Re: Flatbed scanner stopped wording - permissions problem?

2021-03-08 Thread Stuart Henderson
On 2021-03-08, Duncan Patton a Campbell  wrote:
>
>
> this is what I use
>
> doas -u root scanimage --mode gray  -x215 -y297 --resolution 300dpi -B > fdsa.pnm
>
> which works with the perms as is.  xsane only worked as root for me 
> (across multiple platforms/revs) so it's always been something that 
> needed a lot of setup/takedown to use.

So you could open up access in a targeted way to the relevant device,
which could just be done for a short period while scanning if you want
(just write a little wrapper script to make it easier), but instead you
prefer to avoid touching permissions and run code from sane-backends
plus these libraries as root:

WANTLIB += ${COMPILER_LIBCXX} c execinfo iconv jpeg lzma m png
WANTLIB += tiff usb-1.0 v4l1 v4l2 v4lconvert xml2 z zstd
 

(or a bunch more, for xsane).

I'm not really surprised (I thought this was exactly what would happen
when the default permissions on usb devices were tightened) but it
doesn't seem the best way..




Re: 6.8 with gnome boots to xterm after upgrade

2021-03-08 Thread Stuart Henderson
On 2021-03-08, Sivan !  wrote:
> Thank you.  One unresolved issue. While running fetch, there was an
> error pop up that said /usr directory is out of space, though an
> entire 250 GB nvme is for OpenBSD, almost with no user files, except
> for the ports tree that was being downloaded by the fetch command.
> When installing OpenBSD in a 250 GB nvme, I chose GPT and let the
> installer decide on partitions. But something went wrong.

The disk is split into partitions. Run df -h to see what's free.

To convert "marketing capacity" for a drive (given in "decimal GB") into
usable capacity in binary GB (some people call this GiB), use this
calculation:

(97696368+(1953504*(capacity-50)))/2048

(The formula is from IDEMA LBA1-03 plus a conversion from 512-byte LBA
blocks to GB)

So for 250GB

(97696368+(1953504*(250-50)))/2048 = 238475.1796875

Then there's a little extra used for filesystem structures.


> It started with the warning:  Not all of the space available to
> /dev/nvme0n1 appears to be used, you can fix the GPT to use all the
> space (an extra 30 blocks) or
> continue with the current setting?

30 blocks is nothing. Leave this alone.

> Does this imply that the 232.89 GiB is OpenBSD area, but somehow with
> "no active partition" which is perhaps the reason why there was an
> error message during fetch that said /usr directory is low on disk
> space ?

You filled the partition holding /usr when you ran "make" in
/usr/ports/x11/gnome. Remove the build files with "rm -r /usr/ports/pobj"
(or remove /usr/ports completely if you don't need it).

The default auto-partitioning sizes do not give enough space to place
ports under /usr and build anything other than the smallest ports.




Re: npppd(8) and PROXY_AUTHEN_CHALLENGE bad length with Juniper

2021-03-08 Thread YASUOKA Masahiko
Hi,

I looked into the ICCN packets you sent me separately.  Its "Proxy Authen
Challenge" length is 31 and "Proxy Authen Type" is PPP CHAP.  The
message seems to comply with RFC 2661.

Also what I said
>> It's for CHAP or MSCHAPv1.  If MD5 is selected for PPP CHAP, the
>> challenge length for CHAP is 16 octet.  The challenge for MSCHAPv1 is
>> also 8 octet, but npppd doesn't support MSCHAPv1 anyway.  So 24 must be
>> enough for RFC 2661.

is false.  Length of challenge is "independent of the hash algorithm".

In RFC 1994 (PPP CHAP):
|  The Challenge Value is a variable stream of octets.  The
|  importance of the uniqueness of the Challenge Value and its
|  relationship to the secret is described above.  The Challenge
|  Value MUST be changed each time a Challenge is sent.  The length
|  of the Challenge Value depends upon the method used to generate
|  the octets, and is independent of the hash algorithm used.

it doesn't state the limit clearly.

I suppose 24 had been long enough for many implementations, but
actually new Juniper is using 31-63

>> > Feb  8 11:42:53 edge9 npppd[86416]: l2tpd ctrl=5477 call=32713 Received 
>> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 40 > 24
>> > Feb  8 11:42:53 edge9 npppd[86416]: l2tpd ctrl=5477 call=32713 SendCDN 
>> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
>> > Feb  8 11:42:54 edge9 npppd[86416]: l2tpd ctrl=5477 call=29504 Received 
>> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 62 > 24
>> > Feb  8 11:42:54 edge9 npppd[86416]: l2tpd ctrl=5477 call=29504 SendCDN 
>> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
>> > Feb  8 11:43:01 edge9 npppd[86416]: l2tpd ctrl=5477 call=31527 Received 
>> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 46 > 24
>> > Feb  8 11:43:01 edge9 npppd[86416]: l2tpd ctrl=5477 call=31527 SendCDN 
>> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
>> > Feb  8 11:43:06 edge9 npppd[86416]: l2tpd ctrl=5477 call=1626 Received bad 
>> > ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 63 > 24
>> > Feb  8 11:43:06 edge9 npppd[86416]: l2tpd ctrl=5477 call=1626 SendCDN 
>> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none

So I suppose changing the following limit will solve the problem.

  #define MAX_CHALLENGE_LENGTH 24

Also I found a Juniper document,

  https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/challenge-length-edit-dynamic-profiles-chap.html

the max challenge length can be configured to 63 at the maximum.

I'm thinking of changing the limit in npppd to 96.


On Mon, 8 Mar 2021 20:33:21 +
Ryan Freeman  wrote:
> Thank you for the reply!  I have been given permission to show a bit
> more about our setup.  I snipped out some of the original message, and
> I'll post the additions at the bottom.
> 
> On Sat, Mar 06, 2021 at 07:45:03PM +0900, YASUOKA Masahiko wrote:
>> Hi,
>> 
>> On Fri, 5 Mar 2021 19:07:45 +
>> Ryan Freeman  wrote:
>> > Full disclosure: this took place over the course of about a month, and
>> > I've done my best to include the relevant info..
>> > 
>> > Unsure if this is really a bug, and I don't have a real diff for a fix, 
>> > just a
>> > work-around, so misc it is.
>> > 
>> > This is done with OpenBSD 6.8-stable, syspatch 001 through 012 installed.
>> > We considered trying -current, but noticed no activity in the npppd tree
>> > that might make a difference.
>> > 
>> > 'old' and 'new' equipment types from upstream are both Juniper, though
>> > unsure of exact models.  Old  should be Juniper ERX of some type, new
>> > I only know this from packet capture: Juniper Networks/Unisphere(4874).
>> > 
>> > I work for a small ISP and we are exploring the use of npppd(8) for
>> > termination of L2TP with incumbent for xDSL connections. 
>> > 
>> > Working with the provider, their 'old' equipment works fine[1], however,
>> > the 'new' network would always cause these errors upon receipt of Proxy 
>> > AVP:
>> > 
>> > Feb  5 14:13:13 edge9 npppd[86416]: l2tpd ctrl=2359 call=2685 Received bad 
>> > ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 33 > 24
>> > Feb  5 14:13:13 edge9 npppd[86416]: l2tpd ctrl=2359 call=2685 SendCDN 
>> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
>> > 
>> > Looking at RFC 2661, I can't actually figure where a limit of 24 is 
>> > imposed,
>> >
> ...snip...
>> 
>> Yes.  The limit comes from MAX_CHALLENGE_LENGTH in ppp.h.
>> 
>>  85 #define MAX_CHALLENGE_LENGTH 24
> 
> Thank you!
> 
>> 
>> In RFC 2661,
>> 
>>   This AVP MUST be present for Proxy Authen Types 2 and 5. The
>>   Challenge field contains the CHAP challenge presented to the
>>   client by the LAC.
>> 
>> Proxy Authen Challenge AVP is for "Proxy Authen Types 2 and 5".
>> 
>>    Proxy Authen Type (ICCN)
>>    (snip)
>>   Defined Authen Type values are:
>>  0 - Reserved
>>  1 - Textual username/password exchange
>>  2 
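
An added example for the length check discussed in this thread (it is not
code from npppd or from any poster): a bounded copy of a Proxy Authen
Challenge AVP into a fixed buffer, run over constructed AVPs whose lengths
come from the quoted log lines, against limits of 24 and 96. Function names,
result codes and the AVP bytes are assumptions made for the example; the
header layout and attribute type 31 are from RFC 2661.

```c
/* Added example, not npppd source; names, result codes and sample AVPs are
 * hypothetical/constructed. AVP layout per RFC 2661: 16 bits holding
 * M/H/reserved/Length, then Vendor ID and Attribute Type (16 bits each),
 * then the value. Length covers the 6-octet header as well. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVP_HDR_LEN 6
#define AVP_MAX_LEN 1023        /* Length is a 10-bit field */
#define AVP_FLAG_H  0x4000      /* value is hidden */
#define AVP_TYPE_PROXY_AUTHEN_CHALLENGE 31

enum { AVP_OK = 0, AVP_TRUNCATED = -1, AVP_WRONG_TYPE = -2,
       AVP_HIDDEN = -3, AVP_TOO_LONG = -4, SELFTEST_FAIL = -100 };

/* Copy the challenge out of one AVP into dst, never writing past dstcap. */
int copy_proxy_challenge(const uint8_t *pkt, size_t pktlen,
    uint8_t *dst, size_t dstcap, size_t *outlen)
{
    uint16_t first, vendor, type;
    size_t avplen, vallen;

    if (pktlen < AVP_HDR_LEN)
        return AVP_TRUNCATED;
    first  = (uint16_t)((pkt[0] << 8) | pkt[1]);
    vendor = (uint16_t)((pkt[2] << 8) | pkt[3]);
    type   = (uint16_t)((pkt[4] << 8) | pkt[5]);
    avplen = first & 0x03ff;

    /* The length the peer claims must fit in what was actually received. */
    if (avplen < AVP_HDR_LEN || avplen > pktlen)
        return AVP_TRUNCATED;
    if (vendor != 0 || type != AVP_TYPE_PROXY_AUTHEN_CHALLENGE)
        return AVP_WRONG_TYPE;
    if (first & AVP_FLAG_H)
        return AVP_HIDDEN;      /* unhiding is out of scope here */

    /* The check the workaround removed: bound the copy by the buffer. */
    vallen = avplen - AVP_HDR_LEN;
    if (vallen > dstcap)
        return AVP_TOO_LONG;
    memcpy(dst, pkt + AVP_HDR_LEN, vallen);
    *outlen = vallen;
    return AVP_OK;
}

/* Build a constructed Proxy Authen Challenge AVP carrying vallen octets. */
static size_t build_avp(uint8_t *pkt, size_t vallen)
{
    size_t i, avplen = AVP_HDR_LEN + vallen;
    pkt[0] = (uint8_t)(avplen >> 8);        /* M and H bits clear */
    pkt[1] = (uint8_t)(avplen & 0xff);
    pkt[2] = pkt[3] = 0;                    /* IETF vendor ID 0 */
    pkt[4] = 0;
    pkt[5] = AVP_TYPE_PROXY_AUTHEN_CHALLENGE;
    for (i = 0; i < vallen; i++)
        pkt[AVP_HDR_LEN + i] = (uint8_t)(i + 1);
    return avplen;
}

/* Parse an AVP of vallen octets into a buffer of capacity cap; `missing`
 * trailing octets are withheld to model a short read. */
int try_case(size_t vallen, size_t cap, size_t missing)
{
    uint8_t pkt[AVP_MAX_LEN], dst[AVP_MAX_LEN + 1];
    size_t i, pktlen, outlen = 0;
    int rc;

    if (vallen > AVP_MAX_LEN - AVP_HDR_LEN || cap > AVP_MAX_LEN)
        return SELFTEST_FAIL;
    pktlen = build_avp(pkt, vallen);
    if (missing > pktlen)
        return SELFTEST_FAIL;
    memset(dst, 0xAA, sizeof(dst));         /* canary pattern */
    rc = copy_proxy_challenge(pkt, pktlen - missing, dst, cap, &outlen);
    /* Whatever the result, nothing at or beyond dst[cap] may change. */
    for (i = cap; i < sizeof(dst); i++)
        if (dst[i] != 0xAA)
            return SELFTEST_FAIL;
    if (rc == AVP_OK &&
        (outlen != vallen || memcmp(dst, pkt + AVP_HDR_LEN, vallen) != 0))
        return SELFTEST_FAIL;
    return rc;
}

int main(void)
{
    /* Lengths taken from the log lines quoted in this thread. */
    static const size_t seen[] = { 33, 40, 62, 46, 63 };

    for (size_t i = 0; i < sizeof(seen) / sizeof(seen[0]); i++)
        printf("len=%zu cap=24 -> %d cap=96 -> %d\n", seen[i],
            try_case(seen[i], 24, 0), try_case(seen[i], 96, 0));
    printf("short read -> %d\n", try_case(40, 96, 26));
    return 0;
}
```

With a capacity of 24 every logged length is refused and the buffer is left
untouched; with 96 they are all copied in full.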

Re: How to set ThinkPad battery charge thresholds?

2021-03-08 Thread Subhaditya Nath
On 3/8/21, Subhaditya Nath  wrote:
> I have a Thinkpad E495 that has Battery Charge threshold support. i.e.
> it can be set such that the battery starts charging at a specified
> amount of charge (say, 70%) and automatically stops charging at a
> specified charge (say, 80%). This feature is also available on Linux by
> using TLP (made by linrunner, his website is linrunner.de)

I just investigated a little more about it, and what do I see? Surprise!
It's just a shell script! Yeah! And how does it do the threshold thing?
Simple! It just writes the required values to -
/sys/class/power_supply/BAT0/charge_start_threshold
/sys/class/power_supply/BAT0/charge_stop_threshold
Done!


And the actual work is done by something called the 'natacpi framework',
which is implemented by the linux kernel itself. I don't know :shrug:
(I just gathered the above sentence after a few minutes of googling. I
know very little about the kernel and all)


For those who are curious, below is the output of `tlp-stat -b`.

Note this line -
natacpi    = active (data, thresholds)


--- TLP 1.3.1 

+++ Battery Features: Charge Thresholds and Recalibrate
natacpi    = active (data, thresholds)
tpacpi-bat = active (recalibrate)
tp-smapi   = inactive (ThinkPad not supported)

+++ ThinkPad Battery Status: BAT0 (Main / Internal)
/sys/class/power_supply/BAT0/manufacturer           = SMP
/sys/class/power_supply/BAT0/model_name             = 01AV446
/sys/class/power_supply/BAT0/cycle_count            =    205
/sys/class/power_supply/BAT0/energy_full_design     =  45280 [mWh]
/sys/class/power_supply/BAT0/energy_full            =  42750 [mWh]
/sys/class/power_supply/BAT0/energy_now             =  26430 [mWh]
/sys/class/power_supply/BAT0/power_now              =   6810 [mW]
/sys/class/power_supply/BAT0/status                 = Discharging

/sys/class/power_supply/BAT0/charge_start_threshold =     75 [%]
/sys/class/power_supply/BAT0/charge_stop_threshold  =     80 [%]
tpacpi-bat.BAT0.forceDischarge                      =      0

Charge                                              =   61.8 [%]
Capacity                                            =   94.4 [%]



Re: How to set ThinkPad battery charge thresholds?

2021-03-08 Thread Subhaditya Nath
On 3/8/21, Jean-Pierre de Villiers  wrote:
> Refer to sensorsd(8) and acpibat(4).  Given those and related manual
> pages I'm relatively certain you should be able to achieve this.
>
I did. acpibat(4) contains no information about how to use it. If I
understood correctly, it is simply an ACPI driver for batteries.

sensorsd(8) contains information about how to check the current battery
percentage, but I can't see how to _stop_ the battery from charging.
I also couldn't find an option in sysctl for this.

It might be worth mentioning that this feature is implemented in
hardware, not software. The software is needed to set the correct
thresholds in the Charging Controller hardware (firmware, maybe?).

> OpenBSD is well-known for its clear and extensive documentation so use
> this to your advantage.  The apropos(1) utility is your best friend :)
> Your second and third best friends are the FAQ and the mailing list
> archives.
>
Yep, I searched marc.info for half an hour. Couldn't find it. Maybe I
am doing something wrong? This is my first interaction with a mailing
list :P

I also searched the man pages using `apropos` and `man -k`, still
nothing. In fact, I had done all of these before posting here. :)

(If dera...@openbsd.org is listening... The first mail is very very
helpful! Thanks)

> I am working under the assumption that no proprietary blobs are
> necessary to accomplish your goal.  Otherwise, I am afraid you are out
> of luck as OpenBSD does not and never will contain any such blobs.
> They are "black boxes" and thus cannot be trusted.
>
I know that OpenBSD is against blobs. In fact, that's the main reason I
want to switch from linux to OBSD. I want to support Doctor Puffystein
rather than Blobby ;-)

(https://www.openbsd.org/lyrics.html#39 - for those who are wondering)



Re: How to set ThinkPad battery charge thresholds?

2021-03-08 Thread Subhaditya Nath
On 3/9/21, Jan Stary  wrote:
> Why would you want to stop charging before being 100% charged?
>
This email wasn't CC'd to the mailing list, right?

Say you keep the battery plugged in overnight for charging. It charges
to 100%, and then stays so for 5 hours till you wake up in the morning.

It might not sound that horrifying right now, but wait till you hear the
next part.



According to a research, it has been found that, at the extremes of the
battery's charge capacity, it stays at _high tension_, causing it to
degrade quicker. The nearer the battery's charge is to an extreme, the
more tension it is under, and the faster shall it degrade.

Imagine it like food. If somebody makes you eat so much that your
stomach is 100% full, and then ensures that it remains 100% full for 5
hours, how would you feel? (For a comparison, we mostly feel comfortable
when our stomach is ~50% full, and we feel well-fed when it's ~80% full)

The same goes for 0%. This is obvious. Would you like to stay hungry?
Like, really REALLY hungry? No, absolutely not!



So, the researchers suggest that you should always keep your battery
charged between 40-80%. Don't let it drop below 40%, and don't let it go
above 80%. Charge as frequently as you can ('Deep Charge a battery' is a
myth. It decreases battery lifespan rather than increasing it). Simply
doing this can increase your battery life span by about... about...
umm... dang it, I forgot! It was something between 1.5x to 2.5x ...



P.S. I forgot to mention that the above-mentioned facts are true only
for the Li-ion batteries found in modern Smartphones and Laptops (IIRC)

---
meh, I'm gonna CC it to the mailing list anyway. This is something
everybody should know.



Re: IPv6 NDP Confusion with PF enabled

2021-03-08 Thread Antonino Sidoti
Hi,

There is no blocking showing up when I examine the pflog0, hence the confusion 
is what is blocking traffic when the firewall is enabled. I find it strange 
that the “ndp” output has two LLA for the same MAC address. The MAC address of 
the remote device 82:63:9c:36:23:a2 is listed twice. Is that actually correct? 
Only one of those LLA is reachable with “ping”. 

The WAN link is a 4G link and the ISP only hands out a /64 address and it does 
not do Prefix Delegation. So I am not ruling out that my ISP is doing some 
strange things. When the firewall is disabled I can ping remote IPv6 sites, I 
get an IPv6 public address. When the firewall is enabled I cannot ping other 
sites and my Public IP address is IPv4.

Ndp output with firewall disabled.
Neighbor                                Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed 00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0            00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0           82:63:9c:36:23:a2  em0   37s       R R
fe80::e98a:6028:3c19:5fc%em0            82:63:9c:36:23:a2  em0   32s       R R
fe80::2e0:67ff:fe15:e783%em1            00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1           38:f9:d3:e0:fa:db  em1   20h53m3s  S

Antonino Sidoti




> On 8 Mar 2021, at 8:11 pm, Stuart Henderson wrote:
> 
> On 2021-03-08, Antonino Sidoti <n...@sidoti.id.au> wrote:
>> I am confused about how Neighbor Discovery is not working when the firewall 
>> is on.
> 
> Check your blocked packets. You already have "log" on most block rules,
> so look at either /var/log/pflog or live with tcpdump -e on the pflog0
> interface.
> 



Re: How to set ThinkPad battery charge thresholds?

2021-03-08 Thread Ottavio Caruso

On 08/03/2021 17:35, Jean-Pierre de Villiers wrote:
> Refer to sensorsd(8) and acpibat(4).  Given those and related manual
> pages I'm relatively certain you should be able to achieve this.
>
> OpenBSD is well-known for its clear and extensive documentation so use
> this to your advantage.  The apropos(1) utility is your best friend :).
> Your second and third best friends are the FAQ and the mailing list
> archives.
>
> I am working under the assumption that no proprietary blobs are
> necessary to accomplish your goal.  Otherwise, I am afraid you are out
> of luck as OpenBSD does not and never will contain any such blobs.
> They are "black boxes" and thus cannot be trusted.
>
> Regards,
> JP
>
> On 21/03/08 07:05pm, Subhaditya Nath wrote:
>> I have a Thinkpad E495 that has Battery Charge threshold support. i.e.
>> it can be set such that the battery starts charging at a specified
>> amount of charge (say, 70%) and automatically stops charging at a
>> specified charge (say, 80%). This feature is also available on Linux by
>> using TLP (made by linrunner, his website is linrunner.de)
>>
>> The problem is, I searched for this option in OpenBSD, but I couldn't
>> find it.
>>
>> It is a very crucial functionality for me. So, if somebody can please
>> tell me where I can set it, I would be very very thankful.
>>
>> (Pardon my bad english, it's not my first language)

acpibat, as it stands, doesn't and cannot set/manipulate battery charge 
threshold levels.



--
Ottavio Caruso

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: How to set ThinkPad battery charge thresholds?

2021-03-08 Thread Ottavio Caruso

On 08/03/2021 13:35, Subhaditya Nath wrote:
> I have a Thinkpad E495 that has Battery Charge threshold support. i.e.
> it can be set such that the battery starts charging at a specified
> amount of charge (say, 70%) and automatically stops charging at a
> specified charge (say, 80%). This feature is also available on Linux by
> using TLP (made by linrunner, his website is linrunner.de)
>
> The problem is, I searched for this option in OpenBSD, but I couldn't
> find it.
>
> It is a very crucial functionality for me. So, if somebody can please
> tell me where I can set it, I would be very very thankful.
>
> (Pardon my bad english, it's not my first language)

As far as I know, you can't achieve that in the BSD ecosystem. TLP uses 
a Linux kernel model (acpi-call-dkms).


https://github.com/mkottman/acpi_call


--
Ottavio Caruso

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: 6.8 with gnome boots to xterm after upgrade

2021-03-08 Thread Ed Gray
Hi Sivan,

If you have a separate issue it's best to write a new email to the list
with an appropriate subject, then it will make more sense to those reading
or following.

It does sound like you have a few different issues here and I'm not sure I
understand your configuration.

I also think you might benefit from reading the documentation particularly
the INSTALL file, the FAQs and afterboot man page.

It seems like you don't understand some of the fundamental differences
between OpenBSD and other systems. Particularly the disk layout.

Regards
Ed Gray

On Mon, 8 Mar 2021, 7:27 pm Sivan !,  wrote:

> Thank you.  One unresolved issue. While running fetch, there was an
> error pop up that said /usr directory is out of space, though an
> entire 250 GB nvme is for OpenBSD, almost with no user files, except
> for the ports tree that was being downloaded by the fetch command.
> When installing OpenBSD in a 250 GB nvme, I chose GPT and let the
> installer decide on partitions. But something went wrong.
>
> My bios shows this in the hard disk list:
>
> line No 1:  UEFI OS (samsung SSD EVO 970 Plus 250 GB)
> line No 2:  Samsung SSD 970 EVO Plus 250 GB (238476 MB)
> (line No 3 : SATA ...  # this is Ubunu
> line No 4:  SATA  # this is CentOS)
>
> In BIOS if I choose item 1, it boots to OpenBSD
> If I choose item 2, it shows a blank boot screen shows a one line
> error message that says "no active partition" that is it.
>
> I ran gparted after booting the UEFI OS
>
> It started with the warning:  Not all of the space available to
> /dev/nvme0n1 appears to be used, you can fix the GPT to use all the
> space (an extra 30 blocks) or
> continue with the current setting?
>
> I chose "ignore", because I suspected that gparted probably saw the
> UEFI boot content of (250 GB - 238476 MB) as 30 blocks of "unused"
> space.
>
> Gparted shows:
>
> EFI System Area fat 16
> /dev/nvme0n1p2  480 KiB
> EFI System Area Used 292 KiB
> /dev/ nvme0n1p4 OpenBSD Area 232.89 GiB
>
> Does this imply that the 232.89 GiB is OpenBSD area, but somehow with
> "no active partition" which is perhaps the reason why there was an
> error message during fetch that said /usr directory is low on disk
> space ?
>
> Thank you.
>
>
> On Sun, 7 Mar 2021 at 15:54, Ed Gray  wrote:
> >
> > Glad you solved it.
> >
> > I would recommend running sysupgrade with the -n switch if you are using
> the system.
> >
> > E.g. sysupgrade -s -n
> >
> > This delays the reboot but still prepares the upgrade.
> >
> > Upgrades are now completely automated but you still have to update
> packages and your ports tree as well as the base system to keep everything
> working properly.
> >
> > Regards
> > Ed Gray
> >
> > On Sat, 6 Mar 2021, 6:19 pm Sivan !,  wrote:
> >>
> >> Solved.
> >> sysupgrade -s
> >> (after reboot, gnome loaded)
> >> bash-5.0# uname -r
> >> 6.9
> >>
> >> On Sat, 6 Mar 2021 at 22:53, Sivan !  wrote:
> >> >
> >> > /use/x11/ports/gnome make install didn't work. Images attached.
> >> >
> >> > On Sat, Mar 6, 2021, 22:12 Sivan !  wrote:
> >> >>
> >> >>
> >> >> dear Ed,
> >> >>
> >> >> It wasn't complicated at all in till the unintended upgrade, and I
> wish to try and resolve this, even though I a person with copy skills
> in command line. OpenBSD 6.8 was booting fine with gnome, but now stuck in
> xterm.
> >> >>
> >> >> Now in xsession cd/use/pets/gnome,  typed make,  it is making, will
> report what happens.
> >> >>
> >> >> Thank you.
> >> >>
> >> >>
> >> >> On Fri, 5 Mar 2021 at 23:23, Ed Gray  wrote:
> >> >> >
> >> >> > Hi Sivan,
> >> >> >
> >> >> > Sorry I've not had chance to look at everything you sent.
> >> >> >
> >> >> > Firstly the message about SSH keys sounds normal as this is part
> of a normal X session startup. I suspect you have a key that has changed or
> needs a passphrase entered and it's just picking it up when you try to
> start X.
> >> >> >
> >> >> > The command history looks strange, you're running shutdown and
> reboot and then other commands, unless these are from another session?
> >> >> >
> >> >> > Openbsd needs the -h option to both shutdown and power off the
> machine or -r for reboot.
> >> >> >
> >> >> > Where is your startx program and is it a custom program?
> >> >> >
> >> >> > If you have done unintended upgrades and your /usr is also full
> it's going to cause all sorts of problems. I would recommend reinstalling a
> release from scratch if you can.
> >> >> >
> >> >> > Alternatively when the boot program runs you can choose bad.rd to
> get the installer ramdisk and manually repair from there but it's a rather
> complex process.
> >> >> >
> >> >> > On my system I had to boot bad.rd, type s for shell, run the
> MAKEDEV script in /dev to create device nodes and then run disklabel
> manually to rearrange volumes to make space.
> >> >> >
> >> >> > You would also need to grow or shrink the volumes.
> >> >> >
> >> >> > Regarding further troubleshooting of X sessions I would recommend
> moving .xsession to .xsession.bak and starting with a 

Re: npppd(8) and PROXY_AUTHEN_CHALLENGE bad length with Juniper

2021-03-08 Thread Ryan Freeman
Thank you for the reply!  I have been given permission to show a bit
more about our setup.  I snipped out some of the original message, and
I'll post the additions at the bottom.

On Sat, Mar 06, 2021 at 07:45:03PM +0900, YASUOKA Masahiko wrote:
> Hi,
> 
> On Fri, 5 Mar 2021 19:07:45 +
> Ryan Freeman  wrote:
> > Full disclosure: this took place over the course of about a month, and
> > I've done my best to include the relevant info..
> > 
> > Unsure if this is really a bug, and I don't have a real diff for a fix, 
> > just a
> > work-around, so misc it is.
> > 
> > This is done with OpenBSD 6.8-stable, syspatch 001 through 012 installed.
> > We considered trying -current, but noticed no activity in the npppd tree
> > that might make a difference.
> > 
> > 'old' and 'new' equipment types from upstream are both Juniper, though
> > unsure of exact models.  Old  should be Juniper ERX of some type, new
> > I only know this from packet capture: Juniper Networks/Unisphere(4874).
> > 
> > I work for a small ISP and we are exploring the use of npppd(8) for
> > termination of L2TP with incumbent for xDSL connections. 
> > 
> > Working with the provider, their 'old' equipment works fine[1], however,
> > the 'new' network would always cause these errors upon receipt of Proxy AVP:
> > 
> > Feb  5 14:13:13 edge9 npppd[86416]: l2tpd ctrl=2359 call=2685 Received bad 
> > ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 33 > 24
> > Feb  5 14:13:13 edge9 npppd[86416]: l2tpd ctrl=2359 call=2685 SendCDN 
> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> > 
> > Looking at RFC 2661, I can't actually figure where a limit of 24 is imposed,
> >
...snip...
> 
> Yes.  The limit comes from MAX_CHALLENGE_LENGTH in ppp.h.
> 
>  85 #define MAX_CHALLENGE_LENGTH 24

Thank you!

> 
> In RFC 2661,
> 
>   This AVP MUST be present for Proxy Authen Types 2 and 5. The
>   Challenge field contains the CHAP challenge presented to the
>   client by the LAC.
> 
> Proxy Authen Challenge AVP is for "Proxy Authen Types 2 and 5".
> 
>    Proxy Authen Type (ICCN)
>    (snip)
>   Defined Authen Type values are:
>  0 - Reserved
>  1 - Textual username/password exchange
>  2 - PPP CHAP
>  3 - PPP PAP
>  4 - No Authentication
>  5 - Microsoft CHAP Version 1 (MSCHAPv1)
> 
> It's for CHAP or MSCHAPv1.  If MD5 is selected for PPP CHAP, the
> challenge length for CHAP is 16 octet.  The challenge for MSCHAPv1 is
> also 8 octet, but npppd doesn't support MSCHAPv1 anyway.  So 24 must be
> enough for RFC 2661.
> 
> I'd like to see the packet capture of ICCN from Juniper to see what is
> happening.  (what authen type is used.)

I will contact you off-list about packet captures.

> >
...snip...
> > Ultimately we managed to get this working by simply omitting the size check
> > as such:
> > 
> > Index: l2tp/l2tp_call.c
> > ===
> > RCS file: /cvs/src/usr.sbin/npppd/l2tp/l2tp_call.c,v
> > retrieving revision 1.19
> > diff -u -p -r1.19 l2tp_call.c
> > --- l2tp/l2tp_call.c5 Dec 2015 16:10:31 -   1.19
> > +++ l2tp/l2tp_call.c5 Mar 2021 17:46:12 -
> > @@ -546,7 +546,8 @@ l2tp_call_recv_ICCN(l2tp_call *_this, u_
> > dpi->last_recv_lcp.ldata = avp_attr_length(avp);
> > break;
> > case L2TP_AVP_TYPE_PROXY_AUTHEN_CHALLENGE:
> > -   AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_chall));
> > +   /* XXX: disable to try and skirt 'too long' errors */
> > +   /* AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_chall)); */
> > memcpy(dpi->auth_chall, avp->attr_value,
> > avp_attr_length(avp));
> > dpi->lauth_chall = avp_attr_length(avp);
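
Review bot: with the AVP_MAXLEN_CHECK line commented out in the L2TP_AVP_TYPE_PROXY_AUTHEN_CHALLENGE case, the memcpy() that follows copies avp_attr_length(avp) bytes into dpi->auth_chall with no upper bound, so a peer that sends a challenge longer than sizeof(dpi->auth_chall) writes past the buffer. Keep the check and instead raise the limit the buffer is sized from (MAX_CHALLENGE_LENGTH in ppp.h, per the reply in this thread), so that longer challenges are accepted without removing the bound.
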
> > 
> > We've been running this modified npppd for a week now, our upstream is happy
> > that they can continue phasing out their 'old' gear, and our endusers are
> 
> Do you mean that the endusers can connect with the above diff?

Absolutely.  Prior to disabling that particular size check, endusers do not
get past the RecvICCN stage due to "PROXY_AUTHEN_CHALLENGE too long" error.

> diff --git a/usr.sbin/npppd/npppd/ppp.h b/usr.sbin/npppd/npppd/ppp.h
> index 1bb8bfc6cf3..219b47c6172 100644
> --- a/usr.sbin/npppd/npppd/ppp.h
> +++ b/usr.sbin/npppd/npppd/ppp.h
> @@ -82,7 +82,7 @@
>  
>  #defineMAX_USERNAME_LENGTH 256
>  #defineMAX_PASSWORD_LENGTH 256
> -#define MAX_CHALLENGE_LENGTH24
> +#define MAX_CHALLENGE_LENGTH256
>  
>  #define INADDR_IPCP_OBEY_REMOTE_REQ0xL
>  
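
Review bot: the new MAX_CHALLENGE_LENGTH value of 256 carries no comment saying where the number comes from, and the hunk does not show what else is sized from this macro. A one-line comment on the define would help (RFC 1994 gives no fixed challenge length, and the lengths logged in this thread go up to 63), and it is worth confirming that dpi->auth_chall is declared with this macro, so that the AVP_MAXLEN_CHECK against sizeof(dpi->auth_chall) in l2tp_call.c picks up the new limit and stays enabled.
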
> is better if it works.

Thank you! I will report back with results.


> > I am thinking that we would want a maximum length set there still, but 
> > perhaps
> > it can be pushed up?  I've seen many of those error types, all seem to stay
> > below 100:
> > 
> > Feb  8 11:42:53 edge9 npppd[86416]: l2tpd ctrl=5477 

Re: 6.8 with gnome boots to xterm after upgrade

2021-03-08 Thread Sivan !
Thank you.  One unresolved issue. While running fetch, there was an
error pop up that said /usr directory is out of space, though an
entire 250 GB nvme is for OpenBSD, almost with no user files, except
for the ports tree that was being downloaded by the fetch command.
When installing OpenBSD in a 250 GB nvme, I chose GPT and let the
installer decide on partitions. But something went wrong.

My bios shows this in the hard disk list:

line No 1:  UEFI OS (samsung SSD EVO 970 Plus 250 GB)
line No 2:  Samsung SSD 970 EVO Plus 250 GB (238476 MB)
(line No 3 : SATA ...  # this is Ubuntu
line No 4:  SATA  # this is CentOS)

In BIOS if I choose item 1, it boots to OpenBSD
If I choose item 2, it shows a blank boot screen shows a one line
error message that says "no active partition" that is it.

I ran gparted after booting the UEFI OS

It started with the warning:  Not all of the space available to
/dev/nvme0n1 appears to be used, you can fix the GPT to use all the
space (an extra 30 blocks) or
continue with the current setting?

I chose "ignore", because I suspected that gparted probably saw the
UEFI boot content of (250 GB - 238476 MB) as 30 blocks of "unused"
space.

Gparted shows:

EFI System Area fat 16
/dev/nvme0n1p2  480 KiB
EFI System Area Used 292 KiB
/dev/ nvme0n1p4 OpenBSD Area 232.89 GiB

Does this imply that the 232.89 GiB is OpenBSD area, but somehow with
"no active partition" which is perhaps the reason why there was an
error message during fetch that said /usr directory is low on disk
space ?

Thank you.


On Sun, 7 Mar 2021 at 15:54, Ed Gray  wrote:
>
> Glad you solved it.
>
> I would recommend running sysupgrade with the -n switch if you are using the 
> system.
>
> E.g. sysupgrade -s -n
>
> This delays the reboot but still prepares the upgrade.
>
> Upgrades are now completely automated but you still have to update packages 
> and your ports tree as well as the base system to keep everything working 
> properly.
>
> Regards
> Ed Gray
>
> On Sat, 6 Mar 2021, 6:19 pm Sivan !,  wrote:
>>
>> Solved.
>> sysupgrade -s
>> (after reboot, gnome loaded)
>> bash-5.0# uname -r
>> 6.9
>>
>> On Sat, 6 Mar 2021 at 22:53, Sivan !  wrote:
>> >
>> > /use/x11/ports/gnome make install didn't work. Images attached.
>> >
>> > On Sat, Mar 6, 2021, 22:12 Sivan !  wrote:
>> >>
>> >>
>> >> dear Ed,
>> >>
>> >> It wasn't complicated at all in till the unintended upgrade, and I wish 
>> >> to try and resolve this, even though I a person with copy skills in 
>> >> command line. OpenBSD 6.8 was booting fine with gnome, but now stuck in 
>> >> xterm.
>> >>
>> >> Now in xsession cd/use/pets/gnome,  typed make,  it is making, will 
>> >> report what happens.
>> >>
>> >> Thank you.
>> >>
>> >>
>> >> On Fri, 5 Mar 2021 at 23:23, Ed Gray  wrote:
>> >> >
>> >> > Hi Sivan,
>> >> >
>> >> > Sorry I've not had chance to look at everything you sent.
>> >> >
>> >> > Firstly the message about SSH keys sounds normal as this is part of a 
>> >> > normal X session startup. I suspect you have a key that has changed or 
>> >> > needs a passphrase entered and it's just picking it up when you try to 
>> >> > start X.
>> >> >
>> >> > The command history looks strange, you're running shutdown and reboot 
>> >> > and then other commands, unless these are from another session?
>> >> >
>> >> > Openbsd needs the -h option to both shutdown and power off the machine 
>> >> > or -r for reboot.
>> >> >
>> >> > Where is your startx program and is it a custom program?
>> >> >
>> >> > If you have done unintended upgrades and your /usr is also full it's 
>> >> > going to cause all sorts of problems. I would recommend reinstalling a 
>> >> > release from scratch if you can.
>> >> >
>> >> > Alternatively when the boot program runs you can choose bad.rd to get 
>> >> > the installer ramdisk and manually repair from there but it's a rather 
>> >> > complex process.
>> >> >
>> >> > On my system I had to boot bad.rd, type s for shell, run the MAKEDEV 
>> >> > script in /dev to create device nodes and then run disklabel manually 
>> >> > to rearrange volumes to make space.
>> >> >
>> >> > You would also need to grow or shrink the volumes.
>> >> >
>> >> > Regarding further troubleshooting of X sessions I would recommend 
>> >> > moving .xsession to .xsession.bak and starting with a fresh 
>> >> > configuration.
>> >> >
>> >> > I would need to understand more about how you are starting gnome like 
>> >> > more details of any changes you made to the standard installation.
>> >>
>> >> I see gnome-sessiin-bi.core.core under /
>> >> and .xauthority under /root, as in the attached image
>> >> > Regards
>> >> > Ed Gray
>> >> >
>> >> > On Fri, 5 Mar 2021, 12:03 am Sivan !,  wrote:
>> >> >>
>> >> >> Dear Stuart Henderson.
>> >> >>
>> >> >> I ran sysmerge.
>> >> >>
>> >> >> I posted, earlier in this thread,  11 images in response to Ed Gray's
>> >> >> comment that I had not shared sufficient details.  In addition there
>> >> >> are four more images attached here that I think are 

Re: Flatbed scanner stopped wording - permissions problem?

2021-03-08 Thread Duncan Patton a Campbell


this is what I use

doas -u root scanimage --mode gray  -x215 -y297 --resolution 300dpi -B > 
fdsa.pnm

which works with the perms as is.  xsane only worked as root for me
(across multiple platforms/revs) so it's always been something that
needed a lot of setup/takedown to use.

Dhu

On Mon, 8 Mar 2021 16:13:25 +
Anthony Campbell  wrote:

> On 07 Mar 2021, Stuart Henderson wrote:
> > On 2021-03-07, Anthony Campbell  wrote:
> > >
> > > Hello misc@:
> > >
> > >
> > > My Epson Perfection 1650 has worked on -current for many months but in
> > > the last 3 days attempts to scan with xsane say: "Failed to start
> > > scanner: operation not supported".
> > >
> > > Scanimage -L shows the scanner is detected correctly.
> > >
> > > I have already made the permissions changes for usb as instructed in the
> > > sane-backend pkg-readme.
> > >
> > > I have added my user to the operator group without effect.
> > >
> > > This problem isn't only in -current. In two laptops running the i386
> > > -release version of OpenBSD things are even worse - scanimage will only
> > > detect the scanner as root in this case.
> > >
> > >
> > > I think this may be a permissions problem but I can't run xsane as root
> > > because this gives "cannot open display: 0:"
> > >
> > >
> > > Not having a working scanner is a major problem for me. Any suggestions
> > > gratefully received.
> > 
> > As things stand it will need to access /dev/ugen* and possibly /dev/usb*
> > (chown/chmod); running MAKEDEV will reset permissions so you might want
> > to add that to rc.local/. Alternatively someone will need to write a
> > kernel driver for it and modify scanning software to work with that.
> > 
> > 
> 
> Thanks for your reply. I've now got the scanner working on my laptops
> (running -release). It still won't scan on my desktop, running -current;
> I think this happened after the last upgrade, so something must have
> changed somewhere. But that's a minor inconvenience; at least I can scan
> again.
> 
> 
> 
> -- 
> Anthony Campbell  https://www.acampbell.uk
> 
> 


-- 
I am Canadian. That is not French or English.
 It's a kind of savage: ne obliviscaris, vix ea nostra voco ;-)
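The targeted alternative to running scanimage as root, using the chgrp/chmod on the device nodes mentioned in the quoted advice, as an added example (not code from the thread or from sane-backends): a POSIX sh wrapper that opens the named nodes to one group only while a command runs, then restores the original group and mode. The device node names, the use of doas for chgrp/chmod, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.
# PRIV is the privilege helper (assumption: doas is set up to allow chgrp and
# chmod); set PRIV= to act directly on files you own.
PRIV=${PRIV-doas}

# Octal mode and numeric gid of a file (GNU stat syntax first, then BSD).
file_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null; }
file_group() { stat -c %g "$1" 2>/dev/null || stat -f %g "$1" 2>/dev/null; }

# Put back every node recorded in $saved as "mode:gid:path".
# Paths must not contain spaces or colons (device nodes do not).
restore_access() {
    r=0
    for ent in $saved; do
        m=${ent%%:*}; rest=${ent#*:}
        $PRIV chgrp "${rest%%:*}" "${rest#*:}" || r=1
        $PRIV chmod "$m" "${rest#*:}" || r=1
    done
    saved=""
    [ "$r" -eq 0 ] || echo "warning: device permissions not fully restored" >&2
}

# with_temp_access GROUP DEVICE... -- COMMAND [ARGS...]
# Returns COMMAND's exit status, or 2 if access could not be set up.
with_temp_access() {
    grp=$1; shift
    saved=""; rc=0
    # Restore permissions even if the scan is interrupted.
    trap 'restore_access; exit 130' INT TERM HUP
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        if m=$(file_mode "$1") && g=$(file_group "$1"); then
            saved="$saved $m:$g:$1"      # record before changing anything
            $PRIV chgrp "$grp" "$1" && $PRIV chmod 660 "$1" || rc=2
        else
            echo "cannot stat $1" >&2; rc=2
        fi
        shift
    done
    [ "${1-}" = "--" ] && shift
    [ $# -gt 0 ] || rc=2                 # no command given
    if [ "$rc" -eq 0 ]; then
        "$@" || rc=$?
    fi
    restore_access
    trap - INT TERM HUP
    return "$rc"
}

# Example call (node names are assumptions; use the ones your scanner attaches as):
#   with_temp_access "$(id -gn)" /dev/usb0 /dev/ugen0.00 -- \
#       scanimage --mode gray -x215 -y297 --resolution 300dpi -B > fdsa.pnm
```

The scanning code then runs as the ordinary user, and only chgrp and chmod go through doas.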



Re: How to set ThinkPad battery charge thresholds?

2021-03-08 Thread Jean-Pierre de Villiers
Refer to sensorsd(8) and acpibat(4).  Given those and related manual
pages I'm relatively certain you should be able to achieve this.

OpenBSD is well-known for its clear and extensive documentation so use
this to your advantage.  The apropos(1) utility is your best friend :).
Your second and third best friends are the FAQ and the mailing list
archives.

I am working under the assumption that no proprietary blobs are
necessary to accomplish your goal.  Otherwise, I am afraid you are out
of luck as OpenBSD does not and never will contain any such blobs.
They are "black boxes" and thus cannot be trusted.

Regards,
JP


On 21/03/08 07:05pm, Subhaditya Nath wrote:
> I have a Thinkpad E495 that has Battery Charge threshold support. i.e.
> it can be set such that the battery starts charging at a specified
> amount of charge (say, 70%) and automatically stops charging at a
> specified charge (say, 80%). This feature is also available on Linux by
> using TLP (made by linrunner, his website is linrunner.de)
>
> The problem is, I searched for this option in OpenBSD, but I couldn't
> find it.
>
> It is a very crucial functionality for me. So, if somebody can please
> tell me where I can set it, I would be very very thankful.
>
> (Pardon my bad english, it's not my first language)
>



How to set ThinkPad battery charge thresholds?

2021-03-08 Thread Subhaditya Nath
I have a Thinkpad E495 that has Battery Charge threshold support. i.e.
it can be set such that the battery starts charging at a specified
amount of charge (say, 70%) and automatically stops charging at a
specified charge (say, 80%). This feature is also available on Linux by
using TLP (made by linrunner, his website is linrunner.de)

The problem is, I searched for this option in OpenBSD, but I couldn't
find it.

It is a very crucial functionality for me. So, if somebody can please
tell me where I can set it, I would be very very thankful.

(Pardon my bad english, it's not my first language)



Re: ikectl ca and subjectAltName for IKEv2 VPNs

2021-03-08 Thread Stuart Henderson
On 2021-03-04, David Newman  wrote:
> On 3/4/21 12:29 AM, Stuart Henderson wrote:
>
>> On 2021-03-04, David Newman  wrote:
>>> Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName
>>> in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The
>>> subjectAltName can be the same as the CN; it just has to be present.
>> 
>> Most IKE software has always needed this. (Web browsers also recently-ish
>> started needing it too).
>> 
>>> Questions about this:
>>>
>>> 1. Does the 'ikectl ca  certificate  create' command
>>> support creation of X.509 certs with a subjectAltName defined in
>>> addition to the CN?
>>>
>>> If so, what's the syntax?
>> 
>> It does this by default.
>
> Thanks, I hadn't realized that, and should have grep'd the cert for
> 'DNS:' before asking.
>
> And yet, an iOS client initiator still fails with an authentication
> error on the iOS side. 'ipsecctl -sa' on the OpenBSD responder looks
> fine, with a tunnel established.
>
> The server and client certs generated by 'ikectl sa' have alt names but
> the CA cert does not.
>
> Does it need one? I suspect an error in iOS VPN configuration, but just
> checking.

The CA cert doesn't need a subjectAlternativeName, only server certs
(and client certs, if used).

> One other thing about the client cert: The CN is for something like
> 'iphone.networktest.com', which is an FQDN for which I have not created
> a DNS record.
>
> Again, does it need one? This is for a road-warrior configuration that
> will come in from different IP addresses, so I'm unclear what
> name/address pair I'd use in the DNS.

It's just an identifier and doesn't need an actual DNS record.

It might be simpler to start with EAP-MSCHAPv2 then you can at least verify
that the server/CA certs are working as expected, and proceed to client
certs afterwards..




Re: route -iface doesn't work

2021-03-08 Thread Paul de Weerd
Florian helped me off-list:

# route add 10.1.1.13 -iface -cloning 10.2.2.13

does the trick (if you do the same on the other end, of course).

I'm not really sure how this works, or what RTF_CLONING means other
than this comment from the manpage:

 -cloning  RTF_CLONING  generates a new route on use

So .. uhm .. magic! :-)

Anyway, thanks to Florian!

Paul

On Mon, Mar 08, 2021 at 05:10:16PM +0100, Paul de Weerd wrote:
| Hi all,
| 
| I'm probably missing something rather obvious, but I can't get route
| -iface to work.  According to the manpage:
| 
|  If the destination is directly reachable via an
|  interface requiring no intermediary system to act
|  as a gateway, the -iface modifier should be
|  specified; the gateway given is the address of this
|  host on the common network, indicating the
|  interface to be used for transmission.
| 
| I'm trying to get this to work on some 'real' system, but reproduced
| on a couple of VMs to rule out other factors.  I have two VMs on the
| same host, connected by the same veb(4).  Connectivity works if I use
| IP addresses in the same subnet (i.e. I can ping from 10.0.0.1/24 to
| 10.0.0.2/24 if that's what I configure).
| 
| On one side I have:
| 
| test1# ifconfig vio0 10.1.1.13/24
| test1# route add -iface 10.2.2.13 10.1.1.13
| add host 10.2.2.13: gateway 10.1.1.13
| 
| On the other side, I have:
| 
| test2# ifconfig vio0 10.2.2.13/24
| test2# route add -iface 10.1.1.13 10.2.2.13
| add host 10.1.1.13: gateway 10.2.2.13
| 
| However, pinging from test1 to test2 gives:
| 
| test1# ping -c 1 10.2.2.13
| PING 10.2.2.13 (10.2.2.13): 56 data bytes
| ping: sendmsg: Invalid argument
| ping: wrote 10.2.2.13 64 chars, ret=-1
| 
| --- 10.2.2.13 ping statistics ---
| 1 packets transmitted, 0 packets received, 100.0% packet loss
| 
| 
| Yet the route is there:
| 
| test1# route get 10.2.2.13
|    route to: 10.2.2.13
| destination: 10.2.2.13
|        mask: 255.255.255.255
|   interface: vio0
|  if address: 10.1.1.13
|    priority: 8 (static)
|       flags: 
|      use       mtu    expire
|        5         0         0 
| 
| 
| What am I doing wrong here?  The destination *is* directly reachable
| via an interface and the gateway given is the IP address of "this
| host" on the common network, just as required by the manpage.  At
| least, my read of it .. since it doesn't work, I'm probably
| misunderstanding something here.
| 
| I've enabled forwarding (net.inet.ip.forwarding=1) and disabled pf to
| test if they were causing grief, but neither helped.  Anyone have a
| cluebat for me?
| 
| Thanks,
| 
| Paul 'WEiRD' de Weerd
| 
| -- 
| >[<++>-]<+++.>+++[<-->-]<.>+++[<+
| +++>-]<.>++[<>-]<+.--.[-]
|  http://www.weirdnet.nl/ 
| 

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: Flatbed scanner stopped wording - permissions problem?

2021-03-08 Thread Anthony Campbell
On 07 Mar 2021, Stuart Henderson wrote:
> On 2021-03-07, Anthony Campbell  wrote:
> >
> > Hello misc@:
> >
> >
> > My Epson Perfection 1650 has worked on -current for many months but in
> > the last 3 days attempts to scan with xsane say: "Failed to start
> > scanner: operation not supported".
> >
> > Scanimage -L shows the scanner is detected correctly.
> >
> > I have already made the permissions changes for usb as instructed in the
> > sane-backend pkg-readme.
> >
> > I have added my user to the operator group without effect.
> >
> > This problem isn't only in -current. In two laptops running the i386
> > -release version of OpenBSD things are even worse - scanimage will only
> > detect the scanner as root in this case.
> >
> >
> > I think this may be a permissions problem but I can't run xsane as root
> > because this gives "cannot open display: 0:"
> >
> >
> > Not having a working scanner is a major problem for me. Any suggestions
> > gratefully received.
> 
> As things stand it will need to access /dev/ugen* and possibly /dev/usb*
> (chown/chmod); running MAKEDEV will reset permissions so you might want
> to add that to rc.local/. Alternatively someone will need to write a
> kernel driver for it and modify scanning software to work with that.
> 
> 

Thanks for your reply. I've now got the scanner working on my laptops
(running -release). It still won't scan on my desktop, running -current;
I think this happened after the last upgrade, so something must have
changed somewhere. But that's a minor inconvenience; at least I can scan
again.



-- 
Anthony Campbell  https://www.acampbell.uk



route -iface doesn't work

2021-03-08 Thread Paul de Weerd
Hi all,

I'm probably missing something rather obvious, but I can't get route
-iface to work.  According to the manpage:

 If the destination is directly reachable via an
 interface requiring no intermediary system to act
 as a gateway, the -iface modifier should be
 specified; the gateway given is the address of this
 host on the common network, indicating the
 interface to be used for transmission.

I'm trying to get this to work on some 'real' system, but reproduced
on a couple of VMs to rule out other factors.  I have two VMs on the
same host, connected by the same veb(4).  Connectivity works if I use
IP addresses in the same subnet (i.e. I can ping from 10.0.0.1/24 to
10.0.0.2/24 if that's what I configure).

On one side I have:

test1# ifconfig vio0 10.1.1.13/24
test1# route add -iface 10.2.2.13 10.1.1.13
add host 10.2.2.13: gateway 10.1.1.13

On the other side, I have:

test2# ifconfig vio0 10.2.2.13/24
test2# route add -iface 10.1.1.13 10.2.2.13
add host 10.1.1.13: gateway 10.2.2.13

However, pinging from test1 to test2 gives:

test1# ping -c 1 10.2.2.13
PING 10.2.2.13 (10.2.2.13): 56 data bytes
ping: sendmsg: Invalid argument
ping: wrote 10.2.2.13 64 chars, ret=-1

--- 10.2.2.13 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss


Yet the route is there:

test1# route get 10.2.2.13
   route to: 10.2.2.13
destination: 10.2.2.13
       mask: 255.255.255.255
  interface: vio0
 if address: 10.1.1.13
   priority: 8 (static)
      flags: 
     use       mtu    expire
       5         0         0 


What am I doing wrong here?  The destination *is* directly reachable
via an interface and the gateway given is the IP address of "this
host" on the common network, just as required by the manpage.  At
least, my read of it .. since it doesn't work, I'm probably
misunderstanding something here.

I've enabled forwarding (net.inet.ip.forwarding=1) and disabled pf to
test if they were causing grief, but neither helped.  Anyone have a
cluebat for me?

Thanks,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: Managed to mess up the system encrypted disk. I can no longer boot.

2021-03-08 Thread Samarul Meu
Mon, 8 Mar 2021, 15:06 Marcus MERIGHI  wrote:

> Hello Samarul,
>
>
> > Today I stumbled again on the same error, but in a different situation,
> > let's say.
> [...]
> > 1. attach an encrypted disk (partition) with an OpenBSD installation on
> > it,  let's say sd1a --- "bioctl -c C -l sd1a softraid0" --- you will get
> > the new sd2
> > 2. detach the sd2 "bioctl -d sd2"
> > 3. The OpenBSD will no longer boot.
>
> No mount(8) and umount(8) between step 1 and 2?
>
> Marcus
>

I don't think that mount is important in this case. The culprit is bioctl.

Eduard

>


Re: Managed to mess up the system encrypted disk. I can no longer boot.

2021-03-08 Thread Marcus MERIGHI
Hello Samarul, 

samarul@gmail.com (Samarul Meu), 2021.03.08 (Mon) 10:46 (CET):
> On Thu, Jan 28, 2021 at 10:27 AM Samarul Meu  wrote:
> > Thank you so much! You made my day!
> > So I used FuguIta (6.8 - stable) attached the encrypted partition
> > (accessible as sd1 now) and 'installboot sd1', reboot and surprise -
> > everything is working. I still have no idea why detaching the softraid
> > determined this kind of behavior.
> 
> Today I stumbled again on the same error, but in a different situation,
> let's say.
[...] 
> 1. attach an encrypted disk (partition) with an OpenBSD installation on
> it,  let's say sd1a --- "bioctl -c C -l sd1a softraid0" --- you will get
> the new sd2
> 2. detach the sd2 "bioctl -d sd2"
> 3. The OpenBSD will no longer boot.

No mount(8) and umount(8) between step 1 and 2?

Marcus



Re: Managed to mess up the system encrypted disk. I can no longer boot.

2021-03-08 Thread Samarul Meu
On Thu, Jan 28, 2021 at 10:27 AM Samarul Meu  wrote:

>
> Thank you so much! You made my day!
> So I used FuguIta (6.8 - stable) attached the encrypted partition
> (accessible as sd1 now) and 'installboot sd1', reboot and surprise -
> everything is working. I still have no idea why detaching the softraid
> determined this kind of behavior.
>

Today I stumbled again on the same error, but in a different situation,
let's say.

I have installed OpenBSD 6.8 on a USB disk as a portable solution (full
disk encryption). At work I also have the same 6.8 installed on a computer
(on an encrypted partition). I booted the new USB install, I mounted the
partition from the computer to copy some settings and then detached the
device. At home I mounted the encrypted USB disk on my laptop and copied
something from it. Detached the device and all seemed OK.

But today, boy, I was in for a surprise. The USB disk and the computer OpenBSD
installations were not booting. The same error as before

open(hd0a:/etc/boot.conf): Invalid argument
boot>
cannot open hd0a:/etc/random.seed: Invalid argument
booting hd0a:/bsd: open hd0a:/bsd: Invalid argument
  failed(22). will try /bsd

For the moment I did not understand what was happening. I tried again boot>
boot sr0a:/bsd, but after a false start the system hung. So the solution
'installboot sd2' (where sd2 is the attached encrypted partition) and now
both installs boot normally.

As I am a newbie in the OpenBSD environment I do not know if I should
report this as a bug of bioctl or not. The error I encounter is easy to
reproduce:

1. attach an encrypted disk (partition) with an OpenBSD installation on
it,  let's say sd1a --- "bioctl -c C -l sd1a softraid0" --- you will get
the new sd2
2. detach the sd2 "bioctl -d sd2"
3. The OpenBSD will no longer boot.

Thank you very much for your time!


Re: IPv6 NDP Confusion with PF enabled

2021-03-08 Thread Stuart Henderson
On 2021-03-08, Antonino Sidoti  wrote:
> I am confused about how Neighbor Discovery is not working when the firewall 
> is on.

Check your blocked packets. You already have "log" on most block rules,
so look at either /var/log/pflog or live with tcpdump -e on the pflog0
interface.