Securing communications with OpenBSD

2014-10-06 Thread C. L. Martinez
Hi all,

 I appeal to you to see if you can give me some advice. I need to
secure communications between my front-end and back-end servers.

 First, my infrastructure:


Internet --- Public OpenBSD Carp'ed fws --- FreeBSD front-end web
servers (https) --- Internal OpenBSD Carp'ed fws --- CentOS back-end
servers (http, tomcat and Oracle BBDD 11g).

 Between these back-end and front-end servers, packet average is 1000 pkt/sec.

 And as you can imagine, traffic between these back-end and front-end
servers goes in clear.

 I'm planning to deploy OpenBSD based servers between these back/front
end servers using these technologies, both or only one.


a) Establishing SSL tunnels.
b) Establishing IPSec tunnels host to host.

 I could establish tunnels using these servers directly, but I prefer
to avoid the processing and/or performance impact that would occur.

 And another thing: I need to secure comms between backend servers
also. Oracle BBDD hosts are installed in different hosts than tomcat
application servers, for example.


 Is my approach correct? Any other better solution? Is this approach stupid?

 Thanks.

P.S.: I can use cryptographic cards if I need them.



Re: xombrero crashes with 'Bus error'

2014-10-06 Thread Stefan Wollny
> Sent: Thursday, 02 October 2014 at 17:58
> From: Ville Valkonen weezeld...@gmail.com
> To: Stefan Wollny stefan.wol...@web.de
> Cc: misc@openbsd.org
> Subject: Re: xombrero crashes with 'Bus error'
> Hello Stefan,
> just shooting in the dark, do you have a dbus daemon running?
> Regards,
> Ville

Hi Ville,

sorry for replying late - I was off for a long weekend. And YES,
I had the dbus-daemon running.

Last night I reinstalled the system from the latest amd64-snapshot. I have not 
yet recovered to the state before but a quick try proved xombrero is running... 
but I have not yet reenabled the dbus-daemon. What's wrong with it???

Cheers,
STEFAN



pkg_add ruby 1.9.? non-interactive

2014-10-06 Thread Brad Brad
I'd like to use the same pkg_add command across multiple OpenBSD versions;
however, installing ruby brings up an interactive choice between 1.8, 1.9, 2.0
and 2.1.
I've tried the fuzzy match -z ruby-1.9, however it doesn't appear to match the
version.
This works, but it's not desirable if it can be done natively:

false | pkg_add ruby 2>&1 | perl -n -e 'print `pkg_add $&` if $_ =~ /ruby-1.9[\w\.]+/'

Thanks,
Brad



Re: cvs checkout: Corrupt MAC on input

2014-10-06 Thread Stefan Wollny
 

> Sent: Thursday, 02 October 2014 at 18:17
> From: Stuart Henderson s...@spacehopper.org
> To: misc@openbsd.org
> Subject: Re: cvs checkout: Corrupt MAC on input
> On 2014-10-02, Stefan Wollny stefan.wol...@web.de wrote:
>> Hi there!
>>
>> This morning I have had to reinstall my squid-server running
>> amd64-current from scratch (made a dump error...).
>>
>> OpenBSD 5.6-current (GENERIC.MP) #394: Wed Oct 1 12:54:54 MDT 2014
>> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> (Full dmesg at the end)
>>
>> When getting the sources from ftp.hostserver.de I noticed s.th. unpleasant:
>>
>> quote
>> U src/gnu/gcc/gcc/tree-ssa-forwprop.c
>> Corrupted MAC on input.
>> Disconnecting: Packet corrupt
>> cvs [checkout aborted]: end of file from server (consult above message
>> if any)
>> /quote
>
> This implies a packet that was corrupted, but still had a valid TCP
> checksum (otherwise SSH wouldn't have seen the packet at all).
>
> This can happen if a NIC has TCP checksum offloading, so it verifies
> the packet was OK at receipt, but there is some corruption between
> being received by the NIC and being processed by software.
>
> The most probable cause in that case is a hardware problem, though to
> see it on two different hosts at the same time would be highly unlikely.
>
> Another possibility might be if some router/nat box is somehow breaking
> the contents of packets and regenerating TCP checksums.
>
> Are you aware of any changes to hardware that might be common in the
> network path between both your squid server and laptop?

Hi Stuart,

sorry for replying late - I was off for a long weekend.

To answer your question - no, there have been no changes at all. It is the 
network in my home office so I know for sure.

Last night I reinstalled the laptop from the latest snapshots (#394) and to 
rule out some kind of 'hiccup' of the cable-modem, the router or the switches I 
power-cycled every instance. Even though I didn't see the error message 
originally reported I still was not able to get the source-tree by cvs: After a 
few seconds the system loses its network, entirely. A non-technical 
description of the impression I got is the system can't take the load by the 
sheer number of files received. (Of course I know this is not what a bug 
report should sound like... ;-) ) Calling 'netstat' or 'route' shows ... 
nothing! Both report the lack of any routes. This only happens with cvs, not 
with 'pkg_add'! The system won't reattach to the network by '/etc/netstart', I 
have to reboot to get the routes back up.

As others have reported issues with dhclient recently a first 'shot in the 
dark' would be that this is where a suspect is living...

I am not sure what to report exactly tonight as I am off from home in a boring 
hotel room. E.g. if the routes are lost again: What should I report?

Any hints?

Thank you!

STEFAN



Re: Securing communications with OpenBSD

2014-10-06 Thread Alan McKay
On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez carlopm...@gmail.com wrote:
> Is my approach correct? Any other better solution? Is this approach
> stupid?

You did not really state what your goal was.   Or what the problem is.

Securing communications between front and back end via SSH/SSL is
not a goal or problem.  It is a solution to a problem.

To me it seems a bit strange that you'd want to do this if they are all in the
same rack, for example, connected to switches that you control.

Is the goal just to make your infrastructure as secure as possible?

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Securing communications with OpenBSD

2014-10-06 Thread C. L. Martinez
On Mon, Oct 6, 2014 at 2:27 PM, Alan McKay alan.mc...@gmail.com wrote:
> On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez carlopm...@gmail.com wrote:
>> Is my approach correct? Any other better solution? Is this approach
>> stupid?
>
> You did not really state what your goal was.   Or what the problem is.
>
> Securing communications between front and back end via SSH/SSL is
> not a goal or problem.  It is a solution to a problem.
>
> To me it seems a bit strange that you'd want to do this if they are all in the
> same rack, for example, connected to switches that you control.
>
> Is the goal just to make your infrastructure as secure as possible?

Thanks Alan for your answer. Yes, my goal is to secure the
infrastructure as much as possible. Our IT Security Dept. has made a
request in that direction.



Re: quotas grace period none right away

2014-10-06 Thread Philip Guenther
On Wed, 1 Oct 2014, Otto Moerbeek wrote:
> On Tue, Sep 30, 2014 at 07:31:20PM +0200, Otto Moerbeek wrote:
>> On Tue, Sep 30, 2014 at 11:20:23AM -0500, Boris Goldberg wrote:
>>> Hello Otto,
>>>
>>> Wednesday, September 24, 2014, 2:36:58 PM, you wrote:
>>>
>>> OM> Try to come up with a reproducible test case, include all relevant
>>> OM> info and then we can investigate.
>>
>> I indeed see strange things on sparc64 more or less -current. Not
>> exactly what you are seeing, but for starters, edquota -t is giving me
>> what looks like uninitialized mem. I hope to find some time to
>> investigate further...
>>
>> -Otto
>
> There is indeed a bug in edquota -t in 5.5 and newer due to the time_t
> change, but that is unrelated to what you are seeing.

Poked at this last night and came up with this, eliminating the bogus 
casting from time_t* to int*.

Index: edquota.c
===
RCS file: /cvs/src/usr.sbin/edquota/edquota.c,v
retrieving revision 1.53
diff -u -p -r1.53 edquota.c
--- edquota.c   20 Jul 2014 01:38:40 -  1.53
+++ edquota.c   6 Oct 2014 15:34:24 -
@@ -77,7 +77,7 @@ int   readprivs(struct quotause *, int);
 intwritetimes(struct quotause *, int, int);
 intreadtimes(struct quotause *, int);
 char * cvtstoa(time_t);
-intcvtatos(time_t, char *, time_t *);
+intcvtatos(long long, char *, time_t *);
 void   freeprivs(struct quotause *);
 intalldigits(char *s);
 inthasquota(struct fstab *, int, char **);
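Review bot: the prototype change to `cvtatos(long long, char *, time_t *)` is only explained by the sscanf change further down in readtimes; a one-line comment at the declaration (the first parameter is the raw `%lld` value read from the edited file, not a time_t) would save the next reader from wondering why the input and output types differ.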
@@ -569,7 +569,8 @@ readtimes(struct quotause *quplist, int 
FILE *fp;
int cnt;
char *cp;
-   time_t itime, btime, iseconds, bseconds;
+   long long itime, btime;
+   time_t iseconds, bseconds;
char *fsp, bunits[10], iunits[10], line1[BUFSIZ];
 
lseek(infd, 0, SEEK_SET);
@@ -594,8 +595,8 @@ readtimes(struct quotause *quplist, int 
return(0);
}
cnt = sscanf(cp,
-block grace period: %d %9s file grace period: %d %9s,
-   (int *)btime, bunits, (int *)itime, iunits);
+block grace period: %lld %9s file grace period: %lld %9s,
+   btime, bunits, itime, iunits);
if (cnt != 4) {
warnx(%s:%s: bad format, fsp, cp);
return(0);
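Review bot: the `%lld` conversions fix the type mismatch, but nothing in readtimes validates what was parsed: a negative `btime` or `itime` from the edited file passes the `cnt != 4` check unchanged and is handed on to cvtatos. A sign check right after that block, e.g. `if (btime < 0 || itime < 0) { warnx("%s:%s: bad grace period", fsp, cp); return(0); }`, would reject it at the parse site, unless cvtatos already does so (not visible in this diff).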
@@ -639,19 +640,19 @@ cvtstoa(time_t time)
 
if (time % (24 * 60 * 60) == 0) {
time /= 24 * 60 * 60;
-   (void)snprintf(buf, sizeof buf, %d day%s, (int)time,
+   (void)snprintf(buf, sizeof buf, %lld day%s, (long long)time,
time == 1 ?  : s);
} else if (time % (60 * 60) == 0) {
time /= 60 * 60;
-   (void)snprintf(buf, sizeof buf, %d hour%s, (int)time,
+   (void)snprintf(buf, sizeof buf, %lld hour%s, (long long)time,
time == 1 ?  : s);
} else if (time % 60 == 0) {
time /= 60;
-   (void)snprintf(buf, sizeof buf, %d minute%s, (int)time,
-   time == 1 ?  : s);
+   (void)snprintf(buf, sizeof buf, %lld minute%s,
+   (long long)time, time == 1 ?  : s);
} else
-   (void)snprintf(buf, sizeof buf, %d second%s, (int)time,
-   time == 1 ?  : s);
+   (void)snprintf(buf, sizeof buf, %lld second%s,
+   (long long)time, time == 1 ?  : s);
return(buf);
 }
 
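Review bot: the four snprintf calls in cvtstoa differ only in the divisor and the unit name, which is why this hunk has to touch all of them for the `%d` to `%lld` change; a small table of `{ 24 * 60 * 60, "day" }, { 60 * 60, "hour" }, { 60, "minute" }, { 1, "second" }` walked in one loop would remove the duplication and keep the `time == 1 ? "" : "s"` pluralization in one place. The `(long long)time` cast paired with `%lld` is the right portable way to print a time_t.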
@@ -659,7 +660,7 @@ cvtstoa(time_t time)
  * Convert ASCII input times to seconds.
  */
 int
-cvtatos(time_t time, char *units, time_t *seconds)
+cvtatos(long long time, char *units, time_t *seconds)
 {
 
if (bcmp(units, second, 6) == 0)
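Review bot: with `time` now a `long long` taken straight from sscanf, cvtatos presumably scales it by the unit (days, hours, minutes) into `*seconds`, so a very large input can overflow signed arithmetic before it is stored; a range check at the top of the function (reject negative values and anything whose scaled product cannot fit a time_t) would close that. Separately, `bcmp(units, "second", 6)` compares exactly six bytes regardless of string length, which accepts `seconds` (presumably intended) but also compares bytes past the terminator of a shorter unit string; strncmp stops at the NUL.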



Re: quotas grace period none right away

2014-10-06 Thread Otto Moerbeek
Yeah. I have something similar in my tree. If -Wall is happy, so am I.

Does it explain the 5.4 problems, though?
I did not manage to reproduce those so far.

-Otto


> On 6 Oct 2014 at 17:38, Philip Guenther guent...@gmail.com
wrote:

 On Wed, 1 Oct 2014, Otto Moerbeek wrote:
 On Tue, Sep 30, 2014 at 07:31:20PM +0200, Otto Moerbeek wrote:

 On Tue, Sep 30, 2014 at 11:20:23AM -0500, Boris Goldberg wrote:

 Hello Otto,

 Wednesday, September 24, 2014, 2:36:58 PM, you wrote:

 OM Try to come up with a reproducible test case, include all relevant
 OM info and then we can investigate.

 I indeed see strange things on sparc64 more or less -current. Not
 exactly what you are seeing, but for starters, edquota -t is giving me
 what looks like uninitialized mem. I hope to find some time to
 investigate further...

-Otto

 There is indeed a bug in edquota -t in 5.5 and newer due to the time_t
 change, but that is unrelated to what you are seeing.

 Poked at this last night and came up with this, eliminating the bogus
 casting from time_t* to int*.

 Index: edquota.c
 ===
 RCS file: /cvs/src/usr.sbin/edquota/edquota.c,v
 retrieving revision 1.53
 diff -u -p -r1.53 edquota.c
 --- edquota.c20 Jul 2014 01:38:40 -1.53
 +++ edquota.c6 Oct 2014 15:34:24 -
 @@ -77,7 +77,7 @@ intreadprivs(struct quotause *, int);
 intwritetimes(struct quotause *, int, int);
 intreadtimes(struct quotause *, int);
 char *cvtstoa(time_t);
 -intcvtatos(time_t, char *, time_t *);
 +intcvtatos(long long, char *, time_t *);
 voidfreeprivs(struct quotause *);
 intalldigits(char *s);
 inthasquota(struct fstab *, int, char **);
 @@ -569,7 +569,8 @@ readtimes(struct quotause *quplist, int
FILE *fp;
int cnt;
char *cp;
 -time_t itime, btime, iseconds, bseconds;
 +long long itime, btime;
 +time_t iseconds, bseconds;
char *fsp, bunits[10], iunits[10], line1[BUFSIZ];

lseek(infd, 0, SEEK_SET);
 @@ -594,8 +595,8 @@ readtimes(struct quotause *quplist, int
return(0);
}
cnt = sscanf(cp,
 - block grace period: %d %9s file grace period: %d %9s,
 -(int *)btime, bunits, (int *)itime, iunits);
 + block grace period: %lld %9s file grace period: %lld %9s,
 +btime, bunits, itime, iunits);
if (cnt != 4) {
warnx(%s:%s: bad format, fsp, cp);
return(0);
 @@ -639,19 +640,19 @@ cvtstoa(time_t time)

if (time % (24 * 60 * 60) == 0) {
time /= 24 * 60 * 60;
 -(void)snprintf(buf, sizeof buf, %d day%s, (int)time,
 +(void)snprintf(buf, sizeof buf, %lld day%s, (long long)time,
time == 1 ?  : s);
} else if (time % (60 * 60) == 0) {
time /= 60 * 60;
 -(void)snprintf(buf, sizeof buf, %d hour%s, (int)time,
 +(void)snprintf(buf, sizeof buf, %lld hour%s, (long long)time,
time == 1 ?  : s);
} else if (time % 60 == 0) {
time /= 60;
 -(void)snprintf(buf, sizeof buf, %d minute%s, (int)time,
 -time == 1 ?  : s);
 +(void)snprintf(buf, sizeof buf, %lld minute%s,
 +(long long)time, time == 1 ?  : s);
} else
 -(void)snprintf(buf, sizeof buf, %d second%s, (int)time,
 -time == 1 ?  : s);
 +(void)snprintf(buf, sizeof buf, %lld second%s,
 +(long long)time, time == 1 ?  : s);
return(buf);
 }

 @@ -659,7 +660,7 @@ cvtstoa(time_t time)
  * Convert ASCII input times to seconds.
  */
 int
 -cvtatos(time_t time, char *units, time_t *seconds)
 +cvtatos(long long time, char *units, time_t *seconds)
 {

if (bcmp(units, second, 6) == 0)



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Matti Karnaattu
> Except it doesn't, server side code is more universal.

I strongly disagree.

On the server side there is a vast amount of different software stacks built
on top of the C library, and they are incompatible. Running PHP code on top of
a Java stack just doesn't work.

On the client side there has been, for several years, a huge shift where
~all client code runs on top of HTML/JS. And this is very remarkable
because client side code no longer cares what is below that
HTML/JS environment. The umbilical cord to the C language stack or OS is
cut off, and practically all major players in the IT industry are committed
to that.

Imagine that in the late nineties the whole IT industry had decided to cut off
all legacy and start to compile only Java byte code to the Java API. All
applications would work on every computer without recompiling, and the Java runtime
would remove hardware and OS dependency, isolating all applications in
sandboxes that restrict memory, disk space, filesystem access etc.

That would have been great, but Sun Microsystems withdrew from the
standardization process, Microsoft's implementation was totally
incompatible, and while Java was proprietary it was not accepted by open
source communities any more than by Sun Microsystems' competitors.

But now it is a totally new game. Javascript is a standard, there are open
source implementations and they are compatible. The world has changed so that
HTML/JS is the global standard for application frontends.

And then there are local 'standards', ecosystems, if there is a need to
make an exclusive application for Apple or something. These competing local
standards keep development running.

> Any idea how many noscript users there are amongst other filters and
> browsers like xombrero.

Maybe one in a thousand. These were more popular back when
computers were slow and browsers immature, something like 7 years ago.

In the past two years almost no one used these because applications don't
work without JS.

> Simple HTML5 features and CSS3 are welcome by me but even JIT for
> performance annoys me. I'd rather they fixed the bugs and memory leaks
> and let me use websites in style and confidence.

You can't create applications without JS. For example, think about how
mapping software is done with realtime pathfinding.

> If you had looked into browser vulnerabilities you would see that the
> *vast* majority even ones which do not mention that javascript is the
> issue can be avoided by disabling javascript or the issue is javascript
> related.

Disabling Javascript is like disabling the ability to run modern application
software. It is the same as if I just turn off the computer. It is then secured.

> If I want to run an even more complex app then I would much prefer to
> to do just that and run the web based dedicated application separately
> which any decent application needs anyway (application or plugin) and
> making it pointless bloat.

So it is better to download an unknown application binary when you
would like to see a map? And think about the effort to make that application for the
Android API, Cocoa, GTK+ 2, Qt and WinRT.

Or just make the application in HTML/JS so that it runs everywhere in a
sandbox without hassle. Portability matters.



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread L. V. Lammert
On Mon, 6 Oct 2014, Matti Karnaattu wrote:

> Disabling Javascript is like disabling ability to run modern application
> software. It is same if I just turn off computer. It is then secured.

Sorry, that is totally bogus! The **FIRST** thing one should do when
sitting down at a new browser is install NoScript [which is the most
important reason TO use Firefox] and CookieMonster, so you can SEE what JS
code is running and have the option to block individual sites.

I interpreted the comment to which you are referring as 'controlling' what
JS is running, so YOU have the choice as to whether to allow tracking code
(e.g. googleanalytics) or block.

As you state, it is *not* possible to use anything more than a basic
website without JS, however it *is* realistic and reasonable to *limit*
the cross-site JS code that is only there for the use of other third
parties.

Lee



Re: Securing communications with OpenBSD

2014-10-06 Thread Matti Karnaattu
> Yes, my goal is to secure the
> infrastructure as much as possible.

I don't know the details but it sounds overly complex. And complexity
may cause other issues, without any benefit for security.

For example, you don't have to encrypt your whole hard disk if the hard
disk is located in a guarded bunker. But if you do that, it will increase
security in theory but may cause a service outage if you
always have to type your crypto password locally when the machine crashes.

I would put this effort into ease of maintainability, ease of monitoring,
using a stateful firewall, deploying a honeypot etc. and avoiding complexity.



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 14:20, Matti Karnaattu wrote:
> I strongly disagree.
>
> In server side there is vast amount of different software stacks build
> top of C library and they are incompatible. Running PHP code top of
> Java stack just doesn't work.
But none of them *require* javascript to function.

> In client side, there has ongoing for several years a huge shift where
> ~all client code runs top of HTML/JS. And this is very remarkable
> because client side code doesn't any longer care what is below that
> HTML/JS environment. The umbilical cord for C language stack or OS is
> cut off, and practically all major players in IT-industry are committed
> for that.
Of course it's nice to have a standard on the browsers and they, almost,
always speak the same language. But there will always be an umbilical
cord with C. Even the almighty browser needs an OS to run on top of. I
don't see that changing in the near future.

> Imagine that if late nineties, whole IT industry has decided to cut off
> all legacy and start to compile only Java byte code to Java API. All
> applications work every computer without recompiling, and Java runtime
> removes hardware and OS dependency, isolating all applications to
> sandboxes that restrict memory, disk space, filesystem access etc.
>
> That would have been great, but Sun Microsystem withdraw from
> standardization process, Microsoft implementation was totally
> incompatible, and while Java was proprietary it was not accepted by open
> source communities any more than Sun Microsystem competitors.
It would never happen. Java isn't all that great and even if Sun painted
it gold, it would never take off. There is a reason why the web is
dominated by scripting languages these days. And the reason isn't that
Sun didn't push for standardization, or anything like that. It's because
Java sucks.

> But now, it is a totally new game. Javascript is standard, there is open
> source implementations and they are compatible. World is changed that
> HTML/JS is global standard for application frontends.
>
> And then there is local 'standards', ecosystems, if there is need to
> make exclusive application for Apple or something. These competing local
> standards keep development running.
On the web, everybody should speak the same language. And that's a good
thing. What is not a good thing is to have just one standard. That's
never good.
> Maybe one in thousand. These were more popular back then when
> computers were slow and browsers immature, something like 7 years ago.
>
> Past two years, almost no one used these because applications doesn't
> work without JS.
Well, if you take just the downloads of the tor browser alone, there are
a lot of people using noscript. You're speaking bullshit. Things are
turning in the opposite direction. Sites that enhance the privacy of
their users will get a competitive advantage.
> You can't create applications without JS. Example, think about how
> mapping software are done with realtime pathfinding.
Cosmetic things that aren't needed unless you're using a mobile browser;
even then, you would probably be using an app.
> Disabling Javascript is like disabling ability to run modern application
> software. It is same if I just turn off computer. It is then secured.
A great deal of what javascript is used for is to make cosmetic things pop
in your browser that you really don't need for getting what you need:
information. There are good uses of it of course, but it's not needed
for making a great application.
> So it is better to download unknown application binary from when you
> like to see map? And think about effort to make that application to
> Android API, Cocoa, GTK+ 2, Qt and WinRT.
Yes. It is better. It's made for that. The problem with javascript, that
we are pointing out and you're not listening to, is that you don't control
what is run. If I download a binary application, even if it's not ideal, I
can inspect what it's doing with debuggers, network capture, etc. It's
not the best thing, but you can, if you want to. With JS when I go to a
site, they start pulling third party scripts, that pull others, and
others. And it's a nightmare to see what's happening.

> Or, just make application to HTML/JS and that run everywhere in
> sandbox without hassle. Portability matters.
That's the job of the browser, and things are headed that way. But until
we get there, I'll keep using noscript.

Cheers,

[demime 1.01d removed an attachment of type application/pkcs7-signature which 
had a name of smime.p7s]



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Matti Karnaattu
> however it *is* realistic and reasonable to *limit*
> the cross-site JS code that is only there for the use of other third
> parties.

I agree. I filter crap away too. Javascript itself is not the problem.



Re: Securing communications with OpenBSD

2014-10-06 Thread chester . t . field
Very true, filling your subterranean data server with angry hornets
certainly seems like a good idea but it's really not, most AC 
maintenance contractors will charge you extra (usually per sting!).

Chester T. Field

And remember when I left all the meat out because I saw Mr. David Lynch “I’m on 
TV” do it, 
and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ 
it?  - Gandhi 

On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:

>> Yes, my goal is to secure the
>> infrastructure as much as possible.
>
> I don't know details but it sounds overly complex. And complexity
> may cause other issues, without any benefit for security.
>
> Example, you don't have to encrypt your whole hard disk if the hard
> disk is located in guarded bunker. But if you do that, it will increase
> security in theory but that may cause service outage if you have to
> always locally type your crypt password if machine crashes.
>
> I would put this effort to ease maintainability, ease monitoring,
> use stateful firewall, deploy honeypot etc. and avoid complexity.



Re: Securing communications with OpenBSD

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 16:36, Matti Karnaattu wrote:
> I don't know details but it sounds overly complex. And complexity
> may cause other issues, without any benefit for security.
>
> Example, you don't have to encrypt your whole hard disk if the hard
> disk is located in guarded bunker. But if you do that, it will increase
> security in theory but that may cause service outage if you have to
> always locally type your crypt password if machine crashes.
You pretty much always want to encrypt your drive these days.

> I would put this effort to ease maintainability, ease monitoring,
> use stateful firewall, deploy honeypot etc. and avoid complexity.

Traffic in the clear, even on a switch controlled by you, doesn't mean
that anyone with physical access couldn't tap into your switch and see
the traffic. There are simple vpn solutions. OP, take a look at iked and
OpenVPN. I believe that these two are the most indicated for your case.

Cheers,

[demime 1.01d removed an attachment of type application/pkcs7-signature which 
had a name of smime.p7s]



Re: Securing communications with OpenBSD

2014-10-06 Thread Alan McKay
On Mon, Oct 6, 2014 at 4:17 PM, Giancarlo Razzolini
grazzol...@gmail.com wrote:
> Traffic in the clear, even on a switch controlled by you, doesn't mean
> that anyone with physical access couldn't tap into your switch and see
> the traffic.

Which is why you need to lock down the switch as well.
Password protected.  Disable all unused ports.
Have some kind of MAC detection to detect and alert unknown MACs
(e.g. infoblox or something home rolled - not that difficult)

Good security is also a matter of the policies and procedures you
have in place.  Who has root access?  How do they access root?
(sudo is best - and log it all).  Is there a change management
policy and procedure?


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food
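The "home rolled" unknown-MAC detection Alan mentions can be a short shell script run from cron. The following is an added example, not code from the thread or from any OpenBSD tool: it compares the MAC addresses in an ARP table against an allowlist of known hosts and reports strangers. The allowlist format (one `mac label` per line), the function names and the sample data are assumptions; the sample ARP lines follow the column layout of OpenBSD arp(8) plus the `? (ip) at mac on ifn` style some other systems print, and both are handled by scanning each line for a MAC-shaped field.

```shell
#!/bin/sh
# Added example: minimal unknown-MAC detector (not from the thread).
# Compares MACs seen in an ARP table against an allowlist and reports
# any address not on the list. All names and sample data are constructed.

# Constructed allowlist: one known MAC per line, followed by a label.
KNOWN_MACS='00:11:22:33:44:55 fw-carp-master
00:11:22:33:44:66 web-frontend-1
aa:bb:cc:dd:ee:01 tomcat-backend-1'

# Constructed ARP table mixing the OpenBSD column style and the
# "? (ip) at mac on ifn" style; two entries are deliberately unknown.
SAMPLE_ARP='Host                                 Ethernet Address   Netif Expire     Flags
192.168.10.1                         00:11:22:33:44:55  em0   permanent  l
192.168.10.11                        00:11:22:33:44:66  em0   19m57s
192.168.10.99                        de:ad:be:ef:00:01  em0   3m12s
? (192.168.20.5) at aa:bb:cc:dd:ee:01 on em1 expires in 1191 seconds
? (192.168.20.77) at AA:BB:CC:DD:EE:FF on em1 expires in 1150 seconds'

# unknown_macs ALLOWLIST ARP_TEXT
# Prints "ip mac" for every ARP entry whose MAC is not in the allowlist.
# Matching is case-insensitive; lines without a MAC-shaped field
# (the header, malformed lines) are skipped.
unknown_macs() {
    printf '%s\n' "$2" | awk -v known="$1" '
    BEGIN {
        hex = "[0-9a-fA-F][0-9a-fA-F]"
        macre = "^" hex ":" hex ":" hex ":" hex ":" hex ":" hex "$"
        # Load the allowlist into a lookup table keyed by lowercase MAC.
        n = split(known, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[1] != "") allow[tolower(f[1])] = 1
        }
    }
    {
        mac = ""
        for (i = 1; i <= NF; i++) if ($i ~ macre) { mac = tolower($i); break }
        if (mac == "") next
        ip = $1
        if (ip == "?") ip = $2          # "? (ip) at mac" style
        gsub(/[()]/, "", ip)
        if (!(mac in allow)) print ip, mac
    }'
}

# alert_unknown ALLOWLIST ARP_TEXT
# Returns 0 when every MAC is known, 1 otherwise. Each stranger is written
# to stderr and, where logger(1) exists, to syslog under the tag "macwatch".
alert_unknown() {
    strangers=$(unknown_macs "$1" "$2")
    [ -z "$strangers" ] && return 0
    printf '%s\n' "$strangers" | while read -r ip mac; do
        msg="unknown MAC $mac seen for $ip"
        if command -v logger >/dev/null 2>&1; then
            logger -t macwatch "$msg" 2>/dev/null || :
        fi
        printf 'ALERT: %s\n' "$msg" >&2
    done
    return 1
}

# Run against the constructed sample when executed directly.
unknown_macs "$KNOWN_MACS" "$SAMPLE_ARP"
```

On a live host the same functions would be fed `arp -an` output and an allowlist file, e.g. `alert_unknown "$(cat /etc/macwatch.allow)" "$(arp -an)"` from cron; the non-zero exit status lets a wrapper page someone. It only sees hosts the firewall has recently talked to, so it complements, rather than replaces, port security on the switch itself.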



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Matti Karnaattu
> But none of them require javascript to function.

Node.js

> What is not a good thing is to have just one standard. That's never
> good.

And this is the current status. Apple, Canonical, Google and Microsoft are
pushing their own competing front end ecosystems. And there is still
HTML/JS which is portable.

I see the current situation as very ideal.

> A great deal in which javascript is used is to make cosmetic things pop
> in your browser that you really doesn't need for getting what you need:
> information.

Not all applications are for that. Let's say, numerical analysis software,
video conferencing, electrical planning software.. or how about an IDE with
realtime code analysis?

It is very useful to see bugs while I write code without needing to
compile. It is even useful in word processing to have real time spell
checking.

These are not just cosmetic things.

> The problem with javascript, that we are pointing and you're not listening,
> is that you don't control what is run.

Of course I control it. It is very possible to whitelist / blacklist
domains. It is possible to limit all scripts to be launched from the same
trusted domain where I launch the application. It is possible to install the
whole application on my own server if I want. It is possible to put the whole
application instance in a sandbox and require permission for the camera, or
limit memory usage. All data the client sends can be controlled and monitored.

From a security point of view, whoever manages the server can't control what
happens on the client side. The client is always untrusted and input needs to
be checked. The client however can't control what happens on the server. The
client has to trust the server where data is sent. Everything else can be
controlled.

> even then, you would probably be using an app.

And JS is for making apps.



ntpd -s via ssh remote command 'hangs'

2014-10-06 Thread Tor Houghton
Hi,

Dumb question: I'm running 'sudo ntpd -s' as part of a remote command to an
OpenBSD guest[*]; unless I add a 'pkill sshd' to the end of the remote
command, e.g.

  ssh guesthost 'sudo pkill -9 ntpd && sudo ntpd -s && date && pkill sshd'

the ssh connection won't disconnect. Why is this ('sudo ntpd -s' by itself,
in a shell, returns a prompt)?

Regards,

Tor

* Yep, it's a clunky work-around for resetting the guest's clock after
VirtualBox startvm'ing a savestate'd guest (perhaps there is a better way?
:-})



Re: Firewall: Where is the bottleneck?

2014-10-06 Thread jummo4

Hi Ville,

What I read on the Internet so far about states [1]: the memory counter 
shows how often pf tried to insert a state but failed. The reason could be 
a hard limit on state entries.


I watched the memory counter this afternoon and it didn't increase; it is 
still at 8764.



pfctl -s memory

states         hard limit  1
src-nodes      hard limit  1
frags          hard limit  5000
tables         hard limit  1000
table-entries  hard limit  20


systat

Sorry for pastebin link [2], but the formatting is broken inside a mail

Best Regards,
Patrick

[1] http://www.packetmischief.ca/2011/02/17/hitting-the-pf-state-table-limit/
[2] http://pastebin.com/CnfEZDE9


On Fri, 3 Oct 2014, Ville Valkonen wrote:

> On 3 October 2014 11:11, Ville Valkonen weezeld...@gmail.com wrote:
>> On 2 October 2014 23:36,  jum...@yahoo.de wrote:
>>> $ sysctl kern.netlivelocks
>>>
>>> kern.netlivelocks=2
>>>
>>> What does this mean? I found something like a deadlock, when two processes
>>> block each other, am I right?
>>
>> This is useful information specially under the load. I don't have the
>> source code available at the moment but as far as I know/remember it
>> tells how much interrupts network devices create (this is likely
>> wrong, don't take it as a fact. And please, someone correct me).
>>
>>>> and interrupt statistics (by systat for example) would be helpful.
>>>
>>> You mean during peak load. I will send it on Monday.
>>
>> Yes, that's correct. Sorry for not mentioning this in the first mail.
>>
>> btw. if you could yet provide this information it would be great:
>> $ sudo pfctl -sa |grep -A 5 LIMITS
>
> Correction: rather use pfctl -s memory
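Patrick's diagnosis (the `memory` counter climbs when pf fails to insert a state, typically because the states hard limit was hit) is the kind of thing worth checking from cron rather than by eye. The following is an added example, not code from the thread or from pf itself: it reads the current state count and the `memory` counter from `pfctl -si`-style output, the states hard limit from `pfctl -s memory`-style output, and warns when usage crosses a threshold or the counter has grown since the last run. The column layout of the two samples follows pfctl(8), but the numbers are invented and the function names are ours.

```shell
#!/bin/sh
# Added example: pf state-table pressure check (not from the thread).
# Parses constructed pfctl -si / pfctl -s memory output; all numbers are invented.

SAMPLE_INFO='Status: Enabled for 0 days 05:12:43           Debug: err

State Table                          Total             Rate
  current entries                     9650
  searches                        12345678          650.2/s
  inserts                           480000           25.3/s
  removals                          470350           24.8/s
Counters
  match                             500000           26.4/s
  bad-offset                             0            0.0/s
  fragment                              12            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                              8764            0.0/s
  bad-timestamp                          0            0.0/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# pf_counter NAME INFO_TEXT: total column of a one-word counter line.
pf_counter() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name { print $2; exit }'
}

# pf_current_states INFO_TEXT: the "current entries" value of the state table.
pf_current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# pf_hard_limit NAME MEMORY_TEXT: hard limit for a pool (states, frags, ...).
pf_hard_limit() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name && $2 == "hard" { print $4; exit }'
}

# pf_state_usage INFO_TEXT MEMORY_TEXT: integer percent of the states limit in use.
pf_state_usage() {
    cur=$(pf_current_states "$1")
    lim=$(pf_hard_limit states "$2")
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# pf_check INFO_TEXT MEMORY_TEXT PREV_MEMORY_COUNTER THRESHOLD_PERCENT
# Exit status: 0 healthy, 1 usage at/above threshold, 2 memory counter grew
# (state inserts are failing), 3 output could not be parsed.
pf_check() {
    usage=$(pf_state_usage "$1" "$2") || return 3
    mem=$(pf_counter memory "$1")
    rc=0
    if [ "$usage" -ge "$4" ]; then
        echo "WARN: state table at ${usage}% of hard limit"
        rc=1
    fi
    if [ -n "$mem" ] && [ "$mem" -gt "$3" ]; then
        echo "WARN: pf memory counter grew from $3 to $mem (state inserts failing)"
        rc=2
    fi
    return $rc
}

# Demonstration on the constructed sample: 96% used, counter unchanged since 8764.
pf_check "$SAMPLE_INFO" "$SAMPLE_MEMORY" 8764 90 || echo "exit status $?"
```

On a real firewall the call would be `pf_check "$(pfctl -si)" "$(pfctl -s memory)" "$(cat /var/db/pf_mem_prev 2>/dev/null || echo 0)" 90`, run as root from cron, with the current `memory` counter written back to the state file afterwards so the next run can see growth. A usage warning well before 100% gives time to raise `set limit states` in pf.conf, while a growing `memory` counter at modest usage points at a different cause.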




Re: Securing communications with OpenBSD

2014-10-06 Thread Duncan Patton a Campbell
The most basic consideration in computer security has nothing to
do with technology and computers.  Do the people you need to keep
out of the know need to know enough to come and break legs?  

If so, don't bother encrypting.  They may not just break legs.

Dhu

On Mon, 06 Oct 2014 13:48:33 -0600
chester.t.fi...@hushmail.com wrote:

> Very true, filling your subterranean data server with angry hornets
> certainly seems like a good idea but it's really not, most AC
> maintenance contractors will charge you extra (usually per sting!).
>
> Chester T. Field
>
> And remember when I left all the meat out because I saw Mr. David Lynch “I’m
> on TV” do it,
> and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’
> it?  - Gandhi
>
> On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:
>
>>> Yes, my goal is to secure the
>>> infrastructure as much as possible.
>>
>> I don't know details but it sounds overly complex. And complexity
>> may cause other issues, without any benefit for security.
>>
>> Example, you don't have to encrypt your whole hard disk if the hard
>> disk is located in guarded bunker. But if you do that, it will increase
>> security in theory but that may cause service outage if you have to
>> always locally type your crypt password if machine crashes.
>>
>> I would put this effort to ease maintainability, ease monitoring,
>> use stateful firewall, deploy honeypot etc. and avoid complexity.
 
 


-- 
Ne obliviscaris, vix ea nostra voco.



combination of ssh port fowarding and pf redirection

2014-10-06 Thread stan
I have a pf configuration which correctly forwards external connections to
port 5432 on a machine on the inside. I am trying to set up a machine on the
outside to use ssh port forwarding to send packets to port 5432 on the
machine running pf (firewall). Here is my ssh command line:

ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N

I keep getting errors in auth.log about failure to connect on that port.

Any idea what I am doing wrong?



-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 17:48, Matti Karnaattu wrote:
 Node.js
I've used it, and there is too much hype about it. It has it's uses, but
can be replaced with other non javascript technologies, at least from
the server side.
 And this is current status. Apple, Canonical, Google and Microsoft
 pushing their own competing front end ecosystems. And there is still
 HTML/JS which is portable.

 I see current situation very ideal.
If any of these end up being better than JS, I don't see any reason not
to use them.
 Not all applications are for that. Let's say, numerical analysis software,
 video conferencing, electrical planning software..  or how about IDE with
 realtime code analysis?
I said a great deal is for it. Of course not all of them. But, the
examples you gave aren't the best ones. I prefer to use a desktop
application for those instead of running them from my browser. Just saying.

 It is very useful to see bugs while I write code without need to
 compile. It is even useful in Word Processing to have real time spell
 checking.

 These are not just cosmetic things.
That's why you have scripting languages. Javascript is just another one
that happens to be the *only* one in the client side.
 Of course I control. It is very possible to white list / black list
 domains. It is possible to limit all scripts to be launched from the same
 trusted domain where I launch the application. It is possible to install
 the whole application to my own server if I want. It is possible to put
 the whole application instance to a sandbox and require permission to
 camera, or limit memory usage. All data the client sends is possible to
 control and monitor.
Well, this thread started because the OP not only controls what JS he
opens in his browser, but he do not allow any. We already established
that you can control, and allow or not it. The main issues are, the huge
potential for misuse and the plethora of JS that tag along when you open
a site and it starts pulling scripts from third parties, most of the
time, not even encrypted.

 In security point of view, who manages server can't control what happens
 in client side.
Not always true.
   Client is always untrusted and input needs to be checked.
This goes without saying. I go even further, you *always* should check
your inputs, even software that run only on the server side.
   Client
 however can't control what happens in server.
Also, not always true.
   Client have to trust
 server where data is send.
The main point of this discussion. The internet is the most hostile
environment possible. The browser, which acts in your behalf, shouldn't
*have* to trust whichever the server sends and run it unrestricted. This
design is flawed.
   Everything else can be controlled.
Biggest bullshit you wrote in this entire thread.
 And JS is for making app.
But it's not the *only* option. This is one of the greatest points of
mobile apps. You can choose how to do things. Even on the apple world,
which is way more restricted than the android one.

Cheers




Re: ntpd -s via ssh remote command 'hangs'

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 18:09, Tor Houghton wrote:
 Hi,

 Dumb question: I'm running 'sudo ntpd -s' as part of a remote command to an
 OpenBSD guest[*]; unless I add a 'pkill sshd' to the end of the remote
 command, e.g.

ssh guesthost 'sudo pkill -9 ntpd && sudo ntpd -s && date && pkill sshd'

 the ssh connection won't disconnect. Why is this ('sudo ntpd -s' by itself,
 in a shell, returns a prompt)?

 Regards,

 Tor

 * Yep, it's a clunky work-around for resetting the guest's clock after
 VirtualBox startvm'ing a savestate'd guest (perhaps there is a better way?
 :-})

You have lots of options. You can install the virtualbox guest additions
(as far as I know OpenBSD doesn't have them) if your machine is linux.
But in your case, instead of using ntpd, you could run an ntpd on your vm
host and in your guest you should run the rdate(8) command. It will not
daemonize itself, it will just set the clock (or not) and exit. You
could even run it at machine start, just put it in
/etc/rc.conf.local.

Cheers,




Re: combination of ssh port fowarding and pf redirection

2014-10-06 Thread stan
BTW here is the error message from auth.log

authlog:Oct  6 13:40:45 phfw1 sshd[13604]: error: connect to phfw1 port
5432 failed: Connection refused

On Mon, Oct 06, 2014 at 07:59:10PM -0400, stan wrote:
 I have a pf configuration which correctly forwards external connections to
 port 5432 on a machine on the inside. I am trying to set up a machine on the
 outside to use ssh port forwarding to send packets to port 5432 on the
 machine running pf (firewall). Here is my ssh command line:
 
 ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N
 
 I keep getting errors in auth.log about failure to connect on that port.
 
 Any idea what I am doing wrong?
 
 
 
 -- 
 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?
 A: Top-posting.
 Q: What is the most annoying thing in e-mail?
 

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: combination of ssh port fowarding and pf redirection

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 20:59, stan wrote:
 I have a pf configuration which correctly forwards external connections to
 port 5432 on a machine on the inside. I am trying to set up a machine on the
 outside to use ssh port forwarding to send packets to port 5432 on the
 machine running pf (firewall). Here is my ssh command line:

 ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N

 I keep getting errors in auth.log about failure to connect on that port.

 Any idea what I am doing wrong?



Very confusing. But if I understood correctly, you are trying to make a
tcp port on a machine behind your firewall available to others in your
internal lan, right? Well, for starters, I wouldn't use dns
names on the port forwarding part. It's prone to errors, not to mention
the fact that you'll get confused whether the name is resolved locally or
remotely. But it's remote, IIRC. In your case, you need to add your ip
address to the forwarding. In your case, it would become:

-L LOCAL IP:6030:REMOTE SIDE IP:5432

If it's not this that you want, please clarify.

Cheers,




Re: ntpd -s via ssh remote command 'hangs'

2014-10-06 Thread Philip Guenther
On Mon, Oct 6, 2014 at 2:09 PM, Tor Houghton t...@bogus.net wrote:
 Hi,

 Dumb question: I'm running 'sudo ntpd -s' as part of a remote command to an
 OpenBSD guest[*]; unless I add a 'pkill sshd' to the end of the remote
 command, e.g.

   ssh guesthost 'sudo pkill -9 ntpd && sudo ntpd -s && date && pkill sshd'

 the ssh connection won't disconnect. Why is this ('sudo ntpd -s' by itself,
 in a shell, returns a prompt)?

By itself, one of the ntpd daemons will keep open the stdin/out/err it
was started with, which in this case will be the pipe or tty created
by the ssh server.

The easiest solution (if there isn't a virtualbox toolset) is to use
the rc.d framework, which will handle the fds:
ssh guesthost '/etc/rc.d/ntpd restart'

and put the -s in ntpd_flags in rc.conf.local


Philip Guenther
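Why the remote command waits, as an added shell example that is not part of the thread: a pipe reader gets EOF only when every writer has closed it, so a backgrounded process that keeps the inherited stdout (as ntpd did here) keeps ssh waiting; redirecting its fds, which is what the rc.d framework does for you, lets the session end at once. `fake_daemon` below is a constructed stand-in for such a daemon.

```sh
#!/bin/sh
# Added example, not from the thread. fake_daemon is a constructed stand-in
# for a program that goes to the background but keeps the fds it inherited;
# it simply sleeps for $1 seconds as a background job.
fake_daemon() {
    sleep "$1" &
}

# run_leaky: the background job inherits the subshell's stdout, which is the
# write end of the pipe. cat only returns when that pipe hits EOF, i.e. when
# the sleeper exits. This is the "hang" seen over ssh.
run_leaky() {
    ( fake_daemon "$1"; echo started ) | cat
}

# run_detached: the background job gets /dev/null for stdin/stdout/stderr, so
# the pipe's only writer is the subshell itself, and cat sees EOF as soon as
# the subshell exits. This is what rc.d-style fd handling gives you.
run_detached() {
    ( fake_daemon "$1" >/dev/null 2>&1 </dev/null; echo started ) | cat
}

# elapsed_seconds: wall-clock seconds taken by the given function and its
# arguments, so the two behaviours can be compared numerically.
elapsed_seconds() {
    start=$(date +%s)
    "$@" >/dev/null
    end=$(date +%s)
    echo $((end - start))
}
```

Running `elapsed_seconds run_leaky 2` blocks for the full two seconds while `elapsed_seconds run_detached 2` returns immediately; the leaky variant is the one that keeps an ssh session open.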



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Theo de Raadt
Great conversation...

Somehow you guys spend all your time whining about complicated deep
technologies like Java / Javascript -- condemning them for their nasty
complexity -- but at the same time using the conversation to hurt people
trying to build something simpler.

Who do you work for?  Governments?



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Matti Karnaattu
You mean, there is _legislation_ on how to write software?

Some industries, yes. But this is not related to JS.

Practically whole IT-industry supports JS. If you like to do portable
application programming, you have to write JS or compile your
code to JS if you want to get that working everywhere.

You mean, unlike C?

Write graphical application, Hello World is enough, that should
work on all desktops, workstations, tablet, pocket/phone and
game console. It must work all supported versions and all HW
architectures. End users must not need to compile code. Just run
ready software.

Now, do you see why C isn't portable by today standards?

Your browser is written in what language exactly?

Application programmer doesn't need to know anything below browser.
It is very strong interface. Something like libc. When someone writes
some command line tool, there is no need to know what is below libc.

Running PHP code top of Java stack?
What on earth are you talking about?

Portable application source is JS or compiled to JS (from Coffeescript,
Typescript etc.). There is libraries and frameworks but they all run top
of browser where everything is JS.

In server side, below is libc and top of that there is Ruby, Java, C#,
Python, PHP, C, C++, node.js etc. software stacks. And there is often
code mixed from other software stacks and all those stacks of course
are running.

Browsers are getting slower all the time.

Bullshit. Try this: http://peacekeeper.futuremark.com

Newer browsers run software faster. Ancient browsers may even fail
tests.

Wah have had it for decades.

There were JS applications made ten years ago, yes.

It matured 2009 or something to be very usable. Before it was slow, buggy,
some browsers were limited and it required much effort to make the crap
working. In past year, JS technology is matured to that level there
isn't much limitations any more.

You really _are_ trolling, right?

I'm not. You just can't practically make portable application without JS
or language that is compiled to JS. I think that is the biggest industry
changing trend what is caused by iPhone. Before that, there was libc and
some nice library like GTK+ or some other, you can write software that can
compile and run about everywhere. Then Steve pulled iPhone from
jeans pocket, iPhone was very closed ecosystem, useful and popular and
changed application programming.

You are very ignorant if you didn't notice that. Did you notice that
Google, Microsoft and Canonical began to do the same?

It also matters when over 99% of frontends are from these companies +
game consoles too, which have always been restricted. It is impossible
to application programmer to ignore that. Especially when everyone seems
to be dropping out, deprecating or put second-class citizen status those
technologies that makes possible to write easily portable software
without JS. Example:

-Apple has removed X from Mac OS
-Both Red Hat and Canonical seem to be abandoning X
-Microsoft is starting to upgrade OS once a year or something and
advertise unified OS. In Windows 8,
all but WinRT and HTML5 apps works terribly.
-Microsoft restricted new WinRT API to Microsoft store
-Apple has deprecated Carbon
-Those application stores are under control

Simply, application programmer is pushed to JS stack if you want to make
application portable, so that it also has a continuity. You never know
when Win32, or some other backbone is dropped or it is available only in
some embedded edition. It is also realized by Qt, because  QML can run
top of runtime, in environment where you just can't compile C++ for some
reason.

Of course it doesn't matter if application doesn't have to be portable.
Just write C# for WinRT or C for OpenBSD + GTK+3 and be happy.



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Theo de Raadt
I think Matti is a government plant, or quite high in industry.
Please people, ignore him.



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Theo de Raadt
 I think Matti is a government plant, or quite high in industry.
 Please people, ignore him.

Let me explain Matti to you:

1. first I break your chmod.
2. Oh you won't fall for that.  bummer
3. next I convince you that JS is good.
4. While there, convince everyone Theo is the reason JS is everywhere.

Either he's a plant, or you are all stupid.



We can't all be this stupid, and I have never been responsible for
any of your actions -- even if you fall for a person on a @gmail.com
account like that.

He got a fake Finnish name, but I bet he lives in the US or UK!



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 22:09, Theo de Raadt wrote:
 He got a fake Finnish name, but I bet he lives in the US or UK!
 From the e-mail headers, US. Don't worry Theo, I won't be feeding the
troll any further. Just don't like stupid people spreading
misinformation. Others might believe it.




Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Brad Smith

On 06/10/14 9:01 PM, Matti Karnaattu wrote:

Browsers are getting slower all the time.


Bullshit. Try this: http://peacekeeper.futuremark.com


Actually it isn't bullshit. It is the truth. You just fail to understand
what he means.


Newer browsers run software faster. Ancient browsers may even fail
tests.


and yet browsers on some of my systems run software slower and each
release is getting slower and slower. There is no good reason a quad
core system with 6GB of RAM should run a browser like its molasses on
a cold winter day, but that's the way it is with the bloated ass crap
we have called web browsers.




Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Theo de Raadt
 On 06-10-2014 22:09, Theo de Raadt wrote:
  He got a fake Finnish name, but I bet he lives in the US or UK!
  From the e-mail headers, US. Don't worry Theo, I won't be feeding the
 troll any further. Just don't like stupid people spreading
 misinformation. Others might believe it.

And you are UK or US as well.  Nice Italian name, but you are likely
part of the same parcel.  Thanks for replying so fast!



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Matti Karnaattu
If any of these end up being better than JS,
I don't see any reason not to use them.

I think everyone of these are better if you don't care about portability.

I prefer to use a desktop application for those instead
of running them from my browser. Just saying.

There isn't much new desktop applications done lately, except for web..

I have my data in my servers, but I would like if I can manipulate everything
directly with web interface in my network. That would be clean architecture.

you always should check your inputs,
even software that run only on the server side.

Sure. I even employ DbC in my functions too..



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 22:23, Theo de Raadt wrote:
 And you are UK or US as well.  Nice Italian name, but you are likely
 part of the same parcel.  Thanks for replying so fast!
Hahahahha. Brazilian Theo. Italian descendent. You can check my headers
and you'll see. Don't be so paranoid. And I'm not feeding the troll any
further, don't worry.




Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Theo de Raadt
 On 06-10-2014 22:23, Theo de Raadt wrote:
  And you are UK or US as well.  Nice Italian name, but you are likely
  part of the same parcel.  Thanks for replying so fast!
 Hahahahha. Brazilian Theo. Italian descendent. You can check my headers
 and you'll see. Don't be so paranoid. And I'm not feeding the troll any
 further, don't worry.

You are the troll; he is the plant.



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Theo de Raadt
 On 06-10-2014 22:23, Theo de Raadt wrote:
  And you are UK or US as well.  Nice Italian name, but you are likely
  part of the same parcel.  Thanks for replying so fast!
 Hahahahha. Brazilian Theo. Italian descendent. You can check my headers
 and you'll see. Don't be so paranoid. And I'm not feeding the troll any
 further, don't worry.

I love this conversation.

Hey don't trust OpenBSD, because the new (outsourced) store uses Javascript.

But trust Matti and Giancarlo's email headers.

The conversation is not ludicrous.  Matti and Giancarlo are either
stupid, or they work for someone who wants to fool everyone.

Giancarlo, you are really special to me.



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 22:31, Theo de Raadt wrote:
 You are the troll; he is the plant.

All right. Will end the discussion now. Just rest assured I'm not
working for any government agency or big IT enterprise and do not have any
hidden agenda.

Bye




OT: Old version of CD still available

2014-10-06 Thread Daniel Ouellet
Hi,

I know a few months back the information for the retirement of Austin
was sent and as such many things are not available anymore.

But sometimes money does not always come at the right time and life gets you
busy, putting old habits on hold for a while.

So, I wonder if it is possible somehow or somewhere to get the earlier
DVD release still?

My collection has holes in it. I have all of them from when I started
(2.7), but now I am sadly missing 4.9 to 5.5 (4.9 and 5.0 are lost) and
wonder if I can catch up with it.

Puffy fell sadly on the shelf. I wanted to do it before it was too late,
but life got its turn on me and time flies and now I am looking to catch
up if at all possible.

Sorry Theo, if that's gone for good, then I will forget it, but if not,
any clue where or if it's possible to do?

I am truly sorry to ask as I know too well it's too late, but I thought
to do so anyway just in case.

Best,

Daniel

PS: No need to make this into another JavaScript thread please! (: Just
yes or no is fine really and if yes, how?



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 22:37, Theo de Raadt wrote:
 I love this conversation.

 Hey don't trust OpenBSD, because the new (outsourced) store uses
Javascript.
Never, in any moment in the thread I said that the store shouldn't be
trusted.
 But trust Matti and Giancarlo's email headers.
While we are at it, why should I trust that you're really Theo?

 The conversation is not ludicrous.  Matti and Giancarlo are either
 stupid, or they work for someone who wants to fool everyone.
Only speaking for myself here, but neither of the options.

 Giancarlo, you are really special to me.

You too Theo.




Re: OT: Old version of CD still available

2014-10-06 Thread Daniel Ouellet
Actually 4.8 to 5.4 included are missing.

Just getting too old and tired to think straight.

My son got me the 5.5, good boy! (: He learned well...

Anyway still the same question.


On 10/6/14 9:39 PM, Daniel Ouellet wrote:
 Hi,
 
 I know a few months back the information for the retirement of Austin
 was sent and as such many things are not available anymore.
 
 But sometimes money does not always come at the right time and life gets you
 busy, putting old habits on hold for a while.
 
 So, I wonder if it is possible somehow or somewhere to get the earlier
 DVD release still?
 
 My collection has holes in it. I have all of them from when I started
 (2.7), but now I am sadly missing 4.9 to 5.5 (4.9 and 5.0 are lost) and
 wonder if I can catch up with it.
 
 Puffy fell sadly on the shelf. I wanted to do it before it was too late,
 but life got its turn on me and time flies and now I am looking to catch
 up if at all possible.
 
 Sorry Theo, if that's gone for good, then I will forget it, but if not,
 any clue where or if it's possible to do?
 
 I am truly sorry to ask as I know too well it's too late, but I thought
 to do so anyway just in case.
 
 Best,
 
 Daniel
 
 PS: No need to make this into another JavaScript thread please! (: Just
 yes or no is fine really and if yes, how?



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Matti Karnaattu
but at the same time using the conversation to hurt people trying to
build something simpler.

It is not meant to hurt anyone.

Optimal complexity is when there is nothing you like to add and nothing
you like to remove.

It is just that sometimes happens event called disruptive innovation.

When it happens, it is good to sit down and think, why that happened and
why I was so stupid to not to realize that myself, because there are
some good reasons always what make that event possible. It is also
stupid to ignore that event ever happened.

I didn't understand myself right away that iPhone was such a event (and
I'm not Apple fanboy at all).

This conversation brings me a lot of ideas what should be done when
building something simple.. Like removing that stupid web browser
idiom that where is addressbar and back/forward buttons.

How about changing the web browser to an app launcher.

Something like launch https://application.com; and that app launcher is
designed to be an app container. Application is started for local or remote
computer, enforces security restricting access to local resources and
remote servers and even know window coordinates so every application
is launched on correct position on screen. And Javascript console.log
can put stuff to stdout, errors to stderr...

That can be also then use to make more complex user interfaces,
integrating several applications to one view. Hell yeah, more I think,
I just don't even want to use anything else than those, terminal
windows and X for legacy apps.

It can also change world better if defaults are secure and
that app launcher is adopted.



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Theo de Raadt
 but at the same time using the conversation to hurt people trying to
 build something simpler.
 
 It is not meant to hurt anyone.

I didn't mean to kill that guy when I was doing 250km

 It is just that sometimes happens event called disruptive innovation.

You tried to break chmod.  Please innovate elsewhere.

 When it happens, it is good to sit down and think, why that happened and
 why I was so stupid to not to realize that myself, because there are
 some good reasons always what make that event possible. It is also
 stupid to ignore that event ever happened.

Yes, it is good to sit down and think.

 This conversation brings me a lot of ideas what should be done when
 building something simple.. Like removing that stupid web browser
 idiom that where is addressbar and back/forward buttons.

You are on the wrong list.
 
 How about changing the web browser to an app launcher.

You must be really full of yourself, because you are on the wrong
mailing list.

 Something like launch https://application.com; and that app launcher is
 designed to be an app container. Application is started for local or remote
 computer, enforces security restricting access to local resources and
 remote servers and even know window coordinates so every application
 is launched on correct position on screen. And Javascript console.log
 can put stuff to stdout, errors to stderr...

You are on the wrong list.

 That can be also then use to make more complex user interfaces,
 integrating several applications to one view. Hell yeah, more I think,
 I just don't even want to use anything else than those, terminal
 windows and X for legacy apps.

You are on the wrong list.



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Matti Karnaattu
next I convince you that JS is good.

I said that it's crappy, but it happens that crap gets adopted as standard.

It just happens, it has happened before and when the shit works and
solve compatibility issues by having adopted standard, it is useful.

What can I do for that?!

It is problem in IT-industry that every player want to smuggle patent
into standards or want to make own tech to adopted and demand
royalties. Then everyone make own incompatible version on same
thing and others make new abstraction layer of shit to make things
again compatible.

The reason why I think JS is great is that all players in IT-industry
are committed to support it. ~everyone tried to put own proprietary
tech to same use and failed. Now everyone has given up, and
supports that JS and now it WORKS. It is good to everyone support
that portable technology because now their own native ecosystems
looks better and they can make users to depend on them.

And no one can stop supporting JS either because then software
stops working.. - we got established standard.

I also think that this is again new abstraction layer of shit but it
is kind of inevitable while IT industry failed to make standard
hardware architecture and top of HW, there is C code that is
depending on build technology from 70's.

 While there, convince everyone Theo is the reason JS is everywhere.

I didn't mess you to this discussion and I haven't bashed
you everywhere, never.

I actually respect your work, but you behave
like I've got you on your toes.

How I can have you to be more relaxed? With beer?



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Tony Abernethy
Matti Karnaattu wrote
snip
How I can have you to be more relaxed? With beer?
Just what I need. Life support on drunk programs writ by drunk programmers.
Please.  You are a threat to my continued existence.



Re: packet filter: question about parentheses around self

2014-10-06 Thread Giancarlo Razzolini
On 04-10-2014 11:06, Peter N. M. Hansteen wrote:
 The parentheses denote potentially dynamic addresses, and IIRC the
 main difference is that with parentheses the list will be expanded
 IIRC at rule evaluation time, while without the parentheses, the list
 of addresses is expanded at ruleset load time.
The man page talks only about interface names surrounded by parentheses.
But, from my experience, (self) work at evaluation time, just as
(egress) does. No need to reload the ruleset every time any address
changes. Perhaps it would be nice to improve the man page on that subject?

Cheers




Re: OT: Old version of CD still available

2014-10-06 Thread Nicolai
On Mon, Oct 06, 2014 at 09:51:03PM -0400, Daniel Ouellet wrote:
 Actually 4.8 to 5.4 included are missing.

Trace your steps back to the announcement:

http://undeadly.org/cgi?action=article&sid=20140805141742

which links to the old ordering system.  I hope you're able to complete
your collection.

Good luck!
Nicolai



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-06 Thread Matti Karnaattu
You are on the wrong list.

Ok. I will unsubscribe myself for.. eternity. Because
I obviously have hurt feelings. Especially yours, Theo.

I did not intentionally do that. And I have _never_ bashed
you. And I actually never got what makes you so upset.
I'm enthusiast to tech without religion. Agnostic doesn't
care that much about something, what is apparently
extremely important to you.

Kindest thing you have ever said to me is that I'm a
government plant. Well, I'm not and I don't work for Google
either. But I think that is kind because I believe that it
should be hard to make you to believe that.

It is better to me to disappear because it probably more
beneficial to me put my free time effort when I'm between
jobs to somewhere else than finding bugs from OpenBSD.

Theo, bruteforce stress testing for OpenBSD went better
than I expected. Surprisingly little amount of fails.

Sometimes when I debate, it gets out of hands.
I should have quit this thread when I said that.

My apologies. For everyone.



Re: ntpd -s via ssh remote command 'hangs'

2014-10-06 Thread Tor Houghton
On Mon, Oct 06, 2014 at 05:34:34PM -0700, Philip Guenther wrote:
 
 By itself, one of the ntpd daemons will keep open the stdin/out/err it
 was started with, which in this case will be the pipe or tty created
 by the ssh server.

Aha. Thank you very much for the explanation.

 
 The easiest solution (if there isn't a virtualbox toolset) is to use
 the rc.d framework, which will handle the fds:
 ssh guesthost '/etc/rc.d/ntpd restart'
 
 and put the -s in ntpd_flags in rc.conf.local
 

Yes; this is very much the more elegant solution; thanks again.

Tor