Re: xscreensaver locking disabled
On 2018/09/21 07:22, Ken M wrote:
> On Fri, Sep 21, 2018 at 11:07:55AM +, Stuart Henderson wrote:
> >
> > Given the permissions you showed, the most likely reason would be if
> > /usr/local is mounted with the "nosuid" flag.
> >
>
> That was the issue, fixed that and locking works perfectly, thank you.
>
> If I may a quick side question since this stems from my repartitioning of my
> /usr mount points.
>
> I have /usr /usr/local and /usr/ports as separate mount points. local now does
> not have nosuid, should /usr or /usr/ports have or not have that? Right now
> /usr does not but /usr/ports does. To my mind that seems right, but well, as
> already proven in this thread my mind was incorrect on that.
>
> Ken

/, /usr, and /usr/X11R6 definitely contain programs that need setuid, and
/usr/local is likely to in many cases. Other partitions generally don't, so
you can mount them with "nosuid".

While on the subject of mount options, most things can be "nodev" (exceptions
being / and maybe mounts holding chroot jails, for example the mount
containing /var/www).

I used to like "noexec" for /tmp, but then I spent too long chasing ports
regression test failures due to having this restriction, so I got rid of it ..
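As an added illustration of the point above (not from the thread): a small sh/awk audit that maps each setuid binary to the mount point holding it and reports any that sit on a "nosuid" mount, where the kernel silently ignores the setuid bit, which is exactly what broke xscreensaver locking here. The mount(8) output in MOUNTS and the paths in SETUID_SAMPLE are constructed samples, and the function names are mine; real_setuid_list shows the find(1) call you would use on a live system.

```shell
#!/bin/sh
# Added example: report setuid binaries that live on a "nosuid" mount.
# MOUNTS is a constructed sample shaped like OpenBSD mount(8) output
# ("device on mountpoint type fs (options)"); on a live system: MOUNTS=$(mount)
MOUNTS='/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)
/dev/sd0g on /usr/local type ffs (local, nodev, nosuid)
/dev/sd0h on /usr/ports type ffs (local, nodev, nosuid)'

# Constructed list of setuid binaries; on a live system build it with
# real_setuid_list, run once per mount point so find(1) stays on one filesystem.
SETUID_SAMPLE='/usr/bin/su
/usr/X11R6/bin/xlock
/usr/local/bin/xscreensaver
/sbin/ping'

real_setuid_list() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Mount points carrying the nosuid option, one per line.
nosuid_mounts() {
    printf '%s\n' "$MOUNTS" | awk '/\(.*nosuid.*\)/ { print $3 }'
}

# Read setuid paths on stdin; print "path mountpoint" for each path whose
# longest-prefix mount point is nosuid, where the kernel ignores the setuid bit.
suid_on_nosuid() {
    { printf '%s\n' "$MOUNTS"; echo '--'; cat; } | awk '
    $0 == "--" { inpaths = 1; next }
    !inpaths { n++; mp[n] = $3; nosuid[n] = ($0 ~ /\(.*nosuid.*\)/); next }
    NF {
        best = 0
        for (i = 1; i <= n; i++) {
            m = mp[i]
            if (m == "/" || $0 == m || index($0, m "/") == 1)
                if (!best || length(m) > length(mp[best])) best = i
        }
        if (best && nosuid[best]) print $0, mp[best]
    }'
}

printf '%s\n' "$SETUID_SAMPLE" | suid_on_nosuid
```

With the sample data the only finding is /usr/local/bin/xscreensaver on /usr/local; /usr/X11R6 is not a separate mount in the sample, so xlock resolves to /usr and passes.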
[relayd] transparent don't work
I found a partial solution to my problem. With the following configuration,
the source client IP is correctly printed by a php script (getip.php), but
not in httpd logs.

Does anyone have an example with "transparent forward" please?

relayd.conf :

http protocol "http" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        include "/etc/relayd.proxy.conf"
        pass
}

http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        include "/etc/relayd.proxy.conf"
        tls { \
                cipher-server-preference,\
                no tlsv1.0\
        }
        pass
}

relay "www" {
        listen on 127.0.0.1 port 8080 protocol "http"
        forward to destination
}

relay "wwwtls" {
        listen on 127.0.0.1 port 8443 tls protocol "https"
        forward with tls to destination
}

/etc/relayd.proxy.conf:

return error
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
match query hash "sessid"
match request header remove "Proxy"
match response header set "Cache-Control" value "max-age=1814400"
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Powered-By" value "Powered with electricity on OpenBSD"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"

/etc/pf.conf:
...
pass in quick on $ext_if proto tcp to port www divert-to 127.0.0.1 port 8080 flags S/SA modulate state
pass in quick on $ext_if proto tcp to port https divert-to 127.0.0.1 port 8443 flags S/SA modulate state
# everything open outbound
pass out on $ext_if proto { tcp udp icmp ipv6-icmp } all modulate state

/etc/httpd.conf:

listen on * port 80
listen on * tls port 443
hsts preload
tls {
        certificate "/etc/ssl/acme/yeuxdelibad.net-fullchain.pem"
        key "/etc/ssl/acme/private/yeuxdelibad.net-privkey.pem"
        ticket lifetime default
}
...

getip.php:
Re : Voice Typing in Google Docs is OK
Sorry, very sorry. It is my mistake. Voice Typing in Google Docs is not OK in snapshots at present. My PC is triple boot, so I made a mistake.

---
regards
Voice Typing in Google Docs is OK
Hi all. I tried OpenBSD snapshots (6.4). Voice Typing in Google Documents in Japanese runs well. It is very nice because it is not impossible using Manjaro Linux (No. 1 at DistroWatch Page Hit Ranking).

---
regards
Re: Adding An Authentication Provider
On Sep 21, 2018 11:02 AM, Toyam Cox wrote:
>
> I am trying to hook up a different authentication provider to
> OpenBSD's auth. At present, I can not find out how to "fake" the
> passwd database for groups. I know that Linux and NetBSD use nss,
> with tools such as nslookup and functions such as nsdispatch, but I
> can't find such things for OpenBSD. Am I on a fool's errand?
>
> Thank you.
>

pkg_add nss ?
Re: relayd as transparent proxy
* Stuart Henderson on [21-09-2018 10:10:03 +]:
> On 2018-09-20, Thuban wrote:
> > By the way, I'm confused about the "transparent forward" directive in
> > relayd.conf. It doesn't seem to work at all and setting a transparent
> > proxy is not using this keyword.
>
> "transparent proxy" used to be common for web proxies meaning "you
> don't need to tell the client to use a proxy" but this is a confusing
> term. squid has got rid of this in favour of the more descriptive
> "interception proxy" now.
>
> if you want to originate packets using the client's original source
> address you will need to figure out what's wrong with your setup using
> "transparent forward" as that is exactly what you need to use. I've had
> it working before but it *is* awkward.

That's exactly where I'm confused with the man page of relayd. It is
mentioned:

    forward to destination options ...
        When redirecting connections with a divert-to rule in pf.conf(5)
        to a relay listening on localhost, this directive will look up
        the real destination address of the intended target host,
        allowing the relay to be run as a transparent proxy.

That's what I did, but the original source address isn't kept.

The "transparent" directive just doesn't work:

    [transparent] forward [with tls] to address [port port] options ...

I tried relayd listening on port 80 and set up httpd to listen on port
8080. In relayd.conf:

    transparent forward to 127.0.0.1 port 8080

No success.

Either I misunderstand the manpage, or it lacks some precision.

Regards.
thuban
Adding An Authentication Provider
I am trying to hook up a different authentication provider to OpenBSD's auth. At present, I can not find out how to "fake" the passwd database for groups. I know that Linux and NetBSD use nss, with tools such as nslookup and functions such as nsdispatch, but I can't find such things for OpenBSD. Am I on a fool's errand? Thank you.
Re: Certificate authority software
On 21-9-2018 at 14:21, Gregory Edigarov wrote:
> Hello, list.
>
> I need to set up a CA for intranet. I have some (rather not very
> positive) experience with ejbca.
> before I will set it up, I want to take a look at alternatives, and so i
> need some advice on the choice of software.
>
> what would you guys use? something with less dependencies is preferred
> (but with web interface).
>
> thank you.
>
> --
> With best regards,
> Gregory Edgarov

I was quite happy with xCA.

Kind regards,
Erik
Re: Certificate authority software
On 21.09.18 15:28, Tim Jones wrote:
> ‐‐‐ Original Message ‐‐‐
> On Friday, September 21, 2018 1:21 PM, Gregory Edigarov wrote:
>
> > Hello, list.
> >
> > I need to set up a CA for intranet. I have some (rather not very
> > positive) experience with ejbca.
> > before I will set it up, I want to take a look at alternatives, and so i
> > need some advice on the choice of software.
> >
> > what would you guys use? something with less dependencies is preferred
> > (but with web interface).
> >
> > thank you.
>
> Depends what you want to do and the scale of your infrastructure?
>
> If it's your home lab or a small(ish) business then buy some Yubikeys (for
> the "secure your keys in an HSM" element) and fire up a copy of OpenSSL,
> and Robert is your uncle.
>
> If you're talking thousands of users or tens of thousands of servers, then
> I'm sure you've got the budget to pay for advice. ;-)

Thank you.
we're talking about hundreds of users, almost all of them are roadwarriors
with ipsec/openvpn (depending on their preference), and tens of servers.
and no, I do not have any budget ;-)
Re: Certificate authority software
‐‐‐ Original Message ‐‐‐
On Friday, September 21, 2018 1:21 PM, Gregory Edigarov wrote:

> Hello, list.
>
> I need to set up a CA for intranet. I have some (rather not very
> positive) experience with ejbca.
> before I will set it up, I want to take a look at alternatives, and so i
> need some advice on the choice of software.
>
> what would you guys use? something with less dependencies is preferred
> (but with web interface).
>
> thank you.

Depends what you want to do and the scale of your infrastructure?

If it's your home lab or a small(ish) business then buy some Yubikeys (for
the "secure your keys in an HSM" element) and fire up a copy of OpenSSL, and
Robert is your uncle.

If you're talking thousands of users or tens of thousands of servers, then
I'm sure you've got the budget to pay for advice. ;-)
Re: Certificate authority software
Forgot to say: something with dual (command line/web) interface would be
even more preferred.

On 21.09.18 15:21, Gregory Edigarov wrote:
> Hello, list.
>
> I need to set up a CA for intranet. I have some (rather not very
> positive) experience with ejbca.
> before I will set it up, I want to take a look at alternatives, and so i
> need some advice on the choice of software.
>
> what would you guys use? something with less dependencies is preferred
> (but with web interface).
>
> thank you.
>
> --
> With best regards,
> Gregory Edgarov
Certificate authority software
Hello, list.

I need to set up a CA for intranet. I have some (rather not very
positive) experience with ejbca.
before I will set it up, I want to take a look at alternatives, and so i
need some advice on the choice of software.

what would you guys use? something with less dependencies is preferred
(but with web interface).

thank you.

--
With best regards,
Gregory Edgarov
Re: xscreensaver locking disabled
On Fri, Sep 21, 2018 at 11:07:55AM +, Stuart Henderson wrote:
>
> Given the permissions you showed, the most likely reason would be if
> /usr/local is mounted with the "nosuid" flag.
>

That was the issue, fixed that and locking works perfectly, thank you.

If I may a quick side question since this stems from my repartitioning of my
/usr mount points.

I have /usr /usr/local and /usr/ports as separate mount points. local now does
not have nosuid, should /usr or /usr/ports have or not have that? Right now
/usr does not but /usr/ports does. To my mind that seems right, but well, as
already proven in this thread my mind was incorrect on that.

Ken
Re: xscreensaver locking disabled
On 2018-09-21, Ken M wrote:
> On Thu, Sep 20, 2018 at 08:20:18PM -0900, Philip Guenther wrote:
>> If xscreensaver decides it can't do locking, then when started it should
>> write to stderr why it thinks that. Does openbox capture the stderr of the
>> processes that it starts to some file you can review? If not, then stop
>> xscreensaver with
>> xscreensaver-command -exit
>> and then start xscreensaver again manually in a shell and see what it
>> says.
>>
>> Philip Guenther
>
> So below is what I did and that reveals a bit more.
>
> $ xscreensaver-command -exit
> xscreensaver-command: exiting.
>
> $ ps aux|grep xscreen
> me 73706 0.0 0.0 308 1348 p1 S+p 6:48AM 0:00.01 grep xscreen
> $ xscreensaver &&
>> xscreensaver-command -lock
> xscreensaver: 06:48:31: couldn't get password of "me"
> xscreensaver: 06:48:31: couldn't get password of "root"
> xscreensaver: 06:48:31: locking is disabled (error getting password).
> xscreensaver: 06:48:31: does xscreensaver need to be setuid? consult the
> manual.
>

Given the permissions you showed, the most likely reason would be if
/usr/local is mounted with the "nosuid" flag.
Re: xscreensaver locking disabled
On Thu, Sep 20, 2018 at 08:20:18PM -0900, Philip Guenther wrote:
> If xscreensaver decides it can't do locking, then when started it should
> write to stderr why it thinks that. Does openbox capture the stderr of the
> processes that it starts to some file you can review? If not, then stop
> xscreensaver with
> xscreensaver-command -exit
> and then start xscreensaver again manually in a shell and see what it
> says.
>
> Philip Guenther

So below is what I did and that reveals a bit more.

$ xscreensaver-command -exit
xscreensaver-command: exiting.

$ ps aux|grep xscreen
me 73706 0.0 0.0 308 1348 p1 S+p 6:48AM 0:00.01 grep xscreen
$ xscreensaver &&
> xscreensaver-command -lock
xscreensaver: 06:48:31: couldn't get password of "me"
xscreensaver: 06:48:31: couldn't get password of "root"
xscreensaver: 06:48:31: locking is disabled (error getting password).
xscreensaver: 06:48:31: does xscreensaver need to be setuid? consult the
manual.
Re: relayd as transparent proxy
On 2018-09-20, Thuban wrote:
> By the way, I'm confused about the "transparent forward" directive in
> relayd.conf. It doesn't seem to work at all and setting a transparent proxy
> is not using this keyword.

"transparent proxy" used to be common for web proxies meaning "you
don't need to tell the client to use a proxy" but this is a confusing
term. squid has got rid of this in favour of the more descriptive
"interception proxy" now.

if you want to originate packets using the client's original source
address you will need to figure out what's wrong with your setup using
"transparent forward" as that is exactly what you need to use. I've had
it working before but it *is* awkward.
Re: Minimum Holdtime for BGP OpenBGPd in Production
Hi Stuart, all

please find my responses below,

On Tue, 18 Sep 2018 at 11:14, Stuart Henderson wrote:
>
> On 2018-09-18, Claudio Jeker wrote:
> >
> > I recommend using the default especially against ebgp peers.
>
> MikroTik in particular are known to be bad at keeping up with BGP timers.
>

Yes we have had some pain with this, we are migrating off them (slowly but
surely)

> >
> > bgpd should be able to handle the minimal hold time with 30 or 60
> > peers just fine but I'm not so sure about any other system. Also flapping
> > sessions because of too aggressive holdtime is counterproductive, the
> > session flap dampening will kick in and will keep the session down longer
> > than needed.

Thanks for this insight, it is really helpful

> >
> > In the end, like with most tuning, you need to check for yourself with what
> > you are comfortable with.
>
> This is mostly down to what your peers can handle (at a particular time),
> and other people's real world experience will mostly not reflect that.
>

yes, I'm more concerned about the L3 Switches that would be running BGP and
the speed of their control plane...

> You might think to check "bgpctl sh nei" over time and monitor how "Last
> read" compares with "keepalive interval" to get a baseline, but if you do
> then beware, that will mostly just show things under a normal situation.
> If hold times expire because somebody's router is too busy on occasion,
> flapping the session is just going to make it *even more* busy, adding
> to the problem (which can be especially nasty at an IXP).
>

the read times vary between 1 and 3 seconds from my tests,

> Are you seeing actual problems with peers that cause you to want to do
> this?

It was mainly an issue internally where we had a lot of IGP sessions (full
Table) with multihop bgp sessions running (which depend on OSPF), we had some
problems with a couple of routers where OSPF would lose adjacency and I was
trying to lower the impact of those on BGP, or improve convergence times if /
when it happened.. I just need to migrate off those routers that are causing
me pain

> - If so and it's IXP-wide, maybe talk to the IXP? If it happens during
> maintenance and they aren't already following BCP214 (session culling),
> perhaps they could do that.

Thankfully it is not an IXP wide issue..

> - If so and it's individual peers, maybe consider dropping them if
> they're unreliable and not that important, or talking to them if they
> are important?

They are internal peers so they are important ...

I will stick to the defaults based on what Stuart and Claudio recommended

Thanks I really appreciate your help,

--
Kindest regards,
Tom Smyth

Mobile: +353 87 6193172

The information contained in this E-mail is intended only for the
confidential use of the named recipient. If the reader of this message is not
the intended recipient or the person responsible for delivering it to the
recipient, you are hereby notified that you have received this communication
in error and that any review, dissemination or copying of this communication
is strictly prohibited. If you have received this in error, please notify the
sender immediately by telephone at the number above and erase the message. You
are requested to carry out your own virus check before opening any attachment.
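As an added example (not from the thread, and not OpenBGPD's own code): a small sh/awk check in the spirit of Stuart's "bgpctl sh nei" suggestion, flagging Established peers whose "Last read" is already past the keepalive interval or is approaching the holdtime, so a baseline can be collected before anyone shortens timers. The bgpctl(8) output in SAMPLE is constructed and its line layout is an assumption; flag_slow_peers and secs are names of my choosing.

```shell
#!/bin/sh
# Added example: compare each peer's "Last read" with its keepalive interval
# and holdtime, as a baseline check of bgpctl(8) "show neighbor" output.
# SAMPLE is constructed; its line layout is an assumption modelled on OpenBGPD.
# On a live router: bgpctl show neighbor | flag_slow_peers
SAMPLE='BGP neighbor is 192.0.2.1, remote AS 64496
 Description: core-sw1
  BGP state = Established, up for 12:40:11
  Last read 00:00:07, holdtime 90s, keepalive interval 30s
BGP neighbor is 192.0.2.2, remote AS 64496
 Description: core-sw2
  BGP state = Established, up for 2d01h
  Last read 00:01:05, holdtime 90s, keepalive interval 30s
BGP neighbor is 192.0.2.3, remote AS 64496
 Description: edge-rtr
  BGP state = Established, up for 00:05:02
  Last read 00:00:05, holdtime 9s, keepalive interval 3s
BGP neighbor is 192.0.2.4, remote AS 64496
 Description: lab
  BGP state = Active, down for 00:01:00
  Last read 00:02:00, holdtime 90s, keepalive interval 30s'

# Print one line per Established peer whose Last read exceeds its keepalive
# interval: "<peer> read=<s> keepalive=<s> holdtime=<s> <level>", level being
# MISSED (a keepalive was late) or EXPIRING (past 2/3 of the holdtime, so the
# next check may well be a flap). Peers in any other state are ignored.
flag_slow_peers() {
    awk '
    function secs(t,  a) {   # "HH:MM:SS" -> seconds; day/week forms -> huge
        if (t ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/) {
            split(t, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3]
        }
        return 1e9
    }
    /^BGP neighbor is/ { peer = $4; sub(/,$/, "", peer); state = "" }
    /BGP state = /     { state = $4; sub(/,$/, "", state) }
    /Last read/ && state == "Established" {
        r = $3; sub(/,$/, "", r); r = secs(r)
        h = $5; sub(/s,$/, "", h); h += 0
        k = $8; sub(/s$/, "", k); k += 0
        if (r > 2 * h / 3)  lvl = "EXPIRING"
        else if (r > k)     lvl = "MISSED"
        else next
        printf "%s read=%d keepalive=%d holdtime=%d %s\n", peer, r, k, h, lvl
    }'
}

printf '%s\n' "$SAMPLE" | flag_slow_peers
```

Run it from cron against the live output and keep the lines; a peer that shows up as MISSED under normal load is the one whose holdtime should not be shortened.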