Re: Server screen does not wake up
On 2015-03-19, Lars li...@srdn.de wrote:
> I did something stupid while configuring pf and locked myself out of my server using ssh. So I connected an older lcd-screen and a usb keyboard to my server to get console access. Unfortunately the screen did not wake up and pressing keys on the keyboard didn't help. I waited around 1 minute but the screen didn't show anything. I rebooted the system by pressing the power button to get a working screen. I don't think this is supposed to be right.

Is the dmesg below from a boot with the monitor connected or not? Can you show the equivalent of these lines from the other type? Look in /var/log/messages* for old boot messages.

> root on sd0a (260fbbdcd0c7be61.a) swap on sd0b dump on sd0b
> drm: initializing kernel modesetting (RS880 0x1002:0x9712 0x103C:0x1609).
> radeondrm0: VRAM: 32M 0xC000 - 0xC1FF (32M used)
> radeondrm0: GTT: 512M 0xA000 - 0xBFFF
> drm: PCIE GART of 512M enabled (table at 0xC004).
> radeondrm0: 1680x1050

I'm wondering if drm picked a resolution during boot that doesn't work with your monitor. If this is the cause, you could disable radeondrm with config(8).
Re: Server screen does not wake up
Hi Lars,

I am not a bsd user. But some of my boxes do checks during boot. If no monitor is detected during boot, the port is inactive... and if a monitor is connected later... oh well... no output... Sorry for a spam msg if wrong...

On Thu, 19 Mar 2015 22:53 Lars li...@srdn.de wrote:
> Hi,
>
> I did something stupid while configuring pf and locked myself out of my server using ssh. So I connected an older lcd-screen and a usb keyboard to my server to get console access. Unfortunately the screen did not wake up and pressing keys on the keyboard didn't help. I waited around 1 minute but the screen didn't show anything. I rebooted the system by pressing the power button to get a working screen. I don't think this is supposed to be right.
>
> wsconsctl shows the following (default settings):
>
> display.type=radeondrm
> display.emulations=vt100
> display.screentypes=std
> display.focus=0
> display.screen_on=250
> display.screen_off=0
> display.vblank=off
> display.kbdact=on
> display.msact=on
> display.outact=on
>
> As far as I understand the parameters, the screen shouldn't go blank at all (display.screen_off=0) and wake up on keyboard actions (display.kbdact=on). The man page wsdisplay is a bit difficult to understand, so I am not sure I understand the parameters. Any hints what I need to configure differently?
>
> thanks a lot for any tips
> have a great day
> Lars
>
> Here is my dmesg:
>
> OpenBSD 5.6-stable (GENERIC.MP) #3: Thu Dec 11 11:20:31 CET 2014
>     r...@dumper.lan:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 10686627840 (10191MB)
> avail mem = 10393366528 (9911MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xfb330 (35 entries)
> bios0: vendor HP version "O41" date 10/01/2013
> bios0: HP ProLiant MicroServer
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S4 S5
> acpi0: tables DSDT FACP APIC MCFG SPMI OEMB HPET EINJ BERT ERST HEST SSDT
> acpi0: wakeup devices PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) SBAZ(S4) P0PC(S4) PE20(S4) PE21(S4) PE22(S4) PE23(S4)
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD Turion(tm) II Neo N54L Dual-Core Processor, 2196.66 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,NODEID,ITSC
> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
> cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
> cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
> cpu0: AMD erratum 721 detected and fixed
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 199MHz
> cpu0: mwait min=64, max=64, C-substates=0.0.0.0.0, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD Turion(tm) II Neo N54L Dual-Core Processor, 2196.36 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,NODEID,ITSC
> cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
> cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
> cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
> cpu1: AMD erratum 721 detected and fixed
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpihpet0 at acpi0: 14318180 Hz
> acpi0: unable to load \_SB_._INI.EXH1
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (P0P1)
> acpiprt2 at acpi0: bus -1 (PCE2)
> acpiprt3 at acpi0: bus -1 (PCE4)
> acpiprt4 at acpi0: bus 2 (PCE6)
> acpicpu0 at acpi0: PSS
> acpicpu1 at acpi0: PSS
> acpibtn0 at acpi0: PWRB
> "ipmi" at mainbus0 not configured
> cpu0: 2196 MHz: speeds: 2200 1900 1600 1300 800 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "AMD RS880 Host" rev 0x00
> ppb0 at pci0 dev 1 function 0 vendor "Hewlett-Packard", unknown product 0x9602 rev 0x00
> pci1 at ppb0 bus 1
> radeondrm0 at pci1 dev 5 function 0 "ATI Mobility Radeon HD 4200" rev 0x00
> drm0 at radeondrm0
> radeondrm0: apic 2 int 18
> ppb1 at pci0 dev 6 function 0 "AMD RS780 PCIE" rev 0x00
> pci2 at ppb1 bus 2
> bge0 at pci2 dev 0 function 0 "Broadcom BCM5723" rev 0x10, BCM5784 A1 (0x5784100): msi, address 38:ea:a7:a6:04:2d
> brgphy0 at bge0 phy 1: BCM5784 10/100/1000baseT PHY, rev. 4
> ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x40: apic 2 int 19, AHCI 1.2
> scsibus1 at ahci0: 32 targets
> sd0 at scsibus1 targ 0 lun 0: <ATA, Samsung SSD 840, DXT0> SCSI3 0/direct
Re: iwm0: fatal firmware error on -current
On Thu, Mar 19, 2015 at 08:50:11AM +0100, Mattieu Baptiste wrote:
> On Thu, Mar 19, 2015 at 12:38 AM, Stefan Sperling s...@stsp.name wrote:
> > > Ok, so I tried reverting one by one every commit. Starting with rev. 1.33 of if_iwm.c, the interface cannot be brought up (no carrier). With rev. 1.32, the connection is OK and rather stable. My AP is capable of 802.11a/b/g/n at 2.4 and 5 GHz.
> >
> > And I guess your AP is configured to use some 2.4GHz channel?
>
> Yes, both 2.4 and 5.
>
> > Revision 1.33 enabled 11a support, which means scans will take much longer since more channels must be scanned. With if_iwm.c at HEAD, if you run 'ifconfig iwm0 media autoselect mode 11g' before doing anything else does it behave better again?
>
> It doesn't change anything. As soon as I set an address on the interface (manually or with dhclient), mode 11g is reset and the errors in the logs are the same.

Can you include the output of pcidump -v? It's possible you have an adapter that doesn't support 11a.
Re: iwm0: fatal firmware error on -current
On Thu, Mar 19, 2015 at 9:09 AM, Jonathan Gray j...@jsg.id.au wrote:
> > It doesn't change anything. As soon as I set an address on the interface (manually or with dhclient), mode 11g is reset and the errors in the logs are the same.
>
> Can you include the output of pcidump -v? It's possible you have an adapter that doesn't support 11a.

Here it is:

Domain /dev/pci0:
 0:0:0: Intel Core 4G Host
	0x0000: Vendor ID: 8086 Product ID: 0a04
	0x0004: Command: 0006 Status: 2090
	0x0008: Class: 06 Subclass: 00 Interface: 00 Revision: 0b
	0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 00
	0x0010: BAR empty ()
	0x0014: BAR empty ()
	0x0018: BAR empty ()
	0x001c: BAR empty ()
	0x0020: BAR empty ()
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 17aa Product ID: 220c
	0x0030: Expansion ROM Base Address:
	0x0038:
	0x003c: Interrupt Pin: 00 Line: 00 Min Gnt: 00 Max Lat: 00
	0x00e0: Capability 0x09: Vendor Specific
 0:2:0: Intel HD Graphics
	0x0000: Vendor ID: 8086 Product ID: 0a16
	0x0004: Command: 0007 Status: 0090
	0x0008: Class: 03 Subclass: 00 Interface: 00 Revision: 0b
	0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 00
	0x0010: BAR mem 64bit addr: 0xf000/0x0040
	0x0018: BAR mem prefetchable 64bit addr: 0xe000/0x1000
	0x0020: BAR io addr: 0x3000/0x0040
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 17aa Product ID: 220c
	0x0030: Expansion ROM Base Address:
	0x0038:
	0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
	0x0090: Capability 0x05: Message Signaled Interrupts (MSI)
	0x00d0: Capability 0x01: Power Management
	0x00a4: Capability 0x13: PCI Advanced Features
 0:3:0: Intel Core 4G HD Audio
	0x0000: Vendor ID: 8086 Product ID: 0a0c
	0x0004: Command: 0006 Status: 0010
	0x0008: Class: 04 Subclass: 03 Interface: 00 Revision: 0b
	0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
	0x0010: BAR mem 64bit addr: 0xf063/0x4000
	0x0018: BAR empty ()
	0x001c: BAR empty ()
	0x0020: BAR empty ()
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 17aa Product ID: 220c
	0x0030: Expansion ROM Base Address:
	0x0038:
	0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
	0x0050: Capability 0x01: Power Management
	0x0060: Capability 0x05: Message Signaled Interrupts (MSI)
	0x0070: Capability 0x10: PCI Express
 0:20:0: Intel 8 Series xHCI
	0x0000: Vendor ID: 8086 Product ID: 9c31
	0x0004: Command: 0006 Status: 0290
	0x0008: Class: 0c Subclass: 03 Interface: 30 Revision: 04
	0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 00
	0x0010: BAR mem 64bit addr: 0xf062/0x0001
	0x0018: BAR empty ()
	0x001c: BAR empty ()
	0x0020: BAR empty ()
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 17aa Product ID: 220c
	0x0030: Expansion ROM Base Address:
	0x0038:
	0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
	0x0070: Capability 0x01: Power Management
	0x0080: Capability 0x05: Message Signaled Interrupts (MSI)
 0:22:0: Intel 8 Series MEI
	0x0000: Vendor ID: 8086 Product ID: 9c3a
	0x0004: Command: 0006 Status: 0010
	0x0008: Class: 07 Subclass: 80 Interface: 00 Revision: 04
	0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 00
	0x0010: BAR mem 64bit addr: 0xf0639000/0x0020
	0x0018: BAR empty ()
	0x001c: BAR empty ()
	0x0020: BAR empty ()
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 17aa Product ID: 220c
	0x0030: Expansion ROM Base Address:
	0x0038:
	0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
	0x0050: Capability 0x01: Power Management
	0x008c: Capability 0x05: Message Signaled Interrupts (MSI)
 0:25:0: Intel I218-LM
	0x0000: Vendor ID: 8086 Product ID: 155a
	0x0004: Command: 0007 Status: 0010
	0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 04
	0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 00
	0x0010: BAR mem 32bit addr: 0xf060/0x0002
	0x0014: BAR mem 32bit addr: 0xf063e000/0x1000
	0x0018: BAR io addr: 0x3080/0x0020
	0x001c: BAR empty ()
	0x0020: BAR empty ()
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 17aa Product ID: 2214
	0x0030: Expansion ROM Base Address:
	0x0038:
	0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
	0x00c8: Capability 0x01: Power Management
	0x00d0: Capability 0x05: Message Signaled Interrupts (MSI)
	0x00e0: Capability 0x13: PCI Advanced Features
 0:27:0: Intel 8 Series HD Audio
	0x0000: Vendor ID: 8086 Product ID: 9c20
	0x0004: Command: 0006 Status: 0010
	0x0008: Class: 04 Subclass: 03 Interface: 00 Revision: 04
	0x000c: BIST: 00 Header Type: 00 Latency Timer: 00
Re: iwm0: fatal firmware error on -current
On Thu, Mar 19, 2015 at 09:59:39AM +0100, Mattieu Baptiste wrote:
> On Thu, Mar 19, 2015 at 9:09 AM, Jonathan Gray j...@jsg.id.au wrote:
> > > It doesn't change anything. As soon as I set an address on the interface (manually or with dhclient), mode 11g is reset and the errors in the logs are the same.
> >
> > Can you include the output of pcidump -v? It's possible you have an adapter that doesn't support 11a.
>
> Here it is:

The way your device is handled in Intel's Linux code is:

	{IWL_PCI_DEVICE(0x08B2, 0xC262, iwl7260_n_cfg)},

Which is "Intel(R) Wireless N 7260"
http://ark.intel.com/products/75174/Intel-Wireless-N-7260

the 7260 adapters that can do multiple bands are

"Intel(R) Dual Band Wireless N 7260" iwl7260_2n_cfg
http://ark.intel.com/products/75440/Intel-Dual-Band-Wireless-N-7260

"Intel(R) Dual Band Wireless AC 7260" iwl7260_2ac_cfg, iwl7260_2ac_cfg_high_temp
http://ark.intel.com/products/75439/Intel-Dual-Band-Wireless-AC-7260

The driver wrongly assumes all devices support 11a, this needs to be fixed. Though the Linux code seems to make the band decision based on the EEPROM not the sub device id.

>  3:0:0: Intel Dual Band Wireless AC 7260
> 	0x0000: Vendor ID: 8086 Product ID: 08b2
> 	0x0004: Command: 0006 Status: 0010
> 	0x0008: Class: 02 Subclass: 80 Interface: 00 Revision: 6b
> 	0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
> 	0x0010: BAR mem 64bit addr: 0xf040/0x2000
> 	0x0018: BAR empty ()
> 	0x001c: BAR empty ()
> 	0x0020: BAR empty ()
> 	0x0024: BAR empty ()
> 	0x0028: Cardbus CIS:
> 	0x002c: Subsystem Vendor ID: 8086 Product ID: c262
> 	0x0030: Expansion ROM Base Address:
> 	0x0038:
> 	0x003c: Interrupt Pin: 01 Line: 09 Min Gnt: 00 Max Lat: 00
> 	0x00c8: Capability 0x01: Power Management
> 	0x00d0: Capability 0x05: Message Signaled Interrupts (MSI)
> 	0x0040: Capability 0x10: PCI Express
> 		Link Speed: 2.5 / 2.5 GT/s
> 		Link Width: x1 / x1
Re: iwm0: fatal firmware error on -current
On Thu, Mar 19, 2015 at 12:38 AM, Stefan Sperling s...@stsp.name wrote:
> > Ok, so I tried reverting one by one every commit. Starting with rev. 1.33 of if_iwm.c, the interface cannot be brought up (no carrier). With rev. 1.32, the connection is OK and rather stable. My AP is capable of 802.11a/b/g/n at 2.4 and 5 GHz.
>
> And I guess your AP is configured to use some 2.4GHz channel?

Yes, both 2.4 and 5.

> Revision 1.33 enabled 11a support, which means scans will take much longer since more channels must be scanned. With if_iwm.c at HEAD, if you run 'ifconfig iwm0 media autoselect mode 11g' before doing anything else does it behave better again?

It doesn't change anything. As soon as I set an address on the interface (manually or with dhclient), mode 11g is reset and the errors in the logs are the same.

--
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.
Re: isolating untrusted programs in ssh chroot jails
here are the scripts i wrote to make this easier. these really were made for my own use, but i hope others may find them useful. i would be interested to know if anyone else actually does find them useful. would also be glad to know of any errors/problems/things that can go wrong i didn't think of.

the first one (jail_new) creates a new jail (and possibly the user). the second one (jail_pkgadd) adds a package and its dependencies to an existing jail. they are expected to be in the same directory (jail_new cannot add packages (-p) otherwise).

to relate to my earlier examples:

$ jail_new -tu _inmate:_chaingang /home/jail

will create the jail in /home/jail and also the user _inmate and group _chaingang. in this case it will just be a regular shell account (just chrooted).

$ jail_new -t _inmate:_chaingang /home/jail

will create the jail, but will not create the user:group.

a real case:

$ jail_new -tux -k /home/null/.ssh/id_rsa.pub -p w3m,feh:/usr/release/pkg browse /home/browse w3m -B

this command sets up the terminal (-t) and X (-x) in a directory (here /home/browse), creates a user (-u) (in this case 'browse'), uses the given key file (-k) for the authorized keys, installs the packages (-p) w3m and feh (and all of their dependencies) from directory /usr/release/pkg, and sets 'w3m -B' to run automatically via ForceCommand in sshd_config.

this is the equivalent of:

$ jail_new -tux -k /home/null/.ssh/id_rsa.pub browse /home/browse w3m -B
$ jail_pkgadd -p /usr/release/pkg w3m /home/browse
$ jail_pkgadd -p /usr/release/pkg feh /home/browse

if you want bzip2 in there as well, you can always add it later:

$ jail_pkgadd -p /usr/release/pkg bzip2 /home/browse

or, if PKG_PATH is set (and not remote) you can omit -p

$ jail_pkgadd bzip2 /home/browse

if PKG_PATH is set, and is remote, you need:

$ jail_pkgadd -r bzip2 /home/browse

(note: will only allow a single directory for PKG_PATH)

this can be used by running:

$ Xephyr :1 &
$ env DISPLAY=:1 ssh -X browse@localhost

(side note: w3m runs 'display' to display an image, so i create a symlink to feh to view images)

another case:

$ jail_new -tuxr -k /home/null/.ssh/id_rsa.pub -p xpdf:scp://null@node02/usr/release/pkg pdf /home/pdf

you need to specify -r (remote) directly to use remote pkg src. which is the equivalent of:

$ jail_new -tux -k /home/null/.ssh/id_rsa.pub pdf /home/pdf
$ jail_pkgadd -r -p scp://null@node02/usr/release/pkg xpdf /home/pdf

which can be used:

$ cp test.pdf /home/pdf/tmp
$ Xephyr :1 &
$ env DISPLAY=:1 ssh -X browse@localhost xpdf -fullscreen /tmp/test.pdf

(in this case it may be best not to use ForceCommand, since you may want to open multiple documents.)

WARNING use at your own peril. if you can't read the scripts, you probably shouldn't use them, and then i am certain there are other glaring security flaws you need to know about. i include these because it is a dull pain in the ass to do this manually, and hopefully someone may get some use out of them. other than that, do with it what you wish. they are as fool-proof as i could make them, so that i don't shoot myself in the foot accidentally (and i have been around long enough to have done that a few times, even while being careful). but you never know.
jail_new:
--
#!/bin/ksh
USAGE="${0##*/} [-jrtux] [-k authkeys] [-p pkg[,pkg2...][:pkgpath]] user[:group] path [cmd [args ...]]"
[[ $1 = -h ]] && { echo "USAGE $USAGE"; return 0; }
#-t sets PermitTTY and copies files for term
#-x sets X11Forwarding and copies files for X (fonts,xauth)
#-u creates user; fails if user exists
#-j joins group; needed to join existing group
#-p pkg[,pkg2...][:pkgpath]
#-r allows remote pkg access
#uses existing PKG_PATH
#pkgpath arg overrides PKG_PATH
#only accepts a lone pkgpath
PATH=/sbin:/bin:/usr/sbin:/usr/bin
echov() { eval echo \"\$$1\"; }
isemptyv() { eval [ \${#$1} -eq 0 ]; }
notemptyv() { eval [ \${#$1} -gt 0 ]; }
alias xt='set -o xtrace'
alias xt-='set +o xtrace'
if [ $(id -u) -eq 0 ];then
    echo "ERR cannot run as root"
    return 1
fi
_sshd_config=/etc/ssh/sshd_config
_sshd_config_tmp=/tmp/sshd_config
trap "rm -f $_sshd_config_tmp" 0 2
#for convenience
_fontdir=/usr/X11R6/lib/X11/fonts
_terminfo=/usr/share/misc/terminfo.db
_termcap=/usr/share/misc/termcap
_do_x=no
_do_tty=no
_do_useradd=
_do_joingrp=
_do_remote=
_authkeys=
_pkg=
_pkgpath=
_userhome=/home/cell
while getopts :jrtuxk:p: _opt;do
    case $_opt in
    j) _do_joingrp=yes ;;
    r) _do_remote=-r ;;
    t) _do_tty=yes ;;
    u) _do_useradd=yes ;;
    x) _do_x=yes ;;
    k) _authkeys=$OPTARG
       if [ ! -f "$_authkeys" ];then
           echo "ERR no such file '$_authkeys'"
           return 1
       fi ;;
    p) _pkg=$OPTARG
       if [[ $_pkg = *:* ]];then
           _pkgpath=${_pkg#*:}
           _pkg=${_pkg%%:*}
           export PKG_PATH=$_pkgpath
       else
           if isemptyv PKG_PATH;then
               echo "ERR PKG_PATH not set and none given"
               return 1
Re: isolating untrusted programs in ssh chroot jails
You said at the beginning of your comments "now i don't use firefox (or any 'modern browser')". May I ask which browser you like to use? And for what reasons?

thanks in advance

On Thu, Mar 19, 2015 at 7:56 PM, dan mclaughlin thev...@openmailbox.org wrote:
> here are the scripts i wrote to make this easier. these really were made for my own use, but i hope others may find them useful.
> [...]
isolating untrusted programs in ssh chroot jails
there seems to be some interest in this, so i thought i would post my notes, made more presentable. here i detail ways to use ssh to restrict access to the filesystem as well as X, mitigating the 'security nightmare' that is X11, not to mention preventing possible leaking of local data. this uses more proven code so may be better than eg virtualization for some things. comments/questions/corrections/etc welcome. i'm sure i missed something.

this subject of isolating untrusted programs has been coming up recently, though mostly in regards to web browsers (firefox, xombrero). now i don't use firefox (or any 'modern browser'), but other X programs i have tested work fine (xpdf mplayer xloadimage djview4 feh). there are some that don't seem to work that i haven't tracked down the exact cause of yet (qiv zathura; something to do with glib). this works well with w3m+feh for me though.

if someone is ambitious enough to try firefox, for a start, they should read faq 10.16 which has a basic method of working out dependencies, though i've expanded on that here. also Johnathon Thornburg's work here saved me some time, and gets into the security issues:

http://marc.info/?l=openbsd-misc&m=141616701418506&w=1

still, i'm not sure you can do this for firefox, but this may get you started. if not, your best bet may be J. Thornburg's method here:

https://marc.info/?l=openbsd-misc&m=141867559504962&w=2

which you should read anyway. much of the rest of the information is spread around various man pages (eg sshd_config(5)).

also note Xephyr is required for some programs using 'ssh -X' eg xpdf

0. intro

for simplicity, i will be setting up a single jail for multiple programs. you could isolate each program with its own user and jail. one issue though would be that many dependencies would be duplicated. on the other hand you could then use ssh's ForceCommand.
for future reference, i will assume there is a user:

/etc/passwd:
_inmate:*:::public jail account:/home/cell:/bin/sh

/etc/group:
_chaingang:*::

1. setting up ssh to chroot:

you need to add an entry like the following to /etc/ssh/sshd_config:

Match User _inmate
	ChrootDirectory /home/jail
	AuthorizedKeysFile /home/jail.authorized_keys
	X11Forwarding yes
	AllowTcpForwarding no
	# PermitTTY no
	# ForceCommand xpdf /tmp/*pdf

you may have to tweak this a bit depending on your use. if you are using X11 programs you will need X11Forwarding yes. if you are using a terminal (eg a console web browser) you may need PermitTTY yes. (some X programs also require a terminal for some functions eg mplayer). if you are using a single command, you will want to use ForceCommand.

remember also that the authorized_keys file must be owned by _inmate, but in the above example i keep it outside of the jail so the user doesn't have access.

N.B. remember that when the user's directory is processed, the home directory in /etc/passwd will be appended to the above ChrootDirectory. in our example, the ChrootDirectory is /home/jail and the user _inmate's home directory in /etc/passwd is /home/cell, which ssh will combine into /home/jail/home/cell.

example using ForceCommand:

Match User _inmate
	ChrootDirectory /home/jail
	AuthorizedKeysFile /home/jail.authorized_keys
	X11Forwarding no
	AllowTcpForwarding no
	PermitTTY yes
	ForceCommand w3m -B

2. setting up basic chroot filesystem

there are some files you need in the chroot in order for various programs to function, at a minimum you need shared library support and the user's homedir:

essential user files
/home/jail/home/cell/
/home/jail.authorized_keys (must be owned by user ie _inmate)

NOTE: all following files are relative to chroot directory ($_chroot), in this case /home/jail. for the most part you can 'cp -p file $_chroot/file'.
to handle shared libs (required):

/sbin/ldconfig
/usr/libexec/ld.so
/var/run/

after these files are installed, you will need to run ldconfig

$ chroot $_chroot ldconfig /usr/{,X11R6,local}/lib

which will create /var/run/ld.so.hints.

basic directories that are needed:

/bin
/sbin
/etc
/usr/{,X11R6,local}/lib
/tmp

and since we are going to be installing packages, create:

/var/db/pkg/

to run X you will need a minimum:

/etc/fonts/
/usr/X11R6/lib/X11/fonts/
/usr/X11R6/bin/xauth

you will also need the shared libraries xauth depends on:

$ ldd /usr/X11R6/bin/xauth
/usr/X11R6/bin/xauth:
	Start    End      Type  Open Ref GrpRef Name
	1669e000 366a3000 exe   1    0   0      /usr/X11R6/bin/xauth
	09606000 2960a000 rlib  0    2   0      /usr/X11R6/lib/libXau.so.10.0
	0b3fd000 2b401000 rlib  0    1   0      /usr/X11R6/lib/libXext.so.13.0
	0e418000 2e41c000 rlib  0    1   0      /usr/X11R6/lib/libXmuu.so.6.0
	0092e000 209ad000 rlib  0    3   0      /usr/X11R6/lib/libX11.so.16.0
	0b40b000 2b43b000 rlib  0    1   0
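An added example (my own helpers, not part of this post and not the jail_new/jail_pkgadd scripts) covering two steps from the post: staging a program plus the shared objects ldd(1) lists into $_chroot (section 2, the faq 10.16 method in script form), and checking a ChrootDirectory path against the rule sshd(8) applies before it will chroot, namely that every component of the path is a root-owned directory writable by neither group nor other (section 1). The function names are assumptions of mine; the ldd sample at the bottom is constructed to match the OpenBSD ldd format quoted above, with made-up addresses and a shortened library list. ldd_objects understands only that format, so on a Linux box it prints nothing.

```shell
#!/bin/sh
# Added example, not from the original post or its jail_new script.
# Two helpers for the steps above: staging a program plus the shared
# objects ldd(1) lists into $_chroot, and checking a ChrootDirectory
# path against sshd(8)'s ownership/permission rule. Names are mine.

# ldd_objects: read OpenBSD ldd(1) output on stdin and print, one per line,
# each object the program needs besides itself: libraries (Type rlib/dlib)
# and the runtime linker (ld.so). Type is field 3, the path the last field.
# Linux ldd prints a different layout, so there this yields nothing.
ldd_objects() {
    awk '$3 == "rlib" || $3 == "dlib" || $3 == "ld.so" { print $NF }' | sort -u
}

# stage_into_chroot DEST: read absolute paths on stdin and cp -p each one
# to the same path under DEST, creating parent directories as needed.
# Prints the number copied; missing files go to stderr and are skipped.
stage_into_chroot() {
    dest=$1
    n=0
    while IFS= read -r f; do
        [ -f "$f" ] || { echo "skip (missing): $f" >&2; continue; }
        mkdir -p "$dest${f%/*}"
        cp -p "$f" "$dest$f"
        n=$((n + 1))
    done
    echo "$n"
}

# jail_add_binary DEST PROG: stage PROG and everything ldd says it needs.
# Afterwards run 'chroot DEST ldconfig /usr/{,X11R6,local}/lib' as in the
# post so that /var/run/ld.so.hints inside the jail is rebuilt.
jail_add_binary() {
    { echo "$2"; ldd "$2" | ldd_objects; } | stage_into_chroot "$1"
}

# check_chroot_path DIR [UID]: sshd refuses a ChrootDirectory unless every
# component of the path is a directory owned by root and writable by
# neither group nor other. UID (default 0) is the owner to require; it is
# a parameter only so the check can be exercised without root. Prints one
# "bad:" line per offending component and returns 1 if any were found.
# ls -ldn gives the mode string as field 1 and the numeric owner as field 3
# on both OpenBSD and Linux, which is why it is used instead of stat(1).
check_chroot_path() {
    p=$1
    want=${2:-0}
    bad=0
    [ -d "$p" ] || { echo "bad: $p (not a directory)"; return 1; }
    while :; do
        set -- $(ls -ldn "$p")
        mode=$1; uid=$3
        case $mode in
            ?????w*|????????w*) echo "bad: $p (group/other writable)"; bad=1 ;;
        esac
        [ "$uid" -eq "$want" ] || { echo "bad: $p (owner uid $uid, want $want)"; bad=1; }
        [ "$p" = / ] && break
        p=${p%/*}
        [ -n "$p" ] || p=/
    done
    return $bad
}

# Constructed sample, modelled on the xauth ldd output quoted in the post;
# addresses are made up and the library list is shortened.
sample_ldd() {
cat <<'EOF'
/usr/X11R6/bin/xauth:
        Start    End      Type  Open Ref GrpRef Name
        1669e000 366a3000 exe   1    0   0      /usr/X11R6/bin/xauth
        09606000 2960a000 rlib  0    2   0      /usr/X11R6/lib/libXau.so.10.0
        0b3fd000 2b401000 rlib  0    1   0      /usr/X11R6/lib/libXext.so.13.0
        0e418000 2e41c000 rlib  0    1   0      /usr/X11R6/lib/libXmuu.so.6.0
        0092e000 209ad000 rlib  0    3   0      /usr/X11R6/lib/libX11.so.16.0
        03a1c000 23a2e000 rlib  0    1   0      /usr/lib/libc.so.77.0
        0c7f0000 2c7f6000 ld.so 0    1   0      /usr/libexec/ld.so
EOF
}

# Stand-alone demo: what the sample program would pull into the jail, and
# whether /home/jail (the post's ChrootDirectory) would be accepted by sshd.
sample_ldd | ldd_objects
check_chroot_path /home/jail || echo "/home/jail would be rejected as ChrootDirectory"
```

On the host, `jail_add_binary /home/jail /usr/X11R6/bin/xauth` stages xauth and its libraries for real; the ldconfig step from the post then has to be rerun inside the jail. The path check walks every component because sshd does: a ChrootDirectory under a world-writable parent such as /tmp is rejected even if the jail directory itself is fine. Nothing here decides which files are safe to expose; it only copies what the binary links against.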
Re: Server screen does not wake up
On 03/19/15 18:38, Stuart Henderson wrote:
> On 2015-03-19, Lars li...@srdn.de wrote:
> > I did something stupid while configuring pf and locked myself out of my server using ssh. So I connected an older lcd-screen and a usb keyboard to my server to get console access. Unfortunately the screen did not wake up and pressing keys on the keyboard didn't help. I waited around 1 minute but the screen didn't show anything. I rebooted the system by pressing the power button to get a working screen. I don't think this is supposed to be right.

yes, there is NO screen saver on the text (or DRM) console with OpenBSD, thank goodness. That's one of my many hated features of Linux.

> Is the dmesg below from a boot with the monitor connected or not? Can you show the equivalent of these lines from the other type? Look in /var/log/messages* for old boot messages.
>
> > root on sd0a (260fbbdcd0c7be61.a) swap on sd0b dump on sd0b
> > drm: initializing kernel modesetting (RS880 0x1002:0x9712 0x103C:0x1609).
> > radeondrm0: VRAM: 32M 0xC000 - 0xC1FF (32M used)
> > radeondrm0: GTT: 512M 0xA000 - 0xBFFF
> > drm: PCIE GART of 512M enabled (table at 0xC004).
> > radeondrm0: 1680x1050
>
> I'm wondering if drm picked a resolution during boot that doesn't work with your monitor. If this is the cause, you could disable radeondrm with config(8)..

or as has often been the case with some drm configs, if no monitor is attached at boot it just doesn't work with /any/ known monitor. Same fix, but as I've run around and plugged some pretty capable and tolerant monitors into these dead video ports, I wouldn't spend a lot of time looking for a better monitor.

Nick.
[R] trouble with fetching cran repos index
Thanks for your answer. That's quite weird, since the ftp works. Maybe connected to the openbsd version? I am on 5.6 release. This is not a drama though, it will motivate me to use as few additional packages as possible.

Damien Thiriet

> I just tested
>
> install.packages("maptools", repos = "http://r.meteo.uni.wroc.pl")
>
> and it worked fine. Does
>
> $ ftp http://r.meteo.uni.wroc.pl/src/contrib/PACKAGES
>
> work?
Re: isolating untrusted programs in ssh chroot jails
On Thu, 19 Mar 2015 08:52:09 -0600 Jorge Gabriel Lopez Paramount jorge.lopez.paramo...@googlemail.com wrote:
> Quoting dan mclaughlin thev...@openmailbox.org:
> > there seems to be some interest in this, so i thought i would post my notes, made more presentable. here i detail ways to use ssh to restrict access to the filesystem as well as X, mitigating the 'security nightmare' that is X11, not to mention preventing possible leaking of local data. this uses more proven code so may be better than eg virtualization for some things.
>
> This looks interesting but really complicated. As I commented before I use a virtual machine for running Firefox due to security concerns, now with OpenBSD at last. I know that a virtual machine would not resist a targeted attack, but since it would be complicated breaking away from a virtual machine and this is not a common setup I do not think a generic attack/worm/trojan would be able to do any harm.
>
> Also, I'm running Firefox for browsing but since it's common to get PDF files I have installed along a PDF viewer as well. And sometimes I want to print documents so I installed cups (fortunately everything works on OpenBSD as expected, thanks by the way!). Firefox, a PDF viewer and cups have a lot of dependencies, and I have not tried yet to forward sound so my Firefox is soundless. And Firefox alone eats lots of memory, I have reserved for this VM one gigabyte of RAM. To me that's one of the biggest virtual machines I have, and very likely would make a big jail.
>
> If I wanted to do it the OpenBSD way (the one I imagine) I would reserve an old laptop or netbook and put there OpenBSD with Firefox and friends instead of setting up a big and complicated jail.
>
> --
> Best regards,
> Jorge Lopez.

you have a point about it being complicated, which is why i said i don't think it would work with firefox. i mention already that i had trouble with a few simpler ports like qiv.

and physical separation on its own machine is probably the best practice anyway (i use physical separation for security myself). but there may be cases where one may not be able to dedicate a whole machine to it, and it's something. it depends on one's use case. hence my statement above 'for some things'. firefox isn't in my use case. physical separation would be more difficult for one of my main use cases, reading pdfs on my desktop. and not everybody always has access to such resources.

the intent though was to make it possible to run any code, and also to use openbsd base, as that is a more trusted code base to build upon (ssh -X, chroot). one use is xpdf for instance. (which is only about ~135M of space, a good half of that X11 fonts). some do get bigger, like djview4 which has 70 packages and ~712M space. (i also use it for w3m, since one must be particularly careful with browsers given QUANTUMINSERT and the like.)

as to RAM, this would hardly take any more than is already used. and it is much less complicated with scripts (i already invested time in them so i don't have to invest it later setting them up (and making mistakes)). it's a single command now. i also have scripts that automate starting up/taking down Xephyr and launching the proper account/commands (i just type 'open file' and everything is already done for me.) the beauty of scripts (and unix).
Re: Libre/OpenSSL Patches in Latest amd64 Snapshot?
On 3/19/2015 9:36 AM, Bryan Steele wrote:

On Thu, Mar 19, 2015 at 08:53:57AM -0700, Scott Vanderbilt wrote:

Given that the patches in tedu's announcement to the tech@ list are all time-stamped circa 18 Mar 2015 06:01:34 -, may I safely assume they are included in the amd64 snapshot dated 18-Mar-2015, the earliest file of which has a timestamp of 18:55? I need to bring my snapshots up-to-date anyway, and upgrading will probably be as fast or faster than re-building the libraries. Thanks.

No, assuming the contents of a snapshot seems like a particularly unsafe thing to do.

Agreed. Assuming is a bad idea. My question was inartfully posed. Let me try again. A quick perusal of the patches gives no evidence of a bump in version number. How is it possible to know whether these patches are included in a given snapshot or not?
Re: isolating untrusted programs in ssh chroot jails
Quoting dan mclaughlin thev...@openmailbox.org:

there seems to be some interest in this, so i thought i would post my notes, made more presentable. here i detail ways to use ssh to restrict access to the filesystem as well as X, mitigating the 'security nightmare' that is X11, not to mention preventing possible leaking of local data. this uses more proven code so may be better than eg virtualization for some things.

This looks interesting but really complicated. As I commented before I use a virtual machine for running Firefox due to security concerns, now with OpenBSD at last. I know that a virtual machine would not resist a targeted attack, but since it would be complicated breaking away from a virtual machine and this is not a common setup I do not think a generic attack/worm/trojan would be able to do any harm. Also, I'm running Firefox for browsing but since it's common to get PDF files I have installed along a PDF viewer as well. And sometimes I want to print documents so I installed cups (fortunately everything works on OpenBSD as expected, thanks by the way!). Firefox, a PDF viewer and cups have a lot of dependencies, and I have not tried yet to forward sound so my Firefox is soundless. And Firefox alone eats lots of memory, I have reserved for this VM one gigabyte of RAM. To me that's one of the biggest virtual machines I have, and very likely would make a big jail. If I wanted to do it the OpenBSD way (the one I imagine) I would reserve an old laptop or netbook and put there OpenBSD with Firefox and friends instead of setting up a big and complicated jail.

-- Best regards, Jorge Lopez.

This message was sent using IMP, the Internet Messaging Program.
Re: isolating untrusted programs in ssh chroot jails
On Thu, 19 Mar 2015 20:08:34 +0800 Jeff St. George f...@speednet.com wrote:

You said at beginning of your comments "now i don't use firefox (or any 'modern browser')". May I ask which browser you like to use? And for what reasons? thanks in advance

like in the examples, i use w3m. which is one of the reasons i wanted to make this jail, since i don't trust the code at all. the reasons why, well, i'm an old unix guy, who still spends most of his time in a text console! there is also the bloat. my machines are too old to run firefox even if i wanted to (i tried some years ago with a livecd project i was doing, and i could not believe how SLOW it was). i use my computer mostly to read anyway, and unless there is a pdf i cannot convert, i have little need of graphics at all (mostly my own nature photos/ videos). besides, it's also much quicker without all of those pictures. if i choose, i can view the one photo i want (which pops up in the Xephyr window).
Re: Libre/OpenSSL Patches in Latest amd64 Snapshot?
Scott Vanderbilt wrote:

On 3/19/2015 9:36 AM, Bryan Steele wrote:

On Thu, Mar 19, 2015 at 08:53:57AM -0700, Scott Vanderbilt wrote:

Given that the patches in tedu's announcement to the tech@ list are all time-stamped circa 18 Mar 2015 06:01:34 -, may I safely assume they are included in the amd64 snapshot dated 18-Mar-2015, the earliest file of which has a timestamp of 18:55? I need to bring my snapshots up-to-date anyway, and upgrading will probably be as fast or faster than re-building the libraries. Thanks.

No, assuming the contents of a snapshot seems like a particularly unsafe thing to do.

Agreed. Assuming is a bad idea. My question was inartfully posed. Let me try again. A quick perusal of the patches gives no evidence of a bump in version number. How is it possible to know whether these patches are included in a given snapshot or not?

It's not. The 18th snapshot definitely doesn't have them though.
Server screen does not wake up
Hi,

I did something stupid while configuring pf and locked myself out of my server using ssh. So I connected an older lcd-screen and a usb keyboard to my server to get console access. Unfortunately the screen did not wake up and pressing keys on the keyboard didn't help. I waited around 1 minute but the screen didn't show anything. I rebooted the system by pressing the power button to get a working screen. I don't think this is supposed to be right.

wsconsctl shows the following (default settings):

display.type=radeondrm
display.emulations=vt100
display.screentypes=std
display.focus=0
display.screen_on=250
display.screen_off=0
display.vblank=off
display.kbdact=on
display.msact=on
display.outact=on

As far as I understand the parameters, the screen shouldn't go blank at all (display.screen_off=0) and wake up on keyboard actions (display.kbdact=on). The man page wsdisplay is a bit difficult to understand, so I am not sure I understand the parameters. Any hints what I need to configure differently?

thanks a lot for any tips
have a great day
Lars

Here is my dmesg:

OpenBSD 5.6-stable (GENERIC.MP) #3: Thu Dec 11 11:20:31 CET 2014 r...@dumper.lan:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 10686627840 (10191MB) avail mem = 10393366528 (9911MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 
2.6 @ 0xfb330 (35 entries) bios0: vendor HP version O41 date 10/01/2013 bios0: HP ProLiant MicroServer acpi0 at bios0: rev 2 acpi0: sleep states S0 S4 S5 acpi0: tables DSDT FACP APIC MCFG SPMI OEMB HPET EINJ BERT ERST HEST SSDT acpi0: wakeup devices PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) SBAZ(S4) P0PC(S4) PE20(S4) PE21(S4) PE22(S4) PE23(S4) acpitimer0 at acpi0: 3579545 Hz, 32 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Turion(tm) II Neo N54L Dual-Core Processor, 2196.66 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,NODEID,ITSC cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative cpu0: AMD erratum 721 detected and fixed cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 199MHz cpu0: mwait min=64, max=64, C-substates=0.0.0.0.0, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD Turion(tm) II Neo N54L Dual-Core Processor, 2196.36 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,NODEID,ITSC cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative cpu1: AMD erratum 721 detected and fixed cpu1: smt 0, core 1, package 
0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318180 Hz acpi0: unable to load \\_SB_._INI.EXH1 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (P0P1) acpiprt2 at acpi0: bus -1 (PCE2) acpiprt3 at acpi0: bus -1 (PCE4) acpiprt4 at acpi0: bus 2 (PCE6) acpicpu0 at acpi0: PSS acpicpu1 at acpi0: PSS acpibtn0 at acpi0: PWRB ipmi at mainbus0 not configured cpu0: 2196 MHz: speeds: 2200 1900 1600 1300 800 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 AMD RS880 Host rev 0x00 ppb0 at pci0 dev 1 function 0 vendor Hewlett-Packard, unknown product 0x9602 rev 0x00 pci1 at ppb0 bus 1 radeondrm0 at pci1 dev 5 function 0 ATI Mobility Radeon HD 4200 rev 0x00 drm0 at radeondrm0 radeondrm0: apic 2 int 18 ppb1 at pci0 dev 6 function 0 AMD RS780 PCIE rev 0x00 pci2 at ppb1 bus 2 bge0 at pci2 dev 0 function 0 Broadcom BCM5723 rev 0x10, BCM5784 A1 (0x5784100): msi, address 38:ea:a7:a6:04:2d brgphy0 at bge0 phy 1: BCM5784 10/100/1000baseT PHY, rev. 4 ahci0 at pci0 dev 17 function 0 ATI SBx00 SATA rev 0x40: apic 2 int 19, AHCI 1.2 scsibus1 at ahci0: 32 targets sd0 at scsibus1 targ 0 lun 0: ATA, Samsung SSD 840, DXT0 SCSI3 0/direct fixed naa.50025385a0060dff sd0: 114473MB, 512 bytes/sector, 234441648 sectors, thin sd1 at scsibus1 targ 1 lun 0: ATA, SAMSUNG HD154UI, 1AG0 SCSI3 0/direct fixed naa.50024e90037f1bad sd1: 1430799MB, 512 bytes/sector, 2930277168 sectors sd2 at scsibus1 targ 2 lun 0: ATA, SAMSUNG HD154UI, 1AG0 SCSI3 0/direct fixed naa.50024e90037f1bae sd2: 1430799MB, 512
Libre/OpenSSL Patches in Latest amd64 Snapshot?
Given that the patches in tedu's announcement to the tech@ list are all time-stamped circa 18 Mar 2015 06:01:34 -, may I safely assume they are included in the amd64 snapshot dated 18-Mar-2015, the earliest file of which has a timestamp of 18:55? I need to bring my snapshots up-to-date anyway, and upgrading will probably be as fast or faster than re-building the libraries. Thanks.
ospfd: OSPF Inter-Area-Redistribution not working
Hello misc,

I have two OSPF-Areas (1 and 2) that are connected through OSPF-Area 0:

router-1 -- [OSPF-Area 1] -- router-abr1 -- [OSPF-Area 0] -- router-abr2 -- [OSPF-Area 2] router-2

All adjacencies are established and all routes are redistributed within an area and to all Area-0-Routers. But the routes to the connected networks ('redistribute connected') and networks reachable over static routes ('redistribute static') are not redistributed from Area 1 to 2 and vice versa.

My question is: How can I redistribute the connected and static-routed networks on router-1 to router-2 and vice versa?

The /etc/ospfd.conf of the routers are:

# router-abr1:
area 0.0.0.0 {
	interface vio1 # to router-abr2
}
area 0.0.0.1 {
	interface vio0 # to router-1
}

# router-1:
redistribute connected
redistribute static
area 0.0.0.1 {
	interface vio0 # to router-abr1
}

# router-abr2:
area 0.0.0.0 {
	interface vio1 # to router-abr1
}
area 0.0.0.2 {
	interface vio0 # to router-2
}

# router-2:
redistribute connected
redistribute static
area 0.0.0.2 {
	interface vio0 # to router-abr2
}

Thanks for your help!
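As an added example (not part of the thread, and not ospfd's own code), the following Python script parses the subset of ospfd.conf syntax used in the four snippets above (area blocks, interface statements, global redistribute statements, '#' comments) and runs structural checks across the set of routers: which ones are ABRs (attached to more than one area) or ASBRs (injecting external routes via redistribute), whether every ABR sits on area 0.0.0.0, and whether every non-backbone area has some backbone-attached router in it. The sample input is the poster's four configurations, embedded as constructed strings keyed by the router names from the comments; the check only validates the area layout and does not diagnose the redistribution problem asked about.

```python
import re
from dataclasses import dataclass, field

BACKBONE = "0.0.0.0"

# Constructed sample input: the four ospfd.conf snippets quoted in the
# message above, keyed by the router name from the comment over each one.
SAMPLE_CONFIGS = {
    "router-abr1": """
area 0.0.0.0 {
    interface vio1 # to router-abr2
}
area 0.0.0.1 {
    interface vio0 # to router-1
}
""",
    "router-1": """
redistribute connected
redistribute static
area 0.0.0.1 {
    interface vio0 # to router-abr1
}
""",
    "router-abr2": """
area 0.0.0.0 {
    interface vio1 # to router-abr1
}
area 0.0.0.2 {
    interface vio0 # to router-2
}
""",
    "router-2": """
redistribute connected
redistribute static
area 0.0.0.2 {
    interface vio0 # to router-abr2
}
""",
}


@dataclass
class OspfConfig:
    """The parts of an ospfd.conf this checker understands."""
    redistribute: list = field(default_factory=list)   # global redistribute kinds
    areas: dict = field(default_factory=dict)          # area id -> [interface, ...]


def parse_ospfd_conf(text):
    """Parse area blocks, interface and redistribute statements; '#' starts a comment."""
    cfg = OspfConfig()
    current = None   # area id while inside an "area X { ... }" block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"area\s+(\S+)\s*\{", line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested area block")
            current = m.group(1)
            cfg.areas.setdefault(current, [])
            continue
        if line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            current = None
            continue
        words = line.split()
        if words[0] == "interface" and current is not None and len(words) == 2:
            cfg.areas[current].append(words[1])
        elif words[0] == "redistribute" and current is None and len(words) >= 2:
            cfg.redistribute.append(" ".join(words[1:]))
        else:
            raise ValueError(f"line {lineno}: unsupported statement {line!r}")
    if current is not None:
        raise ValueError("unterminated area block")
    return cfg


def parse_all(configs):
    return {name: parse_ospfd_conf(text) for name, text in configs.items()}


def roles(cfg):
    """ABR = attached to more than one area; ASBR = injects external routes."""
    r = []
    if len(cfg.areas) > 1:
        r.append("ABR")
    if cfg.redistribute:
        r.append("ASBR")
    return r or ["internal"]


def check_topology(configs):
    """Structural checks across all routers; returns a list of findings."""
    findings = []
    # Areas that some backbone-attached router is also in are reachable from area 0.
    reachable = set()
    for cfg in configs.values():
        if BACKBONE in cfg.areas:
            reachable |= set(cfg.areas)
    for name, cfg in configs.items():
        if len(cfg.areas) > 1 and BACKBONE not in cfg.areas:
            findings.append(f"{name}: ABR is not attached to area {BACKBONE}")
        for area, ifaces in cfg.areas.items():
            if not ifaces:
                findings.append(f"{name}: area {area} has no interfaces")
            if area != BACKBONE and area not in reachable:
                findings.append(f"{name}: area {area} has no ABR into the backbone")
    return findings


if __name__ == "__main__":
    cfgs = parse_all(SAMPLE_CONFIGS)
    for name, cfg in cfgs.items():
        print(f"{name:12s} {'/'.join(roles(cfg)):9s} areas={sorted(cfg.areas)} "
              f"redistribute={cfg.redistribute}")
    print("findings:", check_topology(cfgs) or "none")
```

Running it on the four configs reports router-abr1 and router-abr2 as ABRs, router-1 and router-2 as ASBRs, and no structural findings; feeding it a constructed config whose router joins two non-backbone areas without area 0.0.0.0 produces findings, which is the kind of mistake worth ruling out before looking deeper at the redistribution itself.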
Re: Libre/OpenSSL Patches in Latest amd64 Snapshot?
On Thu, Mar 19, 2015 at 08:53:57AM -0700, Scott Vanderbilt wrote:

Given that the patches in tedu's announcement to the tech@ list are all time-stamped circa 18 Mar 2015 06:01:34 -, may I safely assume they are included in the amd64 snapshot dated 18-Mar-2015, the earliest file of which has a timestamp of 18:55? I need to bring my snapshots up-to-date anyway, and upgrading will probably be as fast or faster than re-building the libraries. Thanks.

No, assuming the contents of a snapshot seems like a particularly unsafe thing to do.

-Bryan.