Re: sftp server empty password login

2024-03-26 Thread Darren Tucker
On Tue, 26 Mar 2024 at 23:49, Sylvain Saboua  wrote:
[...]
> /bin/true is not in the /etc/shells file on my system.
> Did you suggest I should add it ?

I did suggest that as a possible resolution to your problem.  Since
your problem is now resolved, I wouldn't change it.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: sftp server empty password login

2024-03-26 Thread Darren Tucker
You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p
", then connect with "sftp -oport="), but...

On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua  wrote:
[...]
> # useradd -g media -s /sbin/nologin -u 2000 -v media

Unless /sbin/nologin is in /etc/shells (which it probably shouldn't
be), that will probably prevent the login.  I'd suggest /bin/true for
both the user and in /etc/shells.

> `# passwd media') does not work either. What am I doing wrong ?

What do you mean by "does not work"?  When I've done something similar
in the past I've edited the passwd file with vipw and removed the
hashed password value leaving nothing in the password field, ie

someuser::1001:1001: [etc ...]

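The two things this thread turns on (an empty password field in the passwd database and whether the account's shell is listed in /etc/shells) are easy to audit mechanically. Here is an added example, not from the original thread or from OpenSSH, that checks constructed master.passwd-style lines against a constructed /etc/shells and reports what each account would do under sshd with PermitEmptyPasswords on or off; the hash strings are placeholders.

```python
# Constructed master.passwd(5)-style lines (10 fields). The hashes are placeholders,
# not real bcrypt output; "media" and "upload" have an empty password field, which is
# what editing the file with vipw and deleting the hash produces.
SAMPLE_MASTER_PASSWD = """\
root:$2b$10$placeholderhashplaceholderhashplaceholder:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
media::2000:2000::0:0:Media drop box:/home/media:/bin/true
upload::2001:2001::0:0:Upload account:/home/upload:/sbin/nologin
alice:$2b$10$placeholderhashplaceholderhashplaceholder:1001:1001::0:0:Alice:/home/alice:/bin/ksh
"""

# Constructed /etc/shells: /bin/true is listed (the thread's suggestion), /sbin/nologin is not.
SAMPLE_ETC_SHELLS = """\
# /etc/shells
/bin/sh
/bin/ksh
/bin/csh
/bin/true
"""


def parse_shells(text):
    """Return the set of shells listed in an /etc/shells file (comments and blanks skipped)."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_accounts(text):
    """Parse passwd(5) (7 fields) or master.passwd(5) (10 fields) lines.
    Both put the name first, the password hash second and the shell last."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            raise ValueError(f"unexpected field count in: {line!r}")
        accounts.append({"name": fields[0], "password": fields[1],
                         "uid": int(fields[2]), "shell": fields[-1]})
    return accounts


def audit(passwd_text, shells_text, permit_empty_passwords):
    """Return {account: [findings]} describing how each entry interacts with sshd.

    Two checks, matching the thread's reasoning: a shell missing from /etc/shells
    blocks the login regardless of credentials, and an empty password field is
    only usable when sshd_config has PermitEmptyPasswords yes (assumes
    PasswordAuthentication is enabled)."""
    shells = parse_shells(shells_text)
    findings = {}
    for acct in parse_accounts(passwd_text):
        notes = []
        if acct["shell"] not in shells:
            notes.append("shell not in /etc/shells: login will be refused")
        if acct["password"] == "":
            if permit_empty_passwords:
                notes.append("empty password field: sshd will accept a blank password")
            else:
                notes.append("empty password field: unusable until PermitEmptyPasswords yes")
        findings[acct["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_MASTER_PASSWD, SAMPLE_ETC_SHELLS, True).items():
        print(f"{name}: {'; '.join(notes) or 'ok'}")
```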



Re: Booting OpenBSD 7.3's i386 bsd.rd

2023-05-01 Thread Darren Tucker
On Mon, 1 May 2023 at 12:38, Damian McGuckin  wrote:
[...]
> it appears to load bsd.rd, but then drops straight back into the BIOS
> and starts the BIOS boot.
>
> Any suggestions?

Try switching the console to serial instead of relying on the BIOS:

boot> stty com0 19200
boot> set tty com0

(Replace 19200 with whatever the console speed is).  If that works,
put it in /etc/boot.conf




Re: LAN slow speed transfer

2023-02-03 Thread Darren Tucker
On Fri, 3 Feb 2023 at 22:40, Crystal Kolipe  wrote:
> On Fri, Feb 03, 2023 at 10:33:16PM +1100, Darren Tucker wrote:
> > Fast ethernet (100base-T) uses pins 1, 2, 3 & 6
[...]
> But the output from ifconfig does suggest that the link was running with
> 1000baseT modulation:
>
> > media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)

Good point!  Dunno then.




Re: LAN slow speed transfer

2023-02-03 Thread Darren Tucker
On Fri, 3 Feb 2023 at 13:49, vitmau...@gmail.com  wrote:
> thank you Stu for the feedback. Turns out the problem was one of the
> cables. It is advertised as 5E, but maybe there is something fishy
> with it. Fact is, I bought another, changed it, and now I got
> something around 95 MBytes/s of LAN transfer rate.

Fast ethernet (100base-T) uses pins 1, 2, 3 & 6 while gigabit needs
all eight.  If you get a cable where one of 4, 5, 7 or 8 is broken (or
someone cheaped out on the cable and it only has two pairs to begin
with) you'll have a cable that can only do 100 mbit, which is about
the speed that you saw.




Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current

2022-05-24 Thread Darren Tucker
On Fri, 13 May 2022 at 11:07, Darren Tucker  wrote:
> I've had two people ask me about this device in the last few days
> so I thought I'd post a followup describing what I did and found.
> As a reminder, this is a gl.inet GL-MV1000[0] (aka Brume) device.

Current status:

> Using the .dtb file that ships with OpenWRT will cause OpenBSD to report
> "sdhc0: base clock frequency unknown" errors and not find the sdcard.

This was fixed in -current by kettenis:
https://cvsweb.openbsd.org/src/sys/dev/fdt/mvclock.c?rev=1.12&content-type=text/x-cvsweb-markup

>  - as previously mentioned the internal ethernet switch isn't supported

This is not well stated.  The internal switch is supported as an
unmanaged switch by mvsw(4)

>  - USB interface doesn't seem to work

This was fixed in -current by dlg:
https://cvsweb.openbsd.org/src/sys/dev/fdt/ehci_fdt.c?rev=1.9&content-type=text/x-cvsweb-markup

I've put up a summary here, which I'll update with any further information.
https://www.dtucker.net/brume/




Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current

2022-05-12 Thread Darren Tucker
I've had two people ask me about this device in the last few days
so I thought I'd post a followup describing what I did and found.
As a reminder, this is a gl.inet GL-MV1000[0] (aka Brume) device.

I had previously installed OpenWRT 21.02.something onto this device's
internal eMMC card, but I suspect the process will work with other OpenWRT
versions or the stock firmware (which is itself an OpenWRT derivative).

1) Grab an OpenBSD miniroot71.img for 7.1 or -current and write it to
an sdcard ("dd if=miniroot71.img of=/dev/sdXc bs=1k").

2) Grab the OEM firmware[1], extract armada-gl-mv1000-emmc.dtb from it
(or grab it from [2]) and copy it to the root of the first partition of
the sdcard ("mount /dev/sdXi /mnt; cp armada-gl-mv1000-emmc.dtb /mnt;
umount /mnt").

Using the .dtb file that ships with OpenWRT will cause OpenBSD to report
"sdhc0: base clock frequency unknown" errors and not find the sdcard.

If your device still has the stock firmware you can probably skip this
step and change the first "load mmc 1:1" in the bootcmd below to "load
mmc 0:1" to load the vendor-supplied .dtb from the internal eMMC device.

3) Connect a serial console and ethernet to the Brume.  Power it on
and type "gl" into the console to interrupt the boot sequence.  At the
"Marvel>>" prompt, change the bootcmd env variable and save it:

Marvel>> setenv bootcmd "load mmc 1:1 ${fdt_addr} armada-gl-mv1000-emmc.dtb; 
load mmc 1:1 ${kernel_addr} efi/boot/bootaa64.efi; bootefi ${kernel_addr} 
${fdt_addr}"
Marvel>> saveenv

This will cause the Brume to always boot the OpenBSD bootloader from
the sdcard.

4) Boot from the sdcard by typing "boot".  At this point the OpenBSD
bsd.rd should boot from the sdcard and you can perform a normal network
installation back to the sdcard (which should be sd0 in the installer,
but will be sd1 when the system reboots). Leave the "i" partition on the
sdcard and all of the internal eMMC unchanged.  If you make a mistake
after you start writing to the sdcard you'll need to start again at
step 1.

The good:
 - seems stable and survived a kernel build just fine
 - network (mvneta0) and sdcard seem to work

The bad:
 - as previously mentioned the internal ethernet switch isn't supported
 - USB interface doesn't seem to work
 - it won't reboot cleanly (shuts down OK but doesn't reset).

[0] https://www.gl-inet.com/products/gl-mv1000/
[1] https://docs.gl-inet.com/en/3/release_notes/gl-mv1000/
[2] https://www.dtucker.net/brume/armada-gl-mv1000-emmc.dtb

OpenBSD 7.1-current (GENERIC.MP) #0: Thu May 12 23:48:16 AEST 2022
dtuc...@obsd-brume.dtucker.net:/usr/src/sys/arch/arm64/compile/GENERIC.MP
real mem  = 1046306816 (997MB)
avail mem = 981606400 (936MB)
random: good seed from bootblocks
mainbus0 at root: GL.inet GL-MV1000
psci0 at mainbus0: PSCI 1.0
cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu0: 256KB 64b/line 16-way L2 cache
cpu0: CRC32,SHA2,SHA1,AES+PMULL,ASID16
cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4
cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu1: 256KB 64b/line 16-way L2 cache
cpu1: CRC32,SHA2,SHA1,AES+PMULL,ASID16
efi0 at mainbus0: UEFI 2.0.5
efi0: Das U-boot rev 0x0
apm0 at mainbus0
agtimer0 at mainbus0: 12500 kHz
"pmu" at mainbus0 not configured
simplebus0 at mainbus0: "soc"
simplebus1 at simplebus0: "internal-regs"
mvclock0 at simplebus1
mvclock1 at simplebus1
mvclock2 at simplebus1
mvpinctrl0 at simplebus1
syscon0 at simplebus1: "syscon"
mvpinctrl1 at simplebus1
agintc0 at simplebus1 shift 4:3 nirq 224 nredist 2 ipi: 0, 1: 
"interrupt-controller"
mvspi0 at simplebus1
mvuart0 at simplebus1
mvneta0 at simplebus1
mvneta0: Ethernet address fe:e1:ba:d0:19:1a
mvmdio0 at simplebus1: "mdio"
mvsw0 at mvmdio0 phy 1: 88E6141 rev 0
xhci0 at simplebus1, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev 3.00/1.00 
addr 1
"usb" at simplebus1 not configured
"u3d" at simplebus1 not configured
"udc" at simplebus1 not configured
"xor" at simplebus1 not configured
sdhc0 at simplebus1
sdhc0: SDHC 3.0, 400 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
sdhc1 at simplebus1
sdhc1: SDHC 3.0, 400 MHz base clock
sdmmc1 at sdhc1: 8-bit, sd high-speed, mmc high-speed, ddr52, dma
"regulator" at mainbus0 not configured
gpioleds0 at mainbus0: "gl-mv1000:green:vpn", "gl-mv1000:green:wifi", 
"gl-mv1000:green:power"
scsibus0 at sdmmc1: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  removable
sd0: 7456MB, 512 bytes/sector, 15269888 sectors
scsibus1 at sdmmc0: 2 targets, initiator 0
sd1 at scsibus1 targ 1 lun 0:  remova

Re: ssh authlog: Failed none for invalid user

2021-08-10 Thread Darren Tucker
On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan  wrote:

> Hello,
>
> I was hoping somebody could set me straight here. On one of my machines I
> have a number of entries in my /var/log/authlog file that look like this:
>
> Failed none for invalid user admin from 14.239.50.255 port 51796
>
> The machine has been being hammered with SSH bruteforce attempts and I
> noticed that "Failed none" entry popping up frequently.
>
> What exactly does "Failed none" mean here in this in this context?


It's the attempted authentication method, and it's normal behaviour.

The SSH protocol has a number of authentication methods, for example
"password" and "publickey".  The client sends a message that says "I'd
like to authenticate via password using the password 'hunter2'" and the
server replies with either "yes that worked", or "nope" and a list of
authentication methods that it might accept.  Publickey authentication has
a couple of extra steps but works in a similar way.

The protocol also specifies a "none" [0] authentication method, which will
succeed if the server requires no further authentication (eg in OpenSSH, if
PermitEmptyPassword is set and the account does not have a password).  Many
SSH clients including OpenSSH's start by asking for "none" authentication
then, if that doesn't work, use the list of possible authentication methods
to decide what to do next.  This is what you're seeing.

When I last looked, the bulk of the password guessing bots just sent a
single "password" auth method and, if it didn't work, disconnected.
Apparently the bots you're seeing behave a bit more like other clients.

[0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2

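The distinction drawn above (a "Failed none" is the client's opening probe, not a credential that was tried) is easy to get wrong when reading an authlog. Here is an added example, not from the original thread or from OpenSSH, that parses sshd's auth-result lines and separates the harmless "none" probe from real password failures per source address; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authlog lines using documentation addresses. The first line
# mirrors the shape of the one quoted in the question; the trailing " ssh2" varies
# between log formats, so the parser treats it as optional.
SAMPLE_AUTHLOG = """\
Aug 10 08:55:01 host sshd[12345]: Failed none for invalid user admin from 192.0.2.10 port 51796
Aug 10 08:55:02 host sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 51796 ssh2
Aug 10 08:55:04 host sshd[12347]: Failed password for invalid user admin from 192.0.2.10 port 51802 ssh2
Aug 10 08:56:00 host sshd[12350]: Failed none for alice from 198.51.100.7 port 40000 ssh2
Aug 10 08:56:01 host sshd[12350]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Aug 10 08:57:10 host sshd[12360]: Failed none for invalid user test from 203.0.113.5 port 33333 ssh2
Aug 10 08:57:11 host sshd[12360]: Connection closed by invalid user test 203.0.113.5 port 33333 [preauth]
"""

# Auth-result lines: "<Failed|Accepted> <method> for [invalid user ]<user> from <src> port <port>".
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return the fields of one auth-result line, or None for any other sshd line."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    return {"result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "invalid_user": m.group("invalid") is not None,
            "src": m.group("src"), "port": int(m.group("port"))}


def summarize(lines):
    """Aggregate per source address: failures per method, successes, and the
    set of non-existent account names that were tried."""
    per_src = defaultdict(lambda: {"failed": defaultdict(int), "accepted": 0,
                                   "invalid_users": set()})
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        if rec["result"] == "Failed":
            s["failed"][rec["method"]] += 1
        else:
            s["accepted"] += 1
        if rec["invalid_user"]:
            s["invalid_users"].add(rec["user"])
    return per_src


def classify(src_summary, threshold=3):
    """Label one source. "none" failures are excluded from the count because the
    server answers that method before any credential is checked (RFC 4252 5.2)."""
    failed = src_summary["failed"]
    real_failures = sum(n for method, n in failed.items() if method != "none")
    if real_failures == 0:
        return "normal client" if src_summary["accepted"] > 0 else "none probe only"
    if src_summary["invalid_users"] or real_failures >= threshold:
        return "credential guessing"
    return "failed login"


def report(lines):
    """Map each source address seen in the log to its classification."""
    return {src: classify(s) for src, s in summarize(lines).items()}


if __name__ == "__main__":
    for src, label in report(SAMPLE_AUTHLOG.splitlines()).items():
        print(f"{src}: {label}")
```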


Re: poor ethernet network performance

2021-05-16 Thread Darren Tucker
On Mon, 17 May 2021 at 08:23, Keegan Saunders 
wrote:

> I'm noticing that my OpenBSD desktop with a Realtek 8168 ethernet
> controller
> (re(4) driver) is experiencing slow network speeds on OpenBSD 6.9 (not
> recent, has been an issue before)
>

I've had something similar in the past and it was a duplex mismatch.

If you have a managed switch, check that it and ifconfig agree on the
duplex setting that was auto-negotiated.  Failing that, try forcing either
full-duplex or half-duplex with ifconfig and/or hostname.re0.



Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current

2021-04-05 Thread Darren Tucker
On Mon, 5 Apr 2021 at 07:32, Mark Kettenis  wrote:

> [...]
> > # man 4 mvsw
>
> > man: No entry for mvsw in section 4 of the manual.
>
> You must be doing that on an OpenBSD 6.8 system.  Man page is there on
> -current.
>

That's true!  I ran it on the Brume itself, which is still running 6.8
stable due to the aforementioned problem finding the sdcard.

Many thanks to you and Patrick for the analysis and fix.



Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current

2021-04-03 Thread Darren Tucker
On Sun, 4 Apr 2021 at 01:32, Patrick Wildt  wrote:

> [...]
> Maybe you both can try my revert and make sure it doesn't introduce any
> other regressions?
>

That also seems to work on the Brume in question:

>> OpenBSD/arm64 BOOTAA64 1.2
boot> boot /bsd.test
booting sd0a:/bsd.test: 8808452+1793560+567784+830080
[634134+109+1073400+630260]=0xf904a0
type 0x2 pa 0x0 va 0x0 pages 0x4000 attr 0x8
[lots snipped]
type 0x2 pa 0x3ffa6000 va 0x3e715000 pages 0x5a attr 0x8
[ using 2338872 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2021 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.9-beta (GENERIC.MP) #1: Thu Apr  1 19:48:05 AEDT 2021
dtuc...@brume.dtucker.net:/usr/src/sys/arch/arm64/compile/GENERIC.MP
real mem  = 1032523776 (984MB)
avail mem = 968355840 (923MB)
random: good seed from bootblocks
mainbus0 at root: GL.inet GL-MV1000 (Marvell)
psci0 at mainbus0: PSCI 1.0
cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu0: 256KB 64b/line 16-way L2 cache
cpu0: CRC32,SHA2,SHA1,AES+PMULL,ASID16
cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4
cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu1: 256KB 64b/line 16-way L2 cache
cpu1: CRC32,SHA2,SHA1,AES+PMULL,ASID16
efi0 at mainbus0: UEFI 2.0.5
efi0: Das U-boot rev 0x0
apm0 at mainbus0
agtimer0 at mainbus0: 12500 kHz
"pmu" at mainbus0 not configured
simplebus0 at mainbus0: "soc"
simplebus1 at simplebus0: "internal-regs"
mvclock0 at simplebus1
mvclock1 at simplebus1
mvclock2 at simplebus1
mvpinctrl0 at simplebus1
syscon0 at simplebus1: "syscon"
mvpinctrl1 at simplebus1
agintc0 at simplebus1 shift 4:3 nirq 224 nredist 2 ipi: 0, 1:
"interrupt-controller"
mvspi0 at simplebus1
mvuart0 at simplebus1
mvneta0 at simplebus1
mvneta0: Ethernet address 94:83:c4:03:b0:d9
mvmdio0 at simplebus1: "mdio"
mvsw0 at mvmdio0 phy 1: 88E6141 rev 0
xhci0 at simplebus1, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev
3.00/1.00 addr 1
"usb" at simplebus1 not configured
"u3d" at simplebus1 not configured
"udc" at simplebus1 not configured
"xor" at simplebus1 not configured
sdhc0 at simplebus1
sdhc0: SDHC 3.0, 400 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
sdhc1 at simplebus1
sdhc1: SDHC 3.0, 400 MHz base clock
sdmmc1 at sdhc1: 8-bit, sd high-speed, mmc high-speed, ddr52, dma
"sata" at simplebus1 not configured
mvkpcie0 at simplebus0
mvkpcie0: timeout
"regulator" at mainbus0 not configured
scsibus0 at sdmmc1: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  removable
sd0: 7456MB, 512 bytes/sector, 15269888 sectors
scsibus1 at sdmmc0: 2 targets, initiator 0
sd1 at scsibus1 targ 1 lun 0:  removable
sd1: 30436MB, 512 bytes/sector, 62333952 sectors
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd1a (9e51f250b602291d.a) swap on sd1b dump on sd1b
WARNING: CHECK AND RESET THE DATE!
Automatic boot in progress: starting file system checks.
/dev/sd1a (9e51f250b602291d.a): file system is clean; not checking
9e51f250b602291d.i: 6 files, 16034 free (8017 clusters)
pf enabled
starting network
starting early daemons: syslogd pflogd ntpd.
starting RPC daemons:.
savecore: can't find device 255/16777088
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd smtpd sndiod.
starting local daemons: cron.
Thu Apr  1 19:50:48 AEDT 2021

OpenBSD/arm64 (brume.dtucker.net) (console)

> > That BRUME thingy looks cute, but has a bit of an issue.  It doesn't
> > > really have three Ethernet ports.  Instead those ports are part of a
> > > switch that also connects to an Ethernet interface on the SoC.
> >
> > Yeah I noticed that.  Single ethernet plus programmable switch seems to
> > be pretty common in this class of device.
>
> And if someone wants to program it, feel free to, mvsw(4) exists for a
> reason, might just need some code. :)
>

and maybe docs :-)

# man 4 mvsw
man: No entry for mvsw in section 4 of the manual.



Re: The simplest full cray data core with 3 cpu's and a physics hack that makes it work

2021-04-02 Thread Darren Tucker
On Sat, 3 Apr 2021 at 10:09, Balder Oddson  wrote:
[...]

> Many old and cool antique architectures, Cray is the premiere
> architecture, he promised 10x performance and did so, not likely to get
> one on ebay to boot BSD on, not sure if you can get the OS or blueprints
> either.
>

To drag this a tiny bit toward the approximate direction of being on-topic:
if you do find one and want to run OpenSSH on it, you'll need to use 7.6p1
or earlier since I removed UNICOS support in 7.7p1
(https://github.com/openssh/openssh-portable/commit/ddc0f3814881ea279a6b6d4d98e03afc60ae1ed7).



Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current

2021-04-01 Thread Darren Tucker
1f5c
name: 'regulator'
compatible: 'regulator-gpio'
regulator-name: 'vcc_sd1'
regulator-min-microvolt: 001b7740
regulator-max-microvolt: 00325aa0
regulator-boot-on: 
gpios: 000d.0004.
gpios-states: 
states: 001b7740.0001.00325aa0.
enable-active-high: 
linux,phandle: 000e
phandle: 000e

OpenBSD 6.9-beta (GENERIC.MP) #0: Thu Apr  1 19:30:31 AEDT 2021
dtuc...@brume.dtucker.net:/usr/src/sys/arch/arm64/compile/GENERIC.MP
real mem  = 1032523776 (984MB)
avail mem = 968355840 (923MB)
random: good seed from bootblocks
mainbus0 at root: GL.inet GL-MV1000 (Marvell)
psci0 at mainbus0: PSCI 1.0
cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1
D-cache
cpu0: 256KB 64b/line 16-way L2 cache
cpu0: CRC32,SHA2,SHA1,AES+PMULL,ASID16
cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4
cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1
D-cache
cpu1: 256KB 64b/line 16-way L2 cache
cpu1: CRC32,SHA2,SHA1,AES+PMULL,ASID16
efi0 at mainbus0: UEFI 2.0.5
efi0: Das U-boot rev 0x0
apm0 at mainbus0
agtimer0 at mainbus0: 12500 kHz
"pmu" at mainbus0 not configured
simplebus0 at mainbus0: "soc"
simplebus1 at simplebus0: "internal-regs"
mvclock0 at simplebus1
mvclock1 at simplebus1
mvclock2 at simplebus1
mvpinctrl0 at simplebus1
syscon0 at simplebus1: "syscon"
mvpinctrl1 at simplebus1
agintc0 at simplebus1 shift 4:3 nirq 224 nredist 2 ipi: 0, 1:
"interrupt-controller"
mvspi0 at simplebus1
mvuart0 at simplebus1
mvneta0 at simplebus1
mvneta0: Ethernet address 94:83:c4:03:b0:d9
mvmdio0 at simplebus1: "mdio"
mvsw0 at mvmdio0 phy 1: 88E6141 rev 0
xhci0 at simplebus1, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev
3.00/1.00 addr 1
"usb" at simplebus1 not configured
"u3d" at simplebus1 not configured
"udc" at simplebus1 not configured
"xor" at simplebus1 not configured
sdhc0 at simplebus1
sdhc0: SDHC 3.0, 400 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
sdhc1 at simplebus1
sdhc1: SDHC 3.0, 400 MHz base clock
sdmmc1 at sdhc1: 8-bit, sd high-speed, mmc high-speed, ddr52, dma
"sata" at simplebus1 not configured
mvkpcie0 at simplebus0
mvkpcie0: timeout
"regulator" at mainbus0 not configured
scsibus0 at sdmmc1: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  removable
sd0: 7456MB, 512 bytes/sector, 15269888 sectors
scsibus1 at sdmmc0: 2 targets, initiator 0
sd1 at scsibus1 targ 1 lun 0:  removable
sd1: 30436MB, 512 bytes/sector, 62333952 sectors
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd1a (9e51f250b602291d.a) swap on sd1b dump on sd1b
WARNING: CHECK AND RESET THE DATE!





gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current

2021-03-31 Thread Darren Tucker
; at simplebus1 not configured
mvuart0 at simplebus1
mvneta0 at simplebus1
mvneta0: Ethernet address 94:83:c4:03:b0:d9
mvmdio0 at simplebus1
xhci0 at simplebus1, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev 3.00/1.00 
addr 1
"usb" at simplebus1 not configured
"u3d" at simplebus1 not configured
"udc" at simplebus1 not configured
"xor" at simplebus1 not configured
sdhc0 at simplebus1
sdhc0: SDHC 3.0, 400 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, ddr52, dma
sdhc1 at simplebus1
sdhc1: SDHC 3.0, 400 MHz base clock
sdmmc1 at sdhc1: 8-bit, sd high-speed, mmc high-speed, ddr52, dma
"sata" at simplebus1 not configured
mvkpcie0 at simplebus0
mvkpcie0: timeout
"regulator" at mainbus0 not configured
scsibus0 at sdmmc1: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  removable
sd0: 7456MB, 512 bytes/sector, 15269888 sectors
scsibus1 at sdmmc0: 2 targets, initiator 0
sd1 at scsibus1 targ 1 lun 0:  removable
sd1: 30436MB, 512 bytes/sector, 62333952 sectors
softraid0 at root
scsibus2 at softraid0: 256 targets
bootfile: sd0a:/bsd
boot device: sd0
root on rd0a swap on rd0b dump on rd0b
WARNING: CHECK AND RESET THE DATE!
erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/arm64 6.8 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

and 6.8-stable:
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights
reserved.
Copyright (c) 1995-2020 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.8 (GENERIC.MP) #2: Sat Dec  5 05:53:36 MST 2020
r...@syspatch-68-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.P
real mem  = 1032802304 (984MB)
avail mem = 968712192 (923MB)
random: good seed from bootblocks
mainbus0 at root: GL.inet GL-MV1000 (Marvell)
psci0 at mainbus0: PSCI 1.0
cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1
D-cache
cpu0: 256KB 64b/line 16-way L2 cache
cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4
cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1
D-cache
cpu1: 256KB 64b/line 16-way L2 cache
efi0 at mainbus0: UEFI 2.0.5
efi0: Das U-boot rev 0x0
apm0 at mainbus0
agtimer0 at mainbus0: tick rate 12500 KHz
"pmu" at mainbus0 not configured
simplebus0 at mainbus0: "soc"
simplebus1 at simplebus0: "internal-regs"
mvclock0 at simplebus1
mvclock1 at simplebus1
mvclock2 at simplebus1
mvpinctrl0 at simplebus1
syscon0 at simplebus1: "syscon"
mvpinctrl1 at simplebus1
agintc0 at simplebus1 shift 4:3 nirq 224 nredist 2 ipi: 0, 1:
"interrupt-contro"
mvspi0 at simplebus1
mvuart0 at simplebus1
mvneta0 at simplebus1
mvneta0: Ethernet address 94:83:c4:03:b0:d9
mvmdio0 at simplebus1
xhci0 at simplebus1, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev
3.00/1.001
"usb" at simplebus1 not configured
"u3d" at simplebus1 not configured
"udc" at simplebus1 not configured
"xor" at simplebus1 not configured
sdhc0 at simplebus1
sdhc0: SDHC 3.0, 400 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, ddr52, dma
sdhc1 at simplebus1
sdhc1: SDHC 3.0, 400 MHz base clock
sdmmc1 at sdhc1: 8-bit, sd high-speed, mmc high-speed, ddr52, dma
"sata" at simplebus1 not configured
mvkpcie0 at simplebus0
mvkpcie0: timeout
"regulator" at mainbus0 not configured
scsibus0 at sdmmc1: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  removable
sd0: 7456MB, 512 bytes/sector, 15269888 sectors
scsibus1 at sdmmc0: 2 targets, initiator 0
sd1 at scsibus1 targ 1 lun 0:  removable
sd1: 30436MB, 512 bytes/sector, 62333952 sectors
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
bootfile: sd0a:/bsd
boot device: sd0
root on sd1a (9e51f250b602291d.a) swap on sd1b dump on sd1b
WARNING: CHECK AND RESET THE DATE!
Automatic boot in progress: starting file system checks.
/dev/sd1a (9e51f250b602291d.a): file system is clean; not checking
9e51f250b602291d.i: 6 files, 16034 free (8017 clusters)
pf enabled
starting network
reordering libraries: done.
starting early daemons: syslogd pflogd ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd smtpd sndiod.
starting local daemons: cron.
Mon Jan 11 15:54:21 AEDT 2021

OpenBSD/arm64 (brume.dtucker.net) (console)




Re: sshd: no IP address in error msg?

2021-03-16 Thread Darren Tucker
On Sun, 14 Mar 2021 at 07:43, Claus Assmann  wrote:
>
> My authlog file contains entries like this:
> sshd[89023]: error: kex_exchange_identification: banner line contains invalid 
> characters
> but I can't find the IP address of the host which triggered this
> by looking for more log entries of sshd with the same pid.

What version are you using?  At least -current has some additional
standardized logging that should include the source address and port:

kex_exchange_identification: banner line contains invalid characters
banner exchange: Connection from 127.0.0.1 port 21285: invalid format




Re: Problem with SSH Internet traffic outgoing endpoint with dynamic port forwarding

2019-07-11 Thread Darren Tucker
On Thu, 11 Jul 2019 at 20:55, morgan.loner  wrote:
[...]
> What was missing? Please advice.

Suggestions:
 - run "ssh -vvv" to crank up the ssh client's verbosity, you should
see the port forward requests (or not, if ssh is not seeing them for
some reason).
 - test with nc -x as the socks client to an IP address as well as
domain name.  The test to an IP address will remove the DNS variable.




Re: RS-232 serial to ethernet

2019-04-09 Thread Darren Tucker
On Tue, 9 Apr 2019 at 02:14, LÉVAI Dániel  wrote:

> [...]
> It basically should be able convert the serial port to TCP/IP
> networking. Is this something anyone else has used before -- or if you
> know something similar, I'm really interested!
>

I use a gl.inet GL-AR150 (US$24 on dx.com) running openwrt with a USB RS232
adapter.  Pro: it supports ssh (including key auth), can use wifi to avoid
cabling, can add a USB hub so you can support multiple serial ports (I don't)
and it's small and low powered enough to velcro to the back of the machine
and power from its USB port.  Con: a bit more involved setup (I use it with
conserver).  Happy to share setup details if you want to go this route (off
list since it's veering off-topic).

If you wanted to stick with a similar but pure OpenBSD solution you could
look at something like an Orange Pi Lite (US$20) but you'd have to add
parts (microsd card, case) so it'd probably cost more (and the onboard
wifi isn't supported so if you wanted wifi you'd have to add a USB one).



Re: Broken links on https://www.openssh.com/goals.html

2019-04-04 Thread Darren Tucker
On Thu, 4 Apr 2019 at 20:18, Alex Naumov  wrote:
> it seems some links on the goals page [1] are broken.
> Please check links to:
> * RSA
> * DSA
> * HD

Looks like the man pages have been restructured since those links were
created.  I've pointed them at the existing man pages for the existing
functions pending a better solution.  The change should be live
shortly.

Thanks.




Re: ssh -Y behaviour change

2018-09-12 Thread Darren Tucker
On 12 September 2018 at 16:13, Solene Rapenne  wrote:
[...]
> I think you are supposed to use ssh -XY when using a remote X11 app.

Nope, both -X and -Y enable ForwardX11, but -Y also enables
ForwardX11Trusted.  Unfortunately I don't see anything in the OpenSSH
7.7->7.8 changelog (https://www.openssh.com/txt/release-7.8) that
would explain the observed change in behaviour.

$ egrep -C2 "'(X|Y)'" ssh.c
		options.forward_x11 = 0;
		break;
	case 'X':
		options.forward_x11 = 1;
		break;
--
		config_test = 1;
		break;
	case 'Y':
		options.forward_x11 = 1;
		options.forward_x11_trusted = 1;




Re: Two Factor Authentication Prompt

2018-08-13 Thread Darren Tucker
On 10 August 2018 at 07:24, Gav  wrote:
[about login_ldap+login_oauth]
> I can successfully have a user authenticate with either (switching the
> login class). However, is it possible to use both as consecutive login
> prompts?

I'm not sure about how to configure it on the login.conf side, but
sshd's ChallengeResponseAuthentication/keyboard-interactive does
support that.  You can ensure you are using that on the client side by
adding "-o PreferredAuthentication=keyboard-interactive" on the client
side or disabling PasswordAuthentication in sshd_config.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: IPQoS values in sshd

2018-08-07 Thread Darren Tucker
On 8 August 2018 at 05:29, Mik J  wrote:
> Does anyone know what lowdelay and throughput mean for the IPQoS parameter?
> To what DSCP do these words correspond?

From https://www.openssh.com/specs.html, which documents the most
recent release: they're the values specified in RFC1349, the first of
the dozen or so attempts to specify the meaning of those few bits
(RFCs 2474, 2597, 2598, 3168, 3246, 3260, 3662, 4301, 4594, 5865 and
8325).

> I did a capture when writing ls in my terminal and I see DSCP=cs0.
> I would have expected something else.

The default values have been changed in -current but that change has
not yet made it to a release.  From
https://man.openbsd.org/ssh_config.5: "The default is af21
(Low-Latency Data) for interactive sessions and cs1 (Lower Effort) for
non-interactive sessions."

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: SSH segfault when SendEnv is used in .ssh/config

2018-06-13 Thread Darren Tucker
On 10 June 2018 at 17:43, Tom Murphy  wrote:
>   I upgraded to the June 9th snapshot and noticed ssh segfaults
> when I make connections. After a bit of checking in my .ssh/config,
> I discovered the SendEnv directive is making it segfault. Not sure
> if it has to do with the changes made 2 days ago?

This may have been fixed:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c?rev=1.291&content-type=text/x-cvsweb-markup

If not, could you please share the fragment of your config that triggers it?

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Best testcases for SSHD when fuzzing with afl?

2018-05-06 Thread Darren Tucker
On 5 May 2018 at 21:50, Hess THR  wrote:
[...]
> But the question: does anybody have more? Or better? Any idea how to have 
> more and better quality testcases?

https://anongit.mindrot.org/openssh-fuzz-cases.git/

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Disabling message CRCs in SSHD

2018-04-28 Thread Darren Tucker
On 28 April 2018 at 03:20, Hess THR  wrote:
> Based on the:
>
> http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html
>
> I tried to search for these code pieces (I know he was using openbsd-compat 
> and not the original OpenSSH code) but didn't find it, didn't even find 
> similar for disabling message CRCs:

Short answer: It's gone, you can ignore that part.

Long answer: CRC32 was the message integrity method for SSH Protocol
v1 and the last of the SSH1 code was removed[0] in the 7.6 release[1]
(in part because CRC32 is a weak integrity guarantee compared to a proper
MAC).

[0] https://github.com/openssh/openssh-portable/commit/3d6d09f2
[1] https://www.openssh.com/releasenotes.html#7.6

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
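As an added example of why a CRC is "a weak integrity guarantee compared to a proper MAC" (my code, not anything from OpenSSH or the old SSH1 sources): a CRC is affine over GF(2), so for two messages of equal length crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros). The check value of a modified message is therefore predictable from public data alone, with no secret involved, which is exactly what a keyed MAC such as the hmac-* methods in SSH2 prevents. The CRC below is the standard IEEE CRC-32; SSH1's checksum was a CRC-32 variant of the same family and shares the property. Function names and sample messages are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t
crc32_ieee(const unsigned char *buf, size_t len)
{
	uint32_t crc = 0xFFFFFFFFu;
	size_t i;
	int k;

	for (i = 0; i < len; i++) {
		crc ^= buf[i];
		for (k = 0; k < 8; k++)
			crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
	}
	return ~crc;
}

/*
 * Check the affine identity crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros)
 * for two equal-length strings.  Returns 1 when it holds (it always does
 * for a correct CRC), 0 when it does not, -1 for unequal lengths.
 * A MAC keyed with a secret has no relation of this kind.
 */
int
crc32_is_affine(const char *a, const char *b)
{
	unsigned char x[128], z[128];
	size_t n = strlen(a), i;

	if (n != strlen(b) || n > sizeof(x))
		return -1;	/* identity only makes sense for equal lengths */
	for (i = 0; i < n; i++) {
		x[i] = (unsigned char)a[i] ^ (unsigned char)b[i];
		z[i] = 0;
	}
	return crc32_ieee(x, n) ==
	    (crc32_ieee((const unsigned char *)a, n) ^
	    crc32_ieee((const unsigned char *)b, n) ^ crc32_ieee(z, n));
}

int
main(void)
{
	/* "123456789" is the standard CRC-32 check input; the rest is constructed. */
	const unsigned char check[] = "123456789";

	printf("crc32(\"123456789\") = 0x%08x\n", crc32_ieee(check, 9));
	printf("affine identity holds for two constructed messages: %d\n",
	    crc32_is_affine("put file-a.txt", "get file-b.txt"));
	return 0;
}
```

The defender's takeaway is the one the thread draws: integrity needs a keyed MAC (or an AEAD cipher), not a checksum, however wide.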



Re: kernel relink segfaults on ALIX

2018-04-19 Thread Darren Tucker
On 19 April 2018 at 16:52, Jan Stary  wrote:
> This is a fresh upgrade of current/i386 on an ALIX 2D3.
> Upon start, kernel relinking fails, with relink.log saying:

Do you have any swap configured?  Relinking takes a reasonable amount
of ram and the ALIX doesn't have a lot.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: What's the inc. SSH conn. launch seq., rel. to login.conf rlimit enforcement?

2018-03-21 Thread Darren Tucker
On 20 March 2018 at 14:11, Tinker  wrote:
> Hi,
>
> When connecting to SSHD and authenticating as a user, in what sequence
> are various processes launched (shell / shell with "-l" argument / sshd
> child / login(1)), and in particular, at what stage are login.conf
> settings enforced into the process context by login(1)?

The general rule of thumb is that whatever must be run as root is,
everything else is done after privileges have been dropped.

sshd didn't use login(1) unless UseLogin was set, and that was removed
in the 7.4 release.

> I would guess this is what's described by the "LOGIN PROCESS" section
> in the sshd(8) man page:
>
>  * A child SSHD process is spawned already at connect time, meaning
>prior to step 1,

right.

>  * Steps 1 up to 4 are run as root by the sshd child,
>
>  * login(1) is execve:ed at step "4. Changes to run with normal user
>privileges.", and it will

login isn't used at all.  On OpenBSD, sshd calls the equivalent
functions in session.c:do_setusercontext().  On other platforms
exactly what happens varies depending on platform and configuration
but it's roughly the same.

[...]
> * execve /bin/sh (or sshd??) to perform the remaining steps (5-9)

Steps 5-9 are done by sshd.

>
>  * The user's shell (without "-l") is execve:ed in step 9.
>
> http://man.openbsd.org/sshd.8#LOGIN_PROCESS
> http://man.openbsd.org/login.conf.5
>
> Also I'd guess it should be a similar process for SFTP

sftp works approximately the same as a shell except sftp-server is
exec'ed instead of the shell.

>, telnet

telnetd is no longer supported but I think it always exec'ed login(1).

> other authenticated services.

Can't speak to those.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: ssh from cisco to OpenBSD 6.2 error status 0

2017-12-28 Thread Darren Tucker
On 28 December 2017 at 21:45, Marko Cupać  wrote:
[...]

> I saw this in auth.log:
> Protocol major versions differ for 192.168.223.1 port 45187:
> SSH-2.0-OpenSSH_7.6 vs. SSH-1.99-Cisco-1.25
>

That's a bug in the Cisco implementation.  RFC4253 section 4.2 says the
protocol version MUST be 2.0.  Section 5.1 defines "1.99" as a backward
compatibility alias for servers that speak both 1.5 and 2.0 protocols, but
it is not specified for a client.  sshd used to accept it but it probably
shouldn't have (see https://bugzilla.mindrot.org/show_bug.cgi?id=2810).

> I started passing different cipher options to ssh client on cisco, and
> finally managed to connect to OpenBSD 6.2 with:
>
> ssh -v 2 -c aes256-ctr -m hmac-sha1-160 IP.ADD.RE.SS
>

On Unix systems you can put the equivalent Ciphers and MACs directives into
~/.ssh/config under a Host for that device to save you having to remember
it.  I don't know if your Cisco has any equivalent.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
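The 4.2/5.1 distinction above is easy to get wrong in a banner check, so here is an added example (mine, not OpenSSH's code) of a strict identification-line check that accepts "1.99" only where the RFC allows it, that is when we are the client reading a server's banner, and reports a version mismatch when a client sends it. The enum and function names are hypothetical, and the sample lines are constructed from the auth.log entry quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Outcomes of checking a peer's identification line (RFC 4253 section 4.2). */
enum ident_result {
	IDENT_OK = 0,			/* "SSH-2.0-..." as required */
	IDENT_COMPAT_199 = 1,		/* "SSH-1.99-..." from a server, per 5.1 */
	IDENT_BAD_FORMAT = -1,		/* not SSH-proto-software[ SP comments] */
	IDENT_VERSION_MISMATCH = -2,	/* not 2.0 (or 1.99 sent by a client) */
	IDENT_TOO_LONG = -3		/* over 255 chars including CR LF */
};

/* protoversion and softwareversion: printable US-ASCII, no whitespace. */
static int
printable_nospace(const char *s)
{
	for (; *s != '\0'; s++)
		if ((unsigned char)*s < 0x21 || (unsigned char)*s > 0x7e)
			return 0;
	return 1;
}

/*
 * Check one identification line from the peer.  peer_is_server is 1 when
 * we are the client reading the server's banner, 0 when we are the server
 * reading the client's.  If software is non-NULL the softwareversion field
 * is copied there (e.g. for the log line).
 */
int
check_ident_line(const char *line, int peer_is_server,
    char *software, size_t softlen)
{
	char buf[300];
	size_t n = strlen(line);
	char *proto, *soft, *p;

	if (n > 255)
		return IDENT_TOO_LONG;
	memcpy(buf, line, n + 1);
	/* Strip the terminator; tolerate a bare LF as OpenSSH does. */
	while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r'))
		buf[--n] = '\0';

	if (strncmp(buf, "SSH-", 4) != 0)
		return IDENT_BAD_FORMAT;
	proto = buf + 4;
	if ((p = strchr(proto, '-')) == NULL || p == proto)
		return IDENT_BAD_FORMAT;
	*p = '\0';
	soft = p + 1;
	/* Optional comments follow a single SP and are ignored here. */
	if ((p = strchr(soft, ' ')) != NULL)
		*p = '\0';
	if (*soft == '\0' || !printable_nospace(proto) ||
	    !printable_nospace(soft))
		return IDENT_BAD_FORMAT;
	if (software != NULL)
		snprintf(software, softlen, "%s", soft);

	if (strcmp(proto, "2.0") == 0)
		return IDENT_OK;
	/* 5.1: "1.99" is only defined for a server that speaks 1.x and 2.0. */
	if (strcmp(proto, "1.99") == 0 && peer_is_server)
		return IDENT_COMPAT_199;
	return IDENT_VERSION_MISMATCH;
}

int
main(void)
{
	/* Constructed banners modelled on the auth.log entry in the thread. */
	const char *banners[] = {
		"SSH-2.0-OpenSSH_7.6\r\n",
		"SSH-1.99-Cisco-1.25\r\n",
		"HTTP/1.1 200 OK\r\n",
	};
	char sw[64];
	size_t i;

	for (i = 0; i < sizeof(banners) / sizeof(banners[0]); i++) {
		sw[0] = '\0';
		printf("as server: %3d  as client: %3d  software=%s\n",
		    check_ident_line(banners[i], 0, sw, sizeof(sw)),
		    check_ident_line(banners[i], 1, NULL, 0), sw);
	}
	return 0;
}
```

Run as a server-side check the Cisco line comes back as IDENT_VERSION_MISMATCH, which is the "Protocol major versions differ" situation in the log; run as a client-side check it is accepted under the 5.1 alias.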


Re: NTP issue on Lanner FW-7526B

2017-12-08 Thread Darren Tucker
On 9 December 2017 at 09:40, Christian Weisgerber wrote:

> On 2017-12-08, Darren Tucker  wrote:
>
> > If your hardware doesn't have a clock (or the clock is bad) then it can
> > take ntpd a long time to adjust it back to the correct time (it uses
> > adjtime(), which I think adjusts at +/- 10%).
>
> Actually, 5000 parts per million, so 0.5%.
>

ntp_update_second(int64_t *adjust)
[...]
	if (adjtimedelta > 0)
		adj = MIN(5000, adjtimedelta);
	else
		adj = MAX(-5000, adjtimedelta);

I sit corrected :-).

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Re: NTP issue on Lanner FW-7526B

2017-12-08 Thread Darren Tucker
On 9 December 2017 at 01:58, mabi  wrote:
>
> I have a new Lanner FW-7526B firewall loaded with OpenBSD 6.2. I must say
> it's a nice small firewall but unfortunately the ntp daemon does not seem
> to manage to set the time correctly with this hardware. The time is off by
> approximately 1:20h and every 2-3 minutes I see the following log entries:
>

If your hardware doesn't have a clock (or the clock is bad) then it can
take ntpd a long time to adjust it back to the correct time (it uses
adjtime(), which I think adjusts at +/- 10%).  You can avoid this long
convergence by telling ntpd to step to the correct time on startup
(although this won't step after startup, so it requires that your NTP
servers be reachable at boot time).

$ grep ntp /etc/rc.conf.local
ntpd_flags="-s"

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread Darren Tucker
On 28 September 2017 at 06:32, mabi  wrote:
> Thanks for the pointer regarding SNI not being supported in relayd. I will go 
> on and find another solution, probably HAproxy.

For a small number of domains it would probably be feasible to get a
single certificate with multiple SANs.  Letsencrypt at least supports
this as long as all of the domains map (or can be made to map) to the
place requesting the certificate.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Portable OpenSSH 7.5p1 with LibreSSL 2.6.1 fails

2017-09-07 Thread Darren Tucker
On 7 September 2017 at 16:35, Heiko  wrote:
> Hello,
>
> ./config for Portable OpenSSH 7.5p1 with LibreSSL 2.6.1 fails on Debian
> Linux:

As per https://www.openssh.com/report.html this query would be better
directed to the portable list openssh-unix-...@mindrot.org.  Please
send any followups there.

> checking OpenSSL header version... not found
> configure: error: OpenSSL version header not found.

This means the little test program in configure either failed to build
and run or did not produce the expected output.  The exact reason will
be in config.log (although you may have to scroll back a way to find
it).  A common cause of this is not having added the new lib directory
to the runtime linker config via ldconfig(8).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: OpenSSH logging and MaxAuthTries

2017-03-19 Thread Darren Tucker
On Sun, Mar 19, 2017 at 11:47 PM, Lars Noodén  wrote:
> Looking at a recent snapshot, see dmesg at the bottom, I have two
> questions about OpenSSH logging.
>
> 1) The entry in sshd_config(5) for MaxAuthTries states the following
> about log entries:
>
>  ...  Once the number of failures reaches half this
>  value, additional failures are logged.  The default is 6.
>
> Yet the logging of failures seems to occur these days from the very first
> try.
> Has this behavior changed?

No, but it's always logged password attempts regardless of whether or
not you've got to MaxAuthTries/2:

$ cvs annotate auth.c | grep -C2 max_auth
Annotations for auth.c
***
1.13 (markus   18-Jan-01):  if (authenticated == 1 ||
1.13 (markus   18-Jan-01):  !authctxt->valid ||
1.54 (dtucker  23-May-04):  authctxt->failures >= options.max_authtries / 2 ||
1.13 (markus   18-Jan-01):  strcmp(method, "password") == 0)
1.47 (itojun   08-Apr-03):  authlog = logit;


> 2) The client gets disconnected before MaxAuthTries is reached.  If I
> have it set to 6, I get only 5 tries:

Your log level isn't high enough to see it, but I suspect you have a
failed pubkey attempt before the password attempts.  You should be
able to see it if you add "-vvv" to the command line.

[...]
> Is there any way to get the full number of MaxAuthTries log in attempts?

Assuming my guess above is correct, PreferredAuthentications=password

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
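As an added illustration of both answers (this is my model, not OpenSSH's code; the function names and the attempt sequences are constructed): the logging condition annotated above, plus the per-connection failure counter that triggers the disconnect once it reaches MaxAuthTries. Running the reporter's scenario, one failed publickey attempt followed by password attempts with MaxAuthTries 6, shows why only five password prompts appear and why every one of them is logged at the default level.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of the auth.c condition quoted above: a failed attempt is logged
 * at "info" (logit) rather than "verbose" when any of these hold.
 */
int
auth_logged_at_info(int authenticated, int valid, int failures,
    int max_authtries, const char *method)
{
	return authenticated == 1 || !valid ||
	    failures >= max_authtries / 2 ||
	    strcmp(method, "password") == 0;
}

/*
 * Simulate a client that fails every attempt.  seq is a constructed
 * string with one character per attempt: 'K' = publickey, 'p' = password,
 * 'i' = keyboard-interactive.  Each failure bumps the counter and sshd
 * disconnects once it reaches MaxAuthTries (a model of userauth_finish(),
 * which logs before counting the failure).  Returns the number of
 * password attempts the client got to make; *info_logs receives how many
 * attempts were logged at "info".  Returns -1 on an unknown letter.
 */
int
simulate_failed_auths(const char *seq, int max_authtries, int *info_logs)
{
	int failures = 0, password_tries = 0, logged = 0;
	const char *method = NULL;

	for (; *seq != '\0'; seq++) {
		switch (*seq) {
		case 'K': method = "publickey"; break;
		case 'p': method = "password"; break;
		case 'i': method = "keyboard-interactive"; break;
		default: return -1;
		}
		if (auth_logged_at_info(0, 1, failures, max_authtries, method))
			logged++;
		if (strcmp(method, "password") == 0)
			password_tries++;
		if (++failures >= max_authtries)
			break;	/* too many authentication failures: dropped */
	}
	if (info_logs != NULL)
		*info_logs = logged;
	return password_tries;
}

/* Scalar wrappers for one-line checks. */
int
password_tries_allowed(const char *seq, int max_authtries)
{
	return simulate_failed_auths(seq, max_authtries, NULL);
}

int
info_log_lines(const char *seq, int max_authtries)
{
	int logs = 0;

	(void)simulate_failed_auths(seq, max_authtries, &logs);
	return logs;
}

int
main(void)
{
	printf("K then passwords, MaxAuthTries 6: %d password tries, %d info lines\n",
	    password_tries_allowed("Kpppppp", 6), info_log_lines("Kpppppp", 6));
	printf("passwords only,   MaxAuthTries 6: %d password tries, %d info lines\n",
	    password_tries_allowed("pppppp", 6), info_log_lines("pppppp", 6));
	printf("pubkeys only,     MaxAuthTries 6: %d password tries, %d info lines\n",
	    password_tries_allowed("KKKKKK", 6), info_log_lines("KKKKKK", 6));
	return 0;
}
```

The pubkey-only run is the case the sshd_config(5) text describes: the first three failures are only visible at a verbose log level, and logging at "info" starts once the counter reaches MaxAuthTries/2. Password failures never get that grace period, which is worth knowing when tuning brute-force detection on auth.log.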



panic: rw_enter: netlock locking against myself (NFS related?)

2017-02-08 Thread Darren Tucker
   0x80  mfsidl    mount_mfs
 95554  163307      0      0  3     0x14200  pgzero    zerothread
 32466  276221      0      0  3     0x14200  aiodoned  aiodoned
  2040  346712      0      0  3     0x14200  syncer    update
 68632  214983      0      0  3     0x14200  cleaner   cleaner
 32975  192724      0      0  3     0x14200  reaper    reaper
 80353  431894      0      0  3     0x14200  pgdaemon  pagedaemon
 19644  238730      0      0  3     0x14200  bored     bfd
  8400  177792      0      0  3     0x14200  bored     crynlk
 88703  341462      0      0  3     0x14200  bored     crypto
 82731  207716      0      0  3     0x14200  pftm      pfpurge
 54415  346439      0      0  3     0x14200  bored     viomb
 39436      37      0      0  3  0x40014200  acpi0     acpi0
 69614   24706      0      0  3     0x14200  bored     softnet
 65266  358625      0      0  3     0x14200  bored     systqmp
 78420   65487      0      0  3     0x14200  bored     systq
 25519  499550      0      0  3  0x40014200  bored     softclock
 67706  213188      0      0  3  0x40014200            idle0
     1  179173      0      0  3        0x82  wait      init
     0       0     -1      0  3     0x10200  scheduler swapper
ddb>
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: pledging a portable program

2017-01-16 Thread Darren Tucker
On Tue, Jan 17, 2017 at 6:05 AM, Jordon  wrote:
> What is the “official" way to pledge(2) a portable program?

OpenSSH Portable checks for the presence of pledge in configure
(https://anongit.mindrot.org/openssh.git/tree/configure.ac#n1715) and
if not found defines a no-op pledge function
(https://anongit.mindrot.org/openssh.git/tree/openbsd-compat/bsd-misc.c#n282)

The advantage of doing it this way is that the mainline code is
unchanged and so does not add additional maintenance burden (ie merge
conflicts).  It also provides a hook for alternative implementation
mechanisms although there are no drop-in replacements at the moment.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
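The configure-plus-no-op approach described above, as an added example rather than OpenSSH's own openbsd-compat code: HAVE_PLEDGE is derived from the platform here instead of from configure's probe, the shim and the function names are this example's own, and the input is a constructed temp file. The worker is written once and compiles unchanged on both sides; what changes is only whether the kernel enforces the promises, which pledge_enforced() lets a program report so an operator knows when the sandbox is advisory only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * configure would normally define HAVE_PLEDGE after probing for pledge(2);
 * for a stand-alone build this example derives it from the platform.
 */
#if defined(__OpenBSD__) && !defined(HAVE_PLEDGE)
#define HAVE_PLEDGE 1
#endif

#ifndef HAVE_PLEDGE
/*
 * Compat shim: where pledge(2) does not exist the call succeeds and does
 * nothing, so the mainline code below needs no #ifdefs.  It also enforces
 * nothing, which is why pledge_enforced() exists.
 */
static int
pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/* 1 when pledge(2) is the real system call, 0 when the shim is in use. */
int
pledge_enforced(void)
{
#ifdef HAVE_PLEDGE
	return 1;
#else
	return 0;
#endif
}

/*
 * Mainline code written once for both cases: the caller opens everything
 * first, then this drops to "stdio" so a later bug in the parsing loop
 * can no longer open files or sockets.  Counts newlines in an open stream.
 */
int
count_lines_pledged(FILE *f)
{
	int c, lines = 0;

	if (pledge("stdio", NULL) == -1) {
		perror("pledge");
		return -1;
	}
	while ((c = getc(f)) != EOF)
		if (c == '\n')
			lines++;
	return lines;
}

/* Constructed 3-line input in a temp file; created before any pledge. */
int
demo_count(void)
{
	FILE *f = tmpfile();	/* file creation happens before promises shrink */
	int n;

	if (f == NULL)
		return -1;
	fputs("first line\nsecond line\nthird line\n", f);
	rewind(f);
	n = count_lines_pledged(f);
	fclose(f);
	return n;
}

int
main(void)
{
	printf("pledge enforced by kernel: %s\n",
	    pledge_enforced() ? "yes" : "no (no-op shim)");
	printf("lines counted under \"stdio\": %d\n", demo_count());
	return 0;
}
```

The ordering matters more than the shim: promises can only be narrowed, so every resource the pledged phase needs (files, sockets, the log descriptor) must be acquired before the call.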



Re: Hardware recommendations for compact 1U firewall

2016-12-18 Thread Darren Tucker
On Sat, Dec 17, 2016 at 1:08 PM, Damian McGuckin  wrote:
[...]
> What is the max throughput people have seen on these?
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?

I doubt it.

I did some work[1] on the vr driver on a pcengines ALIX, which has
very similar hardware (500MHz Geode CPUs and VT6105M ethernet chips).
The most I got through it for a TCP stream was 85MBit/s routing only.
It had CPU to spare, so I suspect the limitation was either the chip
or the driver.

The VT6105M doesn't have any receive-side interrupt mitigation (and
OpenBSD doesn't have a polling mode) so I suspect it'd be easy to DoS
it with tiny packets.  As long as that's not happening, there's
probably enough CPU to run PF.

Depending on your use case and environment this may or may not be good
enough.   If you do try it I'd be interested in hearing the result.

[1] http://undeadly.org/cgi?action=article&sid=20130201054156

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: unknown hostname on ssh tunnel end causes 'administratively prohibited: open failed'

2016-11-23 Thread Darren Tucker
els.h
===
RCS file: /cvs/src/usr.bin/ssh/channels.h,v
retrieving revision 1.120
diff -u -p -r1.120 channels.h
--- channels.h  18 Oct 2016 17:32:54 -  1.120
+++ channels.h  24 Nov 2016 04:36:58 -
@@ -272,7 +272,8 @@ void channel_update_permitted_opens(int
 voidchannel_clear_permitted_opens(void);
 voidchannel_clear_adm_permitted_opens(void);
 voidchannel_print_adm_permitted_opens(void);
-Channel*channel_connect_to_port(const char *, u_short, char *, char *);
+Channel*channel_connect_to_port(const char *, u_short, char *, char *, 
int *,
+char **);
 Channel *channel_connect_to_path(const char *, char *, char *);
 Channel*channel_connect_stdio_fwd(const char*, u_short, int, int);
 Channel*channel_connect_by_listen_address(const char *, u_short,
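Review bot: the two new parameters on channel_connect_to_port() (`int *`, `char **`) are unnamed and undocumented in the prototype, and the header is the only place most callers will see them; name them as the serverloop.c caller does (`int *reason, char **errmsg`) and state who owns the string returned through `char **`, since that caller initialises it to NULL and hands it straight to packet_put_cstring() without any free.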
Index: serverloop.c
===
RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
retrieving revision 1.187
diff -u -p -r1.187 serverloop.c
--- serverloop.c23 Oct 2016 22:04:05 -  1.187
+++ serverloop.c24 Nov 2016 04:36:58 -
@@ -423,7 +423,7 @@ server_input_keep_alive(int type, u_int3
 }
 
 static Channel *
-server_request_direct_tcpip(void)
+server_request_direct_tcpip(int *reason, char **errmsg)
 {
Channel *c = NULL;
char *target, *originator;
@@ -442,11 +442,12 @@ server_request_direct_tcpip(void)
if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
!no_port_forwarding_flag) {
c = channel_connect_to_port(target, target_port,
-   "direct-tcpip", "direct-tcpip");
+   "direct-tcpip", "direct-tcpip", reason, errmsg);
} else {
logit("refused local port forward: "
"originator %s port %d, target %s port %d",
originator, originator_port, target, target_port);
+   *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
}
 
free(originator);
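Review bot: in the refused branch `*reason` is set to SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED but `*errmsg` is never touched, while the connect branch delegates both to channel_connect_to_port(); this silently depends on the caller having pre-set `errmsg` to NULL (server_input_channel_open() does), so either document that precondition above server_request_direct_tcpip() or add `*errmsg = NULL;` in the else branch so the function is safe for any caller.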
@@ -563,8 +564,8 @@ static int
 server_input_channel_open(int type, u_int32_t seq, void *ctxt)
 {
Channel *c = NULL;
-   char *ctype;
-   int rchan;
+   char *ctype, *errmsg = NULL;
+   int rchan, reason = SSH2_OPEN_CONNECT_FAILED;
u_int rmaxpack, rwindow, len;
 
ctype = packet_get_string(&len);
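Review bot: the new default `reason = SSH2_OPEN_CONNECT_FAILED` changes the failure code sent for every channel type other than direct-tcpip (session, direct-streamlocal, tun and the unknown-type case), which until now all reported SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED, as the removed hard-coded packet_put_int() in the last hunk shows; if that is intended it belongs in the commit message, otherwise keep ADMINISTRATIVELY_PROHIBITED as the default and let only server_request_direct_tcpip() override it.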
@@ -578,7 +579,7 @@ server_input_channel_open(int type, u_in
if (strcmp(ctype, "session") == 0) {
c = server_request_session();
} else if (strcmp(ctype, "direct-tcpip") == 0) {
-   c = server_request_direct_tcpip();
+   c = server_request_direct_tcpip(&reason, &errmsg);
} else if (strcmp(ctype, "direct-streamlo...@openssh.com") == 0) {
c = server_request_direct_streamlocal();
} else if (strcmp(ctype, "t...@openssh.com") == 0) {
@@ -601,9 +602,9 @@ server_input_channel_open(int type, u_in
debug("server_input_channel_open: failure %s", ctype);
packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(rchan);
-   packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
+   packet_put_int(reason);
    if (!(datafellows & SSH_BUG_OPENFAILURE)) {
-   packet_put_cstring("open failed");
+   packet_put_cstring(errmsg ? errmsg : "open failed");
packet_put_cstring("");
}
packet_send();
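Review bot: `errmsg` is sent with packet_put_cstring() but nothing in this hunk releases it afterwards; if channel_connect_to_port() hands back a heap-allocated string this leaks once per failed open, and failed opens are driven by client requests, so add `free(errmsg);` after packet_send() (harmless when it is NULL) or document that the string is static.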

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Serverkeybits, protocol 2

2016-11-02 Thread Darren Tucker
On Thu, Nov 3, 2016 at 8:14 AM, Jonathan Paquet wrote:

> Ok, so for protocol 2, what is used by default?


There is no exact equivalent of ServerKeyBits in ssh Protocol 2.

In Protocol 1 the server generates an ephemeral RSA key that is
ServerKeyBits in size when it starts up, and regenerates it every ~1h if it
has been used.  That key is used to encrypt the SSH session key sent to the
client.

In Protocol 2 the session key is derived from a Diffie-Hellman[1] exchange
at the beginning of each connection, which produces a shared secret that
both sides contribute to but neither controls.

> > The minimum key encryption that we want to allow is 1024, and the version
> > of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.

Short answer: OpenSSH's Protocol 2 doesn't support anything weaker than
1024 bits.

Long answer:

The absolute minimum strength key exchange in the SSHv2 spec is
diffie-hellman-group1-sha1, which is specified as 1024 bits.  It is
considered weak and has been disabled by default since OpenSSH 7.0.  There
is another set of Diffie-Hellman algorithms where the server picks the
group (diffie-hellman-group-exchange-sha{1,256}) and in OpenSSH those are
picked from the moduli file.  OpenSSH hasn't ever shipped a moduli file
with groups <1k bits, 1k bit groups were removed around 7.0 as well, then
1.5kbit groups some time later.

[1] Actually there are several supported key exchange algorithms (see
KexAlgorithms in sshd_config(8)), and exactly which one gets used will
depend on what the client and server support and/or have enabled.  They all
have the same security properties, though.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: serial input line not working

2016-09-21 Thread Darren Tucker
On Thu, Sep 22, 2016 at 12:29 PM, Peer Janssen  wrote:
> # cu -d -l cua00 -s 9600
> cu: open("/dev/cua00"): Device not configured
> # cu
> cu: open("/dev/cua00"): Device not configured

I have an ALIX 2d[something] and on it, the serial ports show up as com devices:

$ dmesg | egrep '^com'
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

I notice that the com devices are missing from your dmesg output,
though.  Maybe it's not enabled in the BIOS?  I see
http://pcengines.ch/alix3d3.htm has "fix serial port" against the most
recent firmware version...

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: usb disk dirty after every reboot

2016-09-19 Thread Darren Tucker
On Tue, Sep 20, 2016 at 1:43 AM, Jan Stary  wrote:
>
> This is current/i386 on an ALIX.1E (dmesg below).
> I have an USB disk connected for /backup.
>
> Upon every reboot, the filesystem on that disk is dirty:
> WARNING: R/W mount of /backup denied.  Filesystem is not clean - run fsck


I saw something similar on an APU where the root disk was on
(USB-attached) sdcard:
http://marc.info/?l=openbsd-misc&m=144237305322074&w=2

It seems to be a race.  There used to be a 4sec pause in the kernel
that was removed:

"""
Remove 4 second delay on reboot/shutdown that was added 8 years
ago to "workaround MP timeout/splhigh/scsi race at reboot time".
"""

> It seems that it does not get properly umounted when shutting down.
> I added 'umount /backup' to my rc.shutdown and that works around it.
>
> However, what could be causing this?

I suspect your addition to the shutdown script makes the unmount early
enough that it has time to complete whatever operation it's trying to
complete.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: PC Engines APU NIC (RTL8111E) performance

2016-08-09 Thread Darren Tucker
phy1 at re1 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb2 at pci0 dev 6 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
re2 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), 
msi, address 00:0d:b9:31:30:76
rgephy2 at re2 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x40: apic 2 int 19, AHCI 
1.2
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct 
fixed naa.
sd0: 30029MB, 512 bytes/sector, 6150 sectors, thin
ohci0 at pci0 dev 18 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18, 
version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
ohci1 at pci0 dev 19 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18, 
version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI SBx00 SMBus" rev 0x42: polling
iic0 at piixpm0
pcib0 at pci0 dev 20 function 3 "ATI SB700 ISA" rev 0x40
ppb3 at pci0 dev 20 function 4 "ATI SB600 PCI" rev 0x40
pci4 at ppb3 bus 4
ohci2 at pci0 dev 20 function 5 "ATI SB700 USB" rev 0x00: apic 2 int 18, 
version 1.0, legacy support
ppb4 at pci0 dev 21 function 0 "ATI SB800 PCIE" rev 0x00
pci5 at ppb4 bus 5
ohci3 at pci0 dev 22 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18, 
version 1.0, legacy support
ehci2 at pci0 dev 22 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb2 at ehci2: USB revision 2.0
uhub2 at usb2 "ATI EHCI root hub" rev 2.00/1.00 addr 1
pchb1 at pci0 dev 24 function 0 "AMD AMD64 14h Link Cfg" rev 0x43
pchb2 at pci0 dev 24 function 1 "AMD AMD64 14h Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 14h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 14h Misc Cfg" rev 0x00
pchb4 at pci0 dev 24 function 4 "AMD AMD64 14h CPU Power" rev 0x00
pchb5 at pci0 dev 24 function 5 "AMD AMD64 14h Reserved" rev 0x00
pchb6 at pci0 dev 24 function 6 "AMD AMD64 14h NB Power" rev 0x00
pchb7 at pci0 dev 24 function 7 "AMD AMD64 14h Reserved" rev 0x00
usb3 at ohci0: USB revision 1.0
uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci1: USB revision 1.0
uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x52
usb5 at ohci2: USB revision 1.0
uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb6 at ohci3: USB revision 1.0
uhub6 at usb6 "ATI OHCI root hub" rev 1.00/1.00 addr 1
umass0 at uhub2 port 1 configuration 1 interface 0 "Generic Flash Card 
Reader/Writer" rev 2.01/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0:  SCSI2 0/direct 
removable serial.058f6366058F63666485
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (2b4cdf5e1e14b9e7.a) swap on sd0b dump on sd0b
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: PC Engines APU NIC (RTL8111E) performance

2016-08-08 Thread Darren Tucker
On Fri, Aug 05, 2016 at 11:56:15AM +1000, Darren Tucker wrote:
> On Thu, Aug 04, 2016 at 02:46:44PM +0200, Momtchil Momtchev wrote:
> [...]
> > What is the problem with software interrupt moderation? That it has a
> > fixed timer while the hardware one scales with the RX rate?
> 
> The hardware moderation can do per-N-packets in addition to a timer.
> 
> > This shouldn't
> > halve the performance? It should be more like 10% to 15% and some latency
> > benefit? I have also noticed that the TX rate is higher than the RX rate
> > (about 320 Mbit/s vs 260 Mbit/s). Could it be that the FreeBSD driver uses
> > MSI interrupts and the OpenBSD one does not?
> 
> Dunno.  If I knew what the cause was I'd have fixed it :-(

Hey, I might have found it.  From my other diff:

> +  * According to the Linux driver, supposedly:
> +  * (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets

however in the header the RXTIME/TXTIME macros didn't match that:

>  #define RL_IM_RXTIME(t)  ((t) & 0xf)
> +#define RL_IM_RXPKTS(t)  (((t) & 0xf) << 4)
>  #define RL_IM_TXTIME(t)  (((t) & 0xf) << 8)
> +#define RL_IM_TXPKTS(t)  (((t) & 0xf) << 12)
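Review bot: the new RL_IM_RXPKTS()/RL_IM_TXPKTS() macros follow the existing RL_IM_RXTIME()/RL_IM_TXTIME() placement (timer in bits 0-3 and 8-11, packet count in bits 4-7 and 12-15), which is the transpose of the `(TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets` layout the quoted comment attributes to the Linux driver; only one of the two can be right, so whichever layout the iperf run below confirmed should be the one the macro names describe, with the other comment corrected, or the next reader will hit the same mismatch.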

so assuming the comment was correct, I wasn't actually setting the holdoff
timers :-(

A quick test with this diff (just routing through it, no PF, no pool
debug) gives me:

$ iperf -c host -i 10 -t 60

Client connecting to nfs, TCP port 5001
TCP window size: 43.8 KByte (default)

[  3] local 192.168.32.1 port 43092 connected with 192.168.33.44 port
5001
[ ID] Interval   Transfer Bandwidth
[  3]  0.0-10.0 sec   803 MBytes   674 Mbits/sec
[  3] 10.0-20.0 sec   844 MBytes   708 Mbits/sec
[  3] 20.0-30.0 sec   876 MBytes   735 Mbits/sec
[  3] 30.0-40.0 sec   915 MBytes   768 Mbits/sec
[  3] 40.0-50.0 sec   929 MBytes   779 Mbits/sec
[  3] 50.0-60.0 sec   917 MBytes   769 Mbits/sec
[  3]  0.0-60.0 sec  5.16 GBytes   739 Mbits/sec

Index: dev/ic/re.c
===
RCS file: /cvs/src/sys/dev/ic/re.c,v
retrieving revision 1.192
diff -u -p -r1.192 re.c
--- dev/ic/re.c 20 Apr 2016 12:15:24 -  1.192
+++ dev/ic/re.c 9 Aug 2016 00:52:45 -
@@ -747,7 +747,7 @@ re_attach(struct rl_softc *sc, const cha
sc->rl_flags |= RL_FLAG_PHYWAKE | RL_FLAG_PHYWAKE_PM |
RL_FLAG_PAR | RL_FLAG_DESCV2 | RL_FLAG_MACSTAT |
RL_FLAG_CMDSTOP | RL_FLAG_AUTOPAD | RL_FLAG_JUMBOV2 |
-   RL_FLAG_WOL_MANLINK;
+   RL_FLAG_WOL_MANLINK | RL_FLAG_HWIM;
sc->rl_max_mtu = RL_JUMBO_MTU_9K;
break;
case RL_HWREV_8168E_VL:
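Review bot: RL_FLAG_HWIM is enabled for just the one hardware-revision case that precedes `case RL_HWREV_8168E_VL:`, and the case label itself is outside the hunk; the commit message should name that revision and say whether the other 8168 variants that share re_setup_hw_im() are left on simulated moderation deliberately or simply because they were not tested.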
@@ -821,13 +821,19 @@ re_attach(struct rl_softc *sc, const cha
/* Reset the adapter. */
re_reset(sc);
 
-   sc->rl_tx_time = 5; /* 125us */
-   sc->rl_rx_time = 2; /* 50us */
-   if (sc->rl_flags & RL_FLAG_PCIE)
-   sc->rl_sim_time = 75;   /* 75us */
-   else
-   sc->rl_sim_time = 125;  /* 125us */
-   sc->rl_imtype = RL_IMTYPE_SIM;  /* simulated interrupt moderation */
+   if (sc->rl_flags & RL_FLAG_HWIM) {
+   /* hardware interrupt moderation */
+   sc->rl_imtype = RL_IMTYPE_HW;
+   sc->rl_tx_time = 5; /* 125us */
+   sc->rl_rx_time = 2; /* 50us */
+   } else {
+   /* simulated interrupt moderation */
+   sc->rl_imtype = RL_IMTYPE_SIM;
+   if (sc->rl_flags & RL_FLAG_PCIE)
+   sc->rl_sim_time = 75;   /* 75us */
+   else
+   sc->rl_sim_time = 125;  /* 125us */
+   }
 
if (sc->sc_hwrev == RL_HWREV_8139CPLUS)
sc->rl_bus_speed = 33; /* XXX */
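Review bot: `sc->rl_tx_time` and `sc->rl_rx_time` used to be set unconditionally and are now only set inside the RL_FLAG_HWIM branch, so on the simulated-moderation path they stay at their zero-initialised value; if anything on that path, or a later fallback from HW to SIM, reads them this is a silent behaviour change, so either keep the two assignments above the `if` or note in the message that only re_setup_hw_im() consumes them.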
@@ -2233,6 +2239,8 @@ re_stop(struct ifnet *ifp)
 void
 re_setup_hw_im(struct rl_softc *sc)
 {
+   u_int16_t im;
+
KASSERT(sc->rl_flags & RL_FLAG_HWIM);
 
/*
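Review bot: `u_int16_t im;` is declared here but nothing in this hunk uses it; the use belongs to the later hunk of re_setup_hw_im(), which is cut off on this page, so if the two are ever applied separately the compiler will warn about an unused variable. Declaring it in the same hunk that assigns it avoids that.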
@@ -2258,11 +2266,15 @@ re_setup_hw_im(struct rl_softc *sc)
 * Currently we only know how to set 'timer', but not
 * 'number of packets', which should be ~30, as far as I
 * tested (sink ~900Kpps, interrupt rate is 30KHz)
-*/
-   CSR_WRITE_2(sc, RL_IM,
-   RL_IM_RXTIME(sc->rl_rx_time) |
-   RL_IM_TXTIME(sc->rl_tx_time) |
-   RL_IM_MAGIC);
+*
+* According to the Linux driver, supposedly:
+* (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets
+* Linux uses hard coded 0x5151.
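Review bot: the hunk ends mid-comment on this page: the three `-` lines remove the CSR_WRITE_2(sc, RL_IM, ...) call built from RL_IM_RXTIME()/RL_IM_TXTIME()/RL_IM_MAGIC, but the replacement write is not visible, so what is finally written to RL_IM, and whether it matches the `(TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets` layout the new comment attributes to the Linux driver, cannot be checked from the diff; also `Linux uses hard coded 0x5151` should name the driver file that value comes from so the next person can verify it.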

Re: PC Engines APU NIC (RTL8111E) performance

2016-08-04 Thread Darren Tucker
On Thu, Aug 04, 2016 at 02:46:44PM +0200, Momtchil Momtchev wrote:
[...]
> What is the problem with software interrupt moderation? That it has a
> fixed timer while the hardware one scales with the RX rate?

The hardware moderation can do per-N-packets in addition to a timer.

> This shouldn't
> halve the performance? It should be more like 10% to 15% and some latency
> benefit? I have also noticed that the TX rate is higher than the RX rate
> (about 320 Mbit/s vs 260 Mbit/s). Could it be that the FreeBSD driver uses
> MSI interrupts and the OpenBSD one does not?

Dunno.  If I knew what the cause was I'd have fixed it :-(

> PS. On the APU my interrupt rate is about 6000 IRQ/s when doing 320
> MBit/s, this is one IRQ every 165us or one IRQ for about 3 or 4 packets. I
> will make rl_sim_time tunable and I will test if it affects performance.

I dug up my patch.  If you're experimenting, making the value used to
set the RL_IM register tunable then seeing what impact various values
have on throughput would be interesting.

Index: dev/ic/re.c
===
RCS file: /cvs/src/sys/dev/ic/re.c,v
retrieving revision 1.192
diff -u -p -r1.192 re.c
--- dev/ic/re.c 20 Apr 2016 12:15:24 -  1.192
+++ dev/ic/re.c 5 Aug 2016 00:31:04 -
@@ -747,7 +747,7 @@ re_attach(struct rl_softc *sc, const cha
sc->rl_flags |= RL_FLAG_PHYWAKE | RL_FLAG_PHYWAKE_PM |
RL_FLAG_PAR | RL_FLAG_DESCV2 | RL_FLAG_MACSTAT |
RL_FLAG_CMDSTOP | RL_FLAG_AUTOPAD | RL_FLAG_JUMBOV2 |
-   RL_FLAG_WOL_MANLINK;
+   RL_FLAG_WOL_MANLINK | RL_FLAG_HWIM;
sc->rl_max_mtu = RL_JUMBO_MTU_9K;
break;
case RL_HWREV_8168E_VL:
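Review bot: RL_FLAG_HWIM is only added in this one hwrev case, so every other chip revision keeps RL_IMTYPE_SIM after the re_attach change in the next hunk, including the RL_HWREV_8168E_VL case that immediately follows. The commit message should say which revision this case covers and why only that one gets hardware moderation (the thread subject is about an RTL8111E), or the flag should be added to the other cases that were tested.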
@@ -821,13 +821,19 @@ re_attach(struct rl_softc *sc, const cha
/* Reset the adapter. */
re_reset(sc);
 
-   sc->rl_tx_time = 5; /* 125us */
-   sc->rl_rx_time = 2; /* 50us */
-   if (sc->rl_flags & RL_FLAG_PCIE)
-   sc->rl_sim_time = 75;   /* 75us */
-   else
-   sc->rl_sim_time = 125;  /* 125us */
-   sc->rl_imtype = RL_IMTYPE_SIM;  /* simulated interrupt moderation */
+   if (sc->rl_flags & RL_FLAG_HWIM) {
+   /* hardware interrupt moderation */
+   sc->rl_imtype = RL_IMTYPE_HW;
+   sc->rl_tx_time = 5; /* 125us */
+   sc->rl_rx_time = 2; /* 50us */
+   } else {
+   /* simulated interrupt moderation */
+   sc->rl_imtype = RL_IMTYPE_SIM;
+   if (sc->rl_flags & RL_FLAG_PCIE)
+   sc->rl_sim_time = 75;   /* 75us */
+   else
+   sc->rl_sim_time = 125;  /* 125us */
+   }
 
if (sc->sc_hwrev == RL_HWREV_8139CPLUS)
sc->rl_bus_speed = 33; /* XXX */
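Review bot: in the RL_FLAG_HWIM branch rl_sim_time is no longer initialised, whereas the removed lines set rl_tx_time, rl_rx_time and rl_sim_time unconditionally; anything that still reads rl_sim_time while rl_imtype is RL_IMTYPE_HW now sees whatever the softc was zeroed to. Either set rl_sim_time in both branches or note in the code that it is unused on the hardware path. The carried-over `/* 125us */` and `/* 50us */` comments beside the values 5 and 2 also only make sense if the unit is 25us, which nothing in the hunk states.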
@@ -2233,6 +2239,8 @@ re_stop(struct ifnet *ifp)
 void
 re_setup_hw_im(struct rl_softc *sc)
 {
+   u_int16_t im;
+
KASSERT(sc->rl_flags & RL_FLAG_HWIM);
 
/*
@@ -2258,11 +2266,15 @@ re_setup_hw_im(struct rl_softc *sc)
 * Currently we only know how to set 'timer', but not
 * 'number of packets', which should be ~30, as far as I
 * tested (sink ~900Kpps, interrupt rate is 30KHz)
-*/
-   CSR_WRITE_2(sc, RL_IM,
-   RL_IM_RXTIME(sc->rl_rx_time) |
-   RL_IM_TXTIME(sc->rl_tx_time) |
-   RL_IM_MAGIC);
+*
+* According to the Linux driver, supposedly:
+* (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets
+* Linux uses hard coded 0x5151.
+*/
+   im = RL_IM_TXTIME(sc->rl_tx_time) | RL_IM_TXPKTS(4) |
+   RL_IM_RXTIME(sc->rl_rx_time)  | RL_IM_RXPKTS(4);
+   printf("setting interrupt moderation %hx\n", im);   /* XXX */
+   CSR_WRITE_2(sc, RL_IM, im);
 }
 
 void
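Review bot: the `printf("setting interrupt moderation %hx\n", im);   /* XXX */` is debug output and should be removed, or turned into a debug-only print, before this is committed. The packet counts are hard-coded as RL_IM_TXPKTS(4) and RL_IM_RXPKTS(4) without explanation, while the comment just above says the count "should be ~30" and that Linux uses 0x5151; with the `(t) & 0xf` mask from rtl81x9reg.h the field cannot hold 30, so either the comment or the macros need a note about the unit or multiplier. Dropping RL_IM_MAGIC (0x5050) also silently changes bits 4-7 and 12-15, which the old write set to 5; worth a sentence in the commit message.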
Index: dev/ic/rtl81x9reg.h
===
RCS file: /cvs/src/sys/dev/ic/rtl81x9reg.h,v
retrieving revision 1.98
diff -u -p -r1.98 rtl81x9reg.h
--- dev/ic/rtl81x9reg.h 20 Apr 2016 12:15:24 -  1.98
+++ dev/ic/rtl81x9reg.h 5 Aug 2016 00:31:04 -
@@ -570,7 +570,9 @@
 
 #define RL_IM_MAGIC0x5050
 #define RL_IM_RXTIME(t)((t) & 0xf)
+#define RL_IM_RXPKTS(t)(((t) & 0xf) << 4)
 #define RL_IM_TXTIME(t)(((t) & 0xf) << 8)
+#define RL_IM_TXPKTS(t)(((t) & 0xf) << 12)
 
 struct rl_chain_data {
u_int16_t   cur_rx;
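Review bot: the bit positions here contradict the layout quoted in the new re.c comment. That comment gives (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets, but these macros put RL_IM_RXPKTS at << 4, RL_IM_TXTIME at << 8 and RL_IM_TXPKTS at << 12, so the timer and packet-count fields are swapped in both halves. One of the two is wrong; confirm against the datasheet or the Linux driver before relying on either, because under the Linux layout the existing RL_IM_RXTIME/RL_IM_TXTIME macros plus RL_IM_MAGIC 0x5050 would have been programming the packet counts and leaving both timers at 5.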

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: PC Engines APU NIC (RTL8111E) performance

2016-08-04 Thread Darren Tucker
On Wed, Aug 3, 2016 at 8:07 PM, Momtchil Momtchev  wrote:
> Does anyone with a working knowledge of re(4) have any idea why the PC
> Engines APU NICs perform so poorly in OpenBSD?

Most likely lack of hardware interrupt moderation in the driver.
There's code in re_setup_hw_im() that looks like it might do something
plausible with the interrupt moderation register but AFAICT it'll
never be called because rl_imtype is always set to "RL_IMTYPE_SIM".

I tried to get hardware interrupt moderation working a while back but
it didn't seem to make a difference (which is probably an indication
that I did something wrong).  I could dig up the patch if you'd like
to try it.

The other thing to be aware of is that if you're following current,
POOL_DEBUG is usually set in your config, which will be quite
expensive when pushing packets.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: sshfs key exchange fails

2016-06-18 Thread Darren Tucker
On Sat, Jun 18, 2016 at 6:11 PM, Dennis Matthiesen
 wrote:
> Hi Darren,
>
> Thanks for the right syntax, sshd is now coming up but the initial problem
> persists. Same picture in the packet capture.

The packet capture didn't make it to the list, the attachment got stripped.

> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group
> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is
> sending a FIN ACK instead.

Try running the server in debug mode (eg "/usr/sbin/sshd -ddde -p 222"
to run it on port 222) and if the reason isn't obvious from the log
please post it to the list.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: sshfs key exchange fails

2016-06-17 Thread Darren Tucker
On Sat, Jun 18, 2016 at 6:08 AM, Dennis Matthiesen
 wrote:
> Thanks Todd, Did a fresh install. Added the following line to sshd_config
> but then sshd won't come up: KexAlgorithms +diffie-hellman-group1-sha1,
> +diffie-hellman-group-exchange-sha1

The first "+" means "append this to the list of accepted algorithms".
The second "+" doesn't mean anything so sshd is trying to parse that
as an algorithm name and failing (this should be obvious from the log
message).  Try:

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1


-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
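The "+" semantics explained above, as an added example that is not OpenSSH's own code: a small C function builds the effective list from a KexAlgorithms-style value, appending after a leading '+' (a value without it replaces the default), and rejects any comma-separated item that is not a known algorithm name, so the second "+..." item in the original line fails exactly as described. The default and supported lists are constructed for the example and shorter than sshd's.

```c
/*
 * Added example, not OpenSSH code: how a KexAlgorithms-style value is
 * turned into an effective algorithm list.  A leading '+' means "append
 * these to the default list"; without it the value replaces the default.
 * Every comma-separated item must be a supported algorithm name, so a
 * second "+name" inside the list is just an unknown algorithm and the
 * whole value is rejected.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example; sshd's real lists are longer. */
static const char *const supported_kex[] = {
	"curve25519-sha256@libssh.org",
	"ecdh-sha2-nistp256",
	"diffie-hellman-group-exchange-sha256",
	"diffie-hellman-group14-sha1",
	"diffie-hellman-group-exchange-sha1",
	"diffie-hellman-group1-sha1",
	NULL
};
static const char default_kex[] =
	"curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
	"diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1";

static int
kex_is_supported(const char *name)
{
	for (const char *const *p = supported_kex; *p != NULL; p++)
		if (strcmp(*p, name) == 0)
			return 1;
	return 0;
}

/* Does the comma-separated list already contain name? */
static int
list_contains(const char *list, const char *name)
{
	size_t n = strlen(name);
	const char *p = list;

	while (*p != '\0') {
		const char *e = strchr(p, ',');
		size_t len = e != NULL ? (size_t)(e - p) : strlen(p);

		if (len == n && strncmp(p, name, n) == 0)
			return 1;
		if (e == NULL)
			break;
		p = e + 1;
	}
	return 0;
}

/*
 * Build the effective list.  Returns a malloc'd string, or NULL if any
 * item is not a supported name; the offending item is then copied into
 * bad (when bad != NULL) so the caller can report it like sshd does.
 */
char *
kex_assemble(const char *value, char *bad, size_t badlen)
{
	int append = value[0] == '+';
	const char *p = append ? value + 1 : value;
	char *out = malloc(strlen(default_kex) + strlen(p) + 2);

	if (out == NULL)
		return NULL;
	if (bad != NULL && badlen > 0)
		bad[0] = '\0';
	strcpy(out, append ? default_kex : "");

	while (*p != '\0') {
		const char *e = strchr(p, ',');
		size_t len = e != NULL ? (size_t)(e - p) : strlen(p);
		char name[128];

		if (len >= sizeof(name))	/* no real name is this long */
			len = sizeof(name) - 1;
		memcpy(name, p, len);
		name[len] = '\0';
		if (len == 0 || !kex_is_supported(name)) {
			if (bad != NULL)
				snprintf(bad, badlen, "%s", name);
			free(out);
			return NULL;
		}
		if (!list_contains(out, name)) {	/* never duplicate */
			if (out[0] != '\0')
				strcat(out, ",");
			strcat(out, name);
		}
		if (e == NULL)
			break;
		p = e + 1;
	}
	return out;
}

int
main(void)
{
	/* The line from the report, the corrected line, and a plain replacement. */
	const char *values[] = {
		"+diffie-hellman-group1-sha1,+diffie-hellman-group-exchange-sha1",
		"+diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1",
		"diffie-hellman-group14-sha1",
	};

	for (size_t i = 0; i < sizeof(values) / sizeof(values[0]); i++) {
		char bad[128];
		char *eff = kex_assemble(values[i], bad, sizeof(bad));

		printf("KexAlgorithms %s\n", values[i]);
		if (eff == NULL) {
			printf("  rejected: bad KEX algorithm \"%s\"\n", bad);
		} else {
			printf("  effective: %s\n", eff);
			free(eff);
		}
	}
	return 0;
}
```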



Re: sshd Connection Failures - 2 June Snapshot (amd64)

2016-06-07 Thread Darren Tucker
On Sun, Jun 5, 2016 at 7:40 AM, Alex Greif  wrote:
[...]
> hash mismatch
> debug1: ssh_rsa_verify: signature incorrect
> key_verify failed for server_host_key

Thanks for the report.  We believe we've identified the problem and
backed out the offending commit in usr.bin/ssh/kexgexs.c rev 1.29.

The original change was this one to kexgexs.c:

revision 1.28
date: 2016/06/01 04:19:49;  author: dtucker;  state: Exp;  lines: +9
-9;  commitid: H7nQMlahTocwHINf;
Check min and max sizes sent by the client against what we support before
passing them to the monitor.  ok djm@

It caused the problem because it modified the value that had already
been sent to the client, so when the client computed the exchange hash
it didn't match what the server computed.

It didn't cause more problems (or fail the regression tests, which I
ran, honest!) because any client that sent a min group size >=
DH_GRP_MIN (2048 since OpenBSD 5.9) didn't cause the min value to
be modified, and any client that preferred another key exchange method
(most recent versions of OpenSSH) never triggered the problem.

Sorry for the inconvenience.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
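The mismatch described above, as an added example that is not OpenSSH's code: both sides must hash the min/n/max values exactly as the client sent them, so a server that clamps the received request in place (the buggy shape) hashes different input from the client, while a server that clamps only a working copy used for group selection (the fixed shape) does not, and a client already at or above DH_GRP_MIN is unaffected either way. FNV-1a stands in for the real hash, DH_GRP_MAX is a constructed value, and the wire serialisation is simplified to the three fields.

```c
/*
 * Added example, not OpenSSH code: why clamping the DH-GEX min/max in
 * place broke the exchange hash.  Client and server both hash the
 * min, n, max values exactly as the client sent them.  The server may
 * clamp what it actually uses to choose a group, but only in a copy.
 * FNV-1a stands in for the real hash; DH_GRP_MAX is made up for the
 * example (DH_GRP_MIN of 2048 is the value the message quotes).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DH_GRP_MIN 2048
#define DH_GRP_MAX 8192		/* constructed for the example */

struct gex_req {
	uint32_t min, n, max;	/* as carried in the group exchange request */
};

static uint32_t
fnv1a32(const unsigned char *buf, size_t len)
{
	uint32_t h = 2166136261u;

	for (size_t i = 0; i < len; i++) {
		h ^= buf[i];
		h *= 16777619u;
	}
	return h;
}

/* Stand-in exchange hash over the three fields, big-endian as on the wire. */
uint32_t
gex_exchange_hash(const struct gex_req *r)
{
	uint32_t v[3] = { r->min, r->n, r->max };
	unsigned char buf[12];

	for (int i = 0; i < 3; i++) {
		buf[4 * i + 0] = (unsigned char)(v[i] >> 24);
		buf[4 * i + 1] = (unsigned char)(v[i] >> 16);
		buf[4 * i + 2] = (unsigned char)(v[i] >> 8);
		buf[4 * i + 3] = (unsigned char)v[i];
	}
	return fnv1a32(buf, sizeof(buf));
}

static uint32_t
clampu(uint32_t v, uint32_t lo, uint32_t hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

/*
 * Buggy shape, modelled on the message's description: the request is
 * clamped in place, so the values hashed differ from what the client
 * sent whenever a clamp actually changed something.
 */
uint32_t
server_hash_buggy(struct gex_req *req, struct gex_req *chosen)
{
	req->min = clampu(req->min, DH_GRP_MIN, DH_GRP_MAX);
	req->max = clampu(req->max, DH_GRP_MIN, DH_GRP_MAX);
	req->n = clampu(req->n, req->min, req->max);
	*chosen = *req;
	return gex_exchange_hash(req);
}

/* Fixed shape: hash the request as received, clamp only the working copy. */
uint32_t
server_hash_fixed(const struct gex_req *req, struct gex_req *chosen)
{
	chosen->min = clampu(req->min, DH_GRP_MIN, DH_GRP_MAX);
	chosen->max = clampu(req->max, DH_GRP_MIN, DH_GRP_MAX);
	chosen->n = clampu(req->n, chosen->min, chosen->max);
	return gex_exchange_hash(req);
}

int
main(void)
{
	/* Constructed: an older client asking for a 1024-bit minimum. */
	struct gex_req client = { 1024, 2048, 8192 };
	struct gex_req copy = client, chosen;
	uint32_t want = gex_exchange_hash(&client);

	printf("client hash   %08x\n", (unsigned)want);
	printf("buggy server  %08x (min became %u)\n",
	    (unsigned)server_hash_buggy(&copy, &chosen), (unsigned)chosen.min);
	printf("fixed server  %08x (group chosen with min %u)\n",
	    (unsigned)server_hash_fixed(&client, &chosen), (unsigned)chosen.min);
	return 0;
}
```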



Re: document the actual meaning of ssh's "command" argument

2016-06-01 Thread Darren Tucker
On Thu, Jun 2, 2016 at 2:06 PM,  wrote:

> On Thu, Jun 02, 2016 at 08:53:49AM +1000, Darren Tucker wrote:
> > > i'm inclined to disagree with this diff, for the following reasons:
> >
> >  - other than the concatenation with spaces, it's not a behaviour of
> ssh(1)
> > but of the server at the other end of the connection, which might use sh
> -c
> > or might do something completely different depending on the server.
>
> The ssh(1) man page is already documenting quite exhaustively the behaviour
> of the server at the other end; it is assumed that you're connecting to
> a real ssh server. If that's not the case, there are a lot of things
> from that man page that do not work (just try ssh -R 0:host:port with a
> dropbear server).
>

That would be dropbear's fault; using zero for the bind port
in tcpip-forward requests is specified in RFC4254 section 7.1.  The
behaviour of "exec" channel requests isn't specified other than the command
being a single string.

A better example of what you're referring to would be the inclusion of
~/.ssh/authorized_keys in the ssh(1) man page.  That's definitely server
side (and dependent) behaviour.  IMO that shouldn't be there either and I
don't think we should be adding more like it.

> And please notice that it's not sh -c as in system(3) or popen(3); if
> you have /foo/bar as your login shell in /etc/passwd, it's /foo/bar -c.
>

Well for sshd(8), if you have a shell specified, sure.  If you don't it'll
use /bin/sh. If you have some other server it might do something
different.  It depends on the server.  I didn't cover every case in my one
sentence reply.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: document the actual meaning of ssh's "command" argument

2016-06-01 Thread Darren Tucker
On Thu, Jun 2, 2016 at 3:53 AM, Jason McIntyre  wrote:
>
> [...]
> i'm inclined to disagree with this diff, for the following reasons:
>

 - other than the concatenation with spaces, it's not a behaviour of ssh(1)
but of the server at the other end of the connection, which might use sh -c
or might do something completely different depending on the server.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: how to submit bug report regarding pf queueing?

2016-03-09 Thread Darren Tucker
On Thu, Mar 10, 2016 at 1:38 AM, Marko Cupać  wrote:
[...]
> queue download on $if_int bandwidth 10M max 10M

What's $if_int set to?

I played with queueing recently and initially used interface group
names instead of interface names ("queue foo on egress ...") since
that's how the rest of my rules are written but while the ruleset
loads fine it doesn't actually do anything because queues must be
assigned to real interface names (quoth pf.conf(5): "The root queue
must specifically reference an interface")

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: APU.1D RealtekRTL8111E

2015-11-02 Thread Darren Tucker
On Mon, Nov 2, 2015 at 12:56 PM, Darren Tucker  wrote:
> Not that I have seen, but I don't know what the limiting factor is.
> iperf will push ~500Mbit/s from userspace (mtu 1500)
[...]
> I also notice dlg just made the following change to sys/dev/ic/re.c
> which will probably make a difference (this change is not on the
> device I tested):

I reran the test with dlg's change and the iperf output rate went up
to ~535Mbit/s with a couple of percent of idle cpu.  I should update
my interrupt mitigation diff and see if that helps further.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: APU.1D RealtekRTL8111E

2015-11-01 Thread Darren Tucker
v 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E
(0x2c00), msi, address 00:0d:b9:31:30:74
rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb1 at pci0 dev 5 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi
pci2 at ppb1 bus 2
re1 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E
(0x2c00), msi, address 00:0d:b9:31:30:75
rgephy1 at re1 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb2 at pci0 dev 6 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
re2 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E
(0x2c00), msi, address 00:0d:b9:31:30:76
rgephy2 at re2 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x40: apic 2 int
19, AHCI 1.2
scsibus1 at ahci0: 32 targets
ohci0 at pci0 dev 18 function 0 "ATI SB700 USB" rev 0x00: apic 2 int
18, version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
ohci1 at pci0 dev 19 function 0 "ATI SB700 USB" rev 0x00: apic 2 int
18, version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI SBx00 SMBus" rev 0x42: polling
iic0 at piixpm0
pcib0 at pci0 dev 20 function 3 "ATI SB700 ISA" rev 0x40
ppb3 at pci0 dev 20 function 4 "ATI SB600 PCI" rev 0x40
pci4 at ppb3 bus 4
ohci2 at pci0 dev 20 function 5 "ATI SB700 USB" rev 0x00: apic 2 int
18, version 1.0, legacy support
ppb4 at pci0 dev 21 function 0 "ATI SB800 PCIE" rev 0x00
pci5 at ppb4 bus 5
ohci3 at pci0 dev 22 function 0 "ATI SB700 USB" rev 0x00: apic 2 int
18, version 1.0, legacy support
ehci2 at pci0 dev 22 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb2 at ehci2: USB revision 2.0
uhub2 at usb2 "ATI EHCI root hub" rev 2.00/1.00 addr 1
pchb1 at pci0 dev 24 function 0 "AMD AMD64 14h Link Cfg" rev 0x43
pchb2 at pci0 dev 24 function 1 "AMD AMD64 14h Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 14h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 14h Misc Cfg" rev 0x00
pchb4 at pci0 dev 24 function 4 "AMD AMD64 14h CPU Power" rev 0x00
pchb5 at pci0 dev 24 function 5 "AMD AMD64 14h Reserved" rev 0x00
pchb6 at pci0 dev 24 function 6 "AMD AMD64 14h NB Power" rev 0x00
pchb7 at pci0 dev 24 function 7 "AMD AMD64 14h Reserved" rev 0x00
usb3 at ohci0: USB revision 1.0
uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci1: USB revision 1.0
uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x52
usb5 at ohci2: USB revision 1.0
uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb6 at ohci3: USB revision 1.0
uhub6 at usb6 "ATI OHCI root hub" rev 1.00/1.00 addr 1
umass0 at uhub2 port 1 configuration 1 interface 0 "Generic Flash Card
Reader/Writer" rev 2.01/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0:  SCSI2
0/direct removable serial.058f6366058F63666485
sd0: 3886MB, 512 bytes/sector, 7959552 sectors
udav0 at uhub3 port 5 configuration 1 interface 0 "Unknown Vendor
RD9700" rev 1.10/1.01 addr 2
udav0: address 00:e0:4c:53:44:58
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (0b606ebc9774a32b.a) swap on sd0b dump on sd0b
WARNING: /mnt was not properly unmounted


-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Sep 13 snapshot doesn't cleanly unmount / on reboot?

2015-09-16 Thread Darren Tucker
On Thu, Sep 17, 2015 at 1:48 AM, Chris Cappuccio  wrote:
>
> Sometime before 5.8 release, a 4 second pause was removed from the shutdown
> path. This must have been giving your USB disk time to finish before the
> reset.
>

Interesting, was that in the rc scripts or the kernel?


> Have you tried stuff like sync;sync;reboot or sync;sync;sleep 2;reboot ?
>

For a sample size of 1 trial each, neither helps.

Also, shouldn't the last-mounted location have been updated to "/" when the
root filesystem got remounted read-write?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Sep 13 snapshot doesn't cleanly unmount / on reboot?

2015-09-15 Thread Darren Tucker
 AMD64 14h Reserved" rev 0x00
pchb6 at pci0 dev 24 function 6 "AMD AMD64 14h NB Power" rev 0x00
pchb7 at pci0 dev 24 function 7 "AMD AMD64 14h Reserved" rev 0x00
usb3 at ohci0: USB revision 1.0
uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci1: USB revision 1.0
uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x52
usb5 at ohci2: USB revision 1.0
uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb6 at ohci3: USB revision 1.0
uhub6 at usb6 "ATI OHCI root hub" rev 1.00/1.00 addr 1
umass0 at uhub2 port 1 configuration 1 interface 0 "Generic Flash Card 
Reader/Writer" rev 2.01/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0:  SCSI2 0/direct 
removable serial.058f6366058F63666485
sd0: 3886MB, 512 bytes/sector, 7959552 sectors
udav0 at uhub3 port 5 configuration 1 interface 0 "Unknown Vendor RD9700" rev 
1.10/1.01 addr 2
udav0: address 00:e0:4c:53:44:58
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (0b606ebc9774a32b.a) swap on sd0b dump on sd0b
WARNING: /mnt was not properly unmounted
Automatic boot in progress: starting file system checks.
/dev/sd0a (0b606ebc9774a32b.a): FREE BLK COUNT(S) WRONG IN SUPERBLK (SALVAGED)
/dev/sd0a (0b606ebc9774a32b.a): 148615 files, 1630100 used, 308347 free (47619 
frags, 32591 blocks, 2.5% fragmentation)
/dev/sd0a (0b606ebc9774a32b.a): MARKING FILE SYSTEM CLEAN
setting tty flags
kern.bufcachepercent: 20 -> 70
kern.pool_debug: 1 -> 0
net.inet.ip.forwarding: 0 -> 1
hw.perfpolicy: manual -> auto
starting network
starting early daemons: syslogd(failed) ntpd(failed).
starting RPC daemons:.
savecore: /dev/sd0b: Device not configured
checking quotas: done.
clearing /tmp
starting pre-securelevel daemons:.
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd smtpd(failed) sndiod.
starting local daemons: cron.
Tue Sep 15 20:21:38 MDT 2015

OpenBSD/amd64 (apu.dtucker.net) (tty00)

login: 

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



sparc64 panic: IOMMU overwrite with vr(4) under load

2015-05-28 Thread Darren Tucker
trap+0x19c
ddb> ps
   PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
 16365  25652  16365500  30x83  thrsleep  iperf
* 1785  25652  16365500  7   0x403iperf
 23364  25652  16365500  2   0x403iperf
 25652  14049  25652500  30x8b  pause ksh
 14049  27404  27404500  30x90  selectsshd
 27404  24028  27404  0  30x92  poll  sshd
 26196  1  26196 77  30x90  poll  dhclient
 27374  1  27374  0  30x80  poll  dhclient
 10066  13625  10066500  30x83  ttyin ksh
 13625  15818  15818500  30x90  selectsshd
 15818  24028  15818  0  30x92  poll  sshd
  3825  1   3825  0  30x83  ttyin getty
  7668  1   7668  0  30x80  poll  cron
 24028  1  24028  0  30x80  selectsshd
   412  1412  0  30x80  poll  ntpd
 14694   6288  14694 83  30x90  poll  ntpd
  6288  1   6288 83  30x90  poll  ntpd
 24714  12631  12631 74  30x90  bpf   pflogd
 12631  1  12631  0  30x80  netio pflogd
76  32265  32265 73  20x90syslogd
 32265  1  32265  0  30x80  netio syslogd
 31185  0  0  0  2 0x14200zerothread
   814  0  0  0  3 0x14200  aiodoned  aiodoned
 31718  0  0  0  3 0x14200  syncerupdate
  7143  0  0  0  3 0x14200  cleaner   cleaner
 10923  0  0  0  3 0x14200  reaperreaper
  2288  0  0  0  3 0x14200  pgdaemon  pagedaemon
  7775  0  0  0  3 0x14200  bored crypto
  3555  0  0  0  3 0x14200  pftm  pfpurge
  6871  0  0  0  3 0x14200  usbtskusbtask
 13170  0  0  0  3 0x14200  usbatsk   usbatsk
 15447  0  0  0  3 0x14200  bored sensors
  1989  0  0  0  2 0x14200softnet
  9001  0  0  0  3 0x14200  bored systqmp
 17203  0  0  0  3 0x14200  bored systq
 28833  0  0  0  3  0x40014200idle0
 26016  0  0  0  3 0x14200  kmalloc   kmthread
 1  0  1  0  30x82  wait  init
 0 -1  0  0  3 0x10200  scheduler swapper
ddb> boot reboot
extent `psycho0 dvma' (0xc000 - 0xe000), flags=2
extent_free: start 0xc00b4000, end 0xc00b9fff
panic: extent_free: region not found
kdb breakpoint at 155ef04
Stopped at  Debugger+0x8:   nop
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> 
rebooting

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: OpenSSH and Android

2015-05-07 Thread Darren Tucker
On Thu, May 7, 2015 at 11:19 PM, Kevin Chadwick  wrote:

> So nevermind, connectbot will have to do for now unless someone has a
> cluestick to hand.
>

What gcc version was that?  Anyway...

openbsd-compat/openbsd-compat.h:217:22:
error: expected identifier or '(' before numeric constant
# define mblen(x, y) 1

The obvious thing to try would be to change that to:

# define mblen(x, y) (1)

(BTW openssh-unix-...@mindrot.org is the best place to get help with
portable OpenSSH.  See http://www.openssh.com/report.html for details.)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: WinSCP clients unable to connect to recent amd64 -current

2015-05-05 Thread Darren Tucker
On Tue, May 5, 2015 at 3:02 PM,  wrote:

> On 5/4/2015 at 9:39 PM, "Darren Tucker"  wrote:
> >Please try this patch on your server.
>
[...]

> We upgrade from snapshots, and don't have the source installed, so we
> can't easily check this patch.
>

I have committed the patch and it should be in the next snapshot.

> However, your response prompted us to look again into the WinSCP options,
> and under Advanced Site Settings > SSH > Key exchange, there is the ability
> to reorder the preferred key exchange algorithms.
>

You could probably work around it by removing
diffie-hellman-group-exchange-sha1 from KexAlgorithms in sshd_config (but
that'd also disable it for clients that do it properly).

> Preferring "D-H group 14" before "D-H group exchange" allows the client to
> connect.  If D-H group exchange is obsolete then the fix should really be
> applied to WinSCP?
>

DH Group Exchange is not obsolete, but WinSCP is using an obsolete form of
it that was never standardized.  Right now we're blacklisting all versions
of WinSCP from DH-GEX but if someone can tell us which versions have the
problem and which future ones won't then we can restrict the blacklist.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: WinSCP clients unable to connect to recent amd64 -current

2015-05-04 Thread Darren Tucker
On Mon, May 04, 2015 at 09:23:53PM -0700, lawgi...@nym.hush.com wrote:
> We follow -current on amd64, upgrading about once a month.

Thanks!

[...]
> debug1: Client protocol version 2.0; client software version 
> WinSCP_release_5.7.2
[...]
> Hm, kex protocol error: type 30 seq 1 [preauth]

Message type 30 is the pre-RFC4419 group exchange message.  Since
RFC4419 was published nearly 10 years ago support for the
non-standardized message was recently removed from OpenSSH.

> What did we break and how can we fix it?

Please try this patch on your server.

Index: compat.c
===
RCS file: /cvs/src/usr.bin/ssh/compat.c,v
retrieving revision 1.91
diff -u -p -r1.91 compat.c
--- compat.c4 May 2015 06:10:48 -   1.91
+++ compat.c5 May 2015 04:33:04 -
@@ -177,6 +177,7 @@ compat_datafellows(const char *version)
  "TTSSH/2.70*,"
  "TTSSH/2.71*,"
  "TTSSH/2.72*",SSH_BUG_HOSTKEYS },
+   { "WinSCP*",SSH_OLD_DHGEX },
        { NULL, 0 }
};
 

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Alix, pppoe(VDSL), extremely low upload speed

2015-03-09 Thread Darren Tucker
On Fri, Oct 10, 2014 at 6:23 AM, Mark Patruck  wrote:

> I'm running 5.6-current on a Alix 2c3. The box is connected
> via pppoe(4) and VDSL 50Mbit down/10Mbit up - max-mss is set
> to 1440.
>
> Running a few speed tests, i get almost always > 50.000kbit/s
> down, but not more than 400-600kbit/s up.
>

I just found this message looking for something else but it reminded me of
something I found with my ALIX recently: for some reason it had
autonegotiated with the (dlink) switch as half-duplex while the switch
thought it was full.  Nailing the speed to 100/full in the hostname.vr?
files resulted in the speed going back up to what I expected (about 85
mbit/s).  If you are still having problems you might want to check that out.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: panic on beaglebone black with sdcard with no partitions

2015-01-05 Thread Darren Tucker
On Mon, Jan 5, 2015 at 9:14 PM, Darren Tucker  wrote:
[..]

> sd0 at scsibus0 targ 1 lun 0:  SCSI2 0/direct fixed
> sd0: 7580MB, 512 bytes/sector, 15523840 sectors
> scsibus1 at sdmmc1: 2 targets, initiator 0
> sd1 at scsibus1 targ 1 lun 0:  SCSI2 0/direct fixed
> sd1: 1832MB, 512 bytes/sector, 3751936 sectors
>

Never mind, I think I see why: I have the default firmware boot order
(external sdcard then internal sdcard) and they are being detected in that
order, making the root disk sd1 rather than sd0 as the kernel expects.  I
guess I need to figure out how to change that.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



panic on beaglebone black with sdcard with no partitions

2015-01-05 Thread Darren Tucker
-
 0: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
 1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
 2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
 3: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
fdisk: 1> fdisk: eof

# disklabel -E sd1
Label editor (enter '?' for help at any prompt)
> p
OpenBSD area: 0-3451136; size: 3451136; free: 3451136
#                size           offset  fstype [fsize bsize   cpg]
  c:          3451136                0  unused
>

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Packet Filter router i368 vs 64bit

2014-12-10 Thread Darren Tucker
On Sat, Dec 6, 2014 at 9:25 AM, Stuart Henderson 
wrote:
>
> Linux developers were seeing higher throughput (though obviously higher
> cpu usage) when offload was disabled. Apparently the checksum offload
> can't pipeline. I'm not sure if vlan hw tagging was also implicated.
> IIRC there were more details in an old lkml post.
>

I think I found the one you are referring to:
http://lkml.iu.edu/hypermail/linux/kernel/0712.3/1199.html

I can't test this at the moment since the hardware is on the other side of
the planet, but I might give this a spin when I get a chance.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Packet Filter router i368 vs 64bit

2014-12-02 Thread Darren Tucker
On Fri, Nov 28, 2014 at 6:32 PM, Blaise Hizded  wrote:
>
> I run the previous generation ALIX 2D13 with OpenBSD 5.6 on it for a
> home firewall with 10MB WAN broadband and 100MB between computers.
> All is fine: low temperature, low consumption, same speed as with a
> basic 100MBB switch.
>

I spent some time tuning the vr(4) driver on ALIX a while back[1], and in
my experience the throughput maxes out at around 85 Mbit/s of TCP (ie
iperf) traffic through it.  I don't know what the limiting factor is, but
it's not CPU.  My guess is it's the checksum offload hardware in the chips,
in which case doing those in software would be faster at the cost of using
more CPU, but I never tested this theory.

[1] http://undeadly.org/cgi?action=article&sid=20130201054156

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: panic on qemu Sep 10 kernel

2014-09-20 Thread Darren Tucker
On Sun, Sep 21, 2014 at 12:10:06AM +1000, Darren Tucker wrote:
> On Sat, Sep 20, 2014 at 11:41:38PM +1000, Darren Tucker wrote:
> > This is qemu/kvm on a linux host.  It has previously worked fine.
> > There's a similar panic in the mp kernel which I can also capture if
> > it'll help.
> 
> I was able to bring it up in single-user enough to ifconfig the network
> up, cvs up and build a kernel and reproduce the panic with -current.

Removing iscsid from /etc/rc allows it to come up normally and running
iscsid provokes the panic:

# iscsid
# uvm_fault(0xd0ba3ac0, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at  scsi_plug_detach+0x12:  movl0x18(%eax),%edx


-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: panic on qemu Sep 10 kernel

2014-09-20 Thread Darren Tucker
On Sat, Sep 20, 2014 at 11:41:38PM +1000, Darren Tucker wrote:
> This is qemu/kvm on a linux host.  It has previously worked fine.
> There's a similar panic in the mp kernel which I can also capture if
> it'll help.

I was able to bring it up in single-user enough to ifconfig the network
up, cvs up and build a kernel and reproduce the panic with -current.

booting hd0a:/bsd: 9826364+1062060 [72+404160+397896]=0xb263d4
entry point at 0x200120

[ using 802540 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2014 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.6-current (GENERIC) #5: Sun Sep 21 00:02:11 AEST 2014
dtucker@:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: QEMU Virtual CPU version 1.0 ("GenuineIntel" 686-class) 2.67 GHz
cpu0: 
FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,PGE,CMOV,MMX,FXSR,SSE,SSE2,SS,SSE3,VMX,CX16,LAHF,PERF
real mem  = 536367104 (511MB)
avail mem = 515198976 (491MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xfd4cf, SMBIOS 
rev. 2.4 @ 0xf19c0 (10 entries)
bios0: vendor Bochs version "Bochs" date 01/01/2011
bios0: Bochs Bochs
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
mpbios at bios0 function 0x0 not configured
bios0: ROM list: 0xc/0x9000 0xc9000/0xa00 0xca000/0x2400 0xe9800/0x6800!
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: irq 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 4 function 0 "Qumranet Virtio Network" rev 0x00: Virtio 
Network Device
vio0 at virtio0: address 52:54:00:f6:02:ea
virtio0: irq 11
virtio1 at pci0 dev 5 function 0 "Qumranet Virtio Storage" rev 0x00: Virtio 
Block Device
vioblk0 at virtio1
scsibus2 at vioblk0: 2 targets
sd0 at scsibus2 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 16384MB, 512 bytes/sector, 33554432 sectors
virtio1: irq 10
virtio2 at pci0 dev 6 function 0 "Qumranet Virtio Memory" rev 0x00: Virtio 
Memory Balloon Device
viomb0 at virtio2
virtio2: irq 10
virtio3 at pci0 dev 7 function 0 "Qumranet Virtio Storage" rev 0x00: Virtio 
Block Device
vioblk1 at virtio3
scsibus3 at vioblk1: 2 targets
sd1 at scsibus3 targ 0 lun 0:  SCSI3 0/direct fixed
sd1: 16384MB, 512 bytes/sector, 33554432 sectors
virtio3: irq 11
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 1: density unknown
nvram: invalid checksum
vscsi0 at root
scsibus4 at vscsi0: 256 targets
softraid0 at root
scsibus5 at softraid0: 256 targets
root on sd0a (1afc9f32ece695a9.a) swap on sd0b dump on sd0b
clock: unknown CMOS layout
/etc/rc: no closing quote
Automatic boot in progress: starting file system checks.
/dev/rsd0a: file system is clean; not checking

/dev/rsd1a: 652784 files, 3280489 used, 4881422 free (220318 frags, 582638 
blocks, 2.7% fragmentation)
/dev/rsd1a: MARKING FILE SYSTEM CLEAN
setting tty flags
pf enabled
ddb.console: 0 -> 1
kern.splassert: 1 -> 2
starting network
/etc/netstart: no closing quote
WARNING: /etc/hostname.vio0 is insecure, fixing permissions
starting early daemons: syslogd unbound(failed) iscsiduvm_fault(0xd0ba3ac0, 
0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at  scsi_plug_detach+0x12:  movl0x18(%eax),%edx
ddb> trace
scsi_plug_detach(d5d4f000,0,0,0,) at scsi_plug_detach+0x12
taskq_thread(d0b3f120) at taskq_thread+0x30
Bad frame pointer: 0xd0d28e08
ddb> ps
   PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
 23286   1161  25586  0  2 0x1   

panic on qemu Sep 10 kernel

2014-09-20 Thread Darren Tucker
92000,0,0,0,) at scsi_plug_detach+0x12
taskq_thread(d0b3f120) at taskq_thread+0x30
Bad frame pointer: 0xd0d28e08
ddb> ps
   PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
 28090  24652  10655  0  2 0x1sh
 24652  10942  10655  0  30x8b  pause sh
 10942  10655  10655  0  30x8b  pause sh
 10061   8486   8486 73  20x90syslogd
  8486  1   8486  0  30x80  netio syslogd
 10655  1  10655  0  30x8b  pause sh
 12265  0  0  0  3 0x14200  aiodoned  aiodoned
 16597  0  0  0  3 0x14200  syncerupdate
  5807  0  0  0  3 0x14200  cleaner   cleaner
 13248  0  0  0  3 0x14200  reaperreaper
 13444  0  0  0  3 0x14200  pgdaemon  pagedaemon
 24669  0  0  0  3 0x14200  bored crypto
 18072  0  0  0  3 0x14200  pftm  pfpurge
  9197  0  0  0  3 0x14200  bored viomb
   809  0  0  0  3  0x40014200  acpi0 acpi0
 27407  0  0  0  3 0x14200  bored systqmp
* 1365  0  0  0  7 0x14200systq
 25722  0  0  0  3 0x14200  bored syswq
 10704  0  0  0  3  0x40014200idle0
 25159  0  0  0  3 0x14200  kmalloc   kmthread
     1      0  1  0  20x82init
 0 -1  0  0  3 0x10200  scheduler swapper
ddb> 

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: sshd segfaults with incomplete /etc/hosts

2014-05-12 Thread Darren Tucker
On Mon, May 12, 2014 at 04:39:57PM -0400, Darren Tucker wrote:
> Indeed.  It looks like a bug in the libc resolver rather than sshd, though.
>  I've been kinda busy recently so I haven't kept up with recent changes so
> I'm not sure exactly what's changed in there.  Looks like it should be
> readily reproducible outside of sshd with a call to getnameinfo().

It's a null pointer deref.  Without understanding the surrounding code,
the following naive diff fixes it for me.

Eric?

Index: libc/asr/gethostnamadr_async.c
===
RCS file: /cvs/src/lib/libc/asr/gethostnamadr_async.c,v
retrieving revision 1.28
diff -u -p -r1.28 gethostnamadr_async.c
--- libc/asr/gethostnamadr_async.c  26 Mar 2014 18:13:15 -  1.28
+++ libc/asr/gethostnamadr_async.c  12 May 2014 20:46:54 -
@@ -577,6 +577,8 @@ hostent_set_cname(struct hostent_ext *h,
name = buf;
}
 
+   if (name == NULL)
+   return (-1);
n = strlen(name) + 1;
if (h->pos + n >= h->end)
    return (-1);
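Review bot: the check is placed right before `n = strlen(name) + 1;`, which is the crash site shown in the backtrace elsewhere in this thread (strlen(str=0x0) called from hostent_set_cname at line 580), so it does stop the fault; but returning -1 makes an address-only hosts line indistinguishable from the buffer-exhaustion case tested on the very next lines (`if (h->pos + n >= h->end) return (-1);`), and whether the caller then skips just that entry or fails the whole lookup is not visible in the hunk. Consider rejecting a hosts line that has no name where the file is tokenised, so hostent_set_cname() is never handed a NULL name, or, if NULL is an intended input, add a comment saying so and make the caller treat this -1 as "no name" rather than as an error.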

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: sshd segfaults with incomplete /etc/hosts

2014-05-12 Thread Darren Tucker
On Sun, May 11, 2014 at 10:41 PM, Seth Hanford  wrote:

> While working on consolidating some firewalls, I ended up creating an
> incomplete /etc/hosts file entry. One line of that file was simply an IP
> address:
> 192.168.100.25
>
> Upon ssh from that host (.25) to my sshd server (192.168.100.4), the
> sshd on .4 segfaulted. Log output of /usr/sbin/sshd included below.
>
> It appears as if line 71 of canohost.c is not properly handling this
> hosts entry. I verified this on another host that I had at the same
> patch level & which I hadn't been messing around with. (all it took was
> to add the IP to /etc/hosts and 'pkill -HUP sshd')
>
> Obviously my /etc/hosts was wrong, but it seems like sshd shouldn't
> segfault here.

[...]

Indeed.  It looks like a bug in the libc resolver rather than sshd, though.
I've been kinda busy recently so I haven't kept up with recent changes so
I'm not sure exactly what's changed in there.  Looks like it should be
readily reproducible outside of sshd with a call to getnameinfo().

$ sudo gdb -q --args /usr/sbin/sshd -r -ouseprivilegeseparation=no -ddd -p
2022
(gdb) run
Starting program: /usr/sbin/sshd -r -ouseprivilegeseparation=no -ddd -p 2022
[...]
Program received signal SIGSEGV, Segmentation fault.
strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43
43  for (s = str; *s; ++s)
(gdb) bt
#0  strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43
#1  0x0154422d in hostent_set_cname (h=0x88f4f800, name=0x0,
isdname=Variable "isdname" is not available.
)
at /usr/src/lib/libc/asr/gethostnamadr_async.c:580
#2  0x01544a65 in gethostnamadr_async_run (as=0x86bef800, ar=0xcfbcc68c)
at /usr/src/lib/libc/asr/gethostnamadr_async.c:452
#3  0x01558e13 in asr_run (as=0x86bef800, ar=0xcfbcc68c)
at /usr/src/lib/libc/asr/asr.c:199
#4  0x01541acf in getnameinfo_async_run (as=0x83012d00, ar=0xcfbcc68c)
at /usr/src/lib/libc/asr/getnameinfo_async.c:157
#5  0x01558e13 in asr_run (as=0x83012d00, ar=0xcfbcc68c)
at /usr/src/lib/libc/asr/asr.c:199
#6  0x01558e87 in asr_run_sync (as=0x83012d00, ar=0xcfbcc68c)
at /usr/src/lib/libc/asr/asr.c:224
#7  0x0154178b in getnameinfo (sa=0xcfbcc854, salen=16, host=0xcfbccdb0 "",
    hostlen=256, serv=0x0, servlen=0, flags=8)
at /usr/src/lib/libc/asr/getnameinfo.c:47


-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
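The backtrace shows strlen() being handed a NULL name because the address-only /etc/hosts line produced an entry with no canonical name. The following Python stand-in for that code path is an added illustration, not OpenBSD's libc/asr code, and the hosts lines in it are constructed; it separates the two halves of the bug class: a tokenizer that legitimately yields "no name", a consumer that measures the name without checking (the analogue of strlen(NULL)), and the hardened consumer that treats such a line as no answer.

```python
"""Parsing /etc/hosts entries and the 'no name' case.

Added illustration of the bug class in the trace above, written in Python
rather than C: a tokenizer that returns 'no name' for an address-only line,
a consumer that measures the name without checking (the equivalent of
strlen(NULL)), and a hardened consumer that treats such a line as no
answer."""

import ipaddress
from typing import List, Optional, Tuple

# Constructed hosts file: the third line is the incomplete entry from the
# report above, an address with nothing after it.
HOSTS_TEXT = """\
127.0.0.1       localhost
192.168.100.4   fw fw.example.net   # the sshd host
192.168.100.25
::1             localhost6
"""

Entry = Tuple[str, Optional[str], List[str]]   # (address, cname, aliases)


def parse_hosts_line(line: str) -> Optional[Entry]:
    """Tokenise one hosts line; None for blanks, comments and junk.
    An address followed by nothing is a valid token stream, so the
    canonical name comes back as None rather than as an error."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    try:
        addr = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return None
    names = fields[1:]
    return addr, (names[0] if names else None), names[1:]


def naive_lookup(addr: str, text: str = HOSTS_TEXT) -> str:
    """Reverse lookup that trusts the tokenizer's name unconditionally."""
    for line in text.splitlines():
        entry = parse_hosts_line(line)
        if entry and entry[0] == addr:
            cname = entry[1]
            n = len(cname) + 1        # TypeError when cname is None, the
            return cname[:n]          # analogue of strlen(NULL) faulting
    raise LookupError(addr)


def hardened_lookup(addr: str, text: str = HOSTS_TEXT) -> Optional[str]:
    """Same lookup; an entry without a name is 'no answer' and the scan
    continues, so a malformed line can neither crash nor be returned."""
    for line in text.splitlines():
        entry = parse_hosts_line(line)
        if not entry or entry[0] != addr:
            continue
        _addr, cname, _aliases = entry
        if cname is None:
            continue                  # address-only line: skip it
        return cname
    return None
```

The contract worth writing down is the tokenizer's: "no name" is a legal result of parsing, so every consumer has to handle it, and the cheapest place to enforce that is a single check at the boundary rather than in each caller.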



Re: sftp -R as ssh_config option

2014-03-08 Thread Darren Tucker
On Sun, Mar 9, 2014 at 7:51 AM, LEVAI Daniel  wrote:
> For the life of me I can not find the corresponding ssh option in
> ssh_config(5) for sftp's -R switch. Is that even configurable with -o ?

Nope, sorry.  -R is specific to sftp and sftp doesn't read ssh_config.
As far as sftp is concerned, the underlying ssh is just an 8-bit
clean bidirectional pipe.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: pf redirect through socks tunnel?

2014-02-02 Thread Darren Tucker
On Sun, Feb 2, 2014 at 9:33 AM, Stuart Henderson  wrote:
[...]
> Rather than writing a helper running as root, you can change from using
> nat redirects (rdr-to) to using divert sockets (divert-to), then the proxy
> will receive unmodified packets and can just use getsockname(2) to retrieve
> the original address which does not require privileges.

That does look like a better way of doing it and would likely also
simplify things.  If I'm reading commit logs correctly, divert-to was
added about 6 months after I originally wrote that code.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: pf redirect through socks tunnel?

2014-01-30 Thread Darren Tucker
On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne
 wrote:
> Hi there,
>
> When I use a client, which is behind a pf firewall, I use this redirect
> rule:
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
> 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?

I wrote code to do this for PF some time back based on work by Luca
Barbieri for the same functionality on Linux:
https://bugzilla.mindrot.org/show_bug.cgi?id=1295

I suspect the patch will have bitrotted since then.

The other gotcha is that it needed to be run as root to open the PF
device to look up the NAT states.  That could potentially be mitigated
by a setuid helper program, but from memory it needed write access for
the DIOCNATLOOK ioctl, so it'd still be potentially dangerous.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Is Soekris OpenBSD friendly?

2013-11-16 Thread Darren Tucker
On Sat, Nov 16, 2013 at 11:27 AM, Chris Cappuccio  wrote:
> Why not just get a Soekris 5501 or a similar PC Engines ALIX,

+1 for the ALIX (I've got two alix2d3 and have been very happy with them)

> they can do 100Mbps with the improved vr ethernet driver these days.

Have you been able to get more than 85Mbit/s out of a single interface
on an ALIX?  85 was the best I could get when playing the tx interrupt
mitigation stuff[1] but it had plenty of spare CPU.  My guess was it
was maxing out the NIC hardware, and that turning off checksum
offloading would make it go faster at the cost of more CPU usage
although I never tested that.

[1] http://undeadly.org/cgi?action=article&sid=20130201054156

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: matching single-part label in ssh_config ?

2013-11-03 Thread Darren Tucker
On Sun, Nov 03, 2013 at 01:00:28PM +0200, Lars Nooden wrote:
> On Sun, 3 Nov 2013, Darren Tucker wrote:
> [snip]
> > Also: it's not in 5.4 but it is in current: check out the Match keyword
> > for a more flexible method.
> 
> Cool.  Were there any particular use cases in mind with 'exec' ?

ProxyCommand is the one that springs immediately to mind (ie picking the
right proxy for the network you're currently on) but I haven't actually
tried it yet.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: matching single-part label in ssh_config ?

2013-11-03 Thread Darren Tucker
On Sat, Nov 02, 2013 at 02:36:01PM -0500, Adam Thompson wrote:
> Reading the ssh_config manpage, I don't see a way to do this...
> 
> I want to match single-part labels, e.g. "servername" without
> matching everything "servername.somewhere.else".
> (I do rely on my local resolver's search functionality.)
> 
> So far, the best I can come up with is "*,!*.*" which doesn't seem to work.
> Is there a way to do this?

The parser is first-match, so you can do something like this:

Host *.*
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,...

Host *
Ciphers arcfour256,arcfour128,...

which will use the first for any hostname containing a dot, and the
second for anything without.

Also: it's not in 5.4 but it is in current: check out the Match keyword
for a more flexible method.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: My VPS is acting slow (KVM)

2013-10-06 Thread Darren Tucker
On Sun, Oct 06, 2013 at 09:13:21AM +, openda...@hushmail.com wrote:
> Good point. I'm doing asset precompilation in this Ruby on Rails app
> - a process that should only take a couple of minutes if not seconds,
> but ends up taking over 1 hour on my VPS. I asked around and it seems
> to be a very I/O intensive process.

> So what are my options? Demand better services from my ISP or stop
> using VPS altogether?

one thing you can try is disabling mpbios and, if you don't need usb,
uhci in the kernel.  I've only seen this make a difference on i386 and it
may be specific to some versions of qemu.

# config -o /bsd -e /bsd
ukc> disable mpbios
ukc> disable uhci
ukc> quit

then reboot.

anyway, this is just a guess.  you might get some better advice if you
provide more info, like the output of dmesg.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: OpenBSD not forwarding to specific sites

2013-09-30 Thread Darren Tucker
On Mon, Sep 30, 2013 at 11:18:55PM +1000, John Tate wrote:
> I am having trouble with IP forwarding to specific sites on a very
> typical configuration. The router itself can access these sites but
> clients can not. I have looked in obvious places on the clients, but I
> cannot find a cause. I reinstalled OpenBSD on the router after getting
> SSL errors where SSL servers could not be reached from clients, and I
> bought a cheap Netgear router to use which works fine ruling out that
> my ISP is causing problems.
> 
> I really need to find out what is causing these issues with my
> Internet it is something bizarre. My server I've literally only
> changed the following files...
> 
> /etc/hostname.fxp0
> /etc/hostname.athn0
> /etc/hostname.pppoe0
> /etc/hostname.xl0
> /var/named/etc/named.conf
> /etc/rndc.conf
> /etc/resolv.conf
> /etc/pf.conf
> /etc/dhcpd.conf

Is IP forwarding (net.inet.ip.forwarding=1) on?  It's in sysctl.conf
(not in that list) and it's off by default.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: ssh/sftp performance

2013-08-21 Thread Darren Tucker
On Wed, Aug 21, 2013 at 01:29:50AM -0300, Hugo Osvaldo Barrera wrote:
[...]
> I noticed my CPU supports AES, but not AESNI, so at first, I thought that
> that might be using up all my CPU, but that only accounts for 48% of
> CPU usage. Is there anything else I can do to improve performance?

Try one of the faster MACs (umac...@openssh.com is probably going to be
the fastest one but you might want to try the others too).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Canceled SSH forwarding

2013-05-23 Thread Darren Tucker
On Thu, May 23, 2013 at 10:58:32AM +0300, Lars Nooden wrote:
> On Wed, 22 May 2013, Lars Nooden wrote:
> [snip]
> > However, the remote machine is still able to use the forwarded port until 
> > the connection is finally closed.  The same syntax seems to shutdown 
> > regular (-L) forwarded ports, just not for reverse (-R) forwarding.  What 
> > am I missing?  
> 
> What I was missing was patience.  With Chromium and Firefox, the 
> connection is kept open for only a short while longer, but definitely not 
> immediately shut down.  With other programs, the tunnel seems to shut 
> right away.

The port should stop listening immediately, but any connections that
were established before the port stopped listening will continue until
they're closed by either end of the forwarded connection or the ssh
connection is forcibly terminated.  In your case, I'd guess you were
seeing HTTP/1.1 keep-alives.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
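The distinction drawn above (the listener disappears at once, connections established through it live on) can be seen with plain TCP sockets. This is an added example using a loopback listener in place of ssh's forwarding port, not code from the thread; the HTTP-ish bytes are constructed to stand in for a keep-alive request.

```python
"""Closing a listener vs. already-accepted connections.

Added illustration using loopback TCP sockets in place of ssh(1)'s
forwarding listener: once the listening socket is closed, new connection
attempts are refused at once, but a connection accepted earlier keeps
passing data until one end closes it (which is what an HTTP/1.1
keep-alive session does)."""

import socket


def demo_cancelled_forwarding() -> dict:
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))              # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    # A connection established while the forwarding is still active.
    existing = socket.create_connection(("127.0.0.1", port))
    accepted, _ = listener.accept()

    # Cancel the forwarding: the listening socket goes away...
    listener.close()

    # ...so a new client is refused immediately,
    try:
        socket.create_connection(("127.0.0.1", port), timeout=2).close()
        new_refused = False
    except ConnectionRefusedError:
        new_refused = True

    # ...while the existing connection still carries data both ways.
    # (Constructed request/response standing in for a keep-alive session.)
    existing.sendall(b"GET / HTTP/1.1\r\nConnection: keep-alive\r\n\r\n")
    request = accepted.recv(1024)
    accepted.sendall(b"HTTP/1.1 204 No Content\r\n\r\n")
    reply = existing.recv(1024)

    # Only when one end closes does the other see EOF.
    accepted.close()
    eof_seen = existing.recv(1024) == b""
    existing.close()

    return {
        "new_refused": new_refused,
        "old_still_works": request.startswith(b"GET /")
        and reply.startswith(b"HTTP/1.1 204"),
        "eof_after_close": eof_seen,
    }


if __name__ == "__main__":
    print(demo_cancelled_forwarding())
```

The same three observations apply to a cancelled -R forward: the remote listener is gone, anything already accepted is an ordinary established TCP connection that nobody has closed, and a browser's keep-alive idle timeout is what eventually closes it.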



Re: Forcing choice of keys for ssh

2013-05-16 Thread Darren Tucker
On Thu, May 16, 2013 at 01:11:43PM +0300, Lars Nooden wrote:
> but is there a better way to get ssh to use only the key specified on the 
> command line besides that or leaving them out of the agent in the first 
> place?

IdentitiesOnly?  from ssh_config(5):

IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity
files configured in the ssh_config files, even if ssh-agent(1) or
a PKCS11Provider offers more identities.  The argument to this
keyword must be ``yes'' or ``no''.  This option is intended for
situations where ssh-agent offers many different identities.  The
    default is ``no''.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: OpenSSH sshd -E

2013-04-29 Thread Darren Tucker
On Sun, Apr 28, 2013 at 08:32:39PM +0300, Lars Nooden wrote:
> I see a useful feature in OpenSSH 6.2(?) in current that is not in the 
> release notes for 6.2.  In the man page for sshd(1) in current there is 
> this:
> 
>  -E log_file
>  Append debug logs to log_file instead of the system log.
[...]
> Is this something from upcoming 6.3 or was it missed in the release notes 
> for 6.2?

It was added after the 5.2 release and will be in 5.3.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: snapshot ssh: ChrootDirectory sftp Connection closed

2013-04-17 Thread Darren Tucker
On Wed, Apr 17, 2013 at 03:55:25PM +0800, f5b wrote:
> BTW,
> 1. UsePrivilegeSeparation default sshd_config and manual not sync in current.
> 2. why ``yes''? but not  'yes' or "yes" in manual.
> 
> # less /etc/ssh/sshd_config | grep UseP
> UsePrivilegeSeparation sandbox  # Default for new installations.
> 
> # man sshd_config
> Says The default is ``yes''

Actually both are correct, although maybe it's not clear why.  The default
setting in sshd (ie, what is in effect if you don't set it in the config
file) is "yes":

$ sudo /usr/sbin/sshd -T -f /dev/null | grep useprivilegeseparation
useprivilegeseparation yes

The value set in the config file from a new install, however, is indeed
"sandbox".  We do this for some settings where there's significant
risk of breakage and we don't want to change behaviour of existing
installations, at least in the short term.  This allows some time for
any problems to get shaken out, particularly in older/upgraded systems
that may be significantly different from a new install.

The other recent example of this was disabling the ssh1 protocol, where it
was disabled in new installations for about 2.5 years before the default
compiled into sshd was changed.

I would expect the compiled in default for UsePrivilegeSeparation to
change at some point down the track, at which point it will be commented
out in sshd_config again.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: snapshot ssh: ChrootDirectory sftp Connection closed

2013-04-17 Thread Darren Tucker
On Tue, Apr 16, 2013 at 12:25:54PM +0800, f5b wrote:
> the user share can not sftp to the server,
> but same config in Mar 1 snapshot, sftp is ok.

it's caused by this change (feed it to patch -R to revert it), and it's
because the uid has already been set at this point.  I haven't figured
out the right way to fix it, though.  For now, I think we should revert
this.  djm?

Index: session.c
===
RCS file: /cvs/src/usr.bin/ssh/session.c,v
retrieving revision 1.261
retrieving revision 1.262
diff -u -p -r1.261 -r1.262
--- session.c   2 Dec 2012 20:46:11 -   1.261
+++ session.c   6 Mar 2013 23:35:23 -   1.262
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
+/* $OpenBSD: session.c,v 1.262 2013/03/06 23:35:23 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
  *All rights reserved
@@ -1216,7 +1216,10 @@ do_setusercontext(struct passwd *pw)
perror("unable to set user context (setuser)");
exit(1);
}
-   }
+   } else if (options.chroot_directory != NULL &&
+   strcasecmp(options.chroot_directory, "none") != 0)
+   fatal("server lacks privileges to chroot to ChrootDirectory");
+
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
    fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
 }
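Review bot: the new `else if` in do_setusercontext() fires on every path that does not take the first branch, and the cover note says the uid has already been set by the time this code runs in the failing sftp case, so a legitimate ChrootDirectory configuration is now stopped by `fatal("server lacks privileges to chroot to ChrootDirectory")` before it reaches the uid check below. If the intent is to refuse to run unchrooted when a chroot was requested, the condition should be whether the chroot actually took place (a flag recorded before privileges were dropped), not merely which branch was taken here; until that exists, reverting as proposed is the safer option.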

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Fallthrough in ssh_config

2013-03-21 Thread Darren Tucker
On Fri, Mar 22, 2013 at 7:30 AM, Ryan Kavanagh  wrote:
> Is there a way to have Host stanzas in an ssh_config containing a
> HostName entry match Host stanzas corresponding to said HostName? In
> other words, given an ssh config
>
> Host blah
> HostName blah.example.org
>
> Host *.example.org
> User bob
>
> can I have "ssh blah" also use the settings in the "*.example.org"?

No, not currently.  The matching of Host is done on the name you
provide to the ssh command, not whatever the name/address ultimately
resolves to, and they're simple string matches.

There is an open enhancement request to let it match subnets, which
may or may not be sufficient for what you want
(https://bugzilla.mindrot.org/show_bug.cgi?id=1169).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
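Both this thread and the earlier one on matching single-part labels come down to how ssh(1) walks Host blocks. The following simulator is an added illustration, not OpenSSH's readconf.c: it models first-obtained-wins option handling, whitespace-separated Host patterns with `*`, `?` and `!` negation, and matching against the name typed on the command line rather than a HostName the file supplies. The two configs at the bottom are constructed from the ones in the threads. (Later OpenSSH releases added CanonicalizeHostname, which re-reads the config against the canonicalized name; with it off, the behaviour modelled here is what you get.)

```python
"""Simulate how ssh(1) applies Host blocks in ssh_config.

Added illustration, not OpenSSH's own code.  Rules modelled:
  * Host takes whitespace-separated patterns; '*' and '?' are wildcards and
    a leading '!' negates a pattern (a matching negated pattern disables
    the block even if another pattern matched).
  * Every matching block is visited in file order, but an option that an
    earlier block already set is kept ("first obtained value wins").
  * Matching is done against the name given on the command line, never
    against a HostName the config itself supplies.
"""


def match_pattern(string: str, pattern: str) -> bool:
    """Case-insensitive glob: '*' matches any run, '?' one character."""
    s, p = string.lower(), pattern.lower()

    def rec(i: int, j: int) -> bool:
        if j == len(p):
            return i == len(s)
        if p[j] == "*":
            # '*' may swallow zero or more characters of the string
            return any(rec(k, j + 1) for k in range(i, len(s) + 1))
        if i < len(s) and p[j] in ("?", s[i]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


def host_block_active(host_arg: str, patterns: str) -> bool:
    """Decide whether a 'Host <patterns>' block applies to host_arg."""
    active = False
    for pat in patterns.split():          # whitespace, not comma, separated
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(host_arg, pat):
            if negated:
                return False              # a negated match wins outright
            active = True
    return active


def parse_config(text: str):
    """Return [(patterns, {option: value}), ...] in file order; options
    that precede the first Host line go into a catch-all '*' block."""
    blocks = [("*", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(keyword, value)
    return blocks


def resolve(text: str, host_arg: str) -> dict:
    """Effective options for `ssh host_arg` under the given ssh_config."""
    effective = {}
    for patterns, options in parse_config(text):
        if not host_block_active(host_arg, patterns):
            continue
        for key, value in options.items():
            effective.setdefault(key, value)   # first obtained value wins
    return effective


# Constructed configs mirroring the two threads.
DOTTED_FIRST = """
Host *.*
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Host *
    Ciphers arcfour256,arcfour128
"""

ALIAS_CONFIG = """
Host blah
    HostName blah.example.org

Host *.example.org
    User bob
"""

if __name__ == "__main__":
    print(resolve(DOTTED_FIRST, "www.example.com")["ciphers"])
    print(resolve(DOTTED_FIRST, "servername")["ciphers"])
    print(resolve(ALIAS_CONFIG, "blah"))
```

One consequence the simulator makes visible: because a Host line takes space-separated patterns, `*,!*.*` is a single pattern containing a literal comma, whereas `* !*.*` expresses the negation as separate patterns. The ordering trick in the reply is still the more readable way to get the same effect.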



Re: Can I change ssh port forwardings on a active connection *non-interactively* ?

2012-11-17 Thread Darren Tucker
On Fri, Nov 16, 2012 at 12:10:19AM +0200, Manolis Tzanidakis wrote:
> Hello all,
> I want to send the '~C' escape to ssh followed by ie. '-L 1024:localhost:1024'
> from the active ssh connection's shell, non-interactively from a script.
> Is it possible? Or is there a better way to accomplish this?

If you start ssh with ControlMaster mode enabled you can use "ssh -O
forward" to add forwardings to an established connection, eg:

$ ssh -o ControlMaster=yes -o ControlPath=/tmp/ctl localhost

$ ssh -o ControlMaster=no -o ControlPath=/tmp/ctl -O forward \
-L 1234:127.0.0.1:22 localhost

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: SSI

2012-09-27 Thread Darren Tucker
On Thu, Sep 27, 2012 at 01:04:23PM -0700, Brian Empson wrote:
> Hello OpenBSD world,
> 
> Has there been/are there plan to include some SSI functionality
> for BSD?

Single System Image was one of the original design goals for DragonFly,
but they seem to have backed away from that recently (or, at least, it's
taking much longer than they expected).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: after upgrade to current(25-06-2012), can not login ssh

2012-06-26 Thread Darren Tucker
On Tue, Jun 26, 2012 at 04:54:16PM +0800, johnw wrote:
> HI, i found sandbox-systrace.c need the mquery() to work with
> "UsePrivilegeSeparation sandbox"
> 
> below change maybe related,
> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/malloc.c.diff?r1=1.143;r2=1.144;sortby=date
> 
> anyway, add mquery() to sandbox-systrace.c work on my system.
> thank you.

Slight variant (SYSTR_POLICY_PERMIT) committed, thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: hello I have question for openssh !

2012-06-26 Thread Darren Tucker
On Mon, Jun 25, 2012 at 9:52 PM, Tomasz Marszal  wrote:
[...]
> Does it prevent man in the middle attack ?

The RSA key exchange method?  Yes, the last step is that the server
signs a bunch of things including the shared secret and the ephemeral
server key with the server's host key, which an MITM can't do since it
doesn't have access to the corresponding private key.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
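To make that last step concrete, here is an added toy model of the exchange (not OpenSSH code; textbook RSA with no padding, a 127-bit DH group, a fixed random seed, and the KEXINIT payloads I_C/I_S left out of the hash, all of which make it unusable as real cryptography). It uses Diffie-Hellman for the ephemeral step, which is what OpenSSH actually ships, but the signing step is the one described above and is the same for RFC 4432's transient RSA key: the server signs H, which commits to K_S, e, f and K, and a relay that terminates the exchange on each side cannot produce that signature for the values the client sees.

```python
"""Toy model of the SSH key exchange's final step (added illustration,
not OpenSSH code): the server signs the exchange hash H with its host key,
and H commits to the host key, both ephemeral values and the shared secret.
Textbook RSA, a tiny DH group and a fixed seed keep it short and
reproducible; none of it is usable as real cryptography."""

import hashlib
import math
import random

rng = random.Random(20120626)   # fixed seed: reproducible keys and exponents


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Host key as ((n, e), (n, d)); a SHA-256 digest is always < n."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return (n, 65537), (n, pow(65537, -1, phi))


def rsa_sign(priv, h: int) -> int:
    return pow(h, priv[1], priv[0])


def rsa_verify(pub, h: int, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == h


P, G = (1 << 127) - 1, 2               # toy DH group (2^127-1 is prime)
V_C, V_S = b"SSH-2.0-toyclient", b"SSH-2.0-toyserver"


def exchange_hash(k_s, e: int, f: int, k: int) -> int:
    """H = HASH(V_C || V_S || K_S || e || f || K), I_C and I_S omitted."""
    h = hashlib.sha256()
    for part in (V_C, V_S, repr(k_s).encode(), str(e).encode(),
                 str(f).encode(), str(k).encode()):
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def server_reply(host_pub, host_priv, e: int):
    """KEXDH_REPLY: (K_S, f, signature over H) for the client's e."""
    y = rng.randrange(2, P - 1)
    f, k = pow(G, y, P), pow(e, y, P)
    return host_pub, f, rsa_sign(host_priv, exchange_hash(host_pub, e, f, k))


def client_check(x: int, e: int, reply, pinned_pub) -> dict:
    """Derive K, recompute H, verify the signature under the presented
    host key, and compare that key with the known_hosts pin."""
    k_s, f, sig = reply
    h = exchange_hash(k_s, e, f, pow(f, x, P))
    return {"sig_ok": rsa_verify(k_s, h, sig), "pinned": k_s == pinned_pub}


def honest_session(host_pub, host_priv) -> dict:
    x = rng.randrange(2, P - 1)
    e = pow(G, x, P)
    return client_check(x, e, server_reply(host_pub, host_priv, e), host_pub)


def relayed_session(host_pub, host_priv, mitm_pub, mitm_priv) -> dict:
    """A relay terminating DH on both legs.  The real server only signs
    the hash of the relay's own leg, so toward the client the relay can
    replay that signature (it fails to verify) or sign with its own key
    (it verifies, but the key is not the pinned one)."""
    x = rng.randrange(2, P - 1)
    e = pow(G, x, P)                                  # client -> relay
    x_m = rng.randrange(2, P - 1)
    _, _f_real, sig_real = server_reply(host_pub, host_priv, pow(G, x_m, P))
    y_m = rng.randrange(2, P - 1)
    f_m = pow(G, y_m, P)                              # relay -> client
    replayed = client_check(x, e, (host_pub, f_m, sig_real), host_pub)
    own_sig = rsa_sign(mitm_priv,
                       exchange_hash(mitm_pub, e, f_m, pow(e, y_m, P)))
    own_key = client_check(x, e, (mitm_pub, f_m, own_sig), host_pub)
    return {"replayed_sig": replayed, "own_key": own_key}
```

The two outcomes of relayed_session() are the two checks a real client performs: the signature binds the server's host key to this particular exchange, and the known_hosts comparison binds that key to the host the user meant, so both must pass before the session continues.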



Re: hello I have question for openssh !

2012-06-21 Thread Darren Tucker
On Thu, Jun 21, 2012 at 5:41 PM, Chris Cappuccio  wrote:
> ??? [hohoho...@dreamsecurity.com] wrote:
>
>> I have question for openssh
>>
>> SSH server with RSA key exchange?
>> I need to look for a free ssh server that accepts RSA key exchange instead
>> of diffie-hellman.
>
> openssh supports both

Actually it doesn't.  You're talking about different things: he's
asking about RSA key exchange (ie how the client and server arrive at
a shared secret, ie http://www.ietf.org/rfc/rfc4432.txt), but you're
talking about RSA host key algorithms (ie how the server proves it is
who you think it is, which happens later in the connection).

Here's the list of supported key exchange algorithms (from
usr.bin/ssh/myproposal.h):

#define KEX_DEFAULT_KEX \
"ecdh-sha2-nistp256," \
"ecdh-sha2-nistp384," \
"ecdh-sha2-nistp521," \
"diffie-hellman-group-exchange-sha256," \
"diffie-hellman-group-exchange-sha1," \
"diffie-hellman-group14-sha1," \
"diffie-hellman-group1-sha1"

so no "rsa1024-sha1" or "rsa2048-sha256".

To the original question:
 - Putty implements the client side, which makes me wonder what they
tested against.  Ben Harris mentioned that his initial implementation
used OpenSSH.  I don't know if the code is available anywhere, but it
might be.
 - the threads on the ietf working group lists mentioned der Mouse
implemented it, so it's probably in
http://sparkle.rodents-montreal.org/mouseware/local-src/moussh/moussh/.

On a related topic: I added an openssh specs page recently
(http://www.openssh.com/specs.html) which should be the authoritative
reference for what is supported.  Corrections are welcome (but before
someone says "RFC6594", note that I'm trying to keep it accurate for
the most recent release).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: SSH connection failure: broken pipe

2010-12-04 Thread Darren Tucker

On 2/12/10 5:59 AM, Alex Popov wrote:
> I just did a snapshot upgrade from 4.7-snapshot (Apr 7) to 4.8-snapshot (Nov
> 30)  and I can't establish outgoing SSH connections from this box. I noticed
> the problem when I tried to update src and ports via cvs and got "Read from
> socket failed: Connection reset by peer" error.

What's kind of weird is that both ends see "reset by peer".  My guess is 
that it's some kind of network problem, either the network itself or the 
stack.  Does it fail immediately or does it take a while?  If it hangs 
for a while, try running "netstat" on each, identify the TCP connection 
and check if the "send-q" is non zero (indicating un-acked data).


--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: umask for remote host in sftp / sftp-server

2009-10-31 Thread Darren Tucker

Lars Nooden wrote:
> How can umask be set on the remote host for chrooted sftp users?

You can set it on the server side with sftp-server's "-u" option but 
that's very new (post 4.6).


You would have something like this in sshd_config:

Subsystem sftp sftp-server -u 0022


--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
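An added example of the configuration a practitioner would pair with that option for the chrooted case the question actually asks about. This is not from the post; the group name "sftponly" and the per-user chroot under /home are assumptions made for the example.

```text
# Ordinary users: the external sftp-server with the umask from the reply.
Subsystem sftp /usr/libexec/sftp-server -u 0022

# Chrooted users: /usr/libexec is not visible inside the chroot, so use
# the in-process server, which accepts the same options. The group
# "sftponly" and the /home/%u layout are assumptions for this example.
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp -u 0027
    AllowTcpForwarding no
    X11Forwarding no
```

sshd insists that the ChrootDirectory and every component of its path be owned by root and not writable by group or others, so the user gets a writable subdirectory inside it (for example /home/%u/upload owned by the user) rather than the chroot itself. The -u umask only applies to files created through the SFTP subsystem, which is fine here because ForceCommand means these users never get a shell. Check the file with `sshd -t` before reloading, then verify from a client with `sftp user@host`, a `put`, and `ls -l`.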



Re: How to determine my ip address (logged in via ssh)

2009-01-09 Thread Darren Tucker

Falk Brockerhoff wrote:
> is there any gentle way how to determine my ip address if I connected 
> via ssh to an openbsd system?

echo $SSH_CLIENT | cut -f1 -d' '

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
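An added example, not from the reply: a pair of sh functions that do the same extraction but handle the cases the one-liner does not. They prefer SSH_CONNECTION (client address, client port, server address, server port) over the older SSH_CLIENT (client address, client port, server port), fail cleanly when neither is set (not an ssh session, or sudo's env_reset stripped them), and strip the ::ffff: prefix an IPv4 client shows when sshd accepted it on an IPv6 socket. The addresses in the usage comment are constructed.

```sh
#!/bin/sh
# ssh_client_ip: print the address the SSH client connected from.
# Fields come from SSH_CONNECTION (client-ip client-port server-ip
# server-port), falling back to SSH_CLIENT (client-ip client-port
# server-port). Returns 1 when neither is set, i.e. this is not an ssh
# session or the variables were dropped (e.g. by sudo's env_reset).
ssh_client_ip() {
    set -- ${SSH_CONNECTION:-$SSH_CLIENT}
    [ $# -ge 3 ] || return 1
    case $1 in
        ::ffff:*) printf '%s\n' "${1#::ffff:}" ;;   # IPv4-mapped IPv6 form
        *)        printf '%s\n' "$1" ;;
    esac
}

# ssh_server_port: the port on this host the client connected to. It is
# the last field in both variables, so take it by position from the end.
ssh_server_port() {
    set -- ${SSH_CONNECTION:-$SSH_CLIENT}
    [ $# -ge 3 ] || return 1
    shift $(($# - 1))
    printf '%s\n' "$1"
}

# Usage (constructed values):
#   SSH_CONNECTION="192.0.2.10 54321 198.51.100.7 22"
#   ssh_client_ip || echo "not logged in over ssh" >&2
```

The `set --` inside each function only rewrites that function's own positional parameters, so the caller's arguments are untouched. Because sudo normally clears these variables, a script that needs the address after privilege escalation should read it before calling sudo or pass it through explicitly.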



Re: Latest Portable OpenNTPD?

2008-11-21 Thread Darren Tucker
On Fri, Nov 21, 2008 at 04:36:36PM +0100, Henning Brauer wrote:
> * Anirban Sinha <[EMAIL PROTECTED]> [2008-11-21 04:33]:
> > On 2008-11-21, Don Hiatt <[EMAIL PROTECTED]> wrote:
> > > I was looking at http://openntpd.org/ for the latest Portable
> > > OpenBSD an saw that it is at 3.9p1 while the non-portable is
> > > at 4.3. A colleague of mine is tired of fighting with ntpd.org's
> > > ntpd server so I suggested OpenNTPD. Is there a newer version
> > > of the Portable OpenNTPD or is 3.9p1 the latest?
> > 
> > >That's the latest portable version, but the OpenBSD one has
> > >since been improved.
> > 
> > I am wondering if any work is currently underway to port the latest
> > OpenNTPD to other platforms? Looks like there has been lot of good work
> > in OpenNTPD since version 3.9. It would be really nice to have it for
> > other platforms as well.
> 
> not as far as I am aware. which is a pity.

Robert Nagy did a bunch of work pulling in much of the recent changes.
I put up a snapshot[1] a while back with these, but there's been no
release.

There's more work to be done, and some of it is going to be nontrivial
to port (eg sensors, adjtime(NULL, olddelta) returning the remaining
offset) and I have been busy with other things and slacking in this
department.

[1] http://www.zip.com.au/~dtucker/openntpd/snapshot/

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: IP over Simulated Radio/Satellite Channels

2007-11-25 Thread Darren Tucker

Rolf Sommerhalder wrote:
> In an effort to port a Performance Enhancing Proxy (PEP, see scps.org)
> to OpenBSD, I am looking at ways to simulate radio channels at IP
> level with loss rate, delay and jitter.
>
> [...]
>
> I am grateful for any pointers towards IP channel simulation and/or
> PEPs such as SCPS TP in OpenBSD.

You could try tunbridge, which does loss, delay but not (I think) jitter.

"tunbridge(1) emulate a long, possibly lossy, link using the tun device.
tunbridge(1) reads packets from the tun(4) device, creates a delay,
packet loss, and packet shaping, and then, reinjects the packets to the
same tun device."

http://www.iijlab.net/~kjc/software/dist/tunbridge-0.1.tar.gz

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: GSSAPI logins into OpenSSH combined with auto-obtaining AFS tokens

2007-07-10 Thread Darren Tucker

Rogier Krieger wrote:
> While fiddling around to move my home directories onto AFS, I notice a
> bit of interesting behaviour. At a first glance, everything seems just
> fine. When logging in through the Krb5 mechanism (as defined in
> login.conf), OpenSSH nicely obtains an AFS token for me. Use case:
> Windows SSH client entering a username/password upon connecting.
>
> The following scenario, however, does not get me AFS tickets in my
> shell: obtaining Krb5 credentials on the client and logging into
> OpenSSH through GSSAPI. Although logging in seems to have nicely
> transferred my Krb5 ticket, OpenSSH does not obtain an AFS token for
> me. Running afslog manually fixes this, but I would greatly prefer to
> have afslog run automatically.

Do you have "KerberosGetAFSToken yes" in sshd_config?

 KerberosGetAFSToken
  If AFS is active and the user has a Kerberos 5 TGT, attempt to
  acquire an AFS token before accessing the user's home directory.
  The default is ``no''.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: classify scp and ssh

2007-07-08 Thread Darren Tucker

Damien Miller wrote:
> On Sat, 7 Jul 2007, Lawrence Horvath wrote:
>> Is there a way using pf to distinguish between ssh shell logins, and
>> scp file transfers?
>
> Not easily: ssh sets IPTOS_THROUGHPUT for non-interactive sessions,
> but does it after the TCP handshake. If you are assigning connections
> to queues statefully, this is too late, as the state would have already
> been created with the default TOS.

You can use nc(1) as an ssh proxycommand and set the TOS to whatever you 
want, but it doesn't help for the normal case.


Host somehost
ProxyCommand nc -T lowdelay %h %p

Host somehost-xfer
Hostname somehost
ProxyCommand nc -T throughput %h %p

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: ssh and sudo, password not hidden

2007-07-01 Thread Darren Tucker

Tom Van Looy wrote:
> OK, problem solved. But, why doesn't this flag get set implicitly when
> using a command with ssh?

Because it's not 8bit-clean, the tty layer can change the data.  It's 
usually ok for text, but it messes up binary data so having it on all 
the time would make ssh pipelines a lot less useful.


$ dd if=/dev/arandom of=/tmp/tmp1 bs=1k count=1k 2>/dev/null
$ ssh -t localhost "cat /tmp/tmp1" >/tmp/tmp2
Connection to localhost closed.
$ ls -l /tmp/tmp*
-rw-r--r--  1 dtucker  staff  1048576 Jul  2 07:49 /tmp/tmp1
-rw-r--r--  1 dtucker  staff  1067393 Jul  2 07:50 /tmp/tmp2

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Load balancing with DSR

2007-06-12 Thread Darren Tucker

Pierre-Yves Ritschard wrote:
> On Wed, 13 Jun 2007 15:40:36 +1000
> Darren Tucker <[EMAIL PROTECTED]> wrote:
>
> [...]
>> 1. add a static published arp entry for the cluster address on the 
>> balancer with its own mac address so packets aimed at the cluster 
>> address will go to the balancer.
>>
>> 2. configure all cluster members with a loopback interface with the 
>> cluster address.
>>
>> 3. use route-to pf rules with a next-hop to punt incoming packets to 
>> various nodes in the cluster
>
> I think all load balancers implementing direct server return / direct
> routing use this trick.
> You're not going to be able to get away without messing with arp so
> you're bound to a single broadcast domain.
>
>> As long as you get the route-to right, all you need for this to work is 
>> for the incoming packets to be routed to the balancer.  What if, eg, 
>> bgpd was configured to advertise a route to the /32 containing the 
>> cluster address via the balancer's real IP?
>
> Your scenario should be tried out, yes, but it is still just an ugly
> hack if you ask me :)
>
> Now you still can't really make this work with hoststated or any
> other LB on OpenBSD. I'd still like to find an elegant way to do this
> and integrate it with hoststated.
>
> And just for the record what you said maps to:
>
> pass in on $ext_if route-to { $webh1, $webh2 } round-robin proto tcp \
>  from any to $virt_ip port http no state
> pass out on $int_if from any to $virt_ip port http no state

Wouldn't you need some kind of state here?  Otherwise there's no 
guarantee of the packets for a given connection always being routed to 
the same physical server.

> If I get the occasion I'll try it out and see how that works.
> I also wonder how it would behave when setting the arp entry to that of
> a carp interface.


--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: SFTP no autocompletion?

2007-05-15 Thread Darren Tucker
On Tue, May 15, 2007 at 12:36:43PM +0200, Paul de Weerd wrote:
> On Tue, May 15, 2007 at 11:33:27AM +0200, Pieter Verberne wrote:
> | Hi there,
> | 
> | does SFTP have no TAB-autocompletion for local/remote files? TAB
> | doesn't work. It makes transferring files very clumsy. And does SFTP
> | secure my username and password or only my file transfers by default?
> 
> SFTP uses ssh and thus secures the entire connection. The sftp(1)
> client that comes by default with OpenBSD does not do tabcompletion.
> Feel free to use another client or to write support for it and send a
> patch ;)

Anyone looking into this would probably want to look at what Ben
Lindstrom has already done with this:

http://www.eviladmin.org/patches/sftp-tab.patch

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: skey with scp

2007-05-15 Thread Darren Tucker
On Tue, May 15, 2007 at 04:36:15PM -0500, Eric Johnson wrote:
> Does anyone know of a method of using skey for scp transfers (apart
> from port forwarding through an ssh tunnel)?
> 
> I've tried:
>   scp username:[EMAIL PROTECTED]:/home/username/foo.bar .
> and
>   scp "username:skey"@host.example.com:/home/username/foo.bar .
> 
> Any other suggestions?

I don't use skey so I can't test it but this will probably work:

scp -o User="username:skey" host.example.com:/home/username/foo.bar .

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: ksh: ssh password prompt handling

2007-04-21 Thread Darren Tucker
[EMAIL PROTECTED] wrote:
> when using ssh in a ksh script where previously configured public key auth
> is expected but not always the case, i want to have ssh commands that
> prompt for a password to be handled as errors and exit the script. the
> idea is to not have anyhing printed to the console and to exit with a
> non-zero error code instead of a password prompt, etc.
> 
> clues on how to do this are appreciated.

Sounds like you want LogLevel=QUIET and Batchmode=yes.  eg:

$ ssh -o PreferredAuthentications=password -o LogLevel=QUIET \
-o BatchMode=yes localhost
$ echo $?
255

You can also put them in ~/.ssh/config or ssh_config.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
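An added example (not from the reply) of wrapping those options in a script so the caller can tell ssh's own failures apart from a remote command that ran and failed. The SSH_BIN variable is a hypothetical hook introduced here so the wrapper can be exercised with a stub in place of the real ssh; it is not an ssh option.

```sh
#!/bin/sh
# Wrapper around ssh for scripts that must never stop at a prompt.
#   BatchMode=yes      fail instead of asking for a password/passphrase
#                      (it also refuses an unknown host key rather than asking)
#   LogLevel=QUIET     no "Permission denied" or warning chatter
#   ConnectTimeout=10  a dead host fails fast instead of hanging the script
# SSH_BIN is a hypothetical hook for this example so a stub can stand in
# for the real ssh when testing the script; it is not an ssh option.
ssh_batch() {
    "${SSH_BIN:-ssh}" -o BatchMode=yes -o LogLevel=QUIET \
        -o ConnectTimeout=10 "$@"
}

# run_remote host cmd...: ssh exits 255 when ssh itself failed (every
# authentication failure under BatchMode, a refused or timed-out
# connection, a rejected host key) and otherwise passes through the
# remote command's exit status. Map these to distinct return codes so a
# caller can tell "could not log in" (2) from "command ran and failed" (1).
run_remote() {
    _host=$1; shift
    ssh_batch "$_host" "$@"
    _rc=$?
    case $_rc in
        0)   return 0 ;;
        255) echo "ssh to $_host failed (authentication or connection)" >&2
             return 2 ;;
        *)   echo "remote command on $_host exited $_rc" >&2
             return 1 ;;
    esac
}

# Usage in a script (real ssh, key authentication expected):
#   run_remote build.example.org uptime || exit $?
```

One ambiguity remains: a remote command that itself exits 255 looks like an ssh failure, so if that matters, have the remote side use a different code. Because LogLevel=QUIET discards the reason, rerun the failing command by hand without it (or with -v) when diagnosing which key or host setting is wrong.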



Re: SCP/SFTP: Couldn't open /dev/null

2007-03-27 Thread Darren Tucker

Tasmanian Devil wrote:
>>> Has anybody an idea what I could do to find the cause of this
>>> "disappearing /dev/null"? Thank you in advance for your help!
>>
>> Well, it doesn't disappear so much as having its permissions altered,
>> but I'm certain you are aware of that.
>>
>> Are you sure it's OpenSSH? What other daemons are using /dev/null
>> (fstat?)? It would make sense if some daemon thought it was a logfile or
>> somesuch and decided to 'secure' it...
>
> Hm, fstat doesn't show much unusual, mainly httpd and mysql besides
> the standard daemons. I have the same combination of daemons running
> on older machines (GENERIC 4.0 -stable without ACPI though), but no
> problem there.
>
> The permissions of /dev/null change directly after (or maybe even
> while) using SFTP, and not always.

It's not just permissions, it's no longer a character special (device) 
file, it's a regular file.  This usually happens when /dev/null is 
deleted, and sooner or later something with root perms will write to it, 
at which point it gets recreated as a regular file.

> Sometimes I can log in several
> times over a few hours without fixing /dev/null, and then again only
> one single time. E.g. right now I can't reproduce the error. And if I
> don't use SCP/SFTP at all, everything works fine, for weeks, so it
> seems to be related to SCP/SFTP.

During that time, is /dev/null still a character special, or has it 
turned into a regular file?

I suspect that something else (maybe a cron job?) is removing /dev/null 
and the scp/sftp error is just a symptom.

You could try something like this running from cron regularly:

test -c /dev/null || echo /dev/null vanished or not character special

and see if/when it starts mailing you.

> Probably it's only happening after
> using SFTP (and SCP doesn't work afterwards), but unfortunately I'm
> not sure as I don't transfer files that often.


--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
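An added example, not from the reply: the cron check expanded so that it reports which of the two states it found (node removed, or already recreated as a regular file) and lists the processes holding the node open, which is the next thing to look at when hunting the culprit. The crontab line at the end is constructed. Once the cause is found, the node is recreated on OpenBSD with `cd /dev && sh MAKEDEV std`.

```sh
#!/bin/sh
# devnull_state [path]: print what the node currently is: char, regular,
# other or missing. "regular" is the state described in the thread (the
# node was removed and a root process recreated it as a plain file by
# writing to the path); "missing" is the window before that happens.
devnull_state() {
    _p=${1:-/dev/null}
    if   [ -c "$_p" ]; then echo char
    elif [ -f "$_p" ]; then echo regular
    elif [ -e "$_p" ]; then echo other
    else                    echo missing
    fi
}

# devnull_check [path]: cron-friendly version of the test -c check from
# the reply. Silent and 0 when fine; otherwise prints the diagnosis (so
# cron mails it) plus who has the node open, and returns 1. fstat is the
# OpenBSD tool, lsof the equivalent elsewhere; both are optional here.
devnull_check() {
    _p=${1:-/dev/null}
    _st=$(devnull_state "$_p")
    [ "$_st" = char ] && return 0
    echo "$_p is $_st, expected a character special device"
    ls -l "$_p" 2>&1 || true
    if command -v fstat >/dev/null 2>&1; then fstat "$_p" || true
    elif command -v lsof >/dev/null 2>&1; then lsof "$_p" || true
    fi
    return 1
}

# Constructed crontab entry; the path of the script is an assumption:
#   */10 * * * * /usr/local/sbin/devnull_check
```

Running it every few minutes rather than hourly matters here: the "missing" state is short-lived, since the first root process to write to the path turns it into a regular file, and catching the node while it is absent narrows the search to whatever ran in that interval.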


