMS code, I 
got one for A$30 a few weeks ago, no problems seen, definitely no choppiness 
using mplayer -vo xv in fullscreen 1080p, did have problems with a 96fps 
4096x2304 video I tried out, however:-) 

Brett.



Re: using ifstated(8) to monitor wireless connections?

2013-10-28 Thread Stefan Sperling
On Sun, Oct 27, 2013 at 10:43:05PM -0700, Fred Snurd wrote:
> $ sudo ifconfig ath0 nwid  wpakey 
> $ ifconfig ath0
> ath0: flags=8822 mtu 1500
>     lladdr a8:54:b2:23:da:80
>     priority: 4
>     groups: wlan
>     media: IEEE802.11 autoselect
>     status: no network
>     ieee80211: nwid  
> wpakey  wpaprotos wpa1,wpa2 wpaakms psk wpaciphers 
> tkip,ccmp wpagroupcipher tkip
> $
> 
> ...which still shows that the link has not changed as expected.

The interface isn't marked UP in the flags= line.
So try 'ifconfig ath0 up' here.

dhclient does this automatically before requesting a lease.
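Added example, editor's and not from the thread: Stefan's point is that the flags= word, not the status: line, says whether the interface is administratively up. This sh script parses ifconfig(8) output (constructed samples modelled on the outputs quoted in the thread, with the flag names stripped just as in the quotes) and decodes the UP bit (IFF_UP, 0x1), so a watcher such as an ifstated(8) run block can tell "needs ifconfig ath0 up" apart from "up but not associated yet". Passing an interface name as the first argument runs it on the live output instead.

```shell
#!/bin/sh
# Added example, not from the thread: classify an interface from its
# ifconfig(8) output. The flags= word is a hex bitmask; the BSD bits used
# here are IFF_UP (0x1) and, for the comment only, IFF_RUNNING (0x40).
# 0x8822 (quoted before "ifconfig ath0 up"/dhclient) has neither bit set;
# 0x8863 (quoted after dhclient) is 0x8822 with UP and RUNNING added.

# Constructed samples modelled on the thread's quoted outputs.
SAMPLE_NOT_UP='ath0: flags=8822 mtu 1500
    lladdr a8:54:b2:23:da:80
    media: IEEE802.11 autoselect
    status: no network'

SAMPLE_UP_NOLINK='ath0: flags=8863 mtu 1500
    lladdr a8:54:b2:23:da:80
    media: IEEE802.11 autoselect (DS11 mode 11b)
    status: no network'

SAMPLE_ACTIVE='ath0: flags=8863 mtu 1500
    lladdr a8:54:b2:23:da:80
    media: IEEE802.11 autoselect (DS11 mode 11b)
    status: active'

# Print the hex flags word of the first interface block in $1 (the digits
# only; a trailing <UP,...> name list, when present, is not captured).
if_flags() {
    printf '%s\n' "$1" | sed -n 's/^[^ :]*: flags=\([0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Print the "status:" value from $1, e.g. "active" or "no network".
if_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status: //p' | head -n 1
}

# Classify: "down" (UP flag clear, so the card will never associate and
# ifconfig <if> up is the remedy), "up-nolink" (UP set, not associated
# yet), or "active". Input without a flags= word yields "unknown".
diagnose() {
    flags=$(if_flags "$1")
    if [ -z "$flags" ]; then
        echo unknown
        return 1
    fi
    if [ $(( 0x$flags & 0x1 )) -eq 0 ]; then
        echo down
    elif [ "$(if_status "$1")" = "active" ]; then
        echo active
    else
        echo up-nolink
    fi
}

# Stand-alone run: a live interface if named, else the constructed samples.
if [ -n "$1" ]; then
    diagnose "$(ifconfig "$1")"
else
    for s in "$SAMPLE_NOT_UP" "$SAMPLE_UP_NOLINK" "$SAMPLE_ACTIVE"; do
        diagnose "$s"
    done
fi
```

Run against the three samples it prints down, up-nolink and active in turn; the first of those is exactly the state in the quoted output, which a check on the status: line alone cannot distinguish from the second.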



Re: nvidia driver what do you recommend

2013-10-28 Thread Jonathan Gray
On Mon, Oct 28, 2013 at 11:20:32AM +0100, Peter J. Philipp wrote:
> I remember someone else writing to this list before saying the nvidia
> driver is really slow.  I just upgraded my main workstation from 5.3 to
> 5.4 and it indeed is.
> 
> So I'm wondering what driver I should use because the choppiness of
> moving windows is laughable, a sad kind of laugh.
> 
> Do you recommend I get an ATI/AMD card?  What sorts of models would you
> recommend?

Try to avoid GCN/Southern Islands Radeons as we don't do acceleration on
those because they don't support normal x style acceleration only a mess
of EGL/glamor/LLVM that doesn't work yet.

So Radeon HD < 77xx, 8000 < Radeon HD < 85xx, Radeon R5 2xx should work.

Keeping in mind all the recent Radeon KMS work and the mesa update isn't
in 5.4 only -current.

5.4 only supports acceleration with up to R600/R700 class hardware, which
isn't possible to buy new anymore.



nvidia driver what do you recommend

2013-10-28 Thread Peter J. Philipp
I remember someone else writing to this list before saying the nvidia
driver is really slow.  I just upgraded my main workstation from 5.3 to
5.4 and it indeed is.

So I'm wondering what driver I should use because the choppiness of
moving windows is laughable, a sad kind of laugh.

Do you recommend I get an ATI/AMD card?  What sorts of models would you
recommend?

Thanks for any clue,

-peter



OpenBSD takes on a storm.

2013-10-28 Thread Robert Blacquiere
Hi,

My OpenBSD 5.4 just arrived. Today's weather forecast warned and gave code
Red for our country. But brave postmen still on their bikes delivered me
my shiny new OpenBSD 5.4 CD box. 

To all OpenBSD developers and postmen out there 

THANKS!!!

Robert



Re: RAID Crypt dual booting

2013-10-28 Thread Janne Johansson
2013/10/27 Predrag Punosevac 

>
> 3. Are there any strong opinions on CARP/pfsync vs RAID 1/altroot for
> firewall redundancy for small office use.
>
>

I really don't see how those two options would be pitted against each
other.

Most of the time I don't see the firewall rules as super secrets, the
effect of them on a firewall will mostly be detectable anyhow. If someone
gets to read them offline by stealing your FW and you miss the fact that one
of your carped firewalls is missing, you have other problems than "someone
read pf.conf on the stolen fw since I didn't encrypt the root fs".




-- 
May the most significant bit of your life be positive.