Re: Client-authenticated TLS handshake with relayd

2021-02-19 Thread Jean-Pierre de Villiers
In relayd.conf(5) it is explained that using the 'forward' statement
with the 'with tls' directive enables client-side TLS mode.  Refer to
the aforementioned manual page for the exact syntax.  Remember that you
can check the syntax by running 'relayd -n'.

Regards,
Jean-Pierre

On 21/02/19 12:15pm, Paul Pace wrote:
> Hello!
>
> I am putting a small server behind Cloudflare that currently is configured
> to serve everything through relayd.
>
> I want to use their option of client-authenticated TLS handshakes, but I
> can't see a way to do it with relayd - is this possible?
>
> It does look like I could use httpd tls client ca option (assuming I'm
> understanding the man page), which I can use if relayd doesn't support this.
>
> Thank you!
>
> Paul
>



No advertisements from CARP master

2021-02-19 Thread Dev Op
Hello, colleagues!

In vlan2 I have 4 routers: rt1 (master) and rt2 (slave) grouped into VHID
50 in terms of CARP; rt3 (master) and rt4 (slave) grouped into VHID 2. Why
don't I see carp advertisements from rt1? Instead, I see carp announcements
only from rt3 (vhid2). Where am I wrong?

rt1:

-> % ifconfig carp2 | grep -v inet
carp2: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:32
description: Interlink
index 5 priority 15 llprio 3
carp: MASTER carpdev vlan2 vhid 50 advbase 1 advskew 0
groups: carp
status: master
ks1@rt1 [05:44:47] [~]
-> % sudo tcpdump -c 10 -ni carp2 proto carp
tcpdump: listening on carp2, link-type EN10MB
05:44:54.003157 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:44:55.003217 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:44:56.003236 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:44:57.003276 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:44:58.003313 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:44:59.003354 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:45:00.003398 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:45:01.003431 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:45:02.003475 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
05:45:03.003512 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0
(DF) [tos 0x10]
ks1@rt1 [05:45:03] [~]
-> % sysctl net.inet.carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2
ks1@rt1 [05:46:40] [~]
-> % uname -r
6.8
ks1@rt1 [05:57:11] [~]
-> % sudo sysctl net.inet.carp.log=7
net.inet.carp.log: 2 -> 7
ks1@rt1 [05:57:25] [~]
-> % tail -f /var/log/messages
Feb 20 05:57:57 border1 /bsd: carp2: ip_output failed: 13
Feb 20 05:57:58 border1 /bsd: carp2: ip_output failed: 13
Feb 20 05:57:59 border1 /bsd: carp2: ip_output failed: 13
Feb 20 05:58:00 border1 /bsd: carp2: ip_output failed: 13
Feb 20 05:58:01 border1 /bsd: carp2: ip_output failed: 13
...

I don't know what it means. Do I understand correctly that there can be
only one master in the multicast domain that can send carp advertisements?
Thanks.

Regards,
Den
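The capture above shows advertisements for vhid 2 only, and the log shows carp2's ip_output() returning errno 13. As an added example that is not part of Den's post, the C below tallies CARPv2-advertise lines per VHID over constructed sample lines shaped like the capture, reports which of the host's configured VHIDs never appear, and decodes the errno with strerror(3). Function names and the sample lines are mine; the post does not show which part of the output path returned the error, so the code only decodes the number.

```c
/* Added example (not from the post): tally CARP advertisements per VHID from
 * tcpdump lines and report which configured VHIDs never advertise. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_VHID 255

/* Count "CARPv2-advertise" lines per vhid. Returns the number of lines that
 * parsed as advertisements; counts[vhid] receives the per-VHID tally. */
int tally_carp_adverts(const char *const *lines, int nlines,
                       int counts[MAX_VHID + 1])
{
    int i, vhid, advbase, advskew, seen = 0;

    memset(counts, 0, sizeof(int) * (MAX_VHID + 1));
    for (i = 0; i < nlines; i++) {
        /* the timestamp and length fields are skipped; only vhid matters */
        if (sscanf(lines[i],
                   "%*s CARPv2-advertise %*d: vhid=%d advbase=%d advskew=%d",
                   &vhid, &advbase, &advskew) != 3)
            continue;
        if (vhid < 1 || vhid > MAX_VHID)
            continue;
        counts[vhid]++;
        seen++;
    }
    return seen;
}

/* Copy the configured VHIDs that never advertised into silent[].
 * Returns how many are silent. */
int silent_vhids(const int counts[MAX_VHID + 1], const int *configured,
                 int nconf, int *silent)
{
    int i, n = 0;

    for (i = 0; i < nconf; i++)
        if (counts[configured[i]] == 0)
            silent[n++] = configured[i];
    return n;
}

/* "ip_output failed: 13" -- the number is an errno value (13 is EACCES). */
const char *ip_output_errno_text(int err)
{
    return strerror(err);
}

int main(void)
{
    /* constructed sample shaped like the tcpdump output in the post */
    static const char *const sample[] = {
        "tcpdump: listening on carp2, link-type EN10MB",
        "05:44:54.003157 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0",
        "05:44:55.003217 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0",
        "05:44:56.003236 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0",
    };
    const int configured[] = { 50, 2 };   /* VHIDs this host takes part in */
    int counts[MAX_VHID + 1], silent[2], i, n;

    tally_carp_adverts(sample, 4, counts);
    for (i = 0; i < 2; i++)
        printf("vhid %d: %d advertisements\n", configured[i], counts[configured[i]]);
    n = silent_vhids(counts, configured, 2, silent);
    for (i = 0; i < n; i++)
        printf("vhid %d is configured but never advertised\n", silent[i]);
    printf("ip_output failed: 13 -> %s\n", ip_output_errno_text(13));
    return 0;
}
```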


iSCSI LUN mount on boot

2021-02-19 Thread Ashton Fagg
I'm curious as to what other folks are doing for mounting iSCSI volumes
at boot time. I've successfully configured iscsid, and mounting the
volume manually works as expected.

I found this article [1] which suggests that hotplugd should be used.

I also found this old presentation [2] which suggests it should "just
work" with an entry in /etc/fstab. Maybe I did not get this correct, as:

.a /mnt/test ffs rw,noatime,nodev,nosuid,nofail 1 2

causes the machine to go into single-user mode on boot (presumably
because the iSCSI daemon hasn't yet started).

Am I missing something here? Is hotplugd the preferred way to accomplish this?

Thanks.

[1]: https://www.bsdhowto.ch/automount.html
[2]: https://www.slideshare.net/eurobsdcon/claudio-iscsid



Re: Doas

2021-02-19 Thread harold felton
I noticed the newbie-q earlier and am not sure of the full thread,
but the comment below is the "correct" answer for most cases:
i.e. look in /etc/examples if the config-file-you-need isn't there yet...

The reason I am chiming in is because I wrote a "crude" script
that I will enclose below - because I found myself often having
the problem that I would make-a-change to /etc/doas.conf and
then lock-myself-out because of user error...  so...

Enclosed is a vidoas.sh script - like you would use for vipw...

hth, h.

> You'll find plenty of examples in the directory "/etc/examples".  It
> also helps that many (all?) programs written for the OpenBSD project are
> able to check the syntax of their own configuration files while printing
> any errors to standard output, including doas.

#!/bin/ksh
#
# hjf latest mod: 2020-04-04 @ 09:30 PDT
#
## vidoas.sh: edit /etc/doas.conf the way vipw edits the password file.
## Work on a copy, let doas -C check the syntax, make sure the edited file
## still permits the current user, then install it.
#
## this is a basic copy/update from eradman at
## http://eradman.com/posts/ut-shell-scripts.html
## PATTERN singleton try/assert()
##
## GOAL try to create a vidoas pgm like visudo...
## ASSUMPTIONS interactive edits, allowing re-edits post-run, ...
## (OpenBSD's /bin/sh is ksh; the script uses ksh features such as trap ERR)

DOASFILE="/etc/doas.conf"
TTY=$(tty)
USR=$(whoami)
VIDOAS=$(basename "$0")
TEST01="doas password for the initial copy"
TEST02="edit of the doas file"
TEST03="permissions in the edited doas file"
TEST04="doas password for the final replacement"
DODEBUG=1

explain() {
	printf '%s: MUST supply password before AND after edits.\n' "$VIDOAS"
	printf 'Steps: 1. %s  2. %s  3. %s  4. %s\n' \
	    "$TEST01" "$TEST02" "$TEST03" "$TEST04"
}

setup() {
	LAUNCH_CMDS=$(mktemp) || exit 1
	PERMIT_FILE=$(mktemp) || exit 1
	VI_FILE=$(mktemp) || exit 1
	# one-rule config used to check that doas -C itself behaves
	echo "permit $USR" > "$PERMIT_FILE"
}

teardown() {
	rm -f "$LAUNCH_CMDS" "$PERMIT_FILE" "$VI_FILE"
}

# SINGLETON try/assert: try names the current step, assert compares strings
tests_run=0
try() { this="$1"; }
assert() {
	# $((...)) always exits 0, unlike "let n=0", so it never trips trap ERR
	tests_run=$((tests_run + 1))
	if [ "$1" = "$2" ]; then
		printf '.'
		return
	fi
	printf '\nFAIL: %s\n%s != %s\n' "$this" "'$1'" "'$2'"
	teardown
	exit 1
}
trap 'printf "%s: exit code %s on line %s\nFAIL: %s\n" "$0" "$?" "$LINENO" "$this"; teardown; exit 1' ERR

# MAIN-STARTS-HERE
setup
if [ "$DODEBUG" ]; then explain; fi

try "0. self-test of doas -C"
assert "$(doas -C "$PERMIT_FILE" echo)" "permit"
assert "$(doas -C "$VI_FILE" echo)" "deny"	# an empty config denies everything

try "1. $TEST01"
# password #1. cp truncates the existing mktemp file, so the copy keeps
# $USR's ownership and 0600 mode; doas -L clears the persisted authorization
# so the final install really asks for the password again.
cat > "$LAUNCH_CMDS" <<'LAUNCHER'
doas -L
doas cp "$DOASFILE" "$VI_FILE"
doas -L
LAUNCHER
# a bad password shows up on stderr ("Authentication failed") and fails here
assert "$(. "$LAUNCH_CMDS" 2>&1)" ""

try "2. $TEST02"
cat > "$LAUNCH_CMDS" <<'LAUNCHER'
# don't let kshrc stuff run in the editor's shell
export ENV=''
( sh -i -c "vi $VI_FILE <$TTY >$TTY" )
# no command: doas -C only parses the file and is silent when it is valid
doas -C "$VI_FILE"
LAUNCHER
# a syntax error from the edit is reported on stderr and fails here
assert "$(. "$LAUNCH_CMDS" 2>&1)" ""

try "3. $TEST03"
# the edited rules must still let $USR run cp (as root, the default target),
# which is exactly what step 4 does; "permit nopass" is also fine
assert "$(doas -C "$VI_FILE" cp | cut -c 1-6)" "permit"

try "4. $TEST04"
assert "$(doas cp "$VI_FILE" "$DOASFILE" 2>&1)" ""
# MAIN-ENDS-HERE

if [ "$DODEBUG" ]; then
	printf '\nPASS: %s tests run\n' "$tests_run"
fi
printf '%s: succeeded.\n' "$VIDOAS"
teardown
exit 0


Client-authenticated TLS handshake with relayd

2021-02-19 Thread Paul Pace

Hello!

I am putting a small server behind Cloudflare that currently is 
configured to serve everything through relayd.


I want to use their option of client-authenticated TLS handshakes, but I 
can't see a way to do it with relayd - is this possible?


It does look like I could use httpd tls client ca option (assuming I'm 
understanding the man page), which I can use if relayd doesn't support this.


Thank you!

Paul



Re: OpenBSD VPN with Debian Buster Strongswan roadwarrior client

2021-02-19 Thread marfabastewart
>> On Fri 19. Feb 2021 at 5.28, marfabastewart
>>  wrote:

>>  If anyone else is configuring a VPN between an OpenBSD responder and
>>  a Debian Buster initiator with Strongswan

... snip snip ...

>>  On the OpenBSD responder, your /etc/iked.conf should be something like:

... snip snip ...

>>  ikev2 'responder_x509' passive esp \
>>  from 0.0.0.0/0 to $vpn_net \

... snip snip ...

>> The examples on strongswan.org
>> I saw had "remote_ts = 0.0.0.0" instead of "remote_ts =
>> 0.0.0.0/0" -- nothing worked for me until I added the "/0"
>> to the end.

> On Friday, February 19, 2021 2:24 AM, Ville Valkonen
>  wrote:

... snip snip ...

>  That's because it must match what you've configured on the Openbsd side
>  (0.0.0.0/0).

Thank you very much!

I also found out how to get rid of the DNS errors, just

sudo apt install resolvconf

(I found a post that said one needs resolvconf because of Debian
AppArmor.)



Possible omission in cflags from pkg-config freeglut

2021-02-19 Thread Julian Smith
I'm wondering whether pkg-config might not be outputting correct flags
for freeglut.

For example this programme:

#include <GL/glut.h>
int main(void)
{
return 0;
}

- fails to build with:
cc `pkg-config --cflags --libs freeglut` foo.c

because:

In file included from foo.c:1:
In file included from /usr/local/include/GL/glut.h:17:
/usr/local/include/GL/freeglut_std.h:143:13: fatal error: 'GL/gl.h' file not found
#   include <GL/gl.h>
^
1 error generated.

But it builds ok if we add /usr/X11R6/include to the include path:

cc `pkg-config --cflags --libs freeglut` -I/usr/X11R6/include foo.c


For me, "pkg-config --cflags --libs freeglut" outputs:

-I/usr/local/include -L/usr/local/lib -lglut

So should pkg-config also output "-I/usr/X11R6/include" in this case?


I'm running OpenBSD 6.8 GENERIC.MP#98 amd64


Thanks for any clarification,

- Jules

-- 
http://op59.net




Re: using kevent to catch signals

2021-02-19 Thread Edgar Pettijohn
On Fri, Feb 19, 2021 at 06:49:45AM +0100, Sebastien Marie wrote:
> On Thu, Feb 18, 2021 at 10:23:05PM -0600, Edgar Pettijohn wrote:
> > I'm having trouble using kevent(2) to catch signals. Below is a sample
> > program. It should catch SIGHUP and SIGUSR1 and just print it out.
> > Instead when i send the process sighup with `kill -SIGHUP $PID` it
> > exits and the word Hangup is written to the terminal. If I use
> > `kill -SIGUSR1 $PID` the process exits and the words User defined signal 1
> > are written to the terminal. What am I doing wrong?
> 
> to quote kqueue(2) man page about signals:
> 
>[EVFILT_SIGNAL] coexists with the signal(3) and sigaction(2)
>facilities, and has a lower precedence.  The filter will record all
>attempts to deliver a signal to a process, even if the signal has
>been marked as SIG_IGN.  Event notification happens after normal
>signal delivery processing.

I read this and it just didn't click.

> 
> and to quote signal(3) man page about default action:
> 
>  Name Default Action   Description
>SIGHUP   terminate processterminal line hangup
>SIGUSR1  terminate processuser-defined signal 1
> 
> Your program needs to first ignore SIGHUP and SIGUSR1 (so the process
> will not terminate). This way, the kqueue(2) subsystem should be able
> to process them correctly.
> 
> Thanks.
> -- 
> Sebastien Marie

With the proper signal({SIGHUP,SIGUSR1}, SIG_IGN) calls it works as expected.

Thanks,

Edgar



acpitz and aorus X570 elite

2021-02-19 Thread Mickael Torres
Hello,

When acpitz attaches on a machine with a X570 aorus elite motherboard, the CPU 
fan stops and makes weird noises while seemingly trying to start. I can see the 
fan move a bit but not enough to start rotating correctly. The first chassis 
fan also completely stops. The second chassis fan seems to be un-impacted.
When I put some load on the machine both the CPU and the first chassis fan 
start correctly, but as soon as the machine is idle the CPU fan stops and makes 
those weird "starting noises".
When acpitz is disabled in kernel, everything just works normally.

The ACPI zone temperature reported from acpitz also seems bogus:
hw.sensors.acpitz0.temp0=16.80 degC (zone temperature)
hw.sensors.acpitz1.temp0=16.80 degC (zone temperature)
hw.sensors.ksmn0.temp0=34.25 degC
hw.sensors.sdtemp0.temp0=31.25 degC
hw.sensors.sdtemp1.temp0=30.50 degC
hw.sensors.softraid0.drive0=online (sd1), OK

Is there something to do here without disabling acpitz?

Best,
Mickael

OpenBSD 6.9-beta (GENERIC.MP) #338: Tue Feb 16 10:01:46 MST 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 68645494784 (65465MB)
avail mem = 66549714944 (63466MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.3 @ 0xbda23000 (49 entries)
bios0: vendor American Megatrends International, LLC. version "F33a" date 
01/22/2021
bios0: Gigabyte Technology Co., Ltd. X570 AORUS ELITE
acpi0 at bios0: ACPI 6.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT SSDT SSDT SSDT FIDT MCFG HPET SSDT IVRS VFCT PCCT 
SSDT CRAT CDIT SSDT SSDT SSDT SSDT WSMT APIC SSDT FPDT
acpi0: wakeup devices GPP0(S4) GPP2(S4) GPP3(S4) GPP4(S4) GPP5(S4) GPP6(S4) 
GPP7(S4) GPP8(S4) GPP9(S4) GPPA(S4) GPPB(S4) GPPC(S4) GPPD(S4) GPPE(S4) 
GPPF(S4) GP10(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xf000, bus 0-127
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Ryzen 9 5900X 12-Core Processor, 3700.49 MHz, 19-21-00
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,SHA,UMIP,PKU,IBPB,IBRS,STIBP,SSBD,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache
cpu0: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: AMD Ryzen 9 5900X 12-Core Processor, 3700.01 MHz, 19-21-00
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,SHA,UMIP,PKU,IBPB,IBRS,STIBP,SSBD,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 32KB 64b/line 8-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache
cpu1: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: AMD Ryzen 9 5900X 12-Core Processor, 3700.01 MHz, 19-21-00
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,SHA,UMIP,PKU,IBPB,IBRS,STIBP,SSBD,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 32KB 64b/line 8-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache
cpu2: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu2: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: AMD Ryzen 9 5900X 12-Core Processor, 3700.01 MHz, 19-21-00
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS

DHCP client always no lease message but got IP

2021-02-19 Thread Mihai Popescu
Hello,

Most recent snapshots, amd64. The DHCP client for the interface is always displaying
no lease . sleeping. It actually gets the IP address, but this message
is always there. I tried with more routers, same thing.

Thanks


Re: Doas

2021-02-19 Thread Jean-Pierre de Villiers
You'll find plenty of examples in the directory "/etc/examples".  It
also helps that many (all?) programs written for the OpenBSD project are
able to check the syntax of their own configuration files while printing
any errors to standard output, including doas.

Regards,
Jean-Pierre de Villiers



Re: Doas

2021-02-19 Thread Peter N. M. Hansteen
On Fri, Feb 19, 2021 at 03:53:38PM +0530, Sivan ! wrote:
> Didn't realize that it was a reply to you.  Man pages are thorough and
> good for
> those who grew up in the unix/linux environment, but I am sorry, I
> have trouble deciphering the instructions for syntax. There aren't
> enough
> examples in man pages that illustrate the use of the commands for
> someone with copy and paste level of system admin skills.

If your regular user on the box is the one you created during install,
it's in the wheel group. My doas.conf is for some reason more cluttered
but I think a simple

permit :wheel

(one line!) would work to have any user in the wheel group perform 
privileged commands subject to entering their password correctly.

Then again, if you break things really badly, you can always reinstall ;P

- P

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Doas

2021-02-19 Thread Sivan !
I am sorry, usually replyall is the default in my mail settings.
Didn't realize that it was a reply to you.  Man pages are thorough and
good for
those who grew up in the unix/linux environment, but I am sorry, I
have trouble deciphering the instructions for syntax. There aren't
enough
examples in man pages that illustrate the use of the commands for
someone with copy and paste level of system admin skills.

I sent another message a moment ago, that must also have been sent to
you as a "reply" instead of as a "replyall" to the list.

Copying that message below:

doas is supposed to have been installed by default in openbsd 6.8, but
> I get the error doas is not enabled, /etc/doas.conf: No such file or
> directory, the posts related to doas online assume that /etc/doas.conf
> already exists in the user's computer, it is not
> there.  I tried locating doas in ports, I tried pkg_add doas, it does not work.
>
> -bash-5.0$ sudo pkg_add doas
> quirks-3.441 signed on 2021-02-17T11:25:54Z
> Can't find doas
>
I tried this also:

>=5.73:devel/kf5/kcoreaddons STEM->=5.73:devel/kf5/ki18n 
>STEM->=5.73:devel/kf5/kpty STEM->=5.73:devel/kf5/kservice x11/qt5/qtbase,-main
B-deps: STEM->=1.5.1:devel/ninja
STEM->=5.73:devel/kf5/extra-cmake-modules archivers/xz devel/cmake
devel/gettext,-tools lang/python/3.8 x11/qt5/qttools,-main
R-deps:
Archs: aarch64 amd64 arm i386 mips64 powerpc powerpc64 aarch64 alpha
amd64 arm hppa i386 mips64 mips64el powerpc sparc64

-bash-5.0$ cd /usr/ports/devel/kf5/kdesu
-bash-5.0$ ls
CVS  Makefile distinfo patches  pkg
-bash-5.0$ cd /usr/ports/devel/kf5/kdesu/pkg
-bash-5.0$ ls
CVS   DESCR PLIST
-bash-5.0$ cd /usr/ports/devel/kf5/kdesu
-bash-5.0$ cd /usr/ports/devel/kf5/kdesu/distinfo
-bash: cd: /usr/ports/devel/kf5/kdesu/distinfo: Not a directory
-bash-5.0$ cd /usr/ports/devel/kf5/kdesu/CVS
-bash-5.0$ ls
EntriesRepository Root   Tag
-bash-5.0$ cd /usr/ports/devel/kf5/kdesu/CVS/Entries
-bash: cd: /usr/ports/devel/kf5/kdesu/CVS/Entries: Not a directory
-bash-5.0$ cat Entries
D/patches
D/pkg
/Makefile/1.13/Mon Sep  7 14:48:46 2020//TOPENBSD_6_8
/distinfo/1.12/Mon Sep  7 14:48:46 2020//TOPENBSD_6_8
-bash-5.0$ cat Repository
ports/devel/kf5/kdesu
-bash-5.0$ make
make: no target to make.
-bash-5.0$ make doas
make: don't know how to make doas
Stop in /usr/ports/devel/kf5/kdesu/CVS
-bash-5.0$ make install doas
make: don't know how to make install
Stop in /usr/ports/devel/kf5/kdesu/CVS
-bash-5.0$ make-install doas
-bash: make-install: command not found
-bash-5.0$

Don't know how to move forward. Please help

Thank you.


> > Thank you for confirming that this is not unusual. I checked the
> > output of sudo disklabel sd0, it shows 16 partitions, looks alright.
> > doas is supposed to have been installed by default in openbsd 6.8, but
> > I get the error doas is not enabled, /etc/doas.conf: No such file or
> > directory, the posts related to doas online assume that /etc/doas.conf
> > already exists in the user's computer, it is not
> > there.  I tried locating doas in ports, I tried pkg_add doas, it does not 
> > work.
>
> doas is part of the base install. You need to create the config file to 
> enable it.
> Check man doas.conf for guidance and a suggested config.
>
> Also, please keep the discussion on the list (to or cc).
>
> Cheers,
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds

Sivan



Re: GPT autopartion during install

2021-02-19 Thread Peter N. M. Hansteen
On Fri, Feb 19, 2021 at 01:14:07PM +0530, Sivan ! wrote:
> In new desktop computer with a new ssd, the 6.8 amd installer during
> auto partition without any user choices, created the numerous device
> (partition)s, which is strange:
> 
> For eg  rsd0a-rsd0p  ... rsd9a-rsd9p, ie 16x10=160 device partitions ?
> starting with rsd* ;  Similarly numerous entries seen for every other
> type of 'dev'. Attaching a text file of ls/dev output.
 
Your second mail here seems to contain the output of 'ls /dev'.

Sure, the device nodes exist. That does not mean that the partitions
are created. Check the output of something like

$ doas disklabel sd0

(replace sd0 with whatever your actual storage device is recognized as)
and you'll see what partitions you have and their sizes.

The install guide part of the FAQ (and actually all of the FAQ) is well
worth your time reading.

All the best,
Peter


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: OpenBSD VPN with Debian Buster Strongswan roadwarrior client

2021-02-19 Thread Ville Valkonen
Hi,


On Fri 19. Feb 2021 at 5.28, marfabastewart 
wrote:

> If anyone else is configuring a VPN between an OpenBSD
> responder and a Debian Buster initiator with Strongswan
> on the Debian box, the following notes may spare you
> some pain.
>
> First, configure the OpenBSD responder using the FAQ and the
> X.509 Certificate Authentication section. A hearty thanks to
> the writers!!
>
> For Debian, we don't need the pfx files. Copy the
> client1.domain.tgz (created per the FAQ in the same X.509
> section above) to the Debian box.
>
> Inside client1.domain.tgz is local.pub. Copy that to
> /etc/iked/pubkeys/fqdn/client1.domain on the OpenBSD
> responder. Of course use the real name (which doesn't really
> have to resolve on the wider Internet) instead of
> "client1.domain."
>
> On the OpenBSD responder, your /etc/iked.conf should be
> something like:
>
> responder_ip="INSERT_ RESPONDER_IP_HERE"
> vpn_net="INSERT_SUBNET_HERE"
> mysrcid="INSERT_SRCID_HERE"
> mydns="INSERT_DNS_SERVER_IP_HERE"
> set fragmentation
> ikev2 'responder_x509' passive esp \
> from 0.0.0.0/0 to $vpn_net \
> local $responder_ip peer any \
> srcid $mysrcid \
> config address $vpn_net \
> config name-server $mydns \
> tag "ROADW"
>
> I believe you do need the set fragmentation line above.
> You can make up something for vpn_net, like 172.16.5.0/24.
>
> For DNS, I set up unbound to listen on vether0 and set
> "mydns" to be the IP of vether0. Make sure vpn_net is
> allowed in an access-control line in unbound.conf.
>
> Then start iked. That's it for the OpenBSD side.
>
> The Debian side took me longer.
>
> I initially saw this error on the OpenBSD responder side:
> "pool configured, but IKEV2_CP_REQUEST missing" and
> "ikev2_dispatch_cert: failed to send ike auth."
>
> The error on the responder happens if you don't configure vips on
> the Debian initiator. A search for "CP_REQUEST" led me to RFC5996
> and the source code in /usr/src, which makes it clear
> that not assigning a local address through vips on the Debian
> box was the source of much of my anguish.
>
> The rest of this is about configuring the Debian initiator.
>
> On the Debian box:
> sudo apt install strongswan
> sudo apt install strongswan-swanctl
>
> Go to the directory you copied client1.domain.tgz to.
> mkdir vpn
> cd vpn
> tar -xvzf ../client1.domain.tgz
> sudo cp certs/client1.domain.crt /etc/swanctl/x509
> sudo cp ca/ca.crt /etc/swanctl/x509ca
> sudo cp private/client1.domain.key /etc/swanctl/private
>
> Here is the /etc/swanctl/swanctl.conf:
>
> # ---
> connections {
>joeschmoe {
>   local_addrs  = YOUR_LOCAL_IP_HERE
>   remote_addrs = OPENBSD_RESPONDER_IP_HERE
> vips = 0.0.0.0
> encap = yes
>
>   local {
>  auth = pubkey
>  certs = client1.domain.crt # CHANGE
> # "client1.domain"
>  id = client1.domain# CHANGE
>   }
>   remote {
>  auth = pubkey
>  id = SRCID_HERE # same as $mysrcid on the
>  # OpenBSD responder
>   }
>   children {
>  joeschmoe {
> remote_ts = 0.0.0.0/0
>  }
>   }
>   version = 2
>}
> }
> authorities {
> joeschmoe {
> cacert = ca.crt
> }
> }
> # ---
>
> A couple of notes about swanctl.conf: I thought I needed
> fragmentation = force, but I think that's only for IKEv1 and
> everything seems to work without it. Just lower the mtu on
> the interface (use nm-connection-manager or nmcli ).
>
> The examples on strongswan.org
> I saw had "remote_ts = 0.0.0.0" instead of "remote_ts =
> 0.0.0.0/0" -- nothing worked for me until I added the "/0"
> to the end.


That's because it must match what you've configured on the OpenBSD side (0.0.0.0/0).

>
--
Kind regards,
Ville
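The one-character difference the post and Ville's reply settle on (remote_ts = 0.0.0.0 versus 0.0.0.0/0) comes down to how a bare address in a traffic selector is read: as a single host, /32, which does not match the responder's "from 0.0.0.0/0" flow. The C below, an added example that is neither the post's code nor iked's or strongSwan's, parses both forms and models the responder's decision. The exact-match rule for TSr and the containment rule for the assigned virtual IP are this example's assumptions, not a description of iked's internals; the sample addresses (172.16.5.0/24 from the post, 172.16.5.7 as a client address) are constructed.

```c
/* Added example (not from the post, nor iked/strongSwan code): model why
 * "remote_ts = 0.0.0.0" is rejected where "remote_ts = 0.0.0.0/0" works. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct prefix {
    uint32_t addr;   /* host byte order, already masked to len */
    int len;         /* prefix length 0..32 */
};

/* Parse "a.b.c.d" or "a.b.c.d/n". A bare address becomes /32, which is how
 * a bare "remote_ts = 0.0.0.0" is read. Returns 0 on success, -1 if malformed. */
int parse_prefix(const char *text, struct prefix *out)
{
    char buf[32];
    char *slash, *end;
    struct in_addr in;
    long len = 32;

    if (strlen(text) >= sizeof(buf))
        return -1;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        len = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || len < 0 || len > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &in) != 1)
        return -1;
    out->len = (int)len;
    out->addr = ntohl(in.s_addr);
    /* shifting by 32 is undefined, so /0 is masked explicitly */
    out->addr = len == 0 ? 0 : (out->addr & (uint32_t)(0xffffffffUL << (32 - len)));
    return 0;
}

int prefix_equal(const struct prefix *a, const struct prefix *b)
{
    return a->len == b->len && a->addr == b->addr;
}

/* Does net contain the (more specific) prefix host? */
int prefix_contains(const struct prefix *net, const struct prefix *host)
{
    uint32_t mask = net->len == 0 ? 0 : (uint32_t)(0xffffffffUL << (32 - net->len));

    return host->len >= net->len && (host->addr & mask) == net->addr;
}

/* Model of the responder's decision for one child SA (assumption):
 *  - TSr (the initiator's remote_ts) must equal the flow's "from" prefix;
 *  - TSi is the virtual IP handed out by "config address", so it must lie
 *    inside the flow's "to" prefix.
 * Returns 1 if accepted, 0 if rejected, -1 if any input is malformed. */
int child_sa_accepted(const char *flow_from, const char *flow_to,
                      const char *remote_ts, const char *vip)
{
    struct prefix from, to, tsr, tsi;

    if (parse_prefix(flow_from, &from) || parse_prefix(flow_to, &to) ||
        parse_prefix(remote_ts, &tsr) || parse_prefix(vip, &tsi))
        return -1;
    return prefix_equal(&tsr, &from) && prefix_contains(&to, &tsi);
}

int main(void)
{
    /* flow from the post's iked.conf with $vpn_net = 172.16.5.0/24 */
    const char *ts[] = { "0.0.0.0", "0.0.0.0/0" };
    int i;

    for (i = 0; i < 2; i++)
        printf("remote_ts = %-10s -> %s\n", ts[i],
               child_sa_accepted("0.0.0.0/0", "172.16.5.0/24", ts[i], "172.16.5.7")
                   == 1 ? "accepted" : "rejected");
    return 0;
}
```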