Permanent network configuration leads to panic

2015-03-12 Thread Romain FABBRI
If I configure my network card manually using the following commands the system 
and network work fine :

ifconfig inet {public_ip_/32_address} 255.255.255.255 media 1000baseTX
route add -inet {ip_gateway}/32 -link -iface em0
route add default {ip_gateway}


If I attempt to configure using hostname.em0 :

vi /etc/hostname.em0
inet {public_ip_/32_address} 255.255.255.255 NONE media 1000baseTX
!route add -inet {gateway}/32 -link -iface em0
!route add default {gateway}
sh /etc/netstart

. I get a panic (smashed stack in ether_output)
panic: smashed stack in ether_output
Stopped at Debugger+0x7:    leave

Have I made an error ???

PS : I also tried putting the gateway IP in /etc/mygate instead of using « 
route add default {ip_gateway} » inside hostname.if file but I'm also getting 
the panic this way.

Romain



Re: dhcpd log issues

2015-03-12 Thread lilit-aibolit

On 11/07/2014 12:48 PM, Marc Peters wrote:

Hi misc@,

after upgrading our pair of dhcpd servers to 5.6(-stable), i am seeing
strange DHCPACKs in our logs (in both of them):

Nov  7 09:28:34 dhcpd2 dhcpd[9269]: DHCPINFORM from 192.168.20.251
Nov  7 09:28:34 dhcpd2 dhcpd[9269]: DHCPACK on  to 5c:51:4f:56:81:c3 via em0


The entries in the leasesfile are correct and the clients are getting
the right addresses, so this seems merely a logging issue to me.

dmesg dhcpd1 (kvm-host):


Cheers,
Marc



Hi, same here.
I also found this discussion about 
https://lists.isc.org/pipermail/dhcp-users/2008-May/006266.html

Mar 10 17:00:49 gw56 dhcpd[2020]: Listening on rum0 (10.10.10.1).
Mar 10 17:01:04 gw56 dhcpd[11367]: DHCPDISCOVER from 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPOFFER on 10.10.10.100 to 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPREQUEST for 10.10.10.100 from 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPACK on 10.10.10.100 to 00:1f:3b:12:93:91 via rum0

Mar 10 17:01:11 gw56 dhcpd[11367]: DHCPINFORM from 10.10.10.100
Mar 10 17:01:11 gw56 dhcpd[11367]: DHCPACK on  to 00:1f:3b:12:93:91 via rum0


# cat /etc/dhcpd.conf
subnet 10.10.10.0 netmask 255.255.255.0 {
    option routers 10.10.0.1;
    option domain-name "kh.ektos";
    option domain-name-servers 10.10.0.1;
    max-lease-time 604800;
    default-lease-time 604800;
    range 10.10.10.100 10.10.10.200;
}

# uname -a
OpenBSD gw56 5.6 GENERIC.MP#299 i386



Re: Permanent network configuration leads to panic

2015-03-12 Thread Jonathan Gray
On Wed, Mar 11, 2015 at 09:57:12PM +, Romain FABBRI wrote:
> If I configure my network card manually using the following commands the 
> system and network work fine :
> 
> ifconfig inet {public_ip_/32_address} 255.255.255.255 media 1000baseTX
> route add -inet {ip_gateway}/32 -link -iface em0
> route add default {ip_gateway}
> 
> 
> If I attempt to configure using hostname.em0 :
> 
> vi /etc/hostname.em0
> inet {public_ip_/32_address} 255.255.255.255 NONE media 1000baseTX
> !route add -inet {gateway}/32 -link -iface em0
> !route add default {gateway}
> sh /etc/netstart
> 
> . I get a panic (smashed stack in ether_output)
> panic: smashed stack in ether_output
> Stopped at Debugger+0x7:    leave
> 
> Have I made an error ???
> 
> PS : I also tried putting the gateway IP in /etc/mygate instead of using « 
> route add default {ip_gateway} » inside hostname.if file but I'm also getting 
> the panic this way.

This problem was recently reported on bugs@, try the diff mentioned in

http://marc.info/?l=openbsd-bugs&m=142600183729296&w=2



March 8 snapshot does not boot on Dell E6540

2015-03-12 Thread carsten . kunze
Hello,

the snapshot amd64/install57.fs (or .iso) from March 8 does not boot on a
Dell Latitude E6540.  The last output line during boot is:

uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1

This is the first snapshot I try on this laptop.  Currently the 5.6
release is installed.  Its dmesg is:

OpenBSD 5.6 (GENERIC.MP) #333: Fri Aug  8 00:20:21 MDT 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8474476544 (8081MB)
avail mem = 8240103424 (7858MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xed6e0 (102 entries)
bios0: vendor Dell Inc. version "A05" date 09/03/2013
bios0: Dell Inc. Latitude E6540
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT SLIC SSDT SSDT SSDT SSDT HPET SSDT MCFG SSDT 
ASF! SSDT DMAR SSDT TCPA
acpi0: wakeup devices UAR1(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) 
RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) 
RP07(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4300M CPU @ 2.60GHz, 3193.11 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-4300M CPU @ 2.60GHz, 3192.61 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-4300M CPU @ 2.60GHz, 3192.61 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-4300M CPU @ 2.60GHz, 3192.61 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP01)
acpiprt2 at acpi0: bus 3 (RP03)
acpiprt3 at acpi0: bus 4 (RP05)
acpiprt4 at acpi0: bus 5 (RP06)
acpiprt5 at acpi0: bus 6 (RP07)
acpiprt6 at acpi0: bus 14 (RP08)
acpiprt7 at acpi0: bus 1 (PEG0)
acpiprt8 at acpi0: bus -1 (PEG1)
acpiprt9 at acpi0: bus -1 (PEG2)
acpiec0 at acpi0
acpicpu0 at acpi0: C1, PSS
acpicpu1 at acpi0: C1, PSS
acpicpu2 at acpi0: C1, PSS
acpicpu3 at acpi0: C1, PSS
acpitz0 at acpi0: critical temperature is 107 degC
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PBTN
acpibtn2 at acpi0: SBTN
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "DELL GCJ4839" serial 396 type LION oem "Samsung 
SDI"
acpibat1 at acpi0: BAT1 not present
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: LCD_
cpu0: Enhanced SpeedStep 3193 MHz: speeds: 2601, 2600, 2500, 2300, 2200, 2100, 
2000, 1800, 1700, 1600, 1400, 1300, 1200, 1100, 900, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x0c04 rev 0x06
ppb0 at pci0 dev 1 function 0 "Intel Core 4G PCIE" rev 0x06: msi
pci1 at ppb0 bus 1
"ATI Radeon HD 8790M" rev 0x00 at pci1 dev 0 function 0 not configured
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 4600" rev 0x06
intagp at vga1 not configured
inteldrm0 at vga1
drm0 at inteldrm0
drm: Memory usable by graphics device = 2048M
error: [drm:pid0:i915_write32] *ERROR* Unknown unclaimed register before 
writing

Re: Support - update our listing

2015-03-12 Thread Joseph Wolff
0
C USA
P California
T Fremont
Z 94538
O eRacks Open Source Systems
I Joseph Wolff
A 4035 Clipper Court
M consult...@eracks.com
U http://www.eracks.com/
B 408-455-0010
X 
N We provide ready-to-run OpenBSD servers, both rackmount servers (http://eracks.com/rackmount-servers) 
and other form factors, such as notebooks, desktops, etc. Firewalls, 
Mail/DNS/Web servers, other bastion hosts. 
We also provide Network design, planning, and Cloud architecture services, as 
well as custom-configured OpenBSD systems. 
We will preinstall & configure CARP, firewall rules, pfsync, STP, 
Dual/Bridging, OpenVPN, etc. We've been doing this since 1999.



Re: KVM Switching and CPU and Fan Speed

2015-03-12 Thread Jason Adams
On 03/08/2015 09:38 PM, Steven wrote:
> I've got a set up between two towers where I use a KVM (KVMS?)
> switch between them. The one running OpenBSD (snapshots and recent as
> of this morning) seems to step up its CPU speed when I'm switched out
> to the other computer. I'm wondering if I'm the only one seeing this.

Can you ssh into the machine and then switch the KVMS away from it and see
what "top" says is chewing up CPU cycles?

Also, what about plugging in another keyboard?  I had one old linux server,
that had similar issues some years ago, and simply plugging in another cheap
keyboard, and dropping it behind the table (never using it) allowed the
switch (and the keyboard attached to it) to work without issue.


-- 
Those who do not understand Unix are condemned to reinvent it, poorly.



Re: relayd bypass SSL interception for URL

2015-03-12 Thread Felipe Scarel
On Mon, Mar 9, 2015 at 12:03 PM, Stuart Henderson  wrote:
> On 2015-03-06, Felipe Scarel  wrote:
>> Hello all,
>>
>> I'm currently using relayd as a forward proxy, selectively blocking
>> HTTP and HTTPS requests while doing MitM inspection (as per
>> http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception).
>>
>> To allow certain domains to go through the SSL proxy, a simple 'pass
>> quick url file' is sufficient, and works. However, this option does
>> not prevent the MitM operation from relayd; the request is simply
>> allowed through, and the original certificate is still 'patched' by
>> the local CA. The configuration is shown below:
>>
>> http protocol httpsfilter {
>>   tcp { nodelay, sack, socket buffer 65536, backlog 1024 }
>>   return error
>>
>>   match header set "Keep-Alive" value "$TIMEOUT"
>>   match header set "Connection" value "close"
>>
>>   pass quick url file "/etc/relayd.d/custom_whitelist"
>>   block url file "/etc/relayd.d/custom_blacklist"
>>   include "/etc/relayd.d/auto_blacklist"
>>
>>   ssl ca key  "/etc/ssl/private/ca.key" password "password"
>>   ssl ca cert "/etc/ssl/ca.crt"
>> }
>>
>> relay httpsproxy {
>>   listen on 127.0.0.1 port 8443 ssl
>>   protocol httpsfilter
>>   forward with ssl to destination
>> }
>>
>> This is a problem for a few sites (especially banking websites) that
>> absolutely demand that the original certificate is not tampered with in any
>> way. I'm currently solving the problem with pf passthrough rules
>> (allowing traffic directly to destination on a per-IP basis), which is
>> far from an ideal solution as covered previously in
>> http://openbsd.7691.n7.nabble.com/DNS-lookups-for-hostnames-in-PF-tables-td69546.html
>> (scenarios like round robin DNS, CDNs providing content for multiple
>> organizations, etc.)
>>
>> So, my question is: Is there a way to completely bypass SSL
>> interception for a given URL file?
>>
>> Thanks in advance,
>> fbscarel
>>
>>
>
> relayd doesn't have much information available at the point where it
> decides whether to pick up the request. Specifically it just has IP
> addresses. It can't tell the URL or even the domain name of the request
> to be able to identify the destination.
>
> The domain name *is* available before a full SSL negotiation, at least
> for connections from non-ancient browsers, but it requires opening at
> least the client-side of the connection, and reading the name from the
> ClientHello (this is the first packet sent by the client; server name is
> provided unencrypted by SNI).
>
> It is technically possible to use this information as part of a decision
> process, but it's much more complicated - you first need to identify
> whether interception is wanted, and then either replay the ClientHello
> (and afterwards forward packets directly to the server), or do the
> cert generation/MITM as usual.
>
> relayd doesn't support this yet.
>
> Recent versions of Squid (3.5.x) do; feature is called "peek and
> splice", but I haven't tested it with OpenBSD yet. (Squid's normal
> SSL interception does work, at least in OpenBSD -current). Even then,
> the most you will be able to do is look at the domain name; the URL
> is not available until *after* the SSL handshake, at which point it
> is too late to make the decision whether to spoof the cert or not.
>

The domain name would do, I'll try testing with Squid.
Thanks for the input, Stuart.



Re: how to install a freeze point version of OpenBSD

2015-03-12 Thread Peter N. M. Hansteen
On Thu, Mar 12, 2015 at 07:41:31AM +, Bogdan Andu wrote:
> Thank you for detailed explanations.
> In conclusion it is safer to follow -current, 
> But if I am using an April 1st snapshot, for example I cannot use 
> 5.7 -stable channel to update the tree so I must update the April 1st 
> snapshot to current snapshot in May 1st?
> How is it possible to know when to update my current tree of April 1st to 
> last known -current 5.7, exactly before this becomes 5.8 alpha?

You seem a bit confused about the dates involved (see [1] for a blog post
of mine which may or may not help make things clearer).

If you read up on CVS, you may discover a way to check out code equal to
the -release version or matching a specific point in time. That would give
you a set of (hopefully consistent and buildable) source files, and
applying the same tricks to the ports tree will yield similar results - a
set of source files and patches you can build.

For a prebuilt, installable system with matching packages, you need to
either go from snapshot to snapshot (making the dive into -current if you
want) or follow the -release to -stable path.

- P

[1] http://bsdly.blogspot.com/2011/07/what-to-expect-in-openbsd-50-onwards.html
 
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: KVM Switching and CPU and Fan Speed

2015-03-12 Thread Jason Adams
On 03/10/2015 08:15 PM, W. Steven Schneider wrote:
>
> Damn it, I hate using my phone for this!
>
> On Mar 10, 2015 6:15 PM, "Jason Adams"  > wrote:
> >
> > On 03/08/2015 09:38 PM, Steven wrote:
> > > I've got a set up between two towers where I use a KVM (KVMS?)
> > > switch between them. The one running OpenBSD (snapshots and recent as
> > > of this morning) seems to step up its CPU speed when I'm switched out
> > > to the other computer. I'm wondering if I'm the only one seeing this.
> >
> > Can you ssh into the machine and then switch the KVMS away from it and see 
> > what "top"
> > says is chewing up CPU cycles?
> >
> It appears that the privilege separated Xorg is demanding a high percentage 
> of CPU. I had Xorg
> niced to -10 but bringing it back to a nice of 0 didn't change the behavior.
> > Also, what about plugging in another keyboard?  I had one old linux server, 
> > that had similar
> > issues some years ago, and simply plugging in another cheap keyboard, and 
> > dropping it behind the
> > table (never using it) allowed the switch (and the keyboard attached to it) 
> > to work without issue.
> >
> I might yet try that as a workaround if no solution comes to mind or is 
> forthcoming. :-)
>

By the way, the same might be tried with some random mouse plugged directly
into the offending machine.
It sounds like xorg is expecting to read state from input devices, and
failing that it works harder.

But I've also seen issues with simply the absence of a monitor causing
problems.
Some kvm switches compensate for this by emulating DDC connection to the
switched away-from machine.
Here is a random example chosen from a quick search:
http://linkskey.com/product/ldv-302arc-2-port-dvi-usb-kvm-w-audiomic-plus-quickswitch-remote-button/

There are some KVM switches that handle this condition




-- 
Those who do not understand Unix are condemned to reinvent it, poorly.



Re: March 8 snapshot does not boot on Dell E6540

2015-03-12 Thread carsten . kunze
Hello Martin, 

Martin Pieuchot  wrote:

> I got some similar reports before and it seems related to anything in
> the BIOS.  It seems that turning the USB setting to USB3 "On" or "Off"
> but not "Auto" prevent this hang.  Sadly I don't have access to such
> hardware and investigate further.

In the BIOS setup of this laptop USB3 can only be switched "on" or
"off".  It had been switched "on".  When switching it to "off" the
problem does not occur anymore, the 5.7-snapshot is now running on
this laptop.  Thank you for your help!

If it would help I could apply patches from you to the kernel source
and do some tests.  But if you're not interested in that it is ok
for me to live without USB3.

Thanks,
Carsten



newbie setting up calendar & contacts server - would someone mind critiqueing my plan?

2015-03-12 Thread Scott Finnie
Hello all. Apologies if this is answered somewhere else: couldn't find in the archives or via web search.  If so I'd 
appreciate a pointer - thanks.


I'm looking to set up a calendar & contacts server for family use.  Progress so 
far:

1. Installed openbsd 5.6 & running on an old ppc mac mini.
2. Looked at calendar/contact servers and settled on radicale. Installed and set up local test, all working ok - albeit 
with no auth.


Server is currently on a private lan in the house, so I need to move it to be internet facing (via DMZ on router).  
Before I do I'd be grateful of any guidance on the following:


1. Anything I should do at the OS level?  It's currently a stock install, with ports added to get radicale (v0.8p0 and 
hence python 2.7).  Haven't added or removed anything else.  I'll set up the firewall to only expose the app's IP ports.
2. Is there a recommended way to secure connection to radicale? It supports a wide range of options (TLS, htpasswd, 
IMAP, LDAP, PAM, HTTPAuth).  Having done some reading I'm leaning towards TLS: any reason not to?


The box will only host the calendar/contacts so I don't need to put the app behind a web server - unless there's a good 
reason to do that?


Thanks.

 -Scott.

PS: First post so I hope it's in line with list etiquette (did read 
beforehand).  If not, any pointers appreciated.  Thanks.



5.6 errata patch 006 problem

2015-03-12 Thread Marko Cupać
Hi,

I have applied errata patch 006 related to relayd to 5.6 source code,
but it does not build. Any advice?

# make
cc   -o relayd parse.o agentx.o ca.o carp.o check_icmp.o check_script.o 
check_tcp.o config.o control.o hce.o log.o name2id.o pfe.o pfe_filter.o 
pfe_route.o proc.o relay.o relay_http.o relay_udp.o relayd.o shuffle.o snmp.o 
ssl.o ssl_privsep.o -levent -lssl -lcrypto -lutil
/usr/lib/libssl.so.27.0: undefined reference to `dtls1_build_sequence_number'
/usr/lib/libssl.so.27.0: undefined reference to `OPENSSL_DIR_read'
/usr/lib/libssl.so.27.0: undefined reference to `ssl_cipher_get_evp_aead'
/usr/lib/libssl.so.27.0: undefined reference to `dtls1_heartbeat'
/usr/lib/libssl.so.27.0: undefined reference to `tls1_process_heartbeat'
/usr/lib/libssl.so.27.0: undefined reference to `OPENSSL_DIR_end'
collect2: ld returned 1 exit status
*** Error 1 in /usr/src/usr.sbin/relayd (:84 'relayd')

-- 
Marko Cupać
https://www.mimar.rs



Re: 5.6 errata patch 006 problem

2015-03-12 Thread Marko Cupać
On Thu, 12 Mar 2015 11:55:22 +0100
Marko Cupać  wrote:

> Hi,
> 
> I have applied errata patch 006 related to relayd to 5.6 source code,
> but it does not build. Any advice?

Also with 009:

cc   -o httpd parse.o config.o control.o httpd.o log.o logger.o proc.o server.o 
server_http.o server_file.o server_fcgi.o -levent -lressl -lssl -lcrypto -lutil
/usr/lib/libssl.so.27.0: undefined reference to `dtls1_build_sequence_number'
/usr/lib/libssl.so.27.0: undefined reference to `OPENSSL_DIR_read'
/usr/lib/libssl.so.27.0: undefined reference to `ssl_cipher_get_evp_aead'
/usr/lib/libssl.so.27.0: undefined reference to `dtls1_heartbeat'
/usr/lib/libssl.so.27.0: undefined reference to `tls1_process_heartbeat'
/usr/lib/libssl.so.27.0: undefined reference to `OPENSSL_DIR_end'
collect2: ld returned 1 exit status
*** Error 1 in /usr/src/usr.sbin/httpd (:84 'httpd')
-- 
Marko Cupać
https://www.mimar.rs



Re: 5.6 errata patch 006 problem

2015-03-12 Thread Ted Unangst
Marko Cupać wrote:
> Hi,
> 
> I have applied errata patch 006 related to relayd to 5.6 source code,
> but it does not build. Any advice?
> 
> # make
> cc   -o relayd parse.o agentx.o ca.o carp.o check_icmp.o check_script.o 
> check_tcp.o config.o control.o hce.o log.o name2id.o pfe.o pfe_filter.o 
> pfe_route.o proc.o relay.o relay_http.o relay_udp.o relayd.o shuffle.o snmp.o 
> ssl.o ssl_privsep.o -levent -lssl -lcrypto -lutil
> /usr/lib/libssl.so.27.0: undefined reference to `dtls1_build_sequence_number'
> /usr/lib/libssl.so.27.0: undefined reference to `OPENSSL_DIR_read'
> /usr/lib/libssl.so.27.0: undefined reference to `ssl_cipher_get_evp_aead'
> /usr/lib/libssl.so.27.0: undefined reference to `dtls1_heartbeat'
> /usr/lib/libssl.so.27.0: undefined reference to `tls1_process_heartbeat'
> /usr/lib/libssl.so.27.0: undefined reference to `OPENSSL_DIR_end'

Those functions were deleted before 5.6. I don't know how you managed to
build a libssl.so.27 that references them.



Re: 5.6 errata patch 006 problem

2015-03-12 Thread Marko Cupać
On Thu, 12 Mar 2015 07:23:40 -0400
"Ted Unangst"  wrote:

> Marko Cupać wrote:
> > Hi,
> > 
> > I have applied errata patch 006 related to relayd to 5.6 source
> > code, but it does not build. Any advice?
> > 
> > # make
> > cc   -o relayd parse.o agentx.o ca.o carp.o check_icmp.o
> > check_script.o check_tcp.o config.o control.o hce.o log.o name2id.o
> > pfe.o pfe_filter.o pfe_route.o proc.o relay.o relay_http.o
> > relay_udp.o relayd.o shuffle.o snmp.o ssl.o ssl_privsep.o -levent
> > -lssl -lcrypto -lutil /usr/lib/libssl.so.27.0: undefined reference
> > to `dtls1_build_sequence_number' /usr/lib/libssl.so.27.0: undefined
> > reference to `OPENSSL_DIR_read' /usr/lib/libssl.so.27.0: undefined
> > reference to `ssl_cipher_get_evp_aead' /usr/lib/libssl.so.27.0:
> > undefined reference to `dtls1_heartbeat' /usr/lib/libssl.so.27.0:
> > undefined reference to
> > `tls1_process_heartbeat' /usr/lib/libssl.so.27.0: undefined
> > reference to `OPENSSL_DIR_end'
> 
> Those functions were deleted before 5.6. I don't know how you managed
> to build a libssl.so.27 that references them.

I don't think I have built them. If I remember well, this system was
freshly installed with 5.5 release back when it was actual. I have just
upgraded it to 5.6 (following advice from upgrade56, without install
kernel).
-- 
Marko Cupać
https://www.mimar.rs



Re: Permanent network configuration leads to panic

2015-03-12 Thread Romain FABBRI
I can't find the related entry on bugs@ and the post you refer to isn't
published or accessible.
But thanks a lot for your answer and I'm glad if it's really a known/patched
issue.

If you could provide me the patch or tell me how to get it, it would be
very kind
Or maybe I just have to wait for your link to be published...


-Original Message-
From: Jonathan Gray [mailto:j...@jsg.id.au] 
Sent: Thursday, 12 March 2015 08:30
To: Romain FABBRI
Cc: misc@openbsd.org
Subject: Re: Permanent network configuration leads to panic

On Wed, Mar 11, 2015 at 09:57:12PM +, Romain FABBRI wrote:
> If I configure my network card manually using the following commands the 
> system and network work fine :
> 
> ifconfig inet {public_ip_/32_address} 255.255.255.255 media 1000baseTX
> route add -inet {ip_gateway}/32 -link -iface em0
> route add default {ip_gateway}
> 
> 
> If I attempt to configure using hostname.em0 :
> 
> vi /etc/hostname.em0
> inet {public_ip_/32_address} 255.255.255.255 NONE media 1000baseTX
> !route add -inet {gateway}/32 -link -iface em0
> !route add default {gateway}
> sh /etc/netstart
> 
> . I get a panic (smashed stack in ether_output)
> panic: smashed stack in ether_output
> Stopped at Debugger+0x7:    leave
> 
> Have I made an error ???
> 
> PS : I also tried putting the gateway IP in /etc/mygate instead of using « 
> route add default {ip_gateway} » inside hostname.if file but I'm also getting 
> the panic this way.

This problem was recently reported on bugs@, try the diff mentioned in

http://marc.info/?l=openbsd-bugs&m=142600183729296&w=2



Re: Permanent network configuration leads to panic

2015-03-12 Thread David Coppa
On Thu, Mar 12, 2015 at 12:41 PM, Romain FABBRI  wrote:
> I can't find the related entry on bugs@ and the post you refer to isn't
> published or accessible.
> But thanks a lot for your answer and I'm glad if it's really a known/patched
> issue.
>
> If you could provide me the patch or tell me how to get it, it would be
> very kind
> Or maybe I just have to wait for your link to be published...

http://marc.info/?l=openbsd-bugs&m=142615317410286

Ciao,
David



Re: Permanent network configuration leads to panic

2015-03-12 Thread Jonathan Gray
On Thu, Mar 12, 2015 at 11:41:42AM +, Romain FABBRI wrote:
> I can't find the related entry on bugs@ and the post you refer to isn't
> published or accessible.
> But thanks a lot for your answer and I'm glad if it's really a known/patched
> issue.
> 
> If you could provide me the patch or tell me how to get it, it would be
> very kind
> Or maybe I just have to wait for your link to be published...

It seems marc is having some problems, so I've included mpi's diff below.
You can also find it on gmane:
http://article.gmane.org/gmane.os.openbsd.bugs/21621

Index: netinet/if_ether.c
===
RCS file: /cvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.146
diff -u -p -r1.146 if_ether.c
--- netinet/if_ether.c  11 Feb 2015 23:34:43 -  1.146
+++ netinet/if_ether.c  10 Mar 2015 15:25:48 -
@@ -399,6 +399,13 @@ arpresolve(struct arpcom *ac, struct rte
return (EINVAL);
}
sdl = SDL(rt->rt_gateway);
+   if (sdl->sdl_alen > 0 && sdl->sdl_alen != ETHER_ADDR_LEN) {
+   log(LOG_DEBUG, "%s: %s: incorrect arp information\n", __func__,
+   inet_ntop(AF_INET, &satosin(dst)->sin_addr,
+   addr, sizeof(addr)));
+   m_freem(m);
+   return (EINVAL);
+   }
/*
 * Check the address family and length is valid, the address
 * is resolved; otherwise, try to resolve.
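Review bot: the new sdl_alen check in arpresolve() passes `addr` to inet_ntop() with `sizeof(addr)`, but no declaration of `addr` is visible in this hunk, whereas the nd6_storelladdr() hunk shows a local `char addr[INET6_ADDRSTRLEN];` right at the point of use. Please confirm that an array of at least INET_ADDRSTRLEN bytes (not a pointer, or `sizeof(addr)` would be wrong) is in scope here. The `sdl_alen > 0 &&` half of the condition also deserves a one-line comment saying that zero-length entries are deliberately left to the existing check that follows. Finally, the packet is dropped with EINVAL and the only trace is a LOG_DEBUG message without the interface name, so consider adding the interface to the message.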
Index: netinet6/nd6.c
===
RCS file: /cvs/src/sys/netinet6/nd6.c,v
retrieving revision 1.131
diff -u -p -r1.131 nd6.c
--- netinet6/nd6.c  11 Feb 2015 23:34:43 -  1.131
+++ netinet6/nd6.c  12 Mar 2015 09:35:34 -
@@ -1868,13 +1868,11 @@ nd6_storelladdr(struct ifnet *ifp, struc
return (EINVAL);
}
sdl = SDL(rt->rt_gateway);
-   if (sdl->sdl_alen == 0) {
+   if (sdl->sdl_alen != ETHER_ADDR_LEN) {
char addr[INET6_ADDRSTRLEN];
-   /* this should be impossible, but we bark here for debugging */
-   printf("nd6_storelladdr: sdl_alen == 0, dst=%s, if=%s\n",
+   log(LOG_DEBUG, "%s: %s: incorrect nd6 information\n", __func__,
inet_ntop(AF_INET6, &satosin6(dst)->sin6_addr,
-   addr, sizeof(addr)),
-   ifp->if_xname);
+   addr, sizeof(addr)));
m_freem(m);
return (EINVAL);
}
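Review bot: the replacement log() call in nd6_storelladdr() drops `ifp->if_xname`, which the old printf reported; now that the test is widened from `sdl_alen == 0` to `sdl_alen != ETHER_ADDR_LEN`, the interface name is the quickest way to find the offending entry, so please keep it in the message. Two smaller points: this test rejects a zero length while the arpresolve() hunk lets zero through with `sdl_alen > 0 &&`, and the reason for the difference should be stated in a comment or the commit message; and comparing against the constant ETHER_ADDR_LEN in a function that takes a generic `struct ifnet *ifp` assumes every interface reaching this code uses 6-byte link-layer addresses, which is worth saying explicitly. The removed comment ("this should be impossible") could be replaced by one describing the case the check now covers.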



Re: ospfd and carp - Almost there, carp issue

2015-03-12 Thread John E.P. Hynes
Sorry for the long-winded explanation yesterday, but I've got the 
problem narrowed down to the carp interfaces.


Essentially, the routers with the fast line are preemptive carp 
masters.  When the fast line goes down, traffic gets routed correctly 
across the slow line, but once there, it cannot forward to the carp 
interface, as it's then on the carp "backup" side.


This makes sense, since the interface is a backup, but I'm unsure why it 
isn't just routing across the crossover cable in that case. Unplugging 
the carp master on the side in question causes the backup to become 
master, and everything works across the slow line as expected.


Ideas?

Thanks,

-John


On 03/11/2015 03:03 PM, John E.P. Hynes wrote:

Hi all,

I'm having an issue getting my ospf setup working.  It's almost there, 
and I've read Claudio Jeker's excellent guide, and have nearly 
reproduced the setup he describes when discussing ospf with two 
routers on each end, the "remote" end carp'd.  The differences in my 
setup are as follows:


-the "backup" line is an ipsec transport encrypted gre tunnel.
-I have tried carp'ing the "local" end as well, and I think my setup 
is *close*.


Here's what it looks like:

 REMOTE
   nfe0 
192.168.254.1/30 (private fiber link)->private fiber link (local)

   nfe1 (carpdev)
   bge0 (crossover)
192.168.0.0/24192.168.0.1<|
  carp |
   bge0 (crossover)
   nfe1 (carpdev)
   nfe0 
www.xxx.yyy.zzz (public ISP link)
   gre0 (tunnel 
through www.xxx.yyy.zzz to aaa.bbb.ccc.ddd)
   enc0 (ipsec 
transport encryption for gre0)



   LOCAL
nfe0 192.168.254.2/30 
(private fiber link)->private fiber link (remote)

nfe1 (carpdev)
 core router bge0 (crossover)
10.0.0.1-10.0.0.100<   |
  carp  |
bge0 (crossover)
nfe1 (carpdev)
nfe0 aaa.bbb.ccc.ddd 
(public ISP link)
gre0 (tunnel though 
aaa.bbb.ccc.ddd to www.xxx.yyy.zzz)
enc0 (ipsec transport 
encryption for gre0)


(apologies if this diagram gets hosed - I stink at making these...)

First off:  All point to point connections function properly. Traffic 
over the gre PTP connection is encrypted correctly.  Carp works fine, 
and functions as expected with the routers connected to the fast fiber 
line as preemptive masters.  Router at 10.0.0.1 has static routes to 
10.0.0.100 for all networks connected above, including the /30 
crossovers.  The "remote" routers have no default gateway assigned in 
/etc/mygate.  The "local" routers have 10.0.0.1 in /etc/mygate.  The 
public internet interfaces only route to each other.  All sysctl's for 
gre, esp, carp, and forwarding are enabled.


Here's where ospfd comes in.  On the "remote" side, the 
/etc/ospfd.conf files look like this:


-"fiber" router-
router-id 1.1.1.1

area 0.0.0.0 {
auth-type crypt
auth-md 1 "password1"
auth-md 2 "password2"
auth-md-keyid 1

interface nfe0 { metric 10 }
interface bge0 { metric 20 }
interface carp0
}

-"slow" router-
router-id 2.2.2.2

area 0.0.0.0 {
auth-type crypt
auth-md 1 "password1"
auth-md 2 "password2"
auth-md-keyid 1

interface gre0 { metric 10 }
interface bge0 { metric 20}
interface carp0
}

The above is basically what's in the paper I mentioned, except for the 
gre interface taking the place of an ethernet interface.


The "local" side looks like this:

-"fiber" router-
router-id 3.3.3.3
redistribute default

area 0.0.0.0 {
auth-type crypt
auth-md 1 "password1"
auth-md 2 "password2"
auth-md-keyid 1

interface nfe0 { metric 10 }
interface bge0 { metric 20 }
interface carp0
}

-"slow" router-
router-id 4.4.4.4
redistribute default

area 0.0.0.0 {
auth-type crypt
auth-md 1 "password1"
auth-md 2 "password2"
auth-md-keyid 1

interface gre0 { metric 10 }
interface bge0 { metric 20 }
interface carp0
}

WHAT DOES WORK:

Reboot all four routers, traffic from remote 192.168.0.0/24 gets to 
10.0.0.1 no problem.


WHAT DOES NOT WORK:

Unplug either side's carp master and no traffic passes.  The b/u carp 
becomes master, though.  Replace the cable and the original master 
again becomes mas

Re: 5.6 errata patch 006 problem (SOLVED)

2015-03-12 Thread Marko Cupać
On Thu, 12 Mar 2015 12:32:52 +0100
Marko Cupać  wrote:

> On Thu, 12 Mar 2015 07:23:40 -0400
> "Ted Unangst"  wrote:
> 
> > Marko Cupać wrote:
> > > Hi,
> > > 
> > > I have applied errata patch 006 related to relayd to 5.6 source
> > > > code, but it does not build. Any advice?
> > > 
> > > # make
> > > cc   -o relayd parse.o agentx.o ca.o carp.o check_icmp.o
> > > check_script.o check_tcp.o config.o control.o hce.o log.o
> > > name2id.o pfe.o pfe_filter.o pfe_route.o proc.o relay.o
> > > relay_http.o relay_udp.o relayd.o shuffle.o snmp.o ssl.o
> > > ssl_privsep.o -levent -lssl -lcrypto
> > > -lutil /usr/lib/libssl.so.27.0: undefined reference to
> > > `dtls1_build_sequence_number' /usr/lib/libssl.so.27.0: undefined
> > > reference to `OPENSSL_DIR_read' /usr/lib/libssl.so.27.0:
> > > undefined reference to
> > > `ssl_cipher_get_evp_aead' /usr/lib/libssl.so.27.0: undefined
> > > reference to `dtls1_heartbeat' /usr/lib/libssl.so.27.0: undefined
> > > reference to `tls1_process_heartbeat' /usr/lib/libssl.so.27.0:
> > > undefined reference to `OPENSSL_DIR_end'
> > 
> > Those functions were deleted before 5.6. I don't know how you
> > managed to build a libssl.so.27 that references them.
> 
> I don't think I have built them. If I remember well, this system was
> freshly installed with 5.5 release back when it was actual. I have
> just upgraded it to 5.6 (following advice from upgrade56, without
> install kernel).

I went on to install all the errata patches, and after installing 017
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/017_openssl.patch.sig

... I went back to 006 and 009 and they installed fine.

-- 
Marko Cupać
https://www.mimar.rs



Re: Why generate SSH keys at startup?

2015-03-12 Thread John Long
On Wed, Mar 11, 2015 at 11:13:20PM +, Christian Weisgerber wrote:
> On 2015-03-10, John Long  wrote:

> > But /etc/rc appears to generate all missing key types every
> > startup.
> 
> Only if you delete them!

Yes, that's what I said.

> You can simply configure HostKey in /etc/ssh/sshd_config.  As soon
> as you set it to any value, the complete defaults are gone.  For
> instance, if there are no further HostKey statements,
> 
> HostKey /etc/ssh/ssh_host_ed25519_key
> 
> will make the server only load that Ed25519 key.  No ECDSA, RSA,
> or DSA.  Try it.

With that done a client can still do pubkey auth with a DSA key. (How) can I
stop sshd from accepting client keys a user might include in
~/.ssh/authorized_keys other than RSA keys?

> > What problems do I cause by commenting out the ssh-keygen?
> 
> Well, you would be making a change you obviously don't understand.

Well, I think it's obvious I'm open to that possibility or I wouldn't have
asked the question in the first place.

Given I do understand that if ssh-keygen -A isn't run at startup none of the
keys I deleted will come back, and given that's what I really want even if
new ciphers get added in the future, are there any other issues to be aware
of regarding removing ssh-keygen -A from the startup?

/jl

-- 
ASCII ribbon campaign ( ) Powered by Lemote Fuloong
 against HTML e-mail   X  Loongson MIPS and OpenBSD
   and proprietary/ \http://www.mutt.org
 attachments /   \  Code Blue or Go Home!
 Encrypted email preferred  PGP Key 2048R/DA65BC04 



Re: Why generate SSH keys at startup?

2015-03-12 Thread Christian Weisgerber
On 2015-03-12, John Long  wrote:

>> You can simply configure HostKey in /etc/ssh/sshd_config.
>
> With that done a client can still do pubkey auth with a DSA key. (How) can I
> stop sshd from accepting client keys a user might include in
> ~/.ssh/authorized_keys other than RSA keys?

By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.
This has _nothing_ to do with the server keys.

> Given I do understand that if ssh-keygen -A isn't run at startup none of the
> keys I deleted will come back, and given that's what I really want even if
> new ciphers get added in the future, are there any other issues to be aware
> of regarding removing ssh-keygen -A from the startup?

/etc/rc isn't a configuration file.  When you upgrade OpenBSD,
/etc/rc will be overwritten and your changes will be lost.

I don't understand why you insist on deleting the server keys.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
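
Added example, not part of the thread or of OpenSSH: before restricting
PubkeyAcceptedKeyTypes as suggested above, a shell function like this shows
which authorized_keys entries use a key type outside the allowed set. The
names audit_authorized_keys and sample_keys and the sample entries are
constructed for illustration.

```shell
#!/bin/sh
# audit_authorized_keys ALLOWED     (reads an authorized_keys file on stdin)
#   ALLOWED  comma-separated key type names, e.g. "ssh-rsa"
# Prints "LINE KEYTYPE" for each entry whose type is not allowed and
# returns 1 if any were found, 0 otherwise.
# Typical use: audit_authorized_keys ssh-rsa < /home/user/.ssh/authorized_keys
audit_authorized_keys() {
	awk -v allowed="$1" '
	BEGIN {
		n = split(allowed, a, ",")
		for (i = 1; i <= n; i++)
			ok[a[i]] = 1
	}
	/^[ \t]*(#|$)/ { next }		# comments and blank lines
	{
		line = $0
		# Remove quoted option values (command="...", from="...") so a
		# key type name inside them is not taken for the entry type.
		gsub(/"([^"\\]|\\.)*"/, "", line)
		m = split(line, f, /[ \t]+/)
		kt = "unparsed"
		for (i = 1; i <= m; i++)
			if (f[i] ~ /^(ssh-|ecdsa-sha2-|sk-)[a-z0-9@.-]+$/) {
				kt = f[i]
				break
			}
		if (!(kt in ok)) {
			print NR, kt
			bad = 1
		}
	}
	END { exit bad }
	'
}

# Constructed sample input; the key blobs are placeholders, not real keys.
sample_keys() {
	cat <<'EOF'
# constructed authorized_keys file
ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER alice@example
ssh-dss AAAAB3NzaC1kc3M-PLACEHOLDER old@example
command="echo ssh-rsa",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-PLACEHOLDER backup@example
from="10.0.0.*" ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER bob@example
EOF
}

# Report the sample entries that an RSA-only policy would reject.
sample_keys | audit_authorized_keys ssh-rsa || true
```
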



Re: Why generate SSH keys at startup?

2015-03-12 Thread John Long
On Thu, Mar 12, 2015 at 04:20:47PM +, Christian Weisgerber wrote:
> On 2015-03-12, John Long  wrote:
> 
> >> You can simply configure HostKey in /etc/ssh/sshd_config.
> >
> > With that done a client can still do pubkey auth with a DSA key. (How) can I
> > stop sshd from accepting client keys a user might include in
> > ~/.ssh/authorized_keys other than RSA keys?
> 
> By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.

Thanks, I looked and looked and could not find it in the man page. It
appears to be only in -current? Is this possible in prior versions
(i.e. undocumented but works) or is it totally new? 

> This has _nothing_ to do with the server keys.

Understood. I want to do an RSA-only setup. After the server key issue was
resolved I looked at what the clients can do.

> /etc/rc isn't a configuration file.  When you upgrade OpenBSD,
> /etc/rc will be overwritten and your changes will be lost.

I realize that. I keep track of local customizations in a notebook.

Thanks,

/jl

-- 
ASCII ribbon campaign ( ) Powered by Lemote Fuloong
 against HTML e-mail   X  Loongson MIPS and OpenBSD
   and proprietary/ \http://www.mutt.org
 attachments /   \  Code Blue or Go Home!
 Encrypted email preferred  PGP Key 2048R/DA65BC04 



Re: Why generate SSH keys at startup?

2015-03-12 Thread Stuart Henderson
On 2015-03-12, John Long  wrote:
> On Thu, Mar 12, 2015 at 04:20:47PM +, Christian Weisgerber wrote:
>> On 2015-03-12, John Long  wrote:
>> 
>> >> You can simply configure HostKey in /etc/ssh/sshd_config.
>> >
>> > With that done a client can still do pubkey auth with a DSA key. (How) can I
>> > stop sshd from accepting client keys a user might include in
>> > ~/.ssh/authorized_keys other than RSA keys?
>> 
>> By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.
>
> Thanks, I looked and looked and could not find it in the man page. It
> appears to be only in -current? Is this possible in prior versions
> (i.e. undocumented but works) or is it totally new? 

By looking with "cvs blame sshd_config.5 | grep PubkeyAcceptedKeyTypes"
and examining the cvs log, you can see that it was added on 2015/01/13.



pre-orders for 5.7

2015-03-12 Thread Theo de Raadt
We have activated pre-orders for the OpenBSD 5.7 CDs.

See www.openbsd.org/57.html for more details about what is coming
in this release; near the top there is a link to pre-order these
CDs, which are a component of funding for the developments in OpenBSD...

Release date will be May 1.



Re: Why generate SSH keys at startup?

2015-03-12 Thread Josh Grosse
On Thu, Mar 12, 2015 at 07:19:25PM +, Stuart Henderson wrote:
> By looking with "cvs blame sshd_config.5 | grep PubkeyAcceptedKeyTypes"
> and examining the cvs log, you can see that it was added on 2015/01/13.

Blame?  Blame?  When did this wonderful, utterly brilliant but 
undocumented synonym for annotate get added to cvs?

I think I'll use it to find out ;)

$ cvs blame main.c | grep blame
Annotations for main.c
***
1.39 (jsg  22-Jul-10): { "annotate", "ann",  "blame", 
annotate,  CVS_CMD_USES_WORK_DIR },

And then I found the commit:

CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org 2010/07/22 04:31:10

Modified files:
gnu/usr.bin/cvs/src: main.c 

Log message:
As per OpenCVS, general usage in conversation and apparently newer
upstream versions of this code, add blame as an alias for annotate.

ok henning@ fgsch@ deraadt@ thib@ krw@



Re: Why generate SSH keys at startup?

2015-03-12 Thread Christian Weisgerber
On 2015-03-12, John Long  wrote:

>> By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.
>
> Thanks, I looked and looked and could not find it in the man page. It
> appears to be only in -current? Is this possible in prior versions
> (i.e. undocumented but works) or is it totally new? 

Unfortunately, it is quite new.
It was added ... *checks CVS history* ... eight weeks ago.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



[cwm] remote shell colorization hack

2015-03-12 Thread Dimitri Sokolyuk
Hello

I would like to propose a simple, but imho really useful hack for cwm.
It boils down to colorization of remote terminals (Meta-Dot command)
based on crc24 of a hostname.
This way each remote connection gets its own color, such that different
hosts are easier to distinguish.
At the same time, different sessions to the same host always get the same
color, which improves visual feedback.

wbr

-- 
Dimitri Sokolyuk -- http://www.dim13.org/

diff --git a/Makefile b/Makefile
index 4c34ee4..020724f 100644
--- a/Makefile
+++ b/Makefile
@@ -7,12 +7,12 @@ PREFIX?=	/usr/local
 
 SRCS=		calmwm.c screen.c xmalloc.c client.c menu.c \
 		search.c util.c xutil.c conf.c xevents.c group.c \
-		kbfunc.c mousefunc.c parse.y
+		kbfunc.c mousefunc.c parse.y colorize.c
 
 OBJS=		calmwm.o screen.o xmalloc.o client.o menu.o \
 		search.o util.o xutil.o conf.o xevents.o group.o \
 		kbfunc.o mousefunc.o strlcpy.o strlcat.o y.tab.o \
-		strtonum.o fgetln.o
+		strtonum.o fgetln.o colorize.o
 
 CPPFLAGS+=	`pkg-config --cflags fontconfig x11 xft xinerama xrandr`
 
diff --git a/calmwm.h b/calmwm.h
index b56a9d7..40f1fb1 100644
--- a/calmwm.h
+++ b/calmwm.h
@@ -302,6 +302,7 @@ struct conf {
 	struct ignore_q		 ignoreq;
 	struct cmd_q		 cmdq;
 #define	CONF_STICKY_GROUPS		0x0001
+#define	CONF_COLORIZE_SSH		0x0002
 	int			 flags;
 #define CONF_BWIDTH			1
 	int			 bwidth;
@@ -583,4 +584,8 @@ int			 xasprintf(char **, const char *, ...)
 			__attribute__((__format__ (printf, 2, 3)))
 			__attribute__((__nonnull__ (2)));
 
+long			 crc24(char *);
+long			 tint(long);
+long			 shade(long);
+
 #endif /* _CALMWM_H_ */
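Review bot: crc24() is declared here as taking char * although colorize.c only reads the string; declare it const char * so callers holding const host names need no cast. Since all three helpers carry a 24-bit RGB value, an unsigned return and argument type (unsigned long, for example) would also keep the shifts in their implementations off signed values.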
diff --git a/colorize.c b/colorize.c
new file mode 100644
index 000..c60d75b
--- /dev/null
+++ b/colorize.c
@@ -0,0 +1,67 @@
+/* $Id$ */
+/*
+ * Copyright (c) 2015 Dimitri Sokolyuk 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "calmwm.h"
+
+#define CRC24_INIT	0x0B704CEL
+#define CRC24_POLY	0x1864CFBL
+
+long
+crc24(char *s)
+{
+	long crc;
+	int i;
+
+	for (crc = CRC24_INIT; *s; s++) {
+		crc ^= *s << 0x10;
+		for (i = 0; i < 8; i++) {
+			crc <<= 1;
+			if (crc & 0x100)
+crc ^= CRC24_POLY;
+		}
+	}
+
+	return crc;
+}
+
+long
+shade(long c)
+{
+	unsigned char r = c >> 0x10;
+	unsigned char g = c >> 0x08;
+	unsigned char b = c;
+
+	r >>= 2;
+	g >>= 2;
+	b >>= 2;
+
+	return (r << 0x10) | (g << 0x8) | b;
+}
+
+long
+tint(long c)
+{
+	unsigned char r = c >> 0x10;
+	unsigned char g = c >> 0x08;
+	unsigned char b = c;
+
+	r += (UCHAR_MAX - r) >> 1;
+	g += (UCHAR_MAX - g) >> 1;
+	b += (UCHAR_MAX - b) >> 1;
+
+	return (r << 0x10) | (g << 0x8) | b;
+}
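Review bot: in crc24() the inner test reads crc & 0x100 as posted, but the CRC-24 that uses these CRC24_INIT and CRC24_POLY values (RFC 4880, section 6.1) tests bit 24, crc & 0x1000000, and returns crc & 0xFFFFFF; as written nothing keeps crc within 24 bits, so the repeated left shift of a signed long can overflow on longer host names. In the same loop *s is a plain char, so *s << 0x10 sign-extends for bytes above 0x7f; cast to unsigned char before shifting. tint() uses UCHAR_MAX while the file includes only calmwm.h, so include <limits.h> explicitly.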
diff --git a/kbfunc.c b/kbfunc.c
index 8ad5b99..3a6c7f8 100644
--- a/kbfunc.c
+++ b/kbfunc.c
@@ -326,6 +326,7 @@ kbfunc_ssh(struct client_ctx *cc, union arg *arg)
 	char			*buf, *lbuf, *p;
 	char			 hostbuf[HOST_NAME_MAX+1];
 	char			 path[PATH_MAX];
+	long			 color;
 	int			 l;
 	size_t			 len;
 
@@ -371,8 +372,16 @@ kbfunc_ssh(struct client_ctx *cc, union arg *arg)
 	search_match_exec, NULL)) != NULL) {
 		if (mi->text[0] == '\0')
 			goto out;
-		l = snprintf(path, sizeof(path), "%s -T '[ssh] %s' -e ssh %s",
-		cmd->path, mi->text, mi->text);
+		if (Conf.flags & CONF_COLORIZE_SSH) {
+			color = crc24(mi->text);
+			l = snprintf(path, sizeof(path),
+			"%s -T '[ssh] %s' -fg #%.6x -bg #%.6x -e ssh %s",
+			cmd->path, mi->text, tint(color), shade(color),
+			mi->text);
+		} else
+			l = snprintf(path, sizeof(path),
+			"%s -T '[ssh] %s' -e ssh %s",
+			cmd->path, mi->text, mi->text);
 		if (l == -1 || l >= sizeof(path))
 			goto out;
 		u_spawn(path);
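Review bot: the new snprintf() call passes tint(color) and shade(color), which the calmwm.h hunk declares as returning long, to two %.6x conversions that expect unsigned int; in a variadic call that is a type mismatch wherever long is wider than int. Use %.6lx, or cast the value to unsigned int after masking it with 0xFFFFFF so that exactly six hex digits are produced.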
diff --git a/parse.y b/parse.y
index eb8ed64..9922dc5 100644
--- a/parse.y
+++ b/parse.y
@@ -70,7 +70,7 @@ typedef struct {
 
 %}
 
-%token	FONTNAME STICKY GAP MOUSEBIND
+%token	FONTNAME STICKY GAP MOUSEBIND COLORIZE
 %token	AUTOGROUP BIND COMMAND IGNORE
 %token	YES NO BORDERWIDTH MOVEAMOUNT
 %token	COLOR SNAPDIST
@@ -119,6 +119,12 @@ main		: FONTNAME STRING		{
 			else
 conf->flags |= CONF_STICKY_GROUPS;
 		}
+		| COLORIZE yesno {
+			if ($2 == 0)
+conf->flags &= ~CONF_COLORIZE_SSH;
+			else
+conf->flags |= CONF_COLORIZE_SSH;
+		}
 		| BORDERWIDTH NUMBER {
 			if ($2 < 0 || $2 > UINT_MAX) {
 yyerror("invalid borderwidth: %lld", $2);
@@ -276,6 +282,7 @@ lookup(char *s)
 		{ "bind",	

Re: KVM Switching and CPU and Fan Speed

2015-03-12 Thread W. Steven Schneider
On Mar 11, 2015 5:58 PM, "Jason Adams"  wrote:
>
> On 03/10/2015 08:15 PM, W. Steven Schneider wrote:
> >
> >
> > It appears that the privilege separated Xorg is demanding a high
> > percentage of CPU. I had Xorg niced to -10 buy bringing it's back to
> >
>
> Also,
> According to ftp://www.x.org/pub/X11R6.8.2/doc/RELNOTES4.html
> there should/might be an optional setting in xorg.conf to disable ddc
> (noddc) to prevent xorg from trying to pull video resolutions from the
> monitor.
>
Using Option "NoDDC" just gets me a "Option NoDDC is not used" message by
the radeon driver and CPU usage still goes way up.



Re: KVM Switching and CPU and Fan Speed

2015-03-12 Thread W. Steven Schneider
On Mar 13, 2015 1:02 AM, "Aaron Fineman"  wrote:
>
> This is likely the issue I ran into, and banged out with Matthieu Herrb.
> I didn't notice this in 5.6, I'm not sure what caused it in 5.7, but the
> thread is here: http://marc.info/?t=14240429644&r=1&w=2
>
Thanks.

> Switching to a text-mode console before toggling the KVM will avoid the
> issue. Flipping back and forth will return the CPU usage to normal.
>
I'll just keep switching to an empty desktop or text console for now until
things change.



Re: pre-orders for 5.7

2015-03-12 Thread Francisco Valladolid H.
congrats.
On Mar 12, 2015 1:59 PM, "Theo de Raadt"  wrote:

> We have activated pre-orders for the OpenBSD 5.7 CDs.
>
> See www.openbsd.org/57.html for more details about what is coming
> in this release; near the top there is a link to pre-order these
> CDs, which are a component of funding for the developments in OpenBSD...
>
> Release date will be May 1.