Re: xscreensaver locking disabled

2018-09-21 Thread Stuart Henderson
On 2018/09/21 07:22, Ken M wrote:
> On Fri, Sep 21, 2018 at 11:07:55AM +, Stuart Henderson wrote:
> > 
> > Given the permissions you showed, the most likely reason would be if
> > /usr/local is mounted with the "nosuid" flag.
> > 
> > 
> 
> That was the issue, fixed that and locking works perfectly, thank you.
> 
> If I may ask a quick side question, since this stems from my repartitioning of my
> /usr mount points.
> 
> I have /usr, /usr/local and /usr/ports as separate mount points. local now does
> not have nosuid; should /usr or /usr/ports have or not have that? Right now /usr
> does not but /usr/ports does. To my mind that seems right, but well, as already
> proven in this thread my mind was incorrect on that.
> 
> Ken

/, /usr, and /usr/X11R6 definitely contain programs that need setuid, and
/usr/local is likely to in many cases. Other partitions generally don't, so you
can mount them with "nosuid".

While on the subject of mount options, most things can be "nodev" (exceptions
being / and maybe mounts holding chroot jails, for example the mount containing
/var/www).

I used to like "noexec" for /tmp, but then I spent too long chasing ports
regression test failures due to having this restriction, so I got rid of it ..
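
An added example, not from the thread: the partition rules Stuart gives above, encoded as a small audit of fstab(5) text so that the nosuid mistake from the xscreensaver thread is caught before a reboot. The sample fstab and its DUIDs are constructed, modelled on Ken's layout; treating /var/www as the only chroot mount that needs nodev is an assumption taken from the example in the text.

```python
"""Audit fstab(5) text against the partition rules given above.
Added example, not from the thread; SAMPLE_FSTAB below is constructed."""

# Must NOT be nosuid: "/, /usr, and /usr/X11R6 definitely ... /usr/local is likely to".
SUID_NEEDED = {"/", "/usr", "/usr/X11R6", "/usr/local"}
# Need device nodes: / and chroot jails such as /var/www (assumed the only jail here).
DEV_NEEDED = {"/", "/var/www"}


def parse_fstab(text):
    """Return {mountpoint: set(options)} for every mounted filesystem (swap skipped)."""
    mounts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[2] != "swap":
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def audit_fstab(text):
    """Map each offending mountpoint to the list of option problems found."""
    findings = {}
    for mp, opts in parse_fstab(text).items():
        problems = []
        if mp in SUID_NEEDED and "nosuid" in opts:
            problems.append("nosuid breaks setuid programs here (xscreensaver symptom)")
        if mp not in SUID_NEEDED and "nosuid" not in opts:
            problems.append("nosuid missing")
        if mp not in DEV_NEEDED and "nodev" not in opts:
            problems.append("nodev missing")
        if problems:
            findings[mp] = problems
    return findings


# Constructed sample modelled on Ken's layout: /usr/local still nosuid (his original
# problem), /usr/ports and /home without nosuid. The DUIDs are fake.
SAMPLE_FSTAB = """\
0123456789abcdef.a / ffs rw 1 1
0123456789abcdef.b none swap sw
0123456789abcdef.d /tmp ffs rw,nodev,nosuid 1 2
0123456789abcdef.f /usr ffs rw,nodev 1 2
0123456789abcdef.g /usr/X11R6 ffs rw,nodev 1 2
0123456789abcdef.h /usr/local ffs rw,nodev,nosuid 1 2
0123456789abcdef.i /usr/ports ffs rw,nodev 1 2
0123456789abcdef.j /home ffs rw,nodev 1 2
"""

if __name__ == "__main__":
    for mp, problems in sorted(audit_fstab(SAMPLE_FSTAB).items()):
        print(f"{mp}: {'; '.join(problems)}")
```

Run it against `/etc/fstab` on a real host by reading the file into `audit_fstab`; an empty result means the layout matches the rules above.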



[relayd] transparent doesn't work

2018-09-21 Thread Thuban
I found a partial solution to my problem.
With the following configuration, the source client IP is correctly printed by a
PHP script (getip.php), but not in httpd logs.

Does anyone have an example with "transparent forward", please?

relayd.conf :

http protocol "http" {
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    include "/etc/relayd.proxy.conf"
    pass
}

http protocol "https" {
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    include "/etc/relayd.proxy.conf"
    tls { \
        cipher-server-preference,\
        no tlsv1.0\
    }
    pass
}

relay "www" {
    listen on 127.0.0.1 port 8080
    protocol "http"
    forward to destination
}

relay "wwwtls" {
    listen on 127.0.0.1 port 8443 tls
    protocol "https"
    forward with tls to destination
}

/etc/relayd.proxy.conf: 

return error
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
match query hash "sessid"

match request header remove "Proxy"
match response header set "Cache-Control" value "max-age=1814400"
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Powered-By" value "Powered with electricity on OpenBSD"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"

/etc/pf.conf: 

...
pass in quick on $ext_if proto tcp to port www divert-to 127.0.0.1 port 8080 flags S/SA modulate state
pass in quick on $ext_if proto tcp to port https divert-to 127.0.0.1 port 8443 flags S/SA modulate state

# everything open outbound
pass out on $ext_if proto { tcp udp icmp ipv6-icmp } all modulate state 



/etc/httpd.conf: 

listen on * port 80
listen on * tls port 443
hsts preload
tls {
    certificate "/etc/ssl/acme/yeuxdelibad.net-fullchain.pem"
    key "/etc/ssl/acme/private/yeuxdelibad.net-privkey.pem"
    ticket lifetime default
}
...

getip.php:


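
As an added example (not the author's getip.php and not relayd code), the following Python models what the posted relayd.proxy.conf does to the X-Forwarded-For header and how a backend should read it: httpd logs the relay's own address because relayd originates the TCP connection, and X-Forwarded-For may be trusted only when the TCP peer is the relay. The relay address (127.0.0.1) and the client addresses (RFC 5737 documentation ranges) are assumptions constructed for the example.

```python
"""Model of the posted relayd.proxy.conf header rewriting and of a backend
that reads the client address safely. Added example; relay and client
addresses are constructed."""
import ipaddress
from typing import Dict

# Assumption: relayd reaches httpd from loopback, which is why httpd's own
# access log shows 127.0.0.1 rather than the client address.
RELAY_ADDRS = {"127.0.0.1"}


def relay_request(client_addr: str, headers: Dict[str, str],
                  server_addr: str = "127.0.0.1", server_port: int = 8080) -> Dict[str, str]:
    """What the posted 'match header set' / 'remove' rules do to one request.
    'set' overwrites whatever the client sent, so a spoofed X-Forwarded-For
    never reaches the backend."""
    out = {k: v for k, v in headers.items() if k.lower() != "proxy"}  # match request header remove "Proxy"
    out["X-Forwarded-For"] = client_addr                              # value "$REMOTE_ADDR"
    out["X-Forwarded-By"] = f"{server_addr}:{server_port}"            # value "$SERVER_ADDR:$SERVER_PORT"
    return out


def client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """Backend view: remote_addr is the TCP peer. Believe X-Forwarded-For only
    when that peer is the relay; any other peer could have typed the header."""
    if remote_addr not in RELAY_ADDRS:
        return remote_addr
    # relayd sets a single address; take the last element in case a proxy
    # chain ever appends, and validate it before logging or acting on it.
    candidate = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


if __name__ == "__main__":
    spoofed = {"Host": "www.example", "X-Forwarded-For": "10.0.0.1", "Proxy": "x"}
    via_relay = relay_request("203.0.113.7", spoofed)
    print("via relay:", client_ip("127.0.0.1", via_relay))   # 203.0.113.7, relay's value wins
    print("direct   :", client_ip("192.0.2.9", spoofed))     # 192.0.2.9, header ignored
```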

Re: Voice Typing in Google Docs is OK

2018-09-21 Thread Tuyosi T
Sorry, very sorry.
It is my mistake.
Voice Typing in Google Docs is not OK in snapshots at present.

My PC is triple boot, so I made a mistake.
---
regards


Voice Typing in Google Docs is OK

2018-09-21 Thread Tuyosi T
Hi all.

I tried OpenBSD snapshots (6.4).
Voice Typing in Google Documents in Japanese runs well.

It is very nice because it is not impossible using Manjaro Linux (No. 1
at DistroWatch Page Hit Ranking).
---
regards


Re: Adding An Authentication Provider

2018-09-21 Thread My Info


On Sep 21, 2018 11:02 AM, Toyam Cox  wrote:
>
> I am trying to hook up a different authentication provider to
> OpenBSD's auth. At present, I can not find out how to "fake" the
> passwd database for groups. I know that Linux and NetBSD use nss,
> with tools such as nslookup and functions such as nsdispatch, but I
> can't find such things for OpenBSD. Am I on a fool's errand?
>
> Thank you.
>

pkg_add nss ?



Re: relayd as transparent proxy

2018-09-21 Thread Thuban
* Stuart Henderson on [21-09-2018 10:10:03 +]:
> On 2018-09-20, Thuban  wrote:
> > By the way, I'm confused about the "transparent forward" directive in
> > relayd.conf. It doesn't seem to work at all and setting a transparent proxy is
> > not using this keyword.
> 
> "transparent proxy" used to be common for web proxies meaning "you
> don't need to tell the client to use a proxy" but this is a confusing
> term. squid has got rid of this in favour of the more descriptive
> "interception proxy" now.
> 
> if you want to originate packets using the client's original source
> address you will need to figure out what's wrong with your setup using
> "transparent forward" as that is exactly what you need to use. I've had
> it working before but it *is* awkward.

That's exactly where I'm confused with the man page of relayd.

It is mentioned:
    forward to destination options ...
        When redirecting connections with a divert-to rule in pf.conf(5)
        to a relay listening on localhost, this directive will look up
        the real destination address of the intended target host,
        allowing the relay to be run as a **transparent proxy.**

That's what I did, but the original source address isn't kept.

The "transparent" directive just doesn't work:
    [transparent] forward [with tls] to address [port port] options ...

I tried relayd listening on port 80 and set up httpd to listen on port 8080. In
relayd.conf:

    transparent forward to 127.0.0.1 port 8080

No success.

Either I misunderstand the man page, or it lacks some details.

Regards.

thuban



Adding An Authentication Provider

2018-09-21 Thread Toyam Cox
I am trying to hook up a different authentication provider to
OpenBSD's auth. At present, I can not find out how to "fake" the
passwd database for groups. I know that Linux and NetBSD use nss,
with tools such as nslookup and functions such as nsdispatch, but I
can't find such things for OpenBSD. Am I on a fool's errand?

Thank you.



Re: Certificate authority software

2018-09-21 Thread obsd

On 21-9-2018 at 14:21, Gregory Edigarov wrote:

> Hello, list.
>
> I need to set up a CA for an intranet. I have some (rather not very
> positive) experience with ejbca.
> Before I set it up, I want to take a look at alternatives, and so
> I need advice on the choice of software.
>
> What would you guys use? Something with fewer dependencies is preferred
> (but with a web interface).
>
> Thank you.
>
> --
>
> With best regards,
>
>   Gregory Edigarov



I was quite happy with xCA.

Kind regards,
Erik



Re: Certificate authority software

2018-09-21 Thread Gregory Edigarov




On 21.09.18 15:28, Tim Jones wrote:

> ‐‐‐ Original Message ‐‐‐
> On Friday, September 21, 2018 1:21 PM, Gregory Edigarov wrote:
>
> > Hello, list.
> >
> > I need to set up a CA for an intranet. I have some (rather not very
> > positive) experience with ejbca.
> > Before I set it up, I want to take a look at alternatives, and so I
> > need advice on the choice of software.
> >
> > What would you guys use? Something with fewer dependencies is preferred
> > (but with a web interface).
> >
> > Thank you.
>
> Depends on what you want to do and the scale of your infrastructure?
>
> If it's your home lab or a small(ish) business then buy some Yubikeys (for the
> "secure your keys in an HSM" element) and fire up a copy of OpenSSL, and Robert
> is your uncle.
>
> If you're talking thousands of users or tens of thousands of servers, then I'm
> sure you've got the budget to pay for advice. ;-)

Thank you.

We're talking about hundreds of users, almost all of them are
roadwarriors with ipsec/openvpn (depending on their preference), and
tens of servers.

And no, I do not have any budget ;-)



Re: Certificate authority software

2018-09-21 Thread Tim Jones


‐‐‐ Original Message ‐‐‐
On Friday, September 21, 2018 1:21 PM, Gregory Edigarov wrote:

> Hello, list.
>
> I need to set up a CA for an intranet. I have some (rather not very
> positive) experience with ejbca.
> Before I set it up, I want to take a look at alternatives, and so I
> need advice on the choice of software.
>
> What would you guys use? Something with fewer dependencies is preferred
> (but with a web interface).
>
> Thank you.
>
>

Depends on what you want to do and the scale of your infrastructure?

If it's your home lab or a small(ish) business then buy some Yubikeys (for the
"secure your keys in an HSM" element) and fire up a copy of OpenSSL, and Robert
is your uncle.

If you're talking thousands of users or tens of thousands of servers, then I'm
sure you've got the budget to pay for advice. ;-)



Re: Certificate authority software

2018-09-21 Thread Gregory Edigarov

Forgot to say:

something with a dual (command line/web) interface would be even more
preferred.

On 21.09.18 15:21, Gregory Edigarov wrote:

> Hello, list.
>
> I need to set up a CA for an intranet. I have some (rather not very
> positive) experience with ejbca.
> Before I set it up, I want to take a look at alternatives, and so
> I need advice on the choice of software.
>
> What would you guys use? Something with fewer dependencies is preferred
> (but with a web interface).
>
> Thank you.
>
> --
>
> With best regards,
>
>   Gregory Edigarov





Certificate authority software

2018-09-21 Thread Gregory Edigarov

Hello, list.

I need to set up a CA for an intranet. I have some (rather not very
positive) experience with ejbca.
Before I set it up, I want to take a look at alternatives, and so I
need advice on the choice of software.

What would you guys use? Something with fewer dependencies is preferred
(but with a web interface).

Thank you.

--

With best regards,

  Gregory Edigarov



Re: xscreensaver locking disabled

2018-09-21 Thread Ken M
On Fri, Sep 21, 2018 at 11:07:55AM +, Stuart Henderson wrote:
> 
> Given the permissions you showed, the most likely reason would be if
> /usr/local is mounted with the "nosuid" flag.
> 
> 

That was the issue, fixed that and locking works perfectly, thank you.

If I may ask a quick side question, since this stems from my repartitioning of my
/usr mount points.

I have /usr, /usr/local and /usr/ports as separate mount points. local now does
not have nosuid; should /usr or /usr/ports have or not have that? Right now /usr
does not but /usr/ports does. To my mind that seems right, but well, as already
proven in this thread my mind was incorrect on that.

Ken



Re: xscreensaver locking disabled

2018-09-21 Thread Stuart Henderson
On 2018-09-21, Ken M  wrote:
> On Thu, Sep 20, 2018 at 08:20:18PM -0900, Philip Guenther wrote:
>> If xscreensaver decides it can't do locking, then when started it should
>> write to stderr why it thinks that.  Does openbox capture the stderr of the
>> processes that it starts to some file you can review?  If not, then stop
>> xscreensaver with
>>  xscreensaver-command -exit
>> and then start xscreensaver again manually in a shell and see what it
>> says.
>> 
>> Philip Guenther
>
> So below is what I did and that reveals a bit more.
>
> $ xscreensaver-command -exit
> xscreensaver-command: exiting.
>
> $ ps aux|grep xscreen
> me       73706  0.0  0.0   308  1348 p1  S+p   6:48AM    0:00.01 grep xscreen
> $ xscreensaver &&
>> xscreensaver-command -lock
> xscreensaver: 06:48:31: couldn't get password of "me"
> xscreensaver: 06:48:31: couldn't get password of "root"
> xscreensaver: 06:48:31: locking is disabled (error getting password).
> xscreensaver: 06:48:31: does xscreensaver need to be setuid?  consult the manual.
>
>

Given the permissions you showed, the most likely reason would be if
/usr/local is mounted with the "nosuid" flag.




Re: xscreensaver locking disabled

2018-09-21 Thread Ken M
On Thu, Sep 20, 2018 at 08:20:18PM -0900, Philip Guenther wrote:
> If xscreensaver decides it can't do locking, then when started it should
> write to stderr why it thinks that.  Does openbox capture the stderr of the
> processes that it starts to some file you can review?  If not, then stop
> xscreensaver with
>  xscreensaver-command -exit
> and then start xscreensaver again manually in a shell and see what it
> says.
> 
> Philip Guenther

So below is what I did and that reveals a bit more.

$ xscreensaver-command -exit
xscreensaver-command: exiting.

$ ps aux|grep xscreen
me       73706  0.0  0.0   308  1348 p1  S+p   6:48AM    0:00.01 grep xscreen
$ xscreensaver &&
> xscreensaver-command -lock
xscreensaver: 06:48:31: couldn't get password of "me"
xscreensaver: 06:48:31: couldn't get password of "root"
xscreensaver: 06:48:31: locking is disabled (error getting password).
xscreensaver: 06:48:31: does xscreensaver need to be setuid?  consult the manual.



Re: relayd as transparent proxy

2018-09-21 Thread Stuart Henderson
On 2018-09-20, Thuban  wrote:
> By the way, I'm confused about the "transparent forward" directive in
> relayd.conf. It doesn't seem to work at all and setting a transparent proxy is
> not using this keyword.

"transparent proxy" used to be common for web proxies meaning "you
don't need to tell the client to use a proxy" but this is a confusing
term. squid has got rid of this in favour of the more descriptive
"interception proxy" now.

if you want to originate packets using the client's original source
address you will need to figure out what's wrong with your setup using
"transparent forward" as that is exactly what you need to use. I've had
it working before but it *is* awkward.




Re: Minimum Holdtime for BGP OpenBGPd in Production

2018-09-21 Thread Tom Smyth
Hi Stuart, all,
please find my responses below.
On Tue, 18 Sep 2018 at 11:14, Stuart Henderson  wrote:
>
> On 2018-09-18, Claudio Jeker  wrote:
> >
> > I recommend using the default especially against ebgp peers.
>
> MikroTik in particular are known to be bad at keeping up with BGP timers.
>
Yes, we have had some pain with this; we are migrating off them (slowly
but surely).

> >
> > bgpd should be able to handle the minimal hold time with 30 or 60
> > peers just fine but I'm not so sure about any other system. Also flapping
> > sessions because of too aggressive holdtime is counterproductive: the
> > session flap dampening will kick in and will keep the session down longer than
> > needed.
Thanks for this insight, it is really helpful.
> >
> > In the end, like with most tuning, you need to check for yourself with what
> > you are comfortable with.
>
> This is mostly down to what your peers can handle (at a particular time),
> and other people's real world experience will mostly not reflect that.
>
Yes, I'm more concerned about the L3 switches that would be running BGP and
the speed of their control plane...

> You might think to check "bgpctl sh nei" over time and monitor how "Last
> read" compares with "keepalive interval" to get a baseline, but if you do
> then beware, that will mostly just show things under a normal situation.
> If hold times expire because somebody's router is too busy on occasion,
> flapping the session is just going to make it *even more* busy, adding
> to the problem (which can be especially nasty at an IXP).
>
The read times vary between 1 and 3 seconds from my tests.
> Are you seeing actual problems with peers that cause you to want to do
> this?
It was mainly an issue internally where we had a lot of IGP sessions (full table)
with multihop BGP sessions running (which depend on OSPF);
we had some problems with a couple of routers where OSPF would lose adjacency
and I was trying to lower the impact of those on BGP, or improve
convergence times if / when it happened.. I just need to migrate off those
routers that are causing me pain.

>
> - If so and it's IXP-wide, maybe talk to the IXP? If it happens during
> maintenance and they aren't already following BCP214 (session culling),
> perhaps they could do that.
Thankfully it is not an IXP-wide issue..
>
> - If so and it's individual peers, maybe consider dropping them if
> they're unreliable and not that important, or talking to them if they
> are important?
They are internal peers so they are important ...
I will stick to the defaults based on what Stuart and Claudio recommended.

Thanks, I really appreciate your help.
>
>


-- 
Kindest regards,
Tom Smyth

Mobile: +353 87 6193172