Mozilla + GStreamer1 = Problem
Hi there! (Again) I'd like to bring an issue to the attention of those who are skilled enough to handle this...

To begin with: the following relates to current-i386 (current-amd64 was affected too, but I didn't test lately).

With /usr/local/libexec/gstreamer-1.0/gst-plugin-scanner enabled, mozilla-firefox as well as mozilla-thunderbird freeze. Repeatable, every time. This issue has prevailed for a long time now - I simply disable the plugin-scanner by renaming it, and both Mozilla programs are doing fine. I didn't deliberately install GStreamer1 - it came as a dependency.

Anybody around who can give sound advice? - TIA!

Best, STEFAN

+++

OpenBSD 5.8-beta (GENERIC.MP) #1056: Thu Jul 23 01:48:15 MDT 2015
Re: Alleged OpenSSH bug
On 23 Jul 2015, at 17:38, Marc Espie wrote:

> Not surprisingly, as the patch clearly shows, the problem is right smack in the middle of USE_PAM code.
>
> I wouldn't call that an OpenSSH bug. I would call it a systemic design flaw in PAM. As usual. LOTS of security holes in authentication systems stem from PAM. Why? Because that stuff is over designed. Difficult to configure. Gives you MORE than you need to hang yourself several times over.
>
> It's been that way for as long as I can remember. I recall discussing things with one of the authors of PAM, about ten years ago (forgive me for not remembering names at this point). What struck me is that it looks as if PAM wasn't designed to be secure. It's an authentication system, yet it's surprisingly easy to get it to fail open. Yet it's complex enough that there are bad interactions all over the place.
>
> Heck, you have to write software defensively if you want PAM to not fuck you over.

It happens that I'm setting up some new (to me) RHEL 7 systems right now, and way too much time has been spent fighting with PAM (and I'm not done yet). So I'll energetically agree with everything Marc says here.

Just a few days ago I was talking with one of the other systems programmers here at RPI, saying how all of PAM should be ripped out and done over. We happened to be talking about a different failure scenario, but it (PAM) has always been a headache for me, almost every time I've dealt with it.

--
Garance Alistair Drosehn = dro...@rpi.edu
Senior Systems Programmer or g...@freebsd.org
Rensselaer Polytechnic Institute; Troy, NY; USA
Re: Alleged OpenSSH bug
On Thu, Jul 23, 2015 at 5:10 PM, Ted Unangst t...@tedunangst.com wrote:

> Come on. Calling it an oversight is not condescending. I think it's perfectly reasonable to say it was an oversight. He didn't say it was the hole of the century. There's no need to be so defensive.

Given that the last (and first) remote exploit against openssh *was* in the last century, IIRC, he could still be correct to call it the hole of the century... :)

Heh.

(apologies for the previous blank email :( )
Re: elementary opensmtpd setting on rental server
Gilles's advice is essential! I read http://yama-ga.seesaa.net/article/394367473.html too.

So I rewrote smtpd.conf:

listen on lo0
listen on em0 port 25
listen on em0 port 465
listen on em0 port 587
table aliases db:/etc/mail/aliases.db
accept from any for domain aoiyuma.mydns.jp alias <aliases> deliver to maildir
accept from any for domain aoiyuma.mydns.jp deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir
mynetwork = 61.214.236.211/32
accept from source $mynetwork for any relay
reject from any for any

In this setting, I can send mail to x...@gmail.com and receive mail from x...@gmail.com.

And at http://www.rbl.jp/svcheck.php:

Mail Relay testing.
Connecting to aoiyuma.mydns.jp for test ...
220 aoiyuma.mydns.jp ESMTP OpenSMTPD
HELO h.rbl.jp
250 aoiyuma.mydns.jp Hello h.rbl.jp [115.125.246.68], pleased to meet you
Relay test 0
RSET
250 2.0.0: Reset state
MAIL FROM: rly...@h.rbl.jp
250 2.0.0: Ok
RCPT TO: rlyt...@rbl.jp
550 Invalid recipient
relay NOT accepted!!
Relay test 1
RSET
250 2.0.0: Reset state
MAIL FROM: rlychk
relay NOT accepted!!
Relay test 2 RSET relay NOT accepted!!
Relay test 3 RSET relay NOT accepted!!
Relay test 4 RSET relay NOT accepted!!
Relay test 5 RSET relay NOT accepted!!
Relay test 6 RSET relay NOT accepted!!
Relay test 7 RSET relay NOT accepted!!
Relay test 8 RSET relay NOT accepted!!
Relay test 9 RSET relay NOT accepted!!
Relay test 10 RSET relay NOT accepted!!
Relay test 11 RSET relay NOT accepted!!
Relay test 12 RSET relay NOT accepted!!
Relay test 13 RSET relay NOT accepted!!
Relay test 14 RSET relay NOT accepted!!
Relay test 15 RSET relay NOT accepted!!
Relay test 16 RSET relay NOT accepted!!
Relay test 17 RSET relay NOT accepted!!
Relay test 18 RSET relay NOT accepted!!
Relay test 19 RSET relay NOT accepted!!
Closing connection ... QUIT
Relay test result
All tests performed, no relays accepted.

Without fellows' help, I cannot. Thanks for all.

tuyosi
Re: Alleged OpenSSH bug
Em 23-07-2015 16:43, Garance A Drosehn escreveu:

> As noted in my message, I did actually test it on a variety of systems.

You mentioned FreeBSD boxes and a Mac. That ain't a variety of systems.

> I happened to avoid it on my systems, but that was more by luck than any cleverness on my part.

This says a lot about you.

> The original post wondered if this was some mis-timed April Fool's joke. My reply was just to say that it's a real issue, although many people won't see this issue due to the way sshd is configured on their systems.

You were condescending, admit it. Quoting you:

> I'm also told that there is a patch for the oversight in OpenSSH's code

There was no oversight. There were people using the OpenSSH code in unintended ways. The OpenSSH portable is only provided by the OpenSSH project because there are developers that care for it. People should stop being lazy and use OpenSSH as close to upstream as possible and, even better, with no portable glue code. You don't need PAM, especially if you're using PubKeyAuthentication. If you must use OpenSSH portable, at least bother enough to secure it. The patch wasn't provided because of a bug in OpenSSH code, it was provided because people are lazy and wouldn't fix their own PAM configuration.

Cheers,
Giancarlo Razzolini
Re: Alleged OpenSSH bug
On Thu, Jul 23, 2015 at 5:10 PM, Ted Unangst t...@tedunangst.com wrote:

> Giancarlo Razzolini wrote:
>
>>> The original post wondered if this was some mis-timed April Fool's joke. My reply was just to say that it's a real issue, although many people won't see this issue due to the way sshd is configured on their systems.
>>
>> You were condescending, admit it. Quoting you:
>>
>>> I'm also told that there is a patch for the oversight in OpenSSH's code
>>
>> There was no oversight. There were people using the OpenSSH code in unintended ways. The OpenSSH portable is only provided by the OpenSSH project because there are developers that care for it. People should
>
> Come on. Calling it an oversight is not condescending. I think it's perfectly reasonable to say it was an oversight. He didn't say it was the hole of the century. There's no need to be so defensive.
Re: Alleged OpenSSH bug
On Thu, Jul 23, 2015 at 12:29:37PM -0400, Garance A Drosehn wrote:

> On 23 Jul 2015, at 10:06, Emilio Perea wrote:
>
>> To me it looks like a mistimed April Fools' joke, but hope somebody more knowledgeable will respond:
>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>
> It is a real issue. Your servers might not see the issue depending on what options have been set for sshd_config.
>
> My freebsd boxes do *not* have the problem, but that's because I have set 'ChallengeResponseAuthentication no'. I don't even remember why I set that on my freebsd boxes. I change very few settings, but for some reason I decided to change that one.
>
> I can reproduce the problem on my Macs, because they are set up with 'ChallengeResponseAuthentication yes', and I do not turn it off.
>
> I'm told that another way to avoid the problem is to set 'KbdInteractiveAuthentication no'.
>
> I'm also told that there is a patch for the oversight in OpenSSH's code, and that can be seen at:
> https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab

Not surprisingly, as the patch clearly shows, the problem is right smack in the middle of USE_PAM code.

I wouldn't call that an OpenSSH bug. I would call it a systemic design flaw in PAM. As usual. LOTS of security holes in authentication systems stem from PAM. Why? Because that stuff is over designed. Difficult to configure. Gives you MORE than you need to hang yourself several times over.

It's been that way for as long as I can remember. I recall discussing things with one of the authors of PAM, about ten years ago (forgive me for not remembering names at this point). What struck me is that it looks as if PAM wasn't designed to be secure. It's an authentication system, yet it's surprisingly easy to get it to fail open. Yet it's complex enough that there are bad interactions all over the place.

Heck, you have to write software defensively if you want PAM to not fuck you over.

I really don't see why it's still used. Why the systems that think they must have PAM haven't scrapped that pile of goo and tried to put something sensible in its stead. (I have some hypothesis about that. That some kids love complexity, and think that more complex is more shiny, hence better.)

Okay, let's admit that the *portable* version of openssh wasn't programmed in a way that's paranoid enough about the failure modes of pam.
rdomain with BGP dynamic route
Hi all,

I am configuring OpenBSD bgpd so that it can relay the routes learned from customer BGP servers to a route reflector (RR). Customer BGP servers only speak IPv4 BGP, so my OpenBSD bgpd needs to add a different route-distinguisher and route-target to the dynamic routes learned from each customer BGP neighbor before forwarding them to the RR.

As I understand it, I should be able to use rdomain to implement this. What I really need conceptually is to attach a BGP neighbor to an rdomain, so that dynamic routes learned from that BGP neighbor are added to the specified rdomain. But I failed to find a way to do this in OpenBSD.

Does anyone know if this is possible and give me a BGP configuration example?

Many thanks in advance,
-Yang
Re: Audio Boost for Sndio
Some sound cards have two volume controls: one is for the specific source and the other is for the whole card. Both must be at 100% for maximum output.

On 07/23/2015 06:55 AM, ropers wrote:

> I'm talking out my arse here, but: To me, your submission vaguely reminds me of the CD Loudness War https://en.wikipedia.org/wiki/Loudness_war. It sounds to me as if your hardware may be inherently a bit too quiet, but to an extent it's possible to compensate for that by pre-processing the signal in a similar way Loudness War CD vendors did when producing their master – but this reduces dynamic range. It may well be that those Windows drivers are doing just that, to compensate for buggy, craptastic audio hardware. But again, I really don't know; I just thought I'd mention this since nobody else has.
>
> On 11 July 2015 at 17:30, tekk t...@parlementum.net wrote:
>
>> On 07/11/2015 08:24 AM, Jan Stary wrote:
>>
>>> On Jul 10 19:15:31, h...@stare.cz wrote:
>>>
>>>> On Jul 10 06:01:17, t...@parlementum.net wrote:
>>>>
>>>>> I'm having a bit of trouble with audio on my 5.7 box (Thinkpad T430.) Audio is just a bit too quiet to be comfortable even when I have everything maxed out. I had a similar problem on Linux
>>>>
>>>> Are you sure the audio hardware is actually capable of playing louder than it does? How exactly are you playing what?
>>
>> I'm pretty sure. I mainly see it when playing youtube videos via mpv, https://www.youtube.com/watch?v=d3IidGmVLo4 was giving me trouble for example. I know for sure that the hardware is capable of being much louder since I'm able to play it at a good volume in Windows and Linux (both Pulseaudio and ALSA, after I add a boost device to ALSA.)
Re: OpenBSD projects
On 28 December 2014 at 15:14, Ingo Schwarze schwa...@usta.de wrote:

> Hi,
>
> as this request met quite a bit of interest, i have drafted a list at this *temporary* URI:
>
> http://mdocml.bsd.lv/openbsd_projects.html
>
> If developers want it, moving it to the OpenBSD web site would be fine with me.

Looks like doas, tame and resflash need to be added! What about rcctl?

Nice work, devs!

--
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si
Re: Alleged OpenSSH bug
On 23 Jul 2015, at 13:33, Theo de Raadt wrote:

>> My freebsd boxes do *not* have the problem, but that's because I have set 'ChallengeResponseAuthentication no'. I don't even remember why I set that on my freebsd boxes. I change very few settings, but for some reason I decided to change that one.
>
> So try it on some other system without that setting. We'll wait. Then come back and report whether your observations are identical or subtly different.

As noted in my message, I did actually test it on a variety of systems.

>> I can reproduce the problem on my Macs, because they are set up with 'ChallengeResponseAuthentication yes', and I do not turn it off.
>
> That has effectively the same authentication system as FreeBSD, same fast password check, etc.

>> I'm also told that there is a patch for the oversight in OpenSSH's code, and that can be seen at:
>> https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab
>
> It was an oversight, and on most systems it has limited impact, because repeated session connects can still be used by people to run the passwd check ciphers at full speed. It affects some operating systems to a much larger degree.
>
> Your statements sound like advocacy.

No, it was not meant as advocacy. I'm just reporting what I found out from my own tests, and tests that others have done. And even by my own reports, the default FreeBSD config does exhibit this problem. I happened to avoid it on my systems, but that was more by luck than any cleverness on my part.

The original post wondered if this was some mis-timed April Fool's joke. My reply was just to say that it's a real issue, although many people won't see this issue due to the way sshd is configured on their systems.

--
Garance Alistair Drosehn = dro...@rpi.edu
Senior Systems Programmer or g...@freebsd.org
Rensselaer Polytechnic Institute; Troy, NY; USA
Re: elementary opensmtpd setting on rental server
On Fri, Jul 24, 2015 at 02:09:53AM +0900, Tuyosi Takesima wrote:

> thanks for Denis
>
>> Tell me if I'm wrong but you don't listen on port 25 or 465.
>
> your advice is great!
> /etc/mail/smtpd.conf is rewritten.
>
> listen on lo0
> listen on em0 port 25 -to recieve mail from gmx
> listen on em0 port 465 -to recieve mail from gmail
> table aliases db:/etc/mail/aliases.db
> accept from any for domain aoiXXX.mydns.jp alias <aliases> deliver to maildir
> accept from any for domain aoiXXX.mydns.jp deliver to maildir
> accept for local alias <aliases> deliver to maildir
> accept for local deliver to maildir
> reject from any for any
> --
>
> then i can get mails from x...@gmail.com x...@gmx.com .
> but i cannot send mails to x...@gmail.com x...@gmx.com .
> but this is great progress .

Jumping in to put an end to this thread:

Let's look at what you want to do:

send mail to @gmail.com @gmx.de

Then, let's check if your ruleset has any rule matching these:

accept from any for domain aoiXXX.mydns.jp [...] - no
accept from any for domain aoiXXX.mydns.jp [...] - no
accept for local [...] - no
accept for local [...] - no
reject from any for any - yes

Your ruleset doesn't allow your own users to send mail to anything but your local domains. You need a rule that states:

accept from local for any relay

It needs to be at the bottom of your config, right where you added this reject rule (which serves no purpose btw since this is the default).

--
Gilles Chehade
https://www.poolp.org @poolpOrg
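As an added illustration of Gilles's rule walk-through (not code from this thread or from OpenSMTPD), here is a small Python model of the ruleset above that evaluates the three envelopes in play: inbound from gmail, a local user sending outbound, and the rbl.jp relay probe. It assumes first-match evaluation with an implicit reject when nothing matches, and models only the rule forms used here; the local-domain set and the addresses are constructed.

```python
"""Toy model of OpenSMTPD 5.x ruleset evaluation (the accept/reject syntax
used in this thread).  Added example, not OpenSMTPD code.

Assumptions: rules are tried in order and the first match wins; with no match
the envelope is rejected (the implicit default Gilles mentions); an omitted
"from" means "from local" and an omitted "for" means "for local".  Only the
rule forms that appear in the thread are modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: domains that count as "local" on the rental server (the thread
# masks the real hostname as aoiXXX.mydns.jp).
LOCAL_DOMAINS = {"localhost", "aoixxx.mydns.jp"}


@dataclass
class Rule:
    action: str                 # "accept" or "reject"
    source: str = "local"       # "local" or "any"
    dest: str = "local"         # "local", "any" or "domain"
    domain: Optional[str] = None
    relay: bool = False


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    rule = Rule(action=tokens[0])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "from":
            rule.source = tokens[i + 1]
            i += 2
        elif tok == "for":
            rule.dest = tokens[i + 1]
            i += 2
            if rule.dest == "domain":
                rule.domain = tokens[i].lower()
                i += 1
        elif tok == "relay":
            rule.relay = True
            i += 1
        elif tok == "alias":
            i += 2      # "alias <aliases>" rewrites recipients; not a matching criterion
        elif tok == "deliver":
            i += 3      # "deliver to maildir" is the action, not a matching criterion
        else:
            raise ValueError(f"unsupported token {tok!r} in rule: {line}")
    return rule


def matches(rule: Rule, sender_is_local: bool, rcpt: str) -> bool:
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if rule.source == "local" and not sender_is_local:
        return False
    if rule.dest == "local":
        return rcpt_domain in LOCAL_DOMAINS
    if rule.dest == "domain":
        return rcpt_domain == rule.domain
    return True                      # "for any"


def evaluate(ruleset: List[str], sender_is_local: bool, rcpt: str) -> str:
    """Return "deliver", "relay", or the reply the poster saw ("550 Invalid recipient")."""
    for line in ruleset:
        rule = parse_rule(line)
        if matches(rule, sender_is_local, rcpt):
            if rule.action == "reject":
                return "550 Invalid recipient"
            return "relay" if rule.relay else "deliver"
    return "550 Invalid recipient"   # no rule matched: implicit reject


# The poster's ruleset after Denis's fix, and the same ruleset with Gilles's
# relay rule in place of the redundant reject.
BEFORE = [
    "accept from any for domain aoiXXX.mydns.jp alias <aliases> deliver to maildir",
    "accept from any for domain aoiXXX.mydns.jp deliver to maildir",
    "accept for local alias <aliases> deliver to maildir",
    "accept for local deliver to maildir",
    "reject from any for any",
]
AFTER = BEFORE[:-1] + ["accept from local for any relay"]


def scenarios(ruleset: List[str]) -> Dict[str, str]:
    """Inbound from gmail, outbound from a local user, and the rbl.jp relay probe."""
    return {
        "gmail -> local user": evaluate(ruleset, False, "x@aoiXXX.mydns.jp"),
        "local user -> gmail": evaluate(ruleset, True, "x@gmail.com"),
        "rbl.jp probe -> rbl.jp": evaluate(ruleset, False, "rlytest@rbl.jp"),
    }


if __name__ == "__main__":
    for name, rs in (("before", BEFORE), ("after", AFTER)):
        print(name, scenarios(rs))
```

The relay probe is still refused after the change because "accept from local for any relay" only matches envelopes from local senders.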
Re: Alleged OpenSSH bug
Giancarlo Razzolini wrote:

>> The original post wondered if this was some mis-timed April Fool's joke. My reply was just to say that it's a real issue, although many people won't see this issue due to the way sshd is configured on their systems.
>
> You were condescending, admit it. Quoting you:
>
>> I'm also told that there is a patch for the oversight in OpenSSH's code
>
> There was no oversight. There were people using the OpenSSH code in unintended ways. The OpenSSH portable is only provided by the OpenSSH project because there are developers that care for it. People should

Come on. Calling it an oversight is not condescending. I think it's perfectly reasonable to say it was an oversight. He didn't say it was the hole of the century. There's no need to be so defensive.
Re: Alleged OpenSSH bug
On 07/23/15 16:06, Emilio Perea wrote:

> To me it looks like a mistimed April Fools' joke, but hope somebody more knowledgeable will respond:
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

I'll bite. In my *very* limited testing, using variations of the first ssh command in that blog post, none of my OpenBSD boxes with fairly pristine out of the box /etc/ssh/sshd_config permitted more than three tries before closing the connection. I also tested some Linux boxes (CentOS 6.something) with the same result.

However, running that command pointing at a FreeBSD 10.1 box in my care gave more than three tries. I aborted well before reaching 1 for obvious reasons.

I'm sure developers with more intimate knowledge of the code in question can fill in some gaps.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Alleged OpenSSH bug
To me it looks like a mistimed April Fools' joke, but hope somebody more knowledgeable will respond: https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
Re: Bluetooth Support
All bluetooth support was removed some releases ago. The code rotted.

If someone wants to work on this again, they are welcome to.

On 2015 Jul 23 (Thu) at 10:02:55 -0400 (-0400), Richard E. Thornton wrote:
:I am just curious - is Bluetooth supported on any bluetooth enabled
:computers? Or is this a dead topic?
:
:
:Richard
:

--
A rock pile ceases to be a rock pile the moment a single man contemplates it, bearing within him the image of a cathedral.
-- Antoine de Saint-Exupery
Bluetooth Support
I am just curious - is Bluetooth supported on any bluetooth enabled computers? Or is this a dead topic? Richard
Re: smplayer and mpv freeze my computer
I had similar situations this week in #1024, in two different ways:

- ffmpeg can't input mpeg (this includes ffplay), but lib-vpx is normal. Xenocara does not freeze, it just can't play. Reproduced in i386 #1024; this happens with almost all mp4 files, but it may be just an upgrade bug.

- mupdf could not open a specific file. This one froze all of Xenocara. I came to root, and then killed the process manually. Can't reproduce.

I'll try with an amd64 snapshot, if possible, soon.

dmesg: http://marc.info/?l=openbsd-misc&m=143692017331643&w=2
Re: USB CD/DVD burner
LG/Hitachi GP08NU6B has done the job for a few years, although USB 2 and discontinued now.

On 7/23/15, L.R. D.S. arrowscr...@mail.com wrote:
> I don't know about this Samsung, but I have one TSSTcorp TS-H653G and this one works fine with cdio.
Re: elementary opensmtpd setting on rental server
> so , accordingly i rewrite /etc/mail/smtpd.conf
>
> listen on lo0
> listen on em0 port 587

Tell me if I'm wrong but you don't listen on port 25 or 465.
Building Tor with libevent 2.x (from ports)
Hi Pascal,

as we have learned from Nicholas, OpenBSD will stay with libevent 1.4.x for the time being. Do you have any plans to make the Tor port use libevent 2.x from ports?

Background: Tor on OpenBSD using libevent 1.4.15 is significantly slower (less throughput) compared to other OSes with libevent 2.x on the same machine. I don't know whether libevent is related to this issue in any way, but I simply wanted to see whether Tor with libevent 2.x on OpenBSD is any different in this regard compared to Tor with libevent 1.4.x on OpenBSD.

If you managed to build Tor on -stable with libevent 2.x from ports I'm also happy to try any custom patches you might have applied.

thank you,
nusenu
Re: OpenBSD release with libevent 2.x?
> No we have pretty much settled on a (mildly forked) 1.4 now and there are no plans to update the base system.

Thanks for your answer.
Re: Alleged OpenSSH bug
Em 23-07-2015 11:16, Peter N. M. Hansteen escreveu:

> In my *very* limited testing, using variations of the first ssh command in that blog post, none of my OpenBSD boxes with fairly pristine out of the box /etc/ssh/sshd_config permitted more than three tries before closing the connection. I also tested some Linux boxes (CentOS 6.something) with the same result.

I have tested the command with various linux (CentOS 6, Ubuntu 12.04, 14.04, 15.04, Archlinux, plus some others) and OpenBSD (5.4, 5.5, 5.6 and 5.7) machines, and none of them were vulnerable. I don't have any FreeBSD machine available to test it. But it seems to be the only OS affected. I'm betting that they have some bad interaction between the openssh configuration and their PAM configuration.

Cheers,
Giancarlo Razzolini
Re: Alleged OpenSSH bug
It seems to affect only FreeBSD. But it's bad, and affects a lot of versions, dating back to 2007. And also, as I guessed, interaction with PAM is the culprit.

That's why Dr. House doesn't allow exotic things to be ported to OpenBSD. You Can't Always Get What You Want.

Seriously, dlopen of kerberos-grade software never hurt anyone (yet).
Re: elementary opensmtpd setting on rental server
thanks for Denis

> Tell me if I'm wrong but you don't listen on port 25 or 465.

your advice is great!
/etc/mail/smtpd.conf is rewritten.

listen on lo0
listen on em0 port 25 -to recieve mail from gmx
listen on em0 port 465 -to recieve mail from gmail
table aliases db:/etc/mail/aliases.db
accept from any for domain aoiXXX.mydns.jp alias <aliases> deliver to maildir
accept from any for domain aoiXXX.mydns.jp deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir
reject from any for any
--

then I can get mails from x...@gmail.com x...@gmx.com .
but I cannot send mails to x...@gmail.com x...@gmx.com .
but this is great progress .
Re: Alleged OpenSSH bug
On 23 Jul 2015, at 10:06, Emilio Perea wrote:

> To me it looks like a mistimed April Fools' joke, but hope somebody more knowledgeable will respond:
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

It is a real issue. Your servers might not see the issue depending on what options have been set for sshd_config.

My freebsd boxes do *not* have the problem, but that's because I have set 'ChallengeResponseAuthentication no'. I don't even remember why I set that on my freebsd boxes. I change very few settings, but for some reason I decided to change that one.

I can reproduce the problem on my Macs, because they are set up with 'ChallengeResponseAuthentication yes', and I do not turn it off.

I'm told that another way to avoid the problem is to set 'KbdInteractiveAuthentication no'.

I'm also told that there is a patch for the oversight in OpenSSH's code, and that can be seen at:
https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab

--
Garance Alistair Drosehn = dro...@rpi.edu
Senior Systems Programmer or g...@freebsd.org
Rensselaer Polytechnic Institute; Troy, NY; USA
Re: elementary opensmtpd setting on rental server
>> i have done my homework but i cannot send mails to x...@gmail.com x...@gmx.com .
>
> Do you have any error code or message ?

Thunderbird says:
---
An error occurred while sending mail. The mail server responded: Invalid recipient.
---
Please check the message recipient n...@gmail.com and try again.

/var/log/maillog says:
--
Jul 24 04:06:43 aoiYYY smtpd[6328]: smtp-in: New session d5af55f155071cfa from host pYYY.akita.ocn.ne.jp [6.2.222.333]
Jul 24 04:06:44 aoiYYY smtpd[6328]: smtp-in: Failed command on session d5af55f155071cfa: RCPT TO:n...@gmail.com => 550 Invalid recipient
-

Invalid recipient !!

regards
MPLS configuration problem
Hi misc,

I want to implement a simple MPLS network according to this page: http://lteo.net/blog/2013/09/03/a-small-mpls-test-network-built-with-openbsd/

But when configuring PE1, after running this command:

ifconfig mpe0 mplslabel 666

I got this error:

ifconfig: SIOCSETLABEL: Network is unreachable

Why can't I define a label for the mpe0 group? Can anyone help me please?
Re: MPLS configuration problem
Reza,

I am doing something similar, and I followed https://2011.eurobsdcon.org/papers/jeker/MPLS.pdf. I don't see a problem when running:

ifconfig mpe2 rdomain 2; ifconfig mpe2 mplslabel 999; ifconfig mpe2 192.168.238.2/32

I run on OpenBSD 5.5.

-Yang

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of reza kakhki [rezakakhki@gmail.com]
Sent: 23 July 2015 07:46
To: misc@openbsd.org
Subject: MPLS configuration problem

> Hi misc
>
> I want to implement simple MPLS network according to this page http://lteo.net/blog/2013/09/03/a-small-mpls-test-network-built-with-openbsd/
>
> but when configuring PE1 , after run this command
>
> ifconfig mpe0 mplslabel 666
>
> i got this log
>
> ifconfig: SIOCSETLABEL: Network is unreachable
>
> why i can't define label for mpe0 group ? can any help me please ?
Re: elementary opensmtpd setting on rental server
> buti cannot send mails to x...@gmail.com x...@gmx.com .

Do you have any error code or message ?
Re: Alleged OpenSSH bug
Em 23-07-2015 13:29, Garance A Drosehn escreveu:

> It is a real issue. Your servers might not see the issue depending on what options have been set for sshd_config.
>
> My freebsd boxes do *not* have the problem, but that's because I have set 'ChallengeResponseAuthentication no'. I don't even remember why I set that on my freebsd boxes. I change very few settings, but for some reason I decided to change that one.

Yes, it seems so. Going through the source code and the openssh-unix-dev mail list, I see that it's indeed an issue that could affect a lot of machines. But it depends on the right (wrong) combination of factors which, unfortunately, FreeBSD has. Using the default ssh configuration you need to append the -o NumberOfPasswordPrompts=1 option to be able to test this bug. My first attempts didn't have this. But I still can't replicate it on linux hosts. I can reproduce it on Macs too. And it's as nasty as on FreeBSD.

The problem is with the KbdInteractiveAuthentication option, which defaults to the same value as ChallengeResponseAuthentication, which in turn has the yes default. If there are any forms of PAM authentication delays, they still apply. But that could perhaps be overcome with some kind of distributed attack, with many connections opened.

Cheers,
Giancarlo Razzolini
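As an added illustration (not code from this thread or from OpenSSH), a small Python checker that reads an sshd_config and reports the effective keyboard-interactive setting, applying the defaults described above (KbdInteractiveAuthentication inherits ChallengeResponseAuthentication, whose default is yes) and sshd_config(5)'s rule that the first obtained value of a keyword wins. It only evaluates the global section before any Match block, and the sample configs are constructed.

```python
"""Report the effective keyboard-interactive settings of an sshd_config.

Added example for this thread, not OpenSSH code.  Assumptions, taken from
sshd_config(5) and the posts above: ChallengeResponseAuthentication defaults
to yes, KbdInteractiveAuthentication defaults to the value of
ChallengeResponseAuthentication, MaxAuthTries defaults to 6, and for each
keyword the FIRST value found wins.  Only the global section (everything
before the first Match block) is evaluated.
"""
import re
from typing import Dict, List, Tuple

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted by sshd.
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*)?(.*)$")


def parse_global_section(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {lowercased keyword: first value} and notes about lines that did not count."""
    settings: Dict[str, str] = {}
    notes: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            notes.append(f"line {lineno}: unparseable: {raw.strip()!r}")
            continue
        keyword, value = m.group(1), m.group(2).strip()
        key = keyword.lower()                     # keywords are case-insensitive
        if key == "match":
            notes.append(f"line {lineno}: Match block starts; later lines are conditional and not evaluated")
            break
        if not value:
            notes.append(f"line {lineno}: {keyword} has no value")
            continue
        if key in settings:                       # first obtained value wins
            notes.append(f"line {lineno}: duplicate {keyword} ignored, sshd keeps {settings[key]!r}")
            continue
        settings[key] = value
    return settings, notes


def effective_kbdint(text: str) -> Dict[str, object]:
    """Apply the defaults and return what sshd would actually offer."""
    settings, notes = parse_global_section(text)
    cra = settings.get("challengeresponseauthentication", "yes").lower()
    # KbdInteractiveAuthentication inherits ChallengeResponseAuthentication when unset
    kbdint = settings.get("kbdinteractiveauthentication", cra).lower()
    try:
        max_tries = int(settings.get("maxauthtries", "6"))
    except ValueError:
        max_tries = None
        notes.append("MaxAuthTries is not an integer")
    return {
        "challengeresponseauthentication": cra,
        "kbdinteractiveauthentication": kbdint,
        "maxauthtries": max_tries,
        "keyboard_interactive_offered": kbdint == "yes",
        "notes": notes,
    }


# Constructed sample configs.
SAMPLE_STOCK = "# nothing relevant overridden\nPermitRootLogin no\n"
SAMPLE_EXPLICIT = "ChallengeResponseAuthentication yes\nKbdInteractiveAuthentication no\n"
SAMPLE_TRAPS = (
    "ChallengeResponseAuthentication no\n"
    "ChallengeResponseAuthentication yes\n"     # later duplicate: ignored by sshd
    "Match User backup\n"
    "    KbdInteractiveAuthentication yes\n"    # conditional: not part of the global verdict
)

if __name__ == "__main__":
    for name, cfg in (("stock", SAMPLE_STOCK), ("explicit", SAMPLE_EXPLICIT), ("traps", SAMPLE_TRAPS)):
        print(name, effective_kbdint(cfg))
```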
Re: Alleged OpenSSH bug
> It is a real issue. Your servers might not see the issue depending on what options have been set for sshd_config.

Some operating systems have extremely fast passwd checks, others have slow ones. FreeBSD seems to be the worst affected because their PAM integration does not terminate the loop itself; I think it has no limit. Pay close attention and you will see you are replying to others who actually tested it on other systems. The issue is being overplayed by a fair bit. Yes, on some systems with careless authentication systems, many passwd checks can happen in one pre-auth session. However, even with this fixed, someone can do many, many sequential pre-auth sessions with less setup, and approach the same speeds. Only downside is they may be exposed by the extra logging. The issue comes to the fore *because* each passwd check is so cheap. In 1999, OpenBSD made moves to improve things, you may have heard of something called bcrypt... 16 years later, FreeBSD is now on their second successive generation of passwd crypt algorithm, having ignored the lessons. These layers fit together. One specific system had zero mitigations.

> My freebsd boxes do *not* have the problem, but that's because I have set 'ChallengeResponseAuthentication no'. I don't even remember why I set that on my freebsd boxes. I change very few settings, but for some reason I decided to change that one.

So try it on some other system without that setting. We'll wait. Then come back and report whether your observations are identical or subtly different. This issue does not have the same scale of impact on all operating systems. One operating system is affected far more than the others.

I can reproduce the problem on my Macs, because they are set up with 'ChallengeResponseAuthentication yes', and I do not turn it off. That has effectively the same authentication system as FreeBSD, same fast password check, etc.

I'm also told that there is a patch for the oversight in OpenSSH's code, and that can be seen at: https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab

It was an oversight, and on most systems it has limited impact, because repeated session connects can still be used by people to run the passwd check ciphers at full speed. It affects some operating systems to a much larger degree. Your statements sound like advocacy. I'll throw some back at you for fun. It seems too easy for FreeBSD folk to throw accusations at OpenSSH and the greater OpenBSD dev community, when the rich commercial sphere surrounding FreeBSD has never given a penny and gets all this for free. Why does FreeBSD PAM not have a counter in it to prevent this by itself? Why does it have super-fast passwd checks? Are those not oversights as well?
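The two posts above describe how the exposure hinges on sshd_config defaults: ChallengeResponseAuthentication is "yes" unless set, KbdInteractiveAuthentication inherits it unless set explicitly, and the damage is done when keyboard-interactive goes through PAM. The following audit script is an added example, not code from the thread or from OpenSSH; it resolves those effective values for the global section of a config and flags the combination. The defaults it assumes are the ones stated in the posts plus UsePAM defaulting to "no" as in sshd_config(5); the sample configs are constructed.

```python
import re

# Added example: audit the global section of an sshd_config for the option
# interplay the thread describes. Assumed defaults: ChallengeResponseAuthentication
# "yes", KbdInteractiveAuthentication inherits it, UsePAM "no" (sshd_config(5)).
_SPLIT = re.compile(r"\s*=\s*|\s+")  # sshd accepts "Key value" and "Key=value"


def parse_global(text):
    """Return {keyword: value} for everything before the first Match block.

    sshd keeps the first value it sees for a keyword, so later duplicates are
    ignored; comments and blank lines are skipped; keys/values are lowercased.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # Match blocks apply per connection; out of scope here
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Resolve effective values and flag keyboard-interactive-through-PAM."""
    s = parse_global(text)
    cra = s.get("challengeresponseauthentication", "yes")
    kbd = s.get("kbdinteractiveauthentication", cra)  # inherits unless set
    pam = s.get("usepam", "no")
    return {
        "challengeresponseauthentication": cra,
        "kbdinteractiveauthentication": kbd,
        "usepam": pam,
        "exposed": kbd == "yes" and pam == "yes",
    }


# Constructed sample configs (not from any real host).
DEFAULT_LIKE = "UsePAM yes\nPermitRootLogin no\n"  # nothing set: inherits yes/yes
HARDENED = "UsePAM yes\nChallengeResponseAuthentication no\n"  # mitigation from the thread

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, audit(cfg))
```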
Re: Alleged OpenSSH bug
> But it depends on the right (wrong) combination of factors which, unfortunately, FreeBSD has.

Exactly.
Re: Alleged OpenSSH bug
On 7/23/2015 12:29 PM, Garance A Drosehn wrote:
> On 23 Jul 2015, at 10:06, Emilio Perea wrote:
> [snip]
> It is a real issue. Your servers might not see the issue depending on what options have been set for sshd_config. My freebsd boxes do *not* have the problem, but that's because I have set 'ChallengeResponseAuthentication no'. I don't even remember why I set that on my freebsd boxes. I change very few settings, but for some reason I decided to change that one.
> [snip]

When you set ChallengeResponseAuthentication to no, the pop-up "Enter your Authentication Response" that appears after you enter your password is suppressed.
Re: Alleged OpenSSH bug
On 23 July 2015 at 09:15, Giancarlo Razzolini grazzol...@gmail.com wrote:
> On 23-07-2015 11:16, Peter N. M. Hansteen wrote:
>> However, running that command pointing at a FreeBSD 10.1 box in my care gave more than three tries. I aborted well before reaching 1 for obvious reasons.
> Digging some more, I've found this: http://seclists.org/oss-sec/2015/q3/156 It seems to affect only FreeBSD. But it's bad, and affects a lot of versions, dating back to 2007. And also, as I guessed, interaction with PAM is the culprit.

And there's this: https://lists.freebsd.org/pipermail/freebsd-security/2015-July/008527.html Hopes to have it corrected before the next freebsd release.

Cheers, Giancarlo Razzolini

--
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si
Re: Building Tor with libevent 2.x (from ports)
On Thu, Jul 23, 2015 at 05:40:54PM +0200, nusenu wrote:
> as we have learned from Nicholas, OpenBSD will stay with libevent 1.4.x for the time being. Do you have any plans to make the Tor port use libevent 2.x from ports? Background: Tor on OpenBSD using libevent 1.4.15 is significantly slower (less throughput) compared to other OSes with libevent 2.x on the same machine. I don't know whether libevent is related to this issue in any way but I simply wanted to see whether Tor with libevent 2.x on OpenBSD is any different in this regard compared to Tor with libevent 1.4.x on OpenBSD.

I suspect it'll be a noticeable difference, maybe a big one. Most of the Libevent performance improvements I've heard of involve systems with many connections, and exit nodes have thousands.

> If you managed to build Tor on -stable with libevent 2.x from ports I'm also happy to try any custom patches you might have applied.

It may be easier to get upstream to use pkg-config first. I'm planning to look at their autoconf script and open a ticket today. That said, I think they're phasing out Libevent 1.x support, so we can't wait too long.
Re: Alleged OpenSSH bug
On 23-07-2015 11:16, Peter N. M. Hansteen wrote:
> However, running that command pointing at a FreeBSD 10.1 box in my care gave more than three tries. I aborted well before reaching 1 for obvious reasons.

Digging some more, I've found this: http://seclists.org/oss-sec/2015/q3/156 It seems to affect only FreeBSD. But it's bad, and affects a lot of versions, dating back to 2007. And also, as I guessed, interaction with PAM is the culprit.

Cheers, Giancarlo Razzolini
Re: LibreSSL and easy-rsa
On 2015-07-22, Predrag Punosevac punoseva...@gmail.com wrote:
> Hi Misc, I apologize if this was asked earlier. I am using easy-rsa to generate certificates for my new OpenVPN gateway. Could somebody confirm if easy-rsa is now using LibreSSL?

It uses the openssl command which, on OpenBSD, is libressl.

> Quick inspection of /usr/local/share/easy-rsa/vars reveals that export OPENSSL=openssl however # which openssl /usr/bin/openssl which together with man pages http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/openssl.1?query=opensslsec=1 indicate that easy-rsa should be using LibreSSL now. I have found this bug report https://forums.openvpn.net/topic17800.html on the easy-rsa mailing list. Apparently there is even an OpenBSD community of OpenVPN users that I was not aware of http://www.openbsdsupport.org/openvpn-on-openbsd56.html Best, Predrag

That bug report relates to easy-rsa 3.x; the security/easy-rsa port uses 2.x.
Re: Alleged OpenSSH bug
> It seems to affect only FreeBSD. But it's bad, and affects a lot of versions, dating back to 2007. And also, as I guessed, interaction with PAM is the culprit.

That's why Dr. House doesn't allow exotic things to be ported to OpenBSD. You Can't Always Get What You Want.
Re: elementary opensmtpd setting on rental server
On 2015-07-23 Thu 11:27 AM |, Tuyosi Takesima wrote:
> Gmail server rejects mail from PC2 because Gmail server thinks that it is relayed by aoi.

Post logs.

> and aoi server rejects mail from PC1 because aoi server thinks that it is relayed by Gmail.

Post logs.

> ssh -l user aoi.jp and directly echo '---mail to Gmail from aoi --'| mail x...@gmail.com then surely Gmail has this mail because it is not relayed but directly.

Post logs.

By the way, the OpenSMTPD mailing list is best for detailed or unusual OpenSMTPD configuration questions that aren't dependent on the OS.
Re: Audio Boost for Sndio
I'm talking out my arse here, but: To me, your submission vaguely reminds me of the CD Loudness War https://en.wikipedia.org/wiki/Loudness_war. It sounds to me as if your hardware may be inherently a bit too quiet, but to an extent it's possible to compensate for that by pre-processing the signal in a similar way Loudness War CD vendors did when producing their master, but this reduces dynamic range. It may well be that those Windows drivers are doing just that, to compensate for buggy, craptastic audio hardware. But again, I really don't know; I just thought I'd mention this since nobody else has.

On 11 July 2015 at 17:30, tekk t...@parlementum.net wrote:
> On 07/11/2015 08:24 AM, Jan Stary wrote:
>> On Jul 10 19:15:31, h...@stare.cz wrote:
>>> On Jul 10 06:01:17, t...@parlementum.net wrote:
>>>> I'm having a bit of trouble with audio on my 5.7 box (Thinkpad T430.) Audio is just a bit too quiet to be comfortable even when I have everything maxed out. I had a similar problem on Linux
>>> Are you sure the audio hardware is actually capable of playing louder than it does?
>> How exactly are you playing what?
> I'm pretty sure. I mainly see it when playing youtube videos via mpv, https://www.youtube.com/watch?v=d3IidGmVLo4 was giving me trouble for example. I know for sure that the hardware is capable of being much louder since I'm able to play it at a good volume in Windows and Linux (both Pulseaudio and ALSA, after I add a boost device to ALSA.)