Re: sftp server empty password login
On Tue, 26 Mar 2024 at 23:49, Sylvain Saboua wrote:
[...]
> /bin/true is not in the /etc/shells file on my system.
> Did you suggest I should add it ?

I did suggest that as a possible resolution to your problem. Since your problem is now resolved, I wouldn't change it.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: sftp server empty password login
You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p ", then connect with "sftp -oport="), but...

On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua wrote:
[...]
> # useradd -g media -s /sbin/nologin -u 2000 -v media

Unless /sbin/nologin is in /etc/shells (which it probably shouldn't be), that will probably prevent the login. I'd suggest /bin/true for both the user and in /etc/shells.

> `# passwd media') does not work either. What am I doing wrong ?

What do you mean by "does not work"? When I've done something similar in the past I've edited the passwd file with vipw and removed the hashed password value leaving nothing in the password field, ie

someuser::1001:1001:[etc ...]

-- 
Darren Tucker (dtucker at dtucker.net)
Re: Booting OpenBSD 7.3's i386 bsd.rd
On Mon, 1 May 2023 at 12:38, Damian McGuckin wrote:
[...]
> it appears to load bsd.rd, but then drops straight back into the BIOS
> and starts the BIOS boot.
>
> Any suggestions.

Try switching the console to serial instead of relying on the BIOS:

boot> stty com0 19200
boot> set tty com0

(Replace 19200 with whatever the console speed is). If that works, put it in /etc/boot.conf

-- 
Darren Tucker (dtucker at dtucker.net)
Re: LAN slow speed transfer
On Fri, 3 Feb 2023 at 22:40, Crystal Kolipe wrote:
> On Fri, Feb 03, 2023 at 10:33:16PM +1100, Darren Tucker wrote:
> > Fast ethernet (100base-T) uses pins 1, 2, 3 & 6
[...]
> But the output from ifconfig does suggest that the link was running with
> 1000baseT modulation:
>
> > > media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)

Good point! Dunno then.

-- 
Darren Tucker (dtucker at dtucker.net)
Re: LAN slow speed transfer
On Fri, 3 Feb 2023 at 13:49, vitmau...@gmail.com wrote:
> thank you Stu for the feedback. Turns out the problem was one of the
> cables. It is advertised as 5E, but maybe there is something fishy
> with it. Fact is, I bought another, changed it, and now I got
> something around 95 MBytes/s of LAN transfer rate.

Fast ethernet (100base-T) uses pins 1, 2, 3 & 6 while gigabit needs all eight. If you get a cable where one of 4, 5, 7 or 8 is broken (or someone cheaped out on the cable and it only has two pairs to begin with) you'll have a cable that can only do 100 mbit, which is about the speed that you saw.

-- 
Darren Tucker (dtucker at dtucker.net)
Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current
On Fri, 13 May 2022 at 11:07, Darren Tucker wrote:
> I've had two people ask me about this device in the last few days
> so I thought I'd post a followup describing what I did and found.
> As a reminder, this is a gl.inet GL-MV1000[0] (aka Brume) device.

Current status:

> Using the .dtb file that ships with OpenWRT will cause OpenBSD to report
> "sdhc0: base clock frequency unknown" errors and not find the sdcard.

This was fixed in -current by kettenis:
https://cvsweb.openbsd.org/src/sys/dev/fdt/mvclock.c?rev=1.12&content-type=text/x-cvsweb-markup

> - as previously mentioned the internal ethernet switch isn't supported

This is not well stated. The internal switch is supported as an unmanaged switch by mvsw(4).

> - USB interface doesn't seem to work

This was fixed in -current by dlg:
https://cvsweb.openbsd.org/src/sys/dev/fdt/ehci_fdt.c?rev=1.9&content-type=text/x-cvsweb-markup

I've put up a summary here, which I'll update with any further information.
https://www.dtucker.net/brume/

-- 
Darren Tucker (dtucker at dtucker.net)
Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current
I've had two people ask me about this device in the last few days so I thought I'd post a followup describing what I did and found. As a reminder, this is a gl.inet GL-MV1000[0] (aka Brume) device.

I had previously installed OpenWRT 21.02.something onto this device's internal eMMC card, but I suspect the process will work with other OpenWRT versions or the stock firmware (which is itself an OpenWRT derivative).

1) Grab an OpenBSD miniroot71.img for 7.1 or -current and write it to an sdcard ("dd if=miniroot71.img of=/dev/sdXc bs=1k").

2) Grab the OEM firmware[1], extract armada-gl-mv1000-emmc.dtb from it (or grab it from [2]) and copy it to the root of the first partition of the sdcard ("mount /dev/sdXi /mnt; cp armada-gl-mv1000-emmc.dtb /mnt; umount /mnt"). Using the .dtb file that ships with OpenWRT will cause OpenBSD to report "sdhc0: base clock frequency unknown" errors and not find the sdcard. If your device still has the stock firmware you can probably skip this step and change the first "load mmc 1:1" in the bootcmd below to "load mmc 0:1" to load the vendor-supplied .dtb from the internal eMMC device.

3) Connect a serial console and ethernet to the Brume. Power it on and type "gl" into the console to interrupt the boot sequence. At the "Marvel>>" prompt, change the bootcmd env variable and save it:

Marvel>> setenv bootcmd "load mmc 1:1 ${fdt_addr} armada-gl-mv1000-emmc.dtb; load mmc 1:1 ${kernel_addr} efi/boot/bootaa64.efi; bootefi ${kernel_addr} ${fdt_addr}"
Marvel>> saveenv

This will cause the Brume to always boot the OpenBSD bootloader from the sdcard.

4) Boot from the sdcard by typing "boot". At this point the OpenBSD bsd.rd should boot from the sdcard and you can perform a normal network installation back to the sdcard (which should be sd0 in the installer, but will be sd1 when the system reboots). Leave the "i" partition on the sdcard and all of the internal eMMC unchanged.

If you make a mistake after you start writing to the sdcard you'll need to start again at step 1.

The good:
- seems stable and survived a kernel build just fine
- network (mvneta0) and sdcard seem to work

The bad:
- as previously mentioned the internal ethernet switch isn't supported
- USB interface doesn't seem to work
- it won't reboot cleanly (shuts down OK but doesn't reset).

[0] https://www.gl-inet.com/products/gl-mv1000/
[1] https://docs.gl-inet.com/en/3/release_notes/gl-mv1000/
[2] https://www.dtucker.net/brume/armada-gl-mv1000-emmc.dtb

OpenBSD 7.1-current (GENERIC.MP) #0: Thu May 12 23:48:16 AEST 2022
    dtuc...@obsd-brume.dtucker.net:/usr/src/sys/arch/arm64/compile/GENERIC.MP
Re: ssh authlog: Failed none for invalid user
On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan wrote:
> Hello,
>
> I was hoping somebody could set me straight here. On one of my machines I
> have a number of entries in my /var/log/authlog file that look like this:
>
> Failed none for invalid user admin from 14.239.50.255 port 51796
>
> The machine has been hammered with SSH bruteforce attempts and I
> noticed that "Failed none" entry popping up frequently.
>
> What exactly does "Failed none" mean here in this context?

It's the attempted authentication method, and it's normal behaviour.

The SSH protocol has a number of authentication methods, for example "password" and "publickey". The client sends a message that says "I'd like to authenticate via password using the password 'hunter2'" and the server replies with either "yes that worked", or "nope" and a list of authentication methods that it might accept. Publickey authentication has a couple of extra steps but works in a similar way.

The protocol also specifies a "none" [0] authentication method, which will succeed if the server requires no further authentication (eg in OpenSSH, if PermitEmptyPasswords is set and the account does not have a password). Many SSH clients including OpenSSH's start by asking for "none" authentication then, if that doesn't work, use the list of possible authentication methods to decide what to do next. This is what you're seeing.

When I last looked, the bulk of the password guessing bots just sent a single "password" auth method and if it doesn't work, disconnect. Apparently the bots you're seeing behave a bit more like other clients.

[0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2

-- 
Darren Tucker (dtucker at dtucker.net)
Re: poor ethernet network performance
On Mon, 17 May 2021 at 08:23, Keegan Saunders wrote:
> I'm noticing that my OpenBSD desktop with a Realtek 8168 ethernet controller
> (re(4) driver) is experiencing slow network speeds on OpenBSD 6.9 (not
> recent, has been an issue before)

I've had something similar in the past and it was a duplex mismatch. If you have a managed switch, check that it and ifconfig agree on the duplex setting that was auto-negotiated. Failing that, try forcing either full-duplex or half-duplex with ifconfig and/or hostname.re0.

-- 
Darren Tucker (dtucker at dtucker.net)
Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current
On Mon, 5 Apr 2021 at 07:32, Mark Kettenis wrote:
> [...]
> > # man 4 mvsw
> > man: No entry for mvsw in section 4 of the manual.
>
> You must be doing that on an OpenBSD 6.8 system. Man page is there on
> -current.

That's true! I ran it on the Brume itself, which is still running 6.8 stable due to the aforementioned problem finding the sdcard.

Many thanks to you and Patrick for the analysis and fix.

-- 
Darren Tucker (dtucker at dtucker.net)
Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current
On Sun, 4 Apr 2021 at 01:32, Patrick Wildt wrote:
> [...]
> Maybe you both can try my revert and make sure it doesn't introduce any
> other regressions?

That also seems to work on the Brume in question:

>> OpenBSD/arm64 BOOTAA64 1.2
boot> boot /bsd.test
booting sd0a:/bsd.test: 8808452+1793560+567784+830080 [634134+109+1073400+630260]=0xf904a0
[lots snipped]
OpenBSD 6.9-beta (GENERIC.MP) #1: Thu Apr 1 19:48:05 AEDT 2021
    dtuc...@brume.dtucker.net:/usr/src/sys/arch/arm64/compile/GENERIC.MP

> > > That BRUME thingy looks cute, but has a bit of an issue. It doesn't
> > > really have three Ethernet ports. Instead those ports are part of a
> > > switch that also connects to an Ethernet interface on the SoC.
> >
> > Yeah I noticed that. Single ethernet plus programmable switch seems to
> > be pretty common in this class of device.
>
> And if someone wants to program it, feel free to, mvsw(4) exists for a
> reason, might just need some code. :)

and maybe docs :-)

# man 4 mvsw
man: No entry for mvsw in section 4 of the manual.

-- 
Darren Tucker (dtucker at dtucker.net)
Re: The simplest full cray data core with 3 cpu's and a physics hack that makes it work
On Sat, 3 Apr 2021 at 10:09, Balder Oddson wrote:
[...]
> Many old and cool antique architectures, Cray is the premiere
> architecture, he promised 10x performance and did so, not likely to get
> one on ebay to boot BSD on, not sure if you can get the OS or blueprints
> either.

To drag this a tiny bit toward the approximate direction of being on-topic: if you do find one and want to run OpenSSH on it, you'll need to use 7.6p1 or earlier since I removed UNICOS support in 7.7p1 (https://github.com/openssh/openssh-portable/commit/ddc0f3814881ea279a6b6d4d98e03afc60ae1ed7).

-- 
Darren Tucker (dtucker at dtucker.net)
Re: gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current
1f5c name: 'regulator'
    compatible: 'regulator-gpio'
    regulator-name: 'vcc_sd1'
    regulator-min-microvolt: 001b7740
    regulator-max-microvolt: 00325aa0
    regulator-boot-on:
    gpios: 000d.0004.
    gpios-states:
    states: 001b7740.0001.00325aa0.
    enable-active-high:
    linux,phandle: 000e
    phandle: 000e

OpenBSD 6.9-beta (GENERIC.MP) #0: Thu Apr 1 19:30:31 AEDT 2021
    dtuc...@brume.dtucker.net:/usr/src/sys/arch/arm64/compile/GENERIC.MP

-- 
Darren Tucker (dtucker at dtucker.net)
gl.inet Brume (GL-MV1000): sdcard works with 6.8 but not -current
Welcome to the OpenBSD/arm64 6.8 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

and 6.8-stable:

OpenBSD 6.8 (GENERIC.MP) #2: Sat Dec 5 05:53:36 MST 2020
    r...@syspatch-68-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.P

-- 
Darren Tucker (dtucker at dtucker.net)
Re: sshd: no IP address in error msg?
On Sun, 14 Mar 2021 at 07:43, Claus Assmann wrote:
> My authlog file contains entries like this:
> sshd[89023]: error: kex_exchange_identification: banner line contains invalid
> characters
> but I can't find the IP address of the host which triggered this
> by looking for more log entries of sshd with the same pid.

What version are you using? At least -current has some additional standardized logging that should include the source address and port:

kex_exchange_identification: banner line contains invalid characters
banner exchange: Connection from 127.0.0.1 port 21285: invalid format

-- 
Darren Tucker (dtucker at dtucker.net)
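The two sshd log formats discussed in the "Failed none" message above and in this one, pulled apart by an added example that is not part of the original thread: it extracts the source address from "Failed <method> for ... from ADDR port P" lines and from the newer "banner exchange: Connection from ADDR port P" lines, and counts "none" probes separately from real credential guesses per source. The sample lines are constructed for the example from the shapes quoted in the thread (only the 14.239.50.255 / 51796 values come from the original poster); the remaining addresses are documentation ranges.

```python
"""Classify sshd authlog lines by source address.

Constructed example: the regexes follow the line shapes quoted in the
thread, and SAMPLE_AUTHLOG is made up for this demonstration.
"""
import re
from collections import Counter, defaultdict

# "Failed none for invalid user admin from 14.239.50.255 port 51796 ssh2"
# "Failed password for root from 203.0.113.7 port 40111 ssh2"
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+)"
)

# Newer sshd logs the peer next to identification/banner errors, so the
# bare "kex_exchange_identification: ..." line no longer has to be
# correlated by pid to find the source:
# "banner exchange: Connection from 127.0.0.1 port 21285: invalid format"
BANNER_RE = re.compile(
    r"banner exchange: Connection from (?P<addr>\S+) port (?P<port>\d+): "
    r"(?P<reason>.+?)\s*$"
)

# Constructed sample; 14.239.50.255/51796 is the thread's quoted entry.
SAMPLE_AUTHLOG = """\
Aug 10 08:55:01 host sshd[1234]: Failed none for invalid user admin from 14.239.50.255 port 51796 ssh2
Aug 10 08:55:02 host sshd[1234]: Failed password for invalid user admin from 14.239.50.255 port 51796 ssh2
Aug 10 08:55:09 host sshd[1240]: Failed password for root from 203.0.113.7 port 40111 ssh2
Aug 10 08:55:10 host sshd[1241]: Failed password for root from 203.0.113.7 port 40112 ssh2
Aug 10 08:56:01 host sshd[1250]: Accepted publickey for dtucker from 192.0.2.10 port 50000 ssh2
Mar 14 07:40:00 host sshd[89023]: error: kex_exchange_identification: banner line contains invalid characters
Mar 14 07:40:00 host sshd[89023]: banner exchange: Connection from 198.51.100.3 port 21285: invalid format
"""


def parse_line(line):
    """Return a dict describing one authlog line, or None for lines this
    example does not handle ("Accepted ..." lines, and the bare
    kex_exchange_identification error, which carries no address)."""
    m = FAILED_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "auth_failure"
        ev["invalid_user"] = "for invalid user " in line
        return ev
    m = BANNER_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "banner_error"
        return ev
    return None


def summarize(lines):
    """Per source address: 'none' probes, real credential guesses and
    banner errors.  A failed 'none' attempt is the client asking which
    methods the server accepts (RFC 4252 section 5.2), not a guessed
    credential, so it is counted separately from brute-force attempts."""
    per_addr = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "banner_error":
            per_addr[ev["addr"]]["banner_errors"] += 1
        elif ev["method"] == "none":
            per_addr[ev["addr"]]["none_probes"] += 1
        else:
            per_addr[ev["addr"]]["guesses"] += 1
    return dict(per_addr)


def classify(counts):
    """Label one source: any real guess outweighs probing; a source seen
    only with 'none' probes or banner garbage never guessed a credential."""
    if counts["guesses"]:
        return "guessing"
    if counts["none_probes"]:
        return "probe_only"
    return "banner_noise"


if __name__ == "__main__":
    for addr, counts in summarize(SAMPLE_AUTHLOG.splitlines()).items():
        print(f"{addr:16} {classify(counts):12} {dict(counts)}")
```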
Re: Problem with SSH Internet traffic outgoing endpoint with dynamic port forwarding
On Thu, 11 Jul 2019 at 20:55, morgan.loner wrote:
[...]
> What was missing? Please advise.

Suggestions:
- run "ssh -vvv" to crank up the ssh client's verbosity, you should see the port forward requests (or not, if ssh is not seeing them for some reason).
- test with nc -x as the socks client to an IP address as well as domain name. The test to an IP address will remove the DNS variable.

-- 
Darren Tucker (dtucker at dtucker.net)
Re: RS-232 serial to ethernet
On Tue, 9 Apr 2019 at 02:14, LÉVAI Dániel wrote:
> [...]
> It basically should be able to convert the serial port to TCP/IP
> networking. Is this something anyone else has used before -- or if you
> know something similar, I'm really interested!

I use a gl.inet GL-AR150 (US$24 on dx.com) running openwrt with a USB RS232 adapter.

Pro: it supports ssh (including key auth), can use wifi to avoid cabling, with a USB hub you can support multiple serial ports (I don't) and it's small and low powered enough to velcro to the back of the machine and power from its USB port.

Con: a bit more involved setup (I use it with conserver).

Happy to share setup details if you want to go this route (off list since it's veering off-topic).

If you wanted to stick with a similar but pure OpenBSD solution you could look at something like an Orange Pi Lite (US$20) but you'd have to add parts (microsd card, case) so it'd probably cost more (and the onboard wifi isn't supported so if you wanted wifi you'd have to add a USB one).

-- 
Darren Tucker (dtucker at dtucker.net)
Re: Broken links on https://www.openssh.com/goals.html
On Thu, 4 Apr 2019 at 20:18, Alex Naumov wrote:
> it seems some links on the goals page [1] are broken.
> Please check links to:
> * RSA
> * DSA
> * HD

Looks like the man pages have been restructured since those links were created. I've pointed them at the existing man pages for the existing functions pending a better solution. The change should be live shortly.

Thanks.

-- 
Darren Tucker (dtucker at dtucker.net)
Re: ssh -Y behaviour change
On 12 September 2018 at 16:13, Solene Rapenne wrote:
[...]
> I think you are supposed to use ssh -XY when using a remote X11 app.

Nope, both -X and -Y enable ForwardX11, but -Y also enables ForwardX11Trusted. Unfortunately I don't see anything in the OpenSSH 7.7->7.8 changelog (https://www.openssh.com/txt/release-7.8) that would explain the observed change in behaviour.

$ egrep -C2 "'(X|Y)'" ssh.c
			options.forward_x11 = 0;
			break;
		case 'X':
			options.forward_x11 = 1;
			break;
--
			config_test = 1;
			break;
		case 'Y':
			options.forward_x11 = 1;
			options.forward_x11_trusted = 1;

-- 
Darren Tucker (dtucker at dtucker.net)
Re: Two Factor Authentication Prompt
On 10 August 2018 at 07:24, Gav wrote:
[about login_ldap+login_oauth]
> I can successfully have a user authenticate with either (switching the
> login class). However, is it possible to use both as consecutive login
> prompts?

I'm not sure about how to configure it on the login.conf side, but sshd's ChallengeResponseAuthentication/keyboard-interactive does support that. You can ensure you are using that on the client side by adding "-o PreferredAuthentications=keyboard-interactive" or by disabling PasswordAuthentication in sshd_config.

-- 
Darren Tucker (dtucker at dtucker.net)
Re: IPQoS values in sshd
On 8 August 2018 at 05:29, Mik J wrote:
> Does anyone know what lowdelay and throughput mean for the IPQoS parameter?
> To what DSCP do these words correspond?

From https://www.openssh.com/specs.html, which documents the most recent release: they're the values specified in RFC1349, the first of the dozen or so attempts to specify the meaning of those few bits (RFCs 2474, 2597, 2598, 3168, 3246, 3260, 3662, 4301, 4594, 5865 and 8325).

> I did a capture when writing ls in my terminal and I see DSCP=cs0.
> I would have expected something else.

The default values have been changed in -current but that change has not yet made it to a release. From https://man.openbsd.org/ssh_config.5: "The default is af21 (Low-Latency Data) for interactive sessions and cs1 (Lower Effort) for non-interactive sessions."

-- 
Darren Tucker (dtucker at dtucker.net)
Re: SSH segfault when SendEnv is used in .ssh/config
On 10 June 2018 at 17:43, Tom Murphy wrote:
> I upgraded to the June 9th snapshot and noticed ssh segfaults
> when I make connections. After a bit of checking in my .ssh/config,
> I discovered the SendEnv directive is making it segfault. Not sure
> if it has to do with the changes made 2 days ago?

This may have been fixed: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c?rev=1.291&content-type=text/x-cvsweb-markup

If not, could you please share the fragment of your config that triggers it?

-- Darren Tucker (dtucker at dtucker.net)
Re: Best testcases for SSHD when fuzzing with afl?
On 5 May 2018 at 21:50, Hess THR wrote:
[...]
> But the question: does anybody have more? Or better? Any idea how to have
> more and better quality testcases?

https://anongit.mindrot.org/openssh-fuzz-cases.git/

-- Darren Tucker (dtucker at dtucker.net)
Re: Disabling message CRCs in SSHD
On 28 April 2018 at 03:20, Hess THR wrote:
> Based on the:
>
> http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html
>
> I tried to search for these code pieces (I know he was using openbsd-compat
> and not the original OpenSSH code) but didn't find it, didn't even find
> anything similar for disabling message CRCs:

Short answer: It's gone, you can ignore that part.

Long answer: CRC32 was the message integrity method for SSH Protocol v1 and the last of the SSH1 code was removed[0] in the 7.6 release[1] (in part because CRC32 is a weak integrity guarantee compared to a proper MAC).

[0] https://github.com/openssh/openssh-portable/commit/3d6d09f2
[1] https://www.openssh.com/releasenotes.html#7.6

-- Darren Tucker (dtucker at dtucker.net)
Re: kernel relink segfaults on ALIX
On 19 April 2018 at 16:52, Jan Stary wrote:
> This is a fresh upgrade of current/i386 on an ALIX 2D3.
> Upon start, kernel relinking fails, with relink.log saying:

Do you have any swap configured? Relinking takes a reasonable amount of ram and the ALIX doesn't have a lot.

-- Darren Tucker (dtucker at dtucker.net)
Re: What's the inc. SSH conn. launch seq., rel. to login.conf rlimit enforcement?
On 20 March 2018 at 14:11, Tinker wrote:
> Hi,
>
> When connecting to SSHD and authenticating as a user, in what sequence
> are various processes launched (shell / shell with "-l" argument / sshd
> child / login(1)), and in particular, at what stage are login.conf
> settings enforced into the process context by login(1)?

The general rule of thumb is that whatever must be run as root is, everything else is done after privileges have been dropped.

sshd didn't use login(1) unless UseLogin was set, and that was removed in the 7.4 release.

> I would guess this is what's described by the "LOGIN PROCESS" section
> in the sshd(8) man page:
>
> * A child SSHD process is spawned already at connect time, meaning
> prior to step 1, right.
> * Steps 1 up to 4 are run as root by the sshd child,
>
> * login(1) is execve:ed at step "4. Changes to run with normal user
> privileges.", and it will

login isn't used at all. On OpenBSD, sshd calls the equivalent functions in session.c:do_setusercontext(). On other platforms exactly what happens varies depending on platform and configuration but it's roughly the same.

[...]
> * execve /bin/sh (or sshd??) to perform the remaining steps (5-9)

Steps 5-9 are done by sshd.

> * The user's shell (without "-l") is execve:ed in step 9.
>
> http://man.openbsd.org/sshd.8#LOGIN_PROCESS
> http://man.openbsd.org/login.conf.5
>
> Also I'd guess it should be a similar process for SFTP

sftp works approximately the same as a shell except sftp-server is exec'ed instead of the shell.

>, telnet

telnetd is no longer supported but I think it always exec'ed login(1).

> other authenticated services.

Can't speak to those.

-- Darren Tucker (dtucker at dtucker.net)
Re: ssh from cisco to OpenBSD 6.2 error status 0
On 28 December 2017 at 21:45, Marko Cupać wrote:
[...]
> I saw this in auth.log:
> Protocol major versions differ for 192.168.223.1 port 45187:
> SSH-2.0-OpenSSH_7.6 vs. SSH-1.99-Cisco-1.25

That's a bug in the Cisco implementation. RFC4253 section 4.2 says the protocol version MUST be 2.0. Section 5.1 defines "1.99" as a backward compatibility alias for servers that speak both 1.5 and 2.0 protocols, but it is not specified for a client. sshd used to accept it but it probably shouldn't have (see https://bugzilla.mindrot.org/show_bug.cgi?id=2810).

> I started passing different cipher options to ssh client on cisco, and
> finally managed to connect to OpenBSD 6.2 with:
>
> ssh -v 2 -c aes256-ctr -m hmac-sha1-160 IP.ADD.RE.SS

On Unix systems you can put the equivalent Ciphers and MACs directives into ~/.ssh/config under a Host for that device to save you having to remember it. I don't know if your Cisco has any equivalent.

-- Darren Tucker (dtucker at dtucker.net)
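As an added illustration of the version-string rule in the reply above (example code, not OpenSSH's): the protoversion field of the RFC 4253 identification string is parsed out and "2.0" accepted from either side, while "1.99" is only accepted from a server, which is what the "SSH-1.99-Cisco-1.25" client banner violates. The function names and the enum are assumptions for the example; the two banners are the ones from the quoted log line.

```c
#include <stdio.h>
#include <string.h>

enum ssh_peer { SSH_PEER_CLIENT, SSH_PEER_SERVER };

/* Copy the protoversion field of an identification string into buf.
 * The field runs from after "SSH-" to the next '-' (RFC 4253 4.2:
 * "SSH-protoversion-softwareversion SP comments"); returns 0 if the line
 * is not of that shape or the field is empty, too long or has a space. */
static int ssh_parse_protoversion(const char *line, char *buf, size_t buflen)
{
	const char *start, *dash;
	size_t n;

	if (strncmp(line, "SSH-", 4) != 0)
		return 0;
	start = line + 4;
	dash = strchr(start, '-');
	if (dash == NULL)
		return 0;
	n = (size_t)(dash - start);
	if (n == 0 || n >= buflen || memchr(start, ' ', n) != NULL)
		return 0;
	memcpy(buf, start, n);
	buf[n] = '\0';
	return 1;
}

/* Returns 1 if the peer that sent `line` can be spoken to with protocol 2.
 * "2.0" is the only value section 4.2 defines; "1.99" (section 5.1) is an
 * alias a server may advertise when it speaks both 1.x and 2.0, so it is
 * accepted from a server and rejected from a client. */
int ssh_peer_supports_v2(const char *line, enum ssh_peer peer)
{
	char proto[16];

	if (!ssh_parse_protoversion(line, proto, sizeof(proto)))
		return 0;
	if (strcmp(proto, "2.0") == 0)
		return 1;
	if (strcmp(proto, "1.99") == 0)
		return peer == SSH_PEER_SERVER;
	return 0;
}

int main(void)
{
	/* Constructed cases; the first two banners are from the log line above. */
	struct { const char *line; enum ssh_peer peer; } cases[] = {
		{ "SSH-2.0-OpenSSH_7.6", SSH_PEER_SERVER },
		{ "SSH-1.99-Cisco-1.25", SSH_PEER_CLIENT },
		{ "SSH-1.99-Cisco-1.25", SSH_PEER_SERVER },
		{ "SSH-1.5-oldclient", SSH_PEER_CLIENT },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-22s from %s: %s\n", cases[i].line,
		    cases[i].peer == SSH_PEER_SERVER ? "server" : "client",
		    ssh_peer_supports_v2(cases[i].line, cases[i].peer) ?
		    "ok" : "reject");
	return 0;
}
```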
Re: NTP issue on Lanner FW-7526B
On 9 December 2017 at 09:40, Christian Weisgerber wrote:
> On 2017-12-08, Darren Tucker wrote:
>
> > If your hardware doesn't have a clock (or the clock is bad) then it can
> > take ntpd a long time to adjust it back to the correct time (it uses
> > adjtime(), which I think adjusts at +/- 10%).
>
> Actually, 5000 parts per million, so 0.5%.
>
> ntp_update_second(int64_t *adjust)
> [...]
> 	if (adjtimedelta > 0)
> 		adj = MIN(5000, adjtimedelta);
> 	else
> 		adj = MAX(-5000, adjtimedelta);

I sit corrected :-).

-- Darren Tucker (dtucker at dtucker.net)
Re: NTP issue on Lanner FW-7526B
On 9 December 2017 at 01:58, mabi wrote:
>
> I have a new Lanner FW-7526B firewall loaded with OpenBSD 6.2. I must say
> it's a nice small firewall but unfortunately the ntp daemon does not seem
> to manage to set the time correctly with this hardware. The time is off by
> approximately 1:20h and every 2-3 minutes I see the following log entries:
>

If your hardware doesn't have a clock (or the clock is bad) then it can take ntpd a long time to adjust it back to the correct time (it uses adjtime(), which I think adjusts at +/- 10%).

You can avoid this long convergence by telling ntpd to step to the correct time on startup (although this won't step after startup, so it requires that your NTP servers be reachable at boot time).

$ grep ntp /etc/rc.conf.local
ntpd_flags="-s"

-- Darren Tucker (dtucker at dtucker.net)
Re: relayd TLS load balancer for multiple websites
On 28 September 2017 at 06:32, mabi wrote:
> Thanks for the pointer regarding SNI not being supported in relayd. I will go
> on and find another solution, probably HAproxy.

For a small number of domains it would probably be feasible to get a single certificate with multiple SANs. Letsencrypt at least supports this as long as all of the domains map (or can be made to map) to the place requesting the certificate.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: Portable OpenSSH 7.5p1 with LibreSSL 2.6.1 fails
On 7 September 2017 at 16:35, Heiko wrote:
> Hello,
>
> ./config for Portable OpenSSH 7.5p1 with LibreSSL 2.6.1 fails on Debian
> Linux:

As per https://www.openssh.com/report.html this query would be better directed to the portable list openssh-unix-...@mindrot.org. Please send any followups there.

> checking OpenSSL header version... not found
> configure: error: OpenSSL version header not found.

This means the little test program in configure either failed to build and run or did not produce the expected output. The exact reason will be in config.log (although you may have to scroll back a way to find it).

A common cause of this is not having added the new lib directory to the runtime linker config via ldconfig(8).

-- Darren Tucker (dtucker at zip.com.au)
Re: OpenSSH logging and MaxAuthTries
On Sun, Mar 19, 2017 at 11:47 PM, Lars Noodén wrote:
> Looking at a recent snapshot, see dmesg at the bottom, I have two
> questions about OpenSSH logging.
>
> 1) The entry in sshd_config(5) for MaxAuthTries states the following
> about log entries:
>
> ... Once the number of failures reaches half this
> value, additional failures are logged. The default is 6.
>
> Yet the logging of failures seems to occur these days from the very first try.
> Has this behavior changed?

No, but it's always logged password attempts regardless of whether or not you've got to MaxAuthTries/2:

$ cvs annotate auth.c | grep -C2 max_auth
Annotations for auth.c
***
1.13 (markus 18-Jan-01):	if (authenticated == 1 ||
1.13 (markus 18-Jan-01):	    !authctxt->valid ||
1.54 (dtucker 23-May-04):	    authctxt->failures >= options.max_authtries / 2 ||
1.13 (markus 18-Jan-01):	    strcmp(method, "password") == 0)
1.47 (itojun 08-Apr-03):		authlog = logit;

> 2) The client gets disconnected before MaxAuthTries is reached. If I
> have it set to 6, I only get 5 tries:

Your log level isn't high enough to see it, but I suspect you have a failed pubkey attempt before the password attempts. You should be able to see it if you add "-vvv" to the command line.

[...]
> Is there any way to get the full number of MaxAuthTries log in attempts?

Assuming my guess above is correct, PreferredAuthentications=password

-- Darren Tucker (dtucker at zip.com.au)
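An added example (not sshd's code) that puts the two answers above side by side: the auth.c condition from the cvs annotate output is lifted into a function, and a toy model of the per-connection failure accounting shows why a refused key before the password prompts leaves 5 password tries out of MaxAuthTries 6 and why that key failure is only visible at LogLevel VERBOSE. The accounting (one failure per refused method, log decision taken before the increment, disconnect once failures reaches MaxAuthTries) is an assumption for the example; the struct and function names are invented.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_LOGGED  1	/* logged with logit(), visible at the default LogLevel */
#define AUTH_VERBOSE 0	/* only visible at LogLevel VERBOSE or above */

struct authctxt {
	int valid;	/* the user exists */
	int failures;	/* failed attempts so far on this connection */
};

/* The condition quoted from auth.c: password attempts are always logged,
 * other methods only once failures reaches MaxAuthTries/2 (plus successes
 * and attempts against invalid users). */
int auth_log_level(const struct authctxt *a, int authenticated,
    const char *method, int max_authtries)
{
	if (authenticated == 1 ||
	    !a->valid ||
	    a->failures >= max_authtries / 2 ||
	    strcmp(method, "password") == 0)
		return AUTH_LOGGED;
	return AUTH_VERBOSE;
}

/* Toy model (an assumption, not sshd's code): every method in `methods`
 * fails, each failure adds one, and the client is cut off as soon as
 * failures reaches MaxAuthTries. Returns how many attempts the client got
 * to make; *logged receives how many of those were visible at the default
 * level and *passwords how many of them were password attempts. */
int run_failed_attempts(const char **methods, int n, int max_authtries,
    int *logged, int *passwords)
{
	struct authctxt a = { 1, 0 };	/* valid user, no failures yet */
	int i;

	*logged = *passwords = 0;
	for (i = 0; i < n; i++) {
		if (auth_log_level(&a, 0, methods[i], max_authtries) == AUTH_LOGGED)
			(*logged)++;
		if (strcmp(methods[i], "password") == 0)
			(*passwords)++;
		a.failures++;
		if (a.failures >= max_authtries)
			return i + 1;	/* "Too many authentication failures" */
	}
	return n;
}

int main(void)
{
	/* Constructed scenarios with MaxAuthTries 6: a key offered (and refused)
	 * before the password prompts, and passwords only. */
	const char *pk_then_pw[] = { "publickey", "password", "password",
	    "password", "password", "password", "password" };
	const char *pw_only[] = { "password", "password", "password",
	    "password", "password", "password", "password" };
	int allowed, logged, passwords;

	allowed = run_failed_attempts(pk_then_pw, 7, 6, &logged, &passwords);
	printf("pubkey first:  %d attempts, %d passwords, %d logged\n",
	    allowed, passwords, logged);	/* 6 attempts, 5 passwords, 5 logged */
	allowed = run_failed_attempts(pw_only, 7, 6, &logged, &passwords);
	printf("password only: %d attempts, %d passwords, %d logged\n",
	    allowed, passwords, logged);	/* 6 attempts, 6 passwords, 6 logged */
	return 0;
}
```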
panic: rw_enter: netlock locking against myself (NFS related?)
Re: pledging a portable program
On Tue, Jan 17, 2017 at 6:05 AM, Jordon wrote:
> What is the “official" way to pledge(2) a portable program?

OpenSSH Portable checks for the presence of pledge in configure (https://anongit.mindrot.org/openssh.git/tree/configure.ac#n1715) and if not found defines a no-op pledge function (https://anongit.mindrot.org/openssh.git/tree/openbsd-compat/bsd-misc.c#n282).

The advantage of doing it this way is that the mainline code is unchanged and so does not add additional maintenance burden (ie merge conflicts). It also provides a hook for alternative implementation mechanisms although there are no drop-in replacements at the moment.

-- Darren Tucker (dtucker at zip.com.au)
Re: Hardware recommendations for compact 1U firewall
On Sat, Dec 17, 2016 at 1:08 PM, Damian McGuckin wrote:
[...]
> What is the max throughput people have seen on these?
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?

I doubt it. I did some work[1] on the vr driver on a pcengines ALIX, which has very similar hardware (500MHz Geode CPUs and VT6105M ethernet chips). The most I got through it for a TCP stream was 85MBit/s routing only. It had CPU to spare, so I suspect the limitation was either the chip or the driver.

The VT6105M doesn't have any receive-side interrupt mitigation (and OpenBSD doesn't have a polling mode) so I suspect it'd be easy to DoS it with tiny packets. As long as that's not happening, there's probably enough CPU to run PF.

Depending on your use case and environment this may or may not be good enough. If you do try it I'd be interested in hearing the result.

[1] http://undeadly.org/cgi?action=article&sid=20130201054156

-- Darren Tucker (dtucker at zip.com.au)
Re: unknown hostname on ssh tunnel end causes 'administratively prohibited: open failed'
els.h === RCS file: /cvs/src/usr.bin/ssh/channels.h,v retrieving revision 1.120 diff -u -p -r1.120 channels.h --- channels.h 18 Oct 2016 17:32:54 - 1.120 +++ channels.h 24 Nov 2016 04:36:58 - @@ -272,7 +272,8 @@ void channel_update_permitted_opens(int voidchannel_clear_permitted_opens(void); voidchannel_clear_adm_permitted_opens(void); voidchannel_print_adm_permitted_opens(void); -Channel*channel_connect_to_port(const char *, u_short, char *, char *); +Channel*channel_connect_to_port(const char *, u_short, char *, char *, int *, +char **); Channel *channel_connect_to_path(const char *, char *, char *); Channel*channel_connect_stdio_fwd(const char*, u_short, int, int); Channel*channel_connect_by_listen_address(const char *, u_short, Index: serverloop.c === RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v retrieving revision 1.187 diff -u -p -r1.187 serverloop.c --- serverloop.c23 Oct 2016 22:04:05 - 1.187 +++ serverloop.c24 Nov 2016 04:36:58 - @@ -423,7 +423,7 @@ server_input_keep_alive(int type, u_int3 } static Channel * -server_request_direct_tcpip(void) +server_request_direct_tcpip(int *reason, char **errmsg) { Channel *c = NULL; char *target, *originator; @@ -442,11 +442,12 @@ server_request_direct_tcpip(void) if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && !no_port_forwarding_flag) { c = channel_connect_to_port(target, target_port, - "direct-tcpip", "direct-tcpip"); + "direct-tcpip", "direct-tcpip", reason, errmsg); } else { logit("refused local port forward: " "originator %s port %d, target %s port %d", originator, originator_port, target, target_port); + *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED; } free(originator); @@ -563,8 +564,8 @@ static int server_input_channel_open(int type, u_int32_t seq, void *ctxt) { Channel *c = NULL; - char *ctype; - int rchan; + char *ctype, *errmsg = NULL; + int rchan, reason = SSH2_OPEN_CONNECT_FAILED; u_int rmaxpack, rwindow, len; ctype = packet_get_string(&len); 
@@ -578,7 +579,7 @@ server_input_channel_open(int type, u_in if (strcmp(ctype, "session") == 0) { c = server_request_session(); } else if (strcmp(ctype, "direct-tcpip") == 0) { - c = server_request_direct_tcpip(); + c = server_request_direct_tcpip(&reason, &errmsg); } else if (strcmp(ctype, "direct-streamlo...@openssh.com") == 0) { c = server_request_direct_streamlocal(); } else if (strcmp(ctype, "t...@openssh.com") == 0) { @@ -601,9 +602,9 @@ server_input_channel_open(int type, u_in debug("server_input_channel_open: failure %s", ctype); packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(rchan); - packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); + packet_put_int(reason); if (!(datafellows & SSH_BUG_OPENFAILURE)) { - packet_put_cstring("open failed"); + packet_put_cstring(errmsg ? errmsg : "open failed"); packet_put_cstring(""); } packet_send(); -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
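Review bot: nothing in these hunks frees errmsg. server_input_channel_open() starts with `char *ctype, *errmsg = NULL;`, hands it to packet_put_cstring() in the failure path and then drops it, and the new `int *, char **` out-parameters on channel_connect_to_port() in channels.h say nothing about who owns the string. If channel_connect_to_port() hands back an allocated copy of the resolver or connect error (the only way it can return a message through a `char **`), add `free(errmsg);` after packet_send() and document the ownership on the prototype.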
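Review bot: in the refused branch of server_request_direct_tcpip() only `*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;` is set and errmsg stays NULL, so the peer still gets the generic "open failed" while the precise "refused local port forward: originator ... target ..." text goes to the server log only. That is the right split for a policy refusal (the log line carries originator and target, the client only needs the reason code), but a one-line comment saying the omission is deliberate would stop a later change from copying the log text into errmsg.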
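Review bot: `int rchan, reason = SSH2_OPEN_CONNECT_FAILED;` changes the failure reply for every channel type, not just direct-tcpip: only the direct-tcpip branch writes `reason`, so a "session" request or either of the two @openssh.com types in the same if/else chain that comes back NULL previously got SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED and now gets CONNECT_FAILED. If that is not intended, keep ADMINISTRATIVELY_PROHIBITED as the default and let server_request_direct_tcpip() set CONNECT_FAILED itself. Separately, `packet_put_cstring(errmsg ? errmsg : "open failed")` puts whatever channel_connect_to_port() produced on the wire; keep that to the resolver/connect error for the target the client asked for and never anything describing the server's own configuration.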
Re: Serverkeybits, protocol 2
On Thu, Nov 3, 2016 at 8:14 AM, Jonathan Paquet wrote:
> Ok, so for protocol 2, what is used by default?

There is no exact equivalent of ServerKeyBits in ssh Protocol 2. In Protocol 1 the server generates an ephemeral RSA key that is ServerKeyBits in size when it starts up, and regenerates it every ~1h if it has been used. That key is used to encrypt the SSH session key sent to the client.

In Protocol 2 the session key is derived from a Diffie-Hellman[1] exchange at the beginning of each connection, which produces a shared secret that both sides contribute to but neither controls.

> > The minimum key encryption that we want to allow is 1024, and the
> > version of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.

Short answer: OpenSSH's Protocol 2 doesn't support anything weaker than 1024 bits.

Long answer: The absolute minimum strength key exchange in the SSHv2 spec is diffie-hellman-group1-sha1, which is specified as 1024 bits. It is considered weak and has been disabled by default since OpenSSH 7.0.

There is another set of Diffie-Hellman algorithms where the server picks the group (diffie-hellman-group-exchange-sha{1,256}) and in OpenSSH those are picked from the moduli file. OpenSSH hasn't ever shipped a moduli file with groups <1k bits, 1k bit groups were removed around 7.0 as well, then 1.5kbit groups some time later.

[1] Actually there are several supported key exchange algorithms (see KexAlgorithms in sshd_config(8)), and exactly which one gets used will depend on what the client and server support and/or have enabled. They all have the same security properties, though.

-- Darren Tucker (dtucker at zip.com.au)
Re: serial input line not working
On Thu, Sep 22, 2016 at 12:29 PM, Peer Janssen wrote:
> # cu -d -l cua00 -s 9600
> cu: open("/dev/cua00"): Device not configured
> # cu
> cu: open("/dev/cua00"): Device not configured

I have an ALIX 2d[something] and on it, the serial ports show up as com devices:

$ dmesg | egrep '^com'
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

I notice that the com devices are missing from your dmesg output, though. Maybe it's not enabled in the BIOS? I see http://pcengines.ch/alix3d3.htm has "fix serial port" against the most recent firmware version...

-- Darren Tucker (dtucker at zip.com.au)
Re: usb disk dirty after every reboot
On Tue, Sep 20, 2016 at 1:43 AM, Jan Stary wrote:
>
> This is current/i386 on an ALIX.1E (demsg below).
> I have an USB disk connected for /backup.
>
> Upon every reboot, the filesystem on that disk is dirty:
> WARNING: R/W mount of /backup denied. Filesystem is not clean - run fsck

I saw something similar on an APU where the root disk was on (USB-attached) sdcard: http://marc.info/?l=openbsd-misc&m=144237305322074&w=2

It seems to be a race. There used to be a 4sec pause in the kernel that was removed:

"""
Remove 4 second delay on reboot/shutdown that was added 8 years ago to "workaround MP timeout/splhigh/scsi race at reboot time".
"""

> It seems that it does not get properly umounted when shutting down.
> I added 'umount /backup' to my rc.shutdown and that works around it.
>
> However, what could be causing this?

I suspect your addition to the shutdown script makes the unmount early enough that it has time to complete whatever operation it's trying to complete.

-- Darren Tucker (dtucker at zip.com.au)
Re: PC Engines APU NIC (RTL8111E) performance
Re: PC Engines APU NIC (RTL8111E) performance
On Fri, Aug 05, 2016 at 11:56:15AM +1000, Darren Tucker wrote:
> On Thu, Aug 04, 2016 at 02:46:44PM +0200, Momtchil Momtchev wrote:
> [...]
> > What is the problem with software interrupt moderation? That it has a
> > fixed timer while the hardware one scales with the RX rate?
>
> The hardware moderation can do per-N-packets in addition to a timer.
>
> > This shouldn't
> > halve the performance? It should be more like 10% to 15% and some latency
> > benefit? I have also noticed that the TX rate is higher than the RX rate
> > (about 320 Mbit/s vs 260 Mbit/s). Could it be that the FreeBSD driver uses
> > MSI interrupts and the OpenBSD one does not?
>
> Dunno. If I knew what the cause was I'd have fixed it :-(

Hey, I might have found it. From my other diff:

> + * According to the Linux driver, supposedly:
> + * (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets

however in the header the RXTIME/TXTIME macros didn't match that:

> #define RL_IM_RXTIME(t) ((t) & 0xf)
> +#define RL_IM_RXPKTS(t) (((t) & 0xf) << 4)
> #define RL_IM_TXTIME(t) (((t) & 0xf) << 8)
> +#define RL_IM_TXPKTS(t) (((t) & 0xf) << 12)

so assuming the comment was correct, I wasn't actually setting the holdoff timers :-(

A quick test with this diff (just routing through it, no PF, no pool debug) gives me:

$ iperf -c host -i 10 -t 60
Client connecting to nfs, TCP port 5001
TCP window size: 43.8 KByte (default)
[  3] local 192.168.32.1 port 43092 connected with 192.168.33.44 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   803 MBytes   674 Mbits/sec
[  3] 10.0-20.0 sec   844 MBytes   708 Mbits/sec
[  3] 20.0-30.0 sec   876 MBytes   735 Mbits/sec
[  3] 30.0-40.0 sec   915 MBytes   768 Mbits/sec
[  3] 40.0-50.0 sec   929 MBytes   779 Mbits/sec
[  3] 50.0-60.0 sec   917 MBytes   769 Mbits/sec
[  3]  0.0-60.0 sec  5.16 GBytes   739 Mbits/sec

Index: dev/ic/re.c === RCS file: /cvs/src/sys/dev/ic/re.c,v retrieving revision 1.192 diff -u -p -r1.192 re.c --- dev/ic/re.c 20 Apr 2016 12:15:24 - 1.192 +++ dev/ic/re.c 9 Aug
2016 00:52:45 - @@ -747,7 +747,7 @@ re_attach(struct rl_softc *sc, const cha sc->rl_flags |= RL_FLAG_PHYWAKE | RL_FLAG_PHYWAKE_PM | RL_FLAG_PAR | RL_FLAG_DESCV2 | RL_FLAG_MACSTAT | RL_FLAG_CMDSTOP | RL_FLAG_AUTOPAD | RL_FLAG_JUMBOV2 | - RL_FLAG_WOL_MANLINK; + RL_FLAG_WOL_MANLINK | RL_FLAG_HWIM; sc->rl_max_mtu = RL_JUMBO_MTU_9K; break; case RL_HWREV_8168E_VL: @@ -821,13 +821,19 @@ re_attach(struct rl_softc *sc, const cha /* Reset the adapter. */ re_reset(sc); - sc->rl_tx_time = 5; /* 125us */ - sc->rl_rx_time = 2; /* 50us */ - if (sc->rl_flags & RL_FLAG_PCIE) - sc->rl_sim_time = 75; /* 75us */ - else - sc->rl_sim_time = 125; /* 125us */ - sc->rl_imtype = RL_IMTYPE_SIM; /* simulated interrupt moderation */ + if (sc->rl_flags & RL_FLAG_HWIM) { + /* hardware interrupt moderation */ + sc->rl_imtype = RL_IMTYPE_HW; + sc->rl_tx_time = 5; /* 125us */ + sc->rl_rx_time = 2; /* 50us */ + } else { + /* simulated interrupt moderation */ + sc->rl_imtype = RL_IMTYPE_SIM; + if (sc->rl_flags & RL_FLAG_PCIE) + sc->rl_sim_time = 75; /* 75us */ + else + sc->rl_sim_time = 125; /* 125us */ + } if (sc->sc_hwrev == RL_HWREV_8139CPLUS) sc->rl_bus_speed = 33; /* XXX */ @@ -2233,6 +2239,8 @@ re_stop(struct ifnet *ifp) void re_setup_hw_im(struct rl_softc *sc) { + u_int16_t im; + KASSERT(sc->rl_flags & RL_FLAG_HWIM); /* @@ -2258,11 +2266,15 @@ re_setup_hw_im(struct rl_softc *sc) * Currently we only know how to set 'timer', but not * 'number of packets', which should be ~30, as far as I * tested (sink ~900Kpps, interrupt rate is 30KHz) -*/ - CSR_WRITE_2(sc, RL_IM, - RL_IM_RXTIME(sc->rl_rx_time) | - RL_IM_TXTIME(sc->rl_tx_time) | - RL_IM_MAGIC); +* +* According to the Linux driver, supposedly: +* (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets +* Linux uses hard coded 0x5151.
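Review bot: in the first re_attach() hunk RL_FLAG_HWIM is added to the rl_flags of a single chip revision (the case arm that ends just before `case RL_HWREV_8168E_VL:`), and the second hunk then makes the whole rl_tx_time/rl_rx_time setup conditional on that flag, so every other revision silently keeps simulated moderation with no change in behaviour. Either add the flag to the other revisions once they are tested, or say in a comment next to the `RL_FLAG_WOL_MANLINK | RL_FLAG_HWIM;` line why only this one gets it. The rest of the diff is cut off after the new comment in re_setup_hw_im(), so the corrected macro layout described in the message cannot be checked here.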
Re: PC Engines APU NIC (RTL8111E) performance
On Thu, Aug 04, 2016 at 02:46:44PM +0200, Momtchil Momtchev wrote:
[...]
> What is the problem with software interrupt moderation? That it has a
> fixed timer while the hardware one scales with the RX rate?

The hardware moderation can do per-N-packets in addition to a timer.

> This shouldn't
> halve the performance? It should be more like 10% to 15% and some latency
> benefit? I have also noticed that the TX rate is higher than the RX rate
> (about 320 Mbit/s vs 260 Mbit/s). Could it be that the FreeBSD driver uses
> MSI interrupts and the OpenBSD one does not?

Dunno. If I knew what the cause was I'd have fixed it :-(

> PS. On the APU my interrupt rate is about 6000 IRQ/s when doing 320
> MBit/s, this is one IRQ every 165us or one IRQ for about 3 or 4 packets. I
> will make rl_sim_time tunable and I will test if it affects performance.

I dug up my patch. If you're experimenting, making the value used to set the RL_IM register tunable then seeing what impact various values have on throughput would be interesting.

Index: dev/ic/re.c === RCS file: /cvs/src/sys/dev/ic/re.c,v retrieving revision 1.192 diff -u -p -r1.192 re.c --- dev/ic/re.c 20 Apr 2016 12:15:24 - 1.192 +++ dev/ic/re.c 5 Aug 2016 00:31:04 - @@ -747,7 +747,7 @@ re_attach(struct rl_softc *sc, const cha sc->rl_flags |= RL_FLAG_PHYWAKE | RL_FLAG_PHYWAKE_PM | RL_FLAG_PAR | RL_FLAG_DESCV2 | RL_FLAG_MACSTAT | RL_FLAG_CMDSTOP | RL_FLAG_AUTOPAD | RL_FLAG_JUMBOV2 | - RL_FLAG_WOL_MANLINK; + RL_FLAG_WOL_MANLINK | RL_FLAG_HWIM; sc->rl_max_mtu = RL_JUMBO_MTU_9K; break; case RL_HWREV_8168E_VL:
@@ -821,13 +821,19 @@ re_attach(struct rl_softc *sc, const cha /* Reset the adapter. */ re_reset(sc); - sc->rl_tx_time = 5; /* 125us */ - sc->rl_rx_time = 2; /* 50us */ - if (sc->rl_flags & RL_FLAG_PCIE) - sc->rl_sim_time = 75; /* 75us */ - else - sc->rl_sim_time = 125; /* 125us */ - sc->rl_imtype = RL_IMTYPE_SIM; /* simulated interrupt moderation */ + if (sc->rl_flags & RL_FLAG_HWIM) { + /* hardware interrupt moderation */ + sc->rl_imtype = RL_IMTYPE_HW; + sc->rl_tx_time = 5; /* 125us */ + sc->rl_rx_time = 2; /* 50us */ + } else { + /* simulated interrupt moderation */ + sc->rl_imtype = RL_IMTYPE_SIM; + if (sc->rl_flags & RL_FLAG_PCIE) + sc->rl_sim_time = 75; /* 75us */ + else + sc->rl_sim_time = 125; /* 125us */ + } if (sc->sc_hwrev == RL_HWREV_8139CPLUS) sc->rl_bus_speed = 33; /* XXX */ @@ -2233,6 +2239,8 @@ re_stop(struct ifnet *ifp) void re_setup_hw_im(struct rl_softc *sc) { + u_int16_t im; + KASSERT(sc->rl_flags & RL_FLAG_HWIM); /* @@ -2258,11 +2266,15 @@ re_setup_hw_im(struct rl_softc *sc) * Currently we only know how to set 'timer', but not * 'number of packets', which should be ~30, as far as I * tested (sink ~900Kpps, interrupt rate is 30KHz) -*/ - CSR_WRITE_2(sc, RL_IM, - RL_IM_RXTIME(sc->rl_rx_time) | - RL_IM_TXTIME(sc->rl_tx_time) | - RL_IM_MAGIC); +* +* According to the Linux driver, supposedly: +* (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets +* Linux uses hard coded 0x5151. +*/ + im = RL_IM_TXTIME(sc->rl_tx_time) | RL_IM_TXPKTS(4) | + RL_IM_RXTIME(sc->rl_rx_time) | RL_IM_RXPKTS(4); + printf("setting interrupt moderation %hx\n", im); /* XXX */ + CSR_WRITE_2(sc, RL_IM, im); } void Index: dev/ic/rtl81x9reg.h === RCS file: /cvs/src/sys/dev/ic/rtl81x9reg.h,v retrieving revision 1.98 diff -u -p -r1.98 rtl81x9reg.h --- dev/ic/rtl81x9reg.h 20 Apr 2016 12:15:24 - 1.98 +++ dev/ic/rtl81x9reg.h 5 Aug 2016 00:31:04 - 
@@ -570,7 +570,9 @@ #define RL_IM_MAGIC0x5050 #define RL_IM_RXTIME(t)((t) & 0xf) +#define RL_IM_RXPKTS(t)(((t) & 0xf) << 4) #define RL_IM_TXTIME(t)(((t) & 0xf) << 8) +#define RL_IM_TXPKTS(t)(((t) & 0xf) << 12) struct rl_chain_data { u_int16_t cur_rx; -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
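Review bot: in the second re_attach() hunk, rl_tx_time and rl_rx_time are now initialised only on the RL_FLAG_HWIM branch and rl_sim_time only on the simulated branch, so whichever pair the branch does not set is left at zero. That is fine only if nothing outside the matching setup path reads them, which is worth a grep before commit. The flag is also added for just the one hardware revision visible in the first hunk, so the other chips in that switch keep simulated moderation; a one-line comment saying that is deliberate (or a TODO) would save the next reader from wondering.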
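Review bot: the `printf("setting interrupt moderation %hx\n", im); /* XXX */` in the re_setup_hw_im() hunk is debug output and should be dropped or put under a debug ifdef before this goes in. The hard-coded RL_IM_TXPKTS(4) and RL_IM_RXPKTS(4) also disagree with both references in the surrounding comment: the existing text says the packet count "should be ~30" (which cannot fit a 4-bit field anyway), while the cited Linux value 0x5151, decoded with the formula the new comment gives, is a timer of 5 and 1 packet in each direction. Since the covering mail says the point of the exercise is to tune these, making the packet counts sc fields alongside rl_tx_time/rl_rx_time rather than literals would let that happen without recompiling.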
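Review bot: the bit positions of the new macros in the rtl81x9reg.h hunk look transposed relative to the Linux layout quoted in the re_setup_hw_im() comment, `(TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets`. Under that layout RxPackets is bits 0-3 and RxTimer bits 4-7, but the existing RL_IM_RXTIME stays at bits 0-3 and the new RL_IM_RXPKTS is placed at `<< 4`; likewise RL_IM_TXTIME stays at `<< 8` where Linux has TxPackets, and RL_IM_TXPKTS at `<< 12` where Linux has TxTimer. If the Linux formula is right, the value this diff writes for tx_time 5, rx_time 2 and 4 packets is 0x4542, which the chip reads as TxTimer 4, TxPackets 5, RxTimer 4, RxPackets 2, and the old RL_IM_MAGIC 0x5050 was in fact setting both timers to 5. Worth settling the field order against the datasheet or the Linux r8169 source before measuring anything, since a swapped layout would explain "it didn't seem to make a difference".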
Re: PC Engines APU NIC (RTL8111E) performance
On Wed, Aug 3, 2016 at 8:07 PM, Momtchil Momtchev wrote:
> Does anyone with a working knowledge of re(4) have any idea why the PC
> Engines APU NICs perform so poorly in OpenBSD?

Most likely lack of hardware interrupt moderation in the driver. There's code in re_setup_hw_im() that looks like it might do something plausible with the interrupt moderation register but AFAICT it'll never be called because rl_imtype is always set to "RL_IMTYPE_SIM".

I tried to get hardware interrupt moderation working a while back but it didn't seem to make a difference (which is probably an indication that I did something wrong). I could dig up the patch if you'd like to try it.

The other thing to be aware of is that if you're following current, POOL_DEBUG is usually set in your config, which will be quite expensive when pushing packets.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: sshfs key exchange fails
On Sat, Jun 18, 2016 at 6:11 PM, Dennis Matthiesen wrote:
> Hi Darren,
>
> Thanks for the right syntax, sshd is now coming up but the initial problem
> persists. Same picture in the packet capture.

The packet capture didn't make it to the list, the attachment got stripped.

> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group
> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is
> sending a FIN ACK instead.

Try running the server in debug mode (eg "/usr/sbin/sshd -ddde -p 222" to run it on port 222) and if the reason isn't obvious from the log please post it to the list.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: sshfs key exchange fails
On Sat, Jun 18, 2016 at 6:08 AM, Dennis Matthiesen wrote:
> Thanks Todd, Did a fresh install. Added the following line to sshd_config
> but then sshd won't come up:
> KexAlgorithms +diffie-hellman-group1-sha1, +diffie-hellman-group-exchange-sha1

The first "+" means "append this to the list of accepted algorithms". The second "+" doesn't mean anything so sshd is trying to parse that as an algorithm name and failing (this should be obvious from the log message). Try:

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
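The "+" handling described above, as an added example that is not OpenSSH's servconf.c: a simplified model of how sshd reads a KexAlgorithms value (constructed default list and constructed set of known names; the error wording follows sshd's "Bad SSH2 KexAlgorithms" message), showing the append semantics of a leading "+" and why a second "+" fails as an unknown algorithm name.

```python
# Added example, not OpenSSH's servconf.c: a simplified model of how sshd
# parses a KexAlgorithms value, enough to show what the leading "+" does
# and why a second "+" becomes an unknown algorithm name.

# Constructed default list and constructed set of names the server knows.
DEFAULT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]
KNOWN_KEX = set(DEFAULT_KEX) | {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
}


class ConfigError(ValueError):
    """Raised where sshd would fatal() while reading sshd_config."""


def parse_kex_algorithms(value, defaults=DEFAULT_KEX, known=KNOWN_KEX):
    """Return the effective KexAlgorithms list for one config value.

    A "+" at the very start means "append these to the default set";
    otherwise the listed algorithms replace the defaults.  Only the first
    character is special: every comma-separated item after that is taken
    literally as an algorithm name and must be one the server supports.
    (Later OpenSSH releases add "-" and "^" prefixes; not modelled here.)
    """
    append = value.startswith("+")
    if append:
        value = value[1:]
    names = value.split(",")
    for name in names:
        if name not in known:
            # Wording follows sshd's "Bad SSH2 KexAlgorithms" error.
            raise ConfigError("Bad SSH2 KexAlgorithms '%s'" % name)
    if append:
        return defaults + [n for n in names if n not in defaults]
    return names
```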
Re: sshd Connection Failures - 2 June Snapshot (amd64)
On Sun, Jun 5, 2016 at 7:40 AM, Alex Greif wrote:
[...]
> hash mismatch
> debug1: ssh_rsa_verify: signature incorrect
> key_verify failed for server_host_key

Thanks for the report. We believe we've identified the problem and backed out the offending commit in usr.bin/ssh/kexgexs.c rev 1.29. The original change was this one to kexgexs.c:

revision 1.28
date: 2016/06/01 04:19:49; author: dtucker; state: Exp; lines: +9 -9; commitid: H7nQMlahTocwHINf;
Check min and max sizes sent by the client against what we support before passing them to the monitor. ok djm@

It caused the problem because it modified the value that had already been sent to the client, so when the client computed the exchange hash it didn't match what the server computed. It didn't cause more problems (or fail the regression tests, which I ran, honest!) because any client that sent a min group size >= DH_GRP_MIN (2048 since OpenBSD 5.9) thus didn't cause the min value to be modified, and any client that preferred another key exchange method (most recent versions of OpenSSH) never triggered the problem.

Sorry for the inconvenience.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
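The hash mismatch described in this report, as an added example (not OpenSSH code; it assumes a constructed group table and a reduced hash input covering only min, n, max and K): rev 1.28's in-place clamping of the client's request beside the approach of range-checking only for group selection while hashing the values the client actually sent.

```python
# Added example, not OpenSSH code: a cut-down model of the RFC 4419
# DH group exchange to show why kexgexs.c rev 1.28 broke the exchange
# hash, and the safe way to range-check the client's min/n/max.
import hashlib
import struct

DH_GRP_MIN = 2048      # smallest group the server will use (the mail's value)
DH_GRP_MAX = 8192
# Constructed stand-in for the server's moduli file: group sizes available.
SUPPORTED_GROUPS = (2048, 3072, 4096, 8192)


def gex_hash(min_bits, n_bits, max_bits, shared_secret):
    """Reduced exchange hash: only min, n, max and K are covered here.

    The real H also covers V_C, V_S, I_C, I_S, K_S, p, g, e and f.  The
    property that matters is that both sides must hash the min/n/max
    values exactly as they were sent in KEX_DH_GEX_REQUEST.
    """
    h = hashlib.sha256()
    for v in (min_bits, n_bits, max_bits):
        h.update(struct.pack(">I", v))
    h.update(shared_secret)
    return h.hexdigest()


def choose_group(min_bits, n_bits, max_bits):
    """Pick the smallest supported group of at least n within the clamped range."""
    lo = max(DH_GRP_MIN, min_bits)
    hi = min(DH_GRP_MAX, max_bits)
    candidates = [g for g in SUPPORTED_GROUPS if lo <= g <= hi]
    if not candidates:
        raise ValueError("no supported DH group within client's range")
    for g in candidates:
        if g >= n_bits:
            return g
    return candidates[-1]


def server_buggy(request, shared_secret):
    """Models rev 1.28: clamps the request in place, then hashes the clamped values."""
    min_bits, n_bits, max_bits = request
    min_bits = max(DH_GRP_MIN, min_bits)
    max_bits = min(DH_GRP_MAX, max_bits)
    group = choose_group(min_bits, n_bits, max_bits)
    return group, gex_hash(min_bits, n_bits, max_bits, shared_secret)


def server_fixed(request, shared_secret):
    """Range-check for group selection only; hash what the client actually sent."""
    min_bits, n_bits, max_bits = request
    if not (min_bits <= n_bits <= max_bits):
        raise ValueError("malformed KEX_DH_GEX_REQUEST: need min <= n <= max")
    group = choose_group(min_bits, n_bits, max_bits)   # clamping happens inside
    return group, gex_hash(min_bits, n_bits, max_bits, shared_secret)


def client_hash(request, shared_secret):
    """The client only ever knows the values it sent."""
    return gex_hash(*request, shared_secret)
```

A request whose min is below DH_GRP_MIN is exactly the case the report describes: the buggy server still picks a valid group but its hash no longer matches the client's, so host key verification fails.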
Re: document the actual meaning of ssh's "command" argument
On Thu, Jun 2, 2016 at 2:06 PM, wrote:
> On Thu, Jun 02, 2016 at 08:53:49AM +1000, Darren Tucker wrote:
> > i'm inclined to disagree with this diff, for the following reasons:
> >
> > - other than the concatenation with spaces, it's not a behaviour of ssh(1)
> > but of the server at the other end of the connection, which might use sh -c
> > or might do something completely different depending on the server.
>
> The ssh(1) man page is already documenting quite exhaustively the behaviour
> of the server at the other end; it is assumed that you're connecting to
> a real ssh server. If that's not the case, there are a lot of things
> from that man page that do not work (just try ssh -R 0:host:port with a
> dropbear server).

That would be dropbear's fault; using zero for the bind port in tcpip-forward requests is specified in RFC4254 section 7.1. The behaviour of "exec" channel requests isn't specified other than the command being a single string.

A better example of what you're referring to would be the inclusion of ~/.ssh/authorized_keys in the ssh(1) man page. That's definitely server side (and dependent) behaviour. IMO that shouldn't be there either and I don't think we should be adding more like it.

> And please notice that it's not sh -c as in system(3) or popen(3); if
> you have /foo/bar as your login shell in /etc/passwd, it's /foo/bar -c.

Well for sshd(8), if you have a shell specified, sure. If you don't it'll use /bin/sh. If you have some other server it might do something different. It depends on the server. I didn't cover every case in my one sentence reply.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: document the actual meaning of ssh's "command" argument
On Thu, Jun 2, 2016 at 3:53 AM, Jason McIntyre wrote:
>
> [...]
>

i'm inclined to disagree with this diff, for the following reasons:

- other than the concatenation with spaces, it's not a behaviour of ssh(1) but of the server at the other end of the connection, which might use sh -c or might do something completely different depending on the server.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: how to submit bug report regarding pf queueing?
On Thu, Mar 10, 2016 at 1:38 AM, Marko Cupać wrote:
[...]
> queue download on $if_int bandwidth 10M max 10M

What's $if_int set to?

I played with queueing recently and initially used interface group names instead of interface names ("queue foo on egress ...") since that's how the rest of my rules are written, but while the ruleset loads fine it doesn't actually do anything because queues must be assigned to real interface names (quoth pf.conf(5): "The root queue must specifically reference an interface").

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: APU.1D RealtekRTL8111E
On Mon, Nov 2, 2015 at 12:56 PM, Darren Tucker wrote:
> Not that I have seen, but I don't know what the limiting factor is.
> iperf will push ~500Mbit/s from userspace (mtu 1500)
[...]
> I also notice dlg just made the following change to sys/dev/ic/re.c
> which will probably make a difference (this change is not on the
> device I tested):

I reran the test with dlg's change and the iperf output rate went up to ~535Mbit/s with a couple of percent of idle cpu. I should update my interrupt mitigation diff and see if that helps further.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: APU.1D RealtekRTL8111E
[... dmesg, NIC probe lines only ...]
v 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:31:30:74
rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
re1 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:31:30:75
rgephy1 at re1 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
re2 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:31:30:76
rgephy2 at re2 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
[...]

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: Sep 13 snapshot doesn't cleanly unmount / on reboot?
On Thu, Sep 17, 2015 at 1:48 AM, Chris Cappuccio wrote:
>
> Sometime before 5.8 release, a 4 second pause was removed from the shutdown
> path. This must have been giving your USB disk time to finish before the
> reset.

Interesting, was that in the rc scripts or the kernel?

> Have you tried stuff like sync;sync;reboot or sync;sync;sleep 2;reboot ?

For a sample size of 1 trial each, neither helps.

Also, shouldn't the last-mounted location have been updated to "/" when the root filesystem got remounted read-write?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Sep 13 snapshot doesn't cleanly unmount / on reboot?
[... dmesg ...]
root on sd0a (0b606ebc9774a32b.a) swap on sd0b dump on sd0b
WARNING: /mnt was not properly unmounted
Automatic boot in progress: starting file system checks.
/dev/sd0a (0b606ebc9774a32b.a): FREE BLK COUNT(S) WRONG IN SUPERBLK (SALVAGED)
/dev/sd0a (0b606ebc9774a32b.a): 148615 files, 1630100 used, 308347 free (47619 frags, 32591 blocks, 2.5% fragmentation)
/dev/sd0a (0b606ebc9774a32b.a): MARKING FILE SYSTEM CLEAN
[... rc output ...]

Tue Sep 15 20:21:38 MDT 2015

OpenBSD/amd64 (apu.dtucker.net) (tty00)

login:

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
sparc64 panic: IOMMU overwrite with vr(4) under load
[... trace ...]
trap+0x19c
ddb> ps
[... process list ...]
ddb> boot reboot
extent `psycho0 dvma' (0xc000 - 0xe000), flags=2
[... region list ...]
extent_free: start 0xc00b4000, end 0xc00b9fff
panic: extent_free: region not found
kdb breakpoint at 155ef04
Stopped at      Debugger+0x8:   nop
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> rebooting

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: OpenSSH and Android
On Thu, May 7, 2015 at 11:19 PM, Kevin Chadwick wrote:
> So nevermind, connectbot will have to do for now unless someone has a
> cluestick to hand.

What gcc version was that? Anyway...

openbsd-compat/openbsd-compat.h:217:22: error: expected identifier or '(' before numeric constant
# define mblen(x, y) 1

The obvious thing to try would be to change that to:

# define mblen(x, y) (1)

(BTW openssh-unix-...@mindrot.org is the best place to get help with portable OpenSSH. See http://www.openssh.com/report.html for details.)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: WinSCP clients unable to connect to recent amd64 -current
On Tue, May 5, 2015 at 3:02 PM, wrote:
> On 5/4/2015 at 9:39 PM, "Darren Tucker" wrote:
> >Please try this patch on your server.
> [...]
> We upgrade from snapshots, and don't have the source installed, so we
> can't easily check this patch.

I have committed the patch and it should be in the next snapshot.

> However, your response prompted us to look again into the WinSCP options,
> and under Advanced Site Settings > SSH > Key exchange, there is the ability
> to reorder the preferred key exchange algorithms.

You could probably work around it by removing diffie-hellman-group-exchange-sha1 from KexAlgorithms in sshd_config (but that'd also disable it for clients that do it properly).

> Preferring "D-H group 14" before "D-H group exchange" allows the client to
> connect. If D-H group exchange is obsolete then the fix should really be
> applied to WinSCP?

DH Group Exchange is not obsolete, but WinSCP is using an obsolete form of it that was never standardized. Right now we're blacklisting all versions of WinSCP from DH-GEX but if someone can tell us which versions have the problem and which future ones won't then we can restrict the blacklist.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: WinSCP clients unable to connect to recent amd64 -current
On Mon, May 04, 2015 at 09:23:53PM -0700, lawgi...@nym.hush.com wrote: > We follow -current on amd64, upgrading about once a month. Thanks! [...] > debug1: Client protocol version 2.0; client software version > WinSCP_release_5.7.2 [...] > Hm, kex protocol error: type 30 seq 1 [preauth] message type 30 is the pre-RFC4419 group exchange message. Since RFC4419 was published nearly 10 years ago support for the non-standardized message was recently removed from OpenSSH. > What did we break and how can we fix it? Please try this patch on your server. Index: compat.c === RCS file: /cvs/src/usr.bin/ssh/compat.c,v retrieving revision 1.91 diff -u -p -r1.91 compat.c --- compat.c4 May 2015 06:10:48 - 1.91 +++ compat.c5 May 2015 04:33:04 - @@ -177,6 +177,7 @@ compat_datafellows(const char *version) "TTSSH/2.70*," "TTSSH/2.71*," "TTSSH/2.72*",SSH_BUG_HOSTKEYS }, + { "WinSCP*",SSH_OLD_DHGEX }, { NULL, 0 } }; -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
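Review bot: the new compat entry `{ "WinSCP*", SSH_OLD_DHGEX }` matches every WinSCP version string, including future releases that will send the RFC4419 request, so it permanently keeps the pre-standard form of group exchange enabled for that client (the follow-up in this thread acknowledges the blacklist is broader than needed). The only version on record in the report is `WinSCP_release_5.7.2`; the table already uses per-version patterns (`"TTSSH/2.70*," "TTSSH/2.71*," "TTSSH/2.72*"`) for SSH_BUG_HOSTKEYS, so bounding this entry to the known-affected releases in the same style would avoid the downgrade once WinSCP is fixed. A short comment on why WinSCP is listed would also help whoever prunes the table later.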
Re: Alix, pppoe(VDSL), extremely low upload speed
On Fri, Oct 10, 2014 at 6:23 AM, Mark Patruck wrote:
> I'm running 5.6-current on an Alix 2c3. The box is connected
> via pppoe(4) and VDSL 50Mbit down/10Mbit up - max-mss is set
> to 1440.
>
> Running a few speed tests, i get almost always > 50.000kbit/s
> down, but not more than 400-600kbit/s up.

I just found this message looking for something else but it reminded me of something I found with my ALIX recently: for some reason it had autonegotiated with the (dlink) switch as half-duplex while the switch thought it was full. Nailing the speed to 100/full in the hostname.vr? files resulted in the speed going back up to what I expected (about 85 mbit/s). If you are still having problems you might want to check that out.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: panic on beaglebone black with sdcard with no partitions
On Mon, Jan 5, 2015 at 9:14 PM, Darren Tucker wrote:
[..]
> sd0 at scsibus0 targ 1 lun 0: SCSI2 0/direct fixed
> sd0: 7580MB, 512 bytes/sector, 15523840 sectors
> scsibus1 at sdmmc1: 2 targets, initiator 0
> sd1 at scsibus1 targ 1 lun 0: SCSI2 0/direct fixed
> sd1: 1832MB, 512 bytes/sector, 3751936 sectors

Never mind, I think I see why: I have the default firmware boot order (external sdcard then internal sdcard) and they are being detected in that order, making the root disk sd1 rather than sd0 as the kernel expects. I guess I need to figure out how to change that.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
panic on beaglebone black with sdcard with no partitions
[...]
 0: 00    0   0   0 -    0   0   0 [       0:        0 ] unused
 1: 00    0   0   0 -    0   0   0 [       0:        0 ] unused
 2: 00    0   0   0 -    0   0   0 [       0:        0 ] unused
 3: 00    0   0   0 -    0   0   0 [       0:        0 ] unused
fdisk: 1>
fdisk: eof
# disklabel -E sd1
Label editor (enter '?' for help at any prompt)
> p
OpenBSD area: 0-3451136; size: 3451136; free: 3451136
#                size           offset  fstype [fsize bsize   cpg]
  c:          3451136                0  unused
>

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: Packet Filter router i368 vs 64bit
On Sat, Dec 6, 2014 at 9:25 AM, Stuart Henderson wrote:
>
> Linux developers were seeing higher throughput (though obviously higher
> cpu usage) when offload was disabled. Apparently the checksum offload
> can't pipeline. I'm not sure if vlan hw tagging was also implicated.
> IIRC there were more details in an old lkml post.

I think I found the one you are referring to:
http://lkml.iu.edu/hypermail/linux/kernel/0712.3/1199.html

I can't test this at the moment since the hardware is on the other side of the planet, but I might give this a spin when I get a chance.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: Packet Filter router i368 vs 64bit
On Fri, Nov 28, 2014 at 6:32 PM, Blaise Hizded wrote:
>
> I run the previous generation ALIX 2D13 with OpenBSD 5.6 on it for a
> home firewall with 10MB WAN broadband and 100MB between computers.
> All is fine: low temperature, low consumption, same speed as with a
> basic 100MBB switch.

I spent some time tuning the vr(4) driver on ALIX a while back[1], and in my experience the throughput maxes out at around 85 Mbit/s of TCP (ie iperf) traffic through it. I don't know what the limiting factor is, but it's not CPU. My guess is it's the checksum offload hardware in the chips, in which case doing those in software would be faster at the cost of using more CPU, but I never tested this theory.

[1] http://undeadly.org/cgi?action=article&sid=20130201054156

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: panic on qemu Sep 10 kernel
On Sun, Sep 21, 2014 at 12:10:06AM +1000, Darren Tucker wrote:
> On Sat, Sep 20, 2014 at 11:41:38PM +1000, Darren Tucker wrote:
> > This is qemu/kvm on a linux host. It has previously worked fine.
> > There's a similar panic in the mp kernel which I can also capture if
> > it'll help.
>
> I was able to bring it up in single-user enough to ifconfig the network
> up, cvs up and build a kernel and reproduce the panic with -current.

Removing iscsid from /etc/rc allows it to come up normally and running iscsid provokes the panic:

# iscsid
# uvm_fault(0xd0ba3ac0, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      scsi_plug_detach+0x12:  movl    0x18(%eax),%edx

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Re: panic on qemu Sep 10 kernel
On Sat, Sep 20, 2014 at 11:41:38PM +1000, Darren Tucker wrote:
> This is qemu/kvm on a linux host. It has previously worked fine.
> There's a similar panic in the mp kernel which I can also capture if
> it'll help.

I was able to bring it up in single-user enough to ifconfig the network up, cvs up and build a kernel and reproduce the panic with -current.

booting hd0a:/bsd: 9826364+1062060 [72+404160+397896]=0xb263d4
entry point at 0x200120
[ using 802540 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2014 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.6-current (GENERIC) #5: Sun Sep 21 00:02:11 AEST 2014
    dtucker@:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: QEMU Virtual CPU version 1.0 ("GenuineIntel" 686-class) 2.67 GHz
[... dmesg and rc output ...]
starting early daemons: syslogd unbound(failed) iscsiduvm_fault(0xd0ba3ac0, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      scsi_plug_detach+0x12:  movl    0x18(%eax),%edx
ddb> trace
scsi_plug_detach(d5d4f000,0,0,0,) at scsi_plug_detach+0x12
taskq_thread(d0b3f120) at taskq_thread+0x30
Bad frame pointer: 0xd0d28e08
ddb> ps
[...]
panic on qemu Sep 10 kernel
92000,0,0,0,) at scsi_plug_detach+0x12
taskq_thread(d0b3f120) at taskq_thread+0x30
Bad frame pointer: 0xd0d28e08
ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT          COMMAND
 28090  24652  10655      0  2         0x1                sh
 24652  10942  10655      0  3        0x8b  pause         sh
 10942  10655  10655      0  3        0x8b  pause         sh
 10061   8486   8486     73  2        0x90                syslogd
  8486      1   8486      0  3        0x80  netio         syslogd
 10655      1  10655      0  3        0x8b  pause         sh
 12265      0      0      0  3     0x14200  aiodoned      aiodoned
 16597      0      0      0  3     0x14200  syncer        update
  5807      0      0      0  3     0x14200  cleaner       cleaner
 13248      0      0      0  3     0x14200  reaper        reaper
 13444      0      0      0  3     0x14200  pgdaemon      pagedaemon
 24669      0      0      0  3     0x14200  bored         crypto
 18072      0      0      0  3     0x14200  pftm          pfpurge
  9197      0      0      0  3     0x14200  bored         viomb
   809      0      0      0  3  0x40014200  acpi0         acpi0
 27407      0      0      0  3     0x14200  bored         systqmp
* 1365      0      0      0  7     0x14200                systq
 25722      0      0      0  3     0x14200  bored         syswq
 10704      0      0      0  3  0x40014200                idle0
 25159      0      0      0  3     0x14200  kmalloc       kmthread
     1      0      1      0  2        0x82                init
     0     -1      0      0  3     0x10200  scheduler     swapper
ddb>
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: sshd segfaults with incomplete /etc/hosts
On Mon, May 12, 2014 at 04:39:57PM -0400, Darren Tucker wrote: > Indeed. It looks like a bug in the libc resolver rather than sshd, though. > I've been kinda busy recently so I haven't kept up with recent changes so > I'm not sure exactly what's changed in there. Looks like it should be > readily reproducible outside of sshd with a call to getnameinfo(). It's a null pointer deref. Without understanding the surrounding code, the following naive diff fixes it for me. Eric? Index: libc/asr/gethostnamadr_async.c === RCS file: /cvs/src/lib/libc/asr/gethostnamadr_async.c,v retrieving revision 1.28 diff -u -p -r1.28 gethostnamadr_async.c --- libc/asr/gethostnamadr_async.c 26 Mar 2014 18:13:15 - 1.28 +++ libc/asr/gethostnamadr_async.c 12 May 2014 20:46:54 - @@ -577,6 +577,8 @@ hostent_set_cname(struct hostent_ext *h, name = buf; } + if (name == NULL) + return (-1); n = strlen(name) + 1; if (h->pos + n >= h->end) return (-1); -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
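Review bot: the added `if (name == NULL) return (-1);` sits correctly before `n = strlen(name) + 1;`, but -1 is also what the `h->pos + n >= h->end` path just below it returns, so gethostnamadr_async_run() (the caller at gethostnamadr_async.c:452 in the backtrace) cannot tell "hosts line had an address but no name" from "out of buffer space" and will handle both the same way; check that this is wanted, since for a malformed /etc/hosts entry the sensible outcome is to ignore that line and continue with the lookup, not to fail the whole getnameinfo(). It would also be worth rejecting the nameless line where /etc/hosts is parsed, so hostent_set_cname() is never handed a NULL name at all, and keeping this check only as a guard.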
Re: sshd segfaults with incomplete /etc/hosts
On Sun, May 11, 2014 at 10:41 PM, Seth Hanford wrote: > While working on consolidating some firewalls, I ended up creating an > incomplete /etc/hosts file entry. One line of that file was simply an IP > address: > 192.168.100.25 > > Upon ssh from that host (.25) to my sshd server (192.168.100.4), the > sshd on .4 segfaulted. Log output of /usr/sbin/sshd included below. > > It appears as if line 71 of canohost.c is not properly handling this > hosts entry. I verified this on another host that I had at the same > patch level & which I hadn't been messing around with. (all it took was > to add the IP to /etc/hosts and 'pkill -HUP sshd') > > Obviously my /etc/hosts was wrong, but it seems like sshd shouldn't > segfault here. [...] Indeed. It looks like a bug in the libc resolver rather than sshd, though. I've been kinda busy recently so I haven't kept up with recent changes so I'm not sure exactly what's changed in there. Looks like it should be readily reproducible outside of sshd with a call to getnameinfo(). $ sudo gdb -q --args /usr/sbin/sshd -r -ouseprivilegeseparation=no -ddd -p 2022 (gdb) run Starting program: /usr/sbin/sshd -r -ouseprivilegeseparation=no -ddd -p 2022 [...] Program received signal SIGSEGV, Segmentation fault. strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43 43 for (s = str; *s; ++s) (gdb) bt #0 strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43 #1 0x0154422d in hostent_set_cname (h=0x88f4f800, name=0x0, isdname=Variable "isdname" is not available. 
) at /usr/src/lib/libc/asr/gethostnamadr_async.c:580 #2 0x01544a65 in gethostnamadr_async_run (as=0x86bef800, ar=0xcfbcc68c) at /usr/src/lib/libc/asr/gethostnamadr_async.c:452 #3 0x01558e13 in asr_run (as=0x86bef800, ar=0xcfbcc68c) at /usr/src/lib/libc/asr/asr.c:199 #4 0x01541acf in getnameinfo_async_run (as=0x83012d00, ar=0xcfbcc68c) at /usr/src/lib/libc/asr/getnameinfo_async.c:157 #5 0x01558e13 in asr_run (as=0x83012d00, ar=0xcfbcc68c) at /usr/src/lib/libc/asr/asr.c:199 #6 0x01558e87 in asr_run_sync (as=0x83012d00, ar=0xcfbcc68c) at /usr/src/lib/libc/asr/asr.c:224 #7 0x0154178b in getnameinfo (sa=0xcfbcc854, salen=16, host=0xcfbccdb0 "", hostlen=256, serv=0x0, servlen=0, flags=8) at /usr/src/lib/libc/asr/getnameinfo.c:47 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: sftp -R as ssh_config option
On Sun, Mar 9, 2014 at 7:51 AM, LEVAI Daniel wrote: > For the life of me I can not find the corresponding ssh option in > ssh_config(5) for sftp's -R switch. Is that even configurable with -o ? Nope, sorry. -R is specific to sftp and sftp doesn't read ssh_config. As far as sftp is concerned, the underlying ssh is just an 8-bit clean bidirectional pipe. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: pf redirect through socks tunnel?
On Sun, Feb 2, 2014 at 9:33 AM, Stuart Henderson wrote: [...] > Rather than writing a helper running as root, you can change from using > nat redirects (rdr-to) to using divert sockets (divert-to), then the proxy > will receive unmodified packets and can just use getsockname(2) to retrieve > the original address which does not require privileges. That does look like a better way of doing it and would likely also simplify things. If I'm reading commit logs correctly, divert-to was added about 6 months after I originally wrote that code. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: pf redirect through socks tunnel?
On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne wrote: > Hi there, > > When I use a client, which is behind a pf firewall, I use this redirect > rule: > pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to > 10.1.2.3 > > Now I have a client that is connected via a socks5 SSH tunnel to the pf > firewall. Can I still have a pf redirect to this client? I wrote code to do this for PF some time back based on work by Luca Barbieri for the same functionality on Linux: https://bugzilla.mindrot.org/show_bug.cgi?id=1295 I suspect the patch will have bitrotted since then. The other gotcha is that it needed to be run as root to open the PF device to look up the NAT states. That could potentially be mitigated by a setuid helper program, but from memory it needed write access for the DIOCNATLOOK ioctl, so it'd still be potentially dangerous. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: Is Soekris OpenBSD friendly?
On Sat, Nov 16, 2013 at 11:27 AM, Chris Cappuccio wrote: > Why not just get a Soekris 5501 or a similar PC Engines ALIX, +1 for the ALIX (I've got two alix2d3 and have been very happy with them) > they can do 100Mbps with the improved vr ethernet driver these days. Have you been able to get more than 85Mbit/s out of a single interface on an ALIX? 85 was the best I could get when playing with the tx interrupt mitigation stuff[1] but it had plenty of spare CPU. My guess was it was maxing out the NIC hardware, and that turning off checksum offloading would make it go faster at the cost of more CPU usage although I never tested that. [1] http://undeadly.org/cgi?action=article&sid=20130201054156 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: matching single-part label in ssh_config ?
On Sun, Nov 03, 2013 at 01:00:28PM +0200, Lars Nooden wrote: > On Sun, 3 Nov 2013, Darren Tucker wrote: > [snip] > > Also: it's not in 5.4 but it is in current: check out the Match keyword > > for a more flexible method. > > Cool. Were there any particular use cases in mind with 'exec' ? ProxyCommand is the one that springs immediately to mind (ie picking the right proxy for the network you're currently on) but I haven't actually tried it yet. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: matching single-part label in ssh_config ?
On Sat, Nov 02, 2013 at 02:36:01PM -0500, Adam Thompson wrote: > Reading the ssh_config manpage, I don't see a way to do this... > > I want to match single-part labels, e.g. "servername" without > matching everything "servername.somewhere.else". > (I do rely on my local resolver's search functionality.) > > So far, the best I can come up with is "*,!*.*" which doesn't seem to work. > Is there a way to do this? The parser is first-match, so you can do something like this: Host *.* Ciphers aes128-ctr,aes192-ctr,aes256-ctr,... Host * Ciphers arcfour256,arcfour128,... which will use the first for any hostname containing a dot, and the second for anything without. Also: it's not in 5.4 but it is in current: check out the Match keyword for a more flexible method. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: My VPS is acting slow (KVM)
On Sun, Oct 06, 2013 at 09:13:21AM +, openda...@hushmail.com wrote: > Good point. I'm doing asset precompilation in this Ruby on Rails app > - a process that should only take a couple of minutes if not seconds, > but ends up taking over 1 hour on my VPS. I asked around and it seems > to be a very I/O intensive process. > So what are my options? Demand better services from my ISP or stop > using VPS altogether? One thing you can try is disabling mpbios and, if you don't need usb, uhci in the kernel. I've only seen this make a difference on i386 and it may be specific to some versions of qemu. # config -o /bsd -e /bsd ukc> disable mpbios ukc> disable uhci ukc> quit Then reboot. Anyway, this is just a guess. You might get some better advice if you provide more info, like the output of dmesg. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: OpenBSD not forwarding to specific sites
On Mon, Sep 30, 2013 at 11:18:55PM +1000, John Tate wrote: > I am having trouble with IP forwarding to specific sites on a very > typical configuration. The router itself can access these sites but > clients can not. I have looked in obvious places on the clients, but I > cannot find a cause. I reinstalled OpenBSD on the router after getting > SSL errors where SSL servers could not be reached from clients, and I > bought a cheap Netgear router to use which works fine ruling out that > my ISP is causing problems. > > I really need to find out what is causing these issues with my > Internet it is something bizarre. My server I've literally only > changed the following files... > > /etc/hostname.fxp0 > /etc/hostname.athn0 > /etc/hostname.pppoe0 > /etc/hostname.xl0 > /var/named/etc/named.conf > /etc/rndc.conf > /etc/resolv.conf > /etc/pf.conf > /etc/dhcpd.conf Is IP forwarding (net.inet.ip.forwarding=1) on? It's in sysctl.conf (not in that list) and it's off by default. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: ssh/sftp performance
On Wed, Aug 21, 2013 at 01:29:50AM -0300, Hugo Osvaldo Barrera wrote: [...] > I noticed my CPU supports AES, but not AESNI, so at first, I thought that > that might be using up all my CPU, but that only accounts for 48% of > CPU usage. Is there anything else I can do to improve performance? Try one of the faster MACs (umac...@openssh.com is probably going to be the fastest one but you might want to try the others too). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: Canceled SSH forwarding
On Thu, May 23, 2013 at 10:58:32AM +0300, Lars Nooden wrote: > On Wed, 22 May 2013, Lars Nooden wrote: > [snip] > > However, the remote machine is still able to use the forwarded port until > > the connection is finally closed. The same syntax seems to shutdown > > regular (-L) forwarded ports, just not for reverse (-R) forwarding. What > > am I missing? > > What I was missing was patience. With Chromium and Firefox, the > connection is kept open for only a short while longer, but definitely not > immediately shut down. With other programs, the tunnel seems to shut > right away. The port should stop listening immediately, but any connections that were established before the port stopped listening will continue until they're closed by either end of the forwarded connection or the ssh connection is forcibly terminated. In your case, I'd guess you were seeing HTTP/1.1 keep-alives. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
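The behaviour described in the reply above, that cancelling a forwarding stops new connections at once but leaves already-accepted ones alive until one end closes them, is ordinary TCP semantics rather than anything ssh-specific: the listening socket and the sockets accept(2) returns are independent objects. Added example, not code from the original post or from OpenSSH: a Python script that opens a listener on 127.0.0.1, accepts one connection, closes the listener, and shows that the accepted stream still carries data while a fresh connect to the same port is refused. The port is ephemeral and the payload is constructed for the demo.

```python
"""Closing a listening socket does not close the connections it accepted.

Illustration of what happens when an ssh -R/-L forwarding is cancelled:
the listener disappears immediately, established streams live on until
either side closes them (HTTP keep-alive being the usual culprit).
Uses 127.0.0.1 only; no ssh involved.
"""
import socket

# Constructed sample request; keep-alive is what kept the browser's stream open.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\nConnection: keep-alive\r\n\r\n"


def recv_exact(sock, n):
    """Read exactly n bytes (or fewer on EOF) from a connected socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def demo():
    """Return (established_stream_survived, new_connection_refused)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port, as ssh -R 0:... would pick
    listener.listen(1)
    port = listener.getsockname()[1]

    client = socket.create_connection(("127.0.0.1", port))
    served, _peer = listener.accept()

    # "Cancel the forwarding": only the listening socket goes away.
    listener.close()

    # The stream accepted before the cancel still works in both directions.
    client.sendall(PAYLOAD)
    served.sendall(recv_exact(served, len(PAYLOAD)))          # echo it back
    survived = recv_exact(client, len(PAYLOAD)) == PAYLOAD

    # A new client finds nothing listening on that port any more.
    try:
        socket.create_connection(("127.0.0.1", port), timeout=1).close()
        refused = False
    except ConnectionRefusedError:
        refused = True

    client.close()                           # this, not the cancel, ends the stream
    served.close()
    return survived, refused


if __name__ == "__main__":
    survived, refused = demo()
    print("established stream survives listener close:", survived)
    print("new connection refused after the cancel:   ", refused)
```

The same two observations are what you would see with `netstat` after `ssh -O cancel`: the LISTEN entry is gone, the ESTABLISHED entries for connections made before the cancel are still there.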
Re: Forcing choice of keys for ssh
On Thu, May 16, 2013 at 01:11:43PM +0300, Lars Nooden wrote: > but is there a better way to get ssh to use only the key specified on the > comand line besides that or leaving them out of the agent in the first > place? IdentitiesOnly? from ssh_config(5): IdentitiesOnly Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) or a PKCS11Provider offers more identities. The argument to this keyword must be ``yes'' or ``no''. This option is intended for situations where ssh-agent offers many different identities. The default is ``no''. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: OpenSSH sshd -E
On Sun, Apr 28, 2013 at 08:32:39PM +0300, Lars Nooden wrote: > I see a useful feature in OpenSSH 6.2(?) in current that is not in the > release notes for 6.2. In the man page for sshd(1) in current there is > this: > > -E log_file > Append debug logs to log_file instead of the system log. [...] > Is this something from upcoming 6.3 or was it missed in the release notes > for 6.2? It was added after the 5.2 release and will be in 5.3. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: snapshot ssh: ChrootDirectory sftp Connection closed
On Wed, Apr 17, 2013 at 03:55:25PM +0800, f5b wrote: > BTW, > 1. UsePrivilegeSeparation default sshd_config and manual not sync in current. > 2. why ``yes''? but not 'yes' or "yes" in manual. > > # less /etc/ssh/sshd_config | grep UseP > UsePrivilegeSeparation sandbox # Default for new installations. > > # man sshd_config > Says The default is ``yes'' Actually both are correct, although maybe it's not clear why. The default setting in sshd (ie, what is in effect if you don't set it in the config file) is "yes": $ sudo /usr/sbin/sshd -T -f /dev/null | grep useprivilegeseparation useprivilegeseparation yes The value set in the config file from a new install, however, is indeed "sandbox". We do this for some settings where there's significant risk of breakage and we don't want to change behaviour of existing installations, at least in the short term. This allows some time for any problems to get shaken out, particularly in older/upgraded systems that may be significantly different from a new install. The other recent example of this was disabling the ssh1 protocol, where it was disabled in new installations for about 2.5 years before the default compiled into sshd was changed. I would expect the compiled in default for UsePrivilegeSeparation to change at some point down the track, at which point it will be commented out in sshd_config again. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: snapshot ssh: ChrootDirectory sftp Connection closed
On Tue, Apr 16, 2013 at 12:25:54PM +0800, f5b wrote: > the user share can not sftp to the server, > but same config in Mar 1 snapshot, sftp is ok. it's caused by this change (feed it to patch -R to revert it), and it's because the uid has already been set at this point. I haven't figured out the right way to fix it, though. For now, I think we should revert this. djm? Index: session.c === RCS file: /cvs/src/usr.bin/ssh/session.c,v retrieving revision 1.261 retrieving revision 1.262 diff -u -p -r1.261 -r1.262 --- session.c 2 Dec 2012 20:46:11 - 1.261 +++ session.c 6 Mar 2013 23:35:23 - 1.262 @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: session.c,v 1.262 2013/03/06 23:35:23 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland *All rights reserved @@ -1216,7 +1216,10 @@ do_setusercontext(struct passwd *pw) perror("unable to set user context (setuser)"); exit(1); } - } + } else if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) + fatal("server lacks privileges to chroot to ChrootDirectory"); + if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); } -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
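Review bot: the new `else if` branch runs whenever the privileged `if` block above it is skipped, and as the reply notes the uid has already been set by the time do_setusercontext() reaches this point for the sftp case, so a ChrootDirectory that was in fact applied is still reported with `fatal("server lacks privileges to chroot to ChrootDirectory")` and the session is torn down, which matches the "Connection closed" the reporter sees. To keep the intent (fail loudly when a configured chroot cannot be honoured) the condition should test whether a chroot was requested and not performed, for instance a flag set at the point the chroot actually happens, rather than only whether `options.chroot_directory` is set; reverting with `patch -R` as suggested is the safe interim step.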
Re: Fallthrough in ssh_config
On Fri, Mar 22, 2013 at 7:30 AM, Ryan Kavanagh wrote: > Is there a way to have Host stanzas in an ssh_config containing a > HostName entry match Host stanzas corresponding to said HostName? In > other words, given an ssh config > > Host blah > HostName blah.example.org > > Host *.example.org > User bob > > can I have "ssh blah" also use the settings in the "*.example.org"? No, not currently. The matching of Host is done on the name you provide to the ssh command, not whatever the name/address ultimately resolves to, and they're simple string matches. There is an open enhancement request to let it match subnets, which may or may not be sufficient for what you want (https://bugzilla.mindrot.org/show_bug.cgi?id=1169). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
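The two ssh_config answers above (the single-label match in "matching single-part label in ssh_config ?" and the HostName question in "Fallthrough in ssh_config") hinge on three rules that are easy to misremember: Host patterns are matched against the name typed on the command line, never against the HostName a block assigns; for each keyword the first obtained value wins, so a later `Host *` only fills in options not already set; and a Host line takes several whitespace-separated patterns, a `!` prefix negating one. Added example, not OpenSSH code: a small Python model of that resolution run over a constructed config that combines both threads' stanzas. Only `*` and `?` wildcards are modelled, and the config text is made up for the illustration.

```python
"""Model of ssh_config Host-block resolution (illustration, not OpenSSH code).

Rules modelled, from ssh_config(5):
  * patterns are matched against the name given on the command line,
    never against the HostName the block later assigns;
  * for each keyword the first obtained value is used, so specific Host
    blocks must come first and a trailing `Host *` only fills gaps;
  * a Host line may carry several patterns separated by whitespace;
    a pattern prefixed with `!` is negated and, if it matches, vetoes
    the whole block even when a positive pattern also matched.
"""
import fnmatch

# Constructed sample config combining the two threads (not from the posts).
SAMPLE_CONFIG = """
Host blah
    HostName blah.example.org

Host *.*
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Host *
    Ciphers arcfour256,arcfour128
    User bob
"""


def parse(text):
    """Return [(patterns, {keyword: value}), ...] in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "host":
            current = (value.split(), {})        # whitespace-separated patterns
            blocks.append(current)
        elif current is not None and keyword not in current[1]:
            current[1][keyword] = value.strip()  # first value inside a block wins too
    return blocks


def host_matches(name, patterns):
    """True if some positive pattern matches and no negated pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return False                     # negation vetoes the block
        elif fnmatch.fnmatchcase(name, pat):     # `*` and `?` only, as in ssh
            positive = True
    return positive


def resolve(name, text):
    """Effective options for `name`: first obtained value per keyword."""
    options = {}
    for patterns, kv in parse(text):
        if host_matches(name, patterns):
            for keyword, value in kv.items():
                options.setdefault(keyword, value)
    return options


if __name__ == "__main__":
    for name in ("servername", "servername.somewhere.else", "blah"):
        print(f"{name:28} -> {resolve(name, SAMPLE_CONFIG)}")
    print("Host * !*.*  matches servername:", host_matches("servername", ["*", "!*.*"]))
    print("Host * !*.*  matches a.b.c     :", host_matches("a.b.c", ["*", "!*.*"]))
```

Running it shows `blah` taking the `Host *` ciphers even though its HostName is blah.example.org, which is the no-fallthrough behaviour Darren describes, and `servername` getting the arcfour list while `servername.somewhere.else` gets the aes list from the earlier `Host *.*` block. In this model, as with the Host keyword itself, patterns on one line are separated by whitespace, so the single-label match reads `Host * !*.*` rather than the comma form in the question.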
Re: Can I change ssh port forwardings on a active connection *non-interactively* ?
On Fri, Nov 16, 2012 at 12:10:19AM +0200, Manolis Tzanidakis wrote: > Hello all, > I want to send the '~C' escape to ssh followed by ie. '-L 1024:localhost:1024' > from the active ssh connection's shell, non-interactively from a script. > Is it possible? Or is there a better way to accomplish this? If you start ssh with ControlMaster mode enabled you can use "ssh -O forward" to add forwardings to an established connection, eg: $ ssh -o ControlMaster=yes -o ControlPath=/tmp/ctl localhost $ ssh -o ControlMaster=no -o ControlPath=/tmp/ctl -O forward \ -L 1234:127.0.0.1:22 localhost -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: SSI
On Thu, Sep 27, 2012 at 01:04:23PM -0700, Brian Empson wrote: > Hello OpenBSD world, > > Has there been/are there plans to include some SSI functionality > for BSD? Single System Image was one of the original design goals for DragonFly, but they seem to have backed away from that recently (or, at least, it's taking much longer than they expected). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: after upgrade to current(25-06-2012), can not login ssh
On Tue, Jun 26, 2012 at 04:54:16PM +0800, johnw wrote: > HI, i found sandbox-systrace.c need the mquery() to work with > "UsePrivilegeSeparation sandbox" > > below change maybe related, > http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/malloc.c.diff?r1=1.143;r2=1.144;sortby=date > > anyway, add mquery() to sandbox-systrace.c work on my system. > thank you. Slight variant (SYSTR_POLICY_PERMIT) committed, thanks. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: hello I have question for openssh !
On Mon, Jun 25, 2012 at 9:52 PM, Tomasz Marszal wrote: [...] > Does it prevent man in the middle attack ? The RSA key exchange method? Yes, the last step is that the server signs a bunch of things including the shared secret and the ephemeral server key with the server's host key, which an MITM can't do since it doesn't have access to the corresponding private key. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: hello I have question for openssh !
On Thu, Jun 21, 2012 at 5:41 PM, Chris Cappuccio wrote: > ??? [hohoho...@dreamsecurity.com] wrote: > >> I have question for openssh >> >> SSH server with RSA key exchange? >> I need to look for a free ssh server that accepts RSA key exchange instead of diffie-hellman. > > openssh supports both Actually it doesn't. You're talking about different things: he's asking about RSA key exchange (ie how the client and server arrive at a shared secret, ie http://www.ietf.org/rfc/rfc4432.txt), but you're talking about RSA host key algorithms (ie how the server proves it is who you think it is, which happens later in the connection). Here's the list of supported key exchange algorithms (from usr.bin/ssh/myproposal.h): #define KEX_DEFAULT_KEX \ "ecdh-sha2-nistp256," \ "ecdh-sha2-nistp384," \ "ecdh-sha2-nistp521," \ "diffie-hellman-group-exchange-sha256," \ "diffie-hellman-group-exchange-sha1," \ "diffie-hellman-group14-sha1," \ "diffie-hellman-group1-sha1" so no "rsa1024-sha1" or "rsa2048-sha256". To the original question: - Putty implements the client side, which makes me wonder what they tested against. Ben Harris mentioned that his initial implementation used OpenSSH. I don't know if the code is available anywhere, but it might be. - the threads on the ietf working group lists mentioned der Mouse implemented it, so it's probably in http://sparkle.rodents-montreal.org/mouseware/local-src/moussh/moussh/. On a related topic: I added an openssh specs page recently (http://www.openssh.com/specs.html) which should be the authoritative reference for what is supported. Corrections are welcome (but before someone says "RFC6594", note that I'm trying to keep it accurate for the most recent release). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
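The two replies in this thread separate the key exchange method (how the shared secret is produced) from the host key algorithm (how the server proves who it is), and the first reply gives the reason the second step defeats a man in the middle: the server signs an exchange hash that covers both sides' contributions and the shared secret, which an interposer cannot do without the host private key. Added example, not OpenSSH code: a Python sketch of a Diffie-Hellman exchange with that signature step, run once honestly and once with a relaying attacker who substitutes its own public value and is caught by the client's verification. The group, the textbook RSA host key, the hash layout and the unpadded signing are constructed for the illustration and bear no resemblance to real SSH parameters.

```python
"""Toy SSH-style key exchange: why the host-key signature defeats a MITM.

Added illustration, not OpenSSH code.  The server signs the exchange hash
H = hash(client_pub, server_pub, shared_secret) with its host key; a
relaying attacker leaves the client with a different H and no way to
forge the signature.  Every parameter (128-bit DH group, 512-bit textbook
RSA, raw unpadded signing) is constructed for the demo and is worthless
for real use.
"""
import hashlib
import secrets

P = (1 << 127) - 1          # constructed toy group: a Mersenne prime
G = 2


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def exchange_hash(client_pub, server_pub, shared):
    """H binds both DH public values and the shared secret (cf. RFC 4253 s.8)."""
    h = hashlib.sha256()
    for v in (client_pub, server_pub, shared):
        h.update(v.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; plenty for a demo host key."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_host_key(bits=512):
    """Return ((n, e), d): a textbook RSA host key of toy size."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), pow(e, -1, phi)


def sign(priv, n, h):
    return pow(h, priv, n)              # raw RSA on H, no padding (demo only)


def verify(pub, h, sig):
    n, e = pub
    return pow(sig, e, n) == h % n


def run_kex(host_pub, host_priv, mitm=False):
    """Run one exchange; return True if the client accepts the signature."""
    c_priv, c_pub = dh_keypair()                      # client -> server: e = g^x
    s_priv, s_pub = dh_keypair()                      # server -> client: f = g^y
    if not mitm:
        k_server = pow(c_pub, s_priv, P)
        h_server = exchange_hash(c_pub, s_pub, k_server)
        seen_pub = s_pub
    else:
        # Attacker substitutes its own g^z towards both sides and relays the rest.
        _m_priv, m_pub = dh_keypair()
        k_server = pow(m_pub, s_priv, P)              # server now shares K with the MITM
        h_server = exchange_hash(m_pub, s_pub, k_server)
        seen_pub = m_pub                              # client receives the MITM's value
    sig = sign(host_priv, host_pub[0], h_server)      # only the real server can do this
    k_client = pow(seen_pub, c_priv, P)
    h_client = exchange_hash(c_pub, seen_pub, k_client)
    return verify(host_pub, h_client, sig)            # MITM: H differs, check fails


if __name__ == "__main__":
    pub, priv = rsa_host_key()
    print("honest exchange accepted :", run_kex(pub, priv))
    print("relayed exchange accepted:", run_kex(pub, priv, mitm=True))
```

The point to take from it is that the DH (or RSA, or ECDH) step alone protects only against a passive eavesdropper; the client's trust in `host_pub`, whether from known_hosts or a CA, is what turns the signature check into MITM protection. If the client accepts an unknown host key on first use, the attacker simply presents its own key and the check passes.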
Re: SSH connection failure: broken pipe
On 2/12/10 5:59 AM, Alex Popov wrote: I just did a snapshot upgrade from 4.7-snapshot (Apr 7) to 4.8-snapshot (Nov 30) and I can't establish outgoing SSH connections from this box. I noticed the problem when I tried to update src and ports via cvs and got "Read from socket failed: Connection reset by peer" error. What's kind of weird is that both ends see "reset by peer". My guess is that it's some kind of network problem, either the network itself or the stack. Does it fail immediately or does it take a while? If it hangs for a while, try running "netstat" on each, identify the TCP connection and check if the "send-q" is non zero (indicating un-acked data). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: umask for remote host in sftp / sftp-server
Lars Nooden wrote: How can umask be set on the remote host for chrooted sftp users? You can set it on the server side with sftp-server's "-u" option but that's very new (post 4.6). You would have something like this in sshd_config: Subsystem sftp sftp-server -u 0022 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: How to determine my ip address (logged in via ssh)
Falk Brockerhoff wrote: is there any gentle way how to determine my ip address if I connected via ssh to an openbsd system? echo $SSH_CLIENT | cut -f1 -d' ' -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: Latest Portable OpenNTPD?
On Fri, Nov 21, 2008 at 04:36:36PM +0100, Henning Brauer wrote: > * Anirban Sinha <[EMAIL PROTECTED]> [2008-11-21 04:33]: > > On 2008-11-21, Don Hiatt <[EMAIL PROTECTED]> wrote: > > > I was looking at http://openntpd.org/ for the latest Portable > > > OpenBSD and saw that it is at 3.9p1 while the non-portable is > > > at 4.3. A colleague of mine is tired of fighting with ntpd.org's > > > ntpd server so I suggested OpenNTPD. Is there a newer version > > > of the Portable OpenNTPD or is 3.9p1 the latest? > > > > >That's the latest portable version, but the OpenBSD one has > > >since been improved. > > > > I am wondering if any work is currently underway to port the latest > > OpenNTPD to other platforms? Looks like there has been a lot of good work > > in OpenNTPD since version 3.9. It would be really nice to have it for > > other platforms as well. > > not as far as I am aware. which is a pity. Robert Nagy did a bunch of work pulling in much of the recent changes. I put up a snapshot[1] a while back with these, but there's been no release. There's more work to be done, and some of it is going to be nontrivial to port (eg sensors, adjtime(NULL, olddelta) returning the remaining offset) and I have been busy with other things and slacking in this department. [1] http://www.zip.com.au/~dtucker/openntpd/snapshot/ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: IP over Simulated Radio/Satellite Channels
Rolf Sommerhalder wrote: In an effort to port a Performance Enhancing Proxy (PEP, see scps.org) to OpenBSD, I am looking at ways to simulate radio channels at IP level with loss rate, delay and jitter. [...] I am grateful for any pointers towards IP channel simulation and/or PEPs such as SCPS TP in OpenBSD. You could try tunbridge, which does loss, delay but not (I think) jitter. "tunbridge(1) emulate a long, possibly lossy, link using the tun device. tunbridge(1) reads packets from the tun(4) device, creates a delay, packet loss, and packet shaping, and then, reinjects the packets to the same tun device." http://www.iijlab.net/~kjc/software/dist/tunbridge-0.1.tar.gz -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: GSSAPI logins into OpenSSH combined with auto-obtaining AFS tokens
Rogier Krieger wrote: While fiddling around to move my home directories onto AFS, I notice a bit of interesting behaviour. At a first glance, everything seems just fine. When logging in through the Krb5 mechanism (as defined in login.conf), OpenSSH nicely obtains an AFS token for me. Use case: Windows SSH client entering a username/password upon connecting. The following scenario, however, does not get me AFS tickets in my shell: obtaining Krb5 credentials on the client and logging into OpenSSH through GSSAPI. Although logging in seems to have nicely transfered my Krb5 ticket, OpenSSH does not obtain an AFS token for me. Running afslog manually fixes this, but I would greatly prefer to have afslog run automatically. Do you have "KerberosGetAFSToken yes" in sshd_config? KerberosGetAFSToken If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory. The default is ``no''. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: classify scp and ssh
Damien Miller wrote: On Sat, 7 Jul 2007, Lawrence Horvath wrote: Is there a way using pf to distinguish between ssh shell logins, and scp file transfers? Not easily: ssh sets IPTOS_THROUGHPUT for non-interactive sessions, but does it after the TCP handshake. If you are assigning connections to queues statefully, this is too late, as the state would have already been created with the default TOS. You can use nc(1) as an ssh proxycommand and set the TOS to whatever you want, but it doesn't help for the normal case. Host somehost ProxyCommand nc -T lowdelay %h %p Host somehost-xfer Hostname somehost ProxyCommand nc -T throughput %h %p -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: ssh and sudo, password not hidden
Tom Van Looy wrote: OK, problem solved. But, why doesn't this flag get set implicitly when using a command with ssh? Because it's not 8bit-clean, the tty layer can change the data. It's usually ok for text, but it messes up binary data so having it on all the time would make ssh pipelines a lot less useful. $ dd if=/dev/arandom of=/tmp/tmp1 bs=1k count=1k 2>/dev/null $ ssh -t localhost "cat /tmp/tmp1" >/tmp/tmp2 Connection to localhost closed. $ ls -l /tmp/tmp* -rw-r--r-- 1 dtucker staff 1048576 Jul 2 07:49 /tmp/tmp1 -rw-r--r-- 1 dtucker staff 1067393 Jul 2 07:50 /tmp/tmp2 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
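The dd/ssh -t comparison above shows the symptom (1048576 bytes in, 1067393 out) but not the mechanism: with `-t` the remote command writes to a pseudo-terminal, and the tty's output post-processing rewrites the stream (`\n` becomes `\r\n` under ONLCR; systems with tab expansion turned on also turn tabs into spaces). Added example, not from the original post: a Python script that pushes a binary buffer through a local pty with OPOST|ONLCR set, and again with post-processing off, and compares the byte counts, so the inflation can be reproduced without an ssh session. Requires a Unix with pty support; the payload is constructed.

```python
"""A tty is not 8-bit clean: bytes written through a pty change on the way.

Illustration (not from the post): push a buffer through a pseudo-terminal
with output post-processing on, the state an `ssh -t` session's tty is in,
and compare with post-processing off, which behaves like a plain pipe.
"""
import os
import pty
import termios

# Constructed payload: every byte value four times, so it contains exactly
# four 0x0a (\n) bytes that a cooked tty rewrites as \r\n.
SAMPLE = bytes(range(256)) * 4


def through_pty(data, cooked=True):
    """Write `data` to a pty slave and return what the master side reads.

    cooked=True  sets c_oflag to OPOST|ONLCR (newline -> CR LF);
    cooked=False clears OPOST so no output translation happens at all.
    """
    master, slave = pty.openpty()
    attrs = termios.tcgetattr(slave)
    attrs[1] = (termios.OPOST | termios.ONLCR) if cooked else 0   # c_oflag
    termios.tcsetattr(slave, termios.TCSANOW, attrs)

    expect = len(data) + (data.count(b"\n") if cooked else 0)
    os.write(slave, data)                    # small buffer, fits the pty queue
    out = b""
    while len(out) < expect:
        chunk = os.read(master, 4096)
        if not chunk:
            break
        out += chunk
    os.close(slave)
    os.close(master)
    return out


def inflation(data):
    """Return (bytes_in, bytes_out_cooked, bytes_out_raw), like the ls -l above."""
    return len(data), len(through_pty(data, True)), len(through_pty(data, False))


if __name__ == "__main__":
    n_in, n_cooked, n_raw = inflation(SAMPLE)
    print(f"in={n_in}  via tty={n_cooked}  raw={n_raw}")
```

Only ONLCR is enabled here, so the growth is exactly one byte per newline; the larger delta in the post comes from the remote tty's default flags doing more than that. Either way the lesson is the same: anything that must arrive byte-for-byte (tar streams, dd images, rsync) must not go through a tty, which is why ssh only allocates one when there is no command or when you ask with -t.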
Re: Load balancing with DSR
Pierre-Yves Ritschard wrote: On Wed, 13 Jun 2007 15:40:36 +1000 Darren Tucker <[EMAIL PROTECTED]> wrote: [...] 1. add a static published arp entry for the cluster address on the balancer with its own mac address so packets aimed at the cluster address will go to the balancer. 2. configure all cluster members with a loopback interface with the cluster address. 3. use route-to pf rules with a next-hop to punt incoming packets to various nodes in the cluster I think all load balancers implementing direct server return / direct routing use this trick. You're not going to be able to get away without messing with arp so you're bound to a single broadcast domain. As long as you get the route-to right, all you need for this to work is for the incoming packets to be routed to the balancer. What if, eg, bgpd was configured to advertise a route to the /32 containing the cluster address via the balancer's real IP? Your scenario should be tried out, yes, but it is still just a ugly hack if you ask me :) Now you still can't really make this work with hoststated or any other LB on OpenBSD. I'd still like to find an elegant way to do this and integrate it with hoststated. And just for the record what you said maps to: pass in on $ext_if route-to { $webh1, $webh2 } round-robin proto tcp \ from any to $virt_ip port http no state pass out on $int_if from any to $virt_ip port http no state Wouldn't you need some kind of state here? Otherwise there's no guarantee of the packets for a given connection always being routed to the same physical server. If I get the occasion I'll try it out and see how that works. I also wonder how it would behave when setting the arp entry to that of a carp interface. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: SFTP no autocompletion?
On Tue, May 15, 2007 at 12:36:43PM +0200, Paul de Weerd wrote:
> On Tue, May 15, 2007 at 11:33:27AM +0200, Pieter Verberne wrote:
> | Hi there,
> |
> | does SFTP have no TAB-autocompletion for local/remote files? TAB
> | doesn't work. It makes transferring files very clumsy. And does SFTP
> | secure my username and password or only my file transfers by default?
>
> SFTP uses ssh and thus secures the entire connection. The sftp(1)
> client that comes by default with OpenBSD does not do tabcompletion.
> Feel free to use another client or to write support for it and send a
> patch ;)

Anyone looking into this would probably want to look at what Ben Lindstrom
has already done with this:

http://www.eviladmin.org/patches/sftp-tab.patch

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: skey with scp
On Tue, May 15, 2007 at 04:36:15PM -0500, Eric Johnson wrote:
> Does anyone know of a method of using skey for scp transfers (apart
> from port forwarding through an ssh tunnel)?
>
> I've tried:
> scp username:[EMAIL PROTECTED]:/home/username/foo.bar .
> and
> scp "username:skey"@host.example.com:/home/username/foo.bar .
>
> Any other suggestions?

I don't use skey so I can't test it but this will probably work:

scp -o User="username:skey" host.example.com:/home/username/foo.bar .

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: ksh: ssh password prompt handling
[EMAIL PROTECTED] wrote:
> when using ssh in a ksh script where previously configured public key auth
> is expected but not always the case, i want to have ssh commands that
> prompt for a password to be handled as errors and exit the script. the
> idea is to not have anything printed to the console and to exit with a
> non-zero error code instead of a password prompt, etc.
>
> clues on how to do this are appreciated.

Sounds like you want LogLevel=QUIET and BatchMode=yes. eg:

$ ssh -o PreferredAuthentications=password -o LogLevel=QUIET \
    -o BatchMode=yes localhost
$ echo $?
255

You can also put them in ~/.ssh/config or ssh_config.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
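The exit status 255 shown above is ssh's own "could not connect or authenticate" code, distinct from whatever the remote command returns, and a script should treat the two differently. As an added example (not from the thread, and a Python wrapper rather than the ksh the poster uses), the following builds the option set Darren suggests, adds ConnectTimeout so an unreachable host is an error rather than a hang, and classifies the result. The ssh_bin parameter and the make_stub_ssh helper are assumptions of this example so it can be exercised offline against a fake ssh; nothing about them is part of OpenSSH.

```python
import os
import subprocess
import tempfile

SSH_EXIT_FAILURE = 255   # ssh(1): connection or authentication failure


def ssh_argv(host, remote_cmd, ssh_bin="ssh", connect_timeout=10):
    """Command line for a non-interactive ssh: no prompts, no console noise."""
    return [
        ssh_bin,
        "-o", "BatchMode=yes",                      # fail instead of asking for a password
        "-o", "LogLevel=QUIET",                     # drop "Permission denied" chatter
        "-o", "PreferredAuthentications=publickey",
        "-o", "ConnectTimeout=%d" % connect_timeout,
        host,
        remote_cmd,
    ]


def run_remote(host, remote_cmd, ssh_bin="ssh"):
    """Run remote_cmd on host. Returns (kind, status, stdout) where kind is
    'ok', 'ssh-failed' (no usable key, unreachable, host key problem) or
    'remote-failed' (ssh worked but the command itself exited non-zero)."""
    proc = subprocess.run(
        ssh_argv(host, remote_cmd, ssh_bin),
        stdin=subprocess.DEVNULL,    # nothing for a stray prompt to read either
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
    )
    if proc.returncode == 0:
        kind = "ok"
    elif proc.returncode == SSH_EXIT_FAILURE:
        kind = "ssh-failed"
    else:
        kind = "remote-failed"
    return kind, proc.returncode, proc.stdout


def make_stub_ssh(status, output=""):
    """Test aid (assumed, not part of ssh): a fake 'ssh' that prints output
    and exits with status, so the wrapper can be driven without a server."""
    path = os.path.join(tempfile.mkdtemp(), "ssh")
    with open(path, "w") as f:
        f.write("#!/bin/sh\n")
        if output:
            f.write("echo '%s'\n" % output)
        f.write("exit %d\n" % status)
    os.chmod(path, 0o755)
    return path


if __name__ == "__main__":
    kind, status, out = run_remote("localhost", "uptime")
    print(kind, status, out.decode(errors="replace").strip())
```

In a script, an 'ssh-failed' result is the "key auth was expected but not set up" case and should abort; 'remote-failed' means the command ran and its own status should be reported.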
Re: SCP/SFTP: Couldn't open /dev/null
Tasmanian Devil wrote:
> Has anybody an idea what I could do to find the cause of this
> "disappearing /dev/null"? Thank you in advance for your help!

Well, it doesn't disappear so much as having its permissions altered, but
I'm certain you are aware of that. Are you sure it's OpenSSH? What other
daemons are using /dev/null (fstat?)? It would make sense if some daemon
thought it was a logfile or somesuch and decided to 'secure' it...

Hm, fstat doesn't show much unusual, mainly httpd and mysql besides the
standard daemons. I have the same combination of daemons running on older
machines (GENERIC 4.0 -stable without ACPI though), but no problem there.
The permissions of /dev/null change directly after (or maybe even while)
using SFTP, and not always.

It's not just permissions, it's no longer a character special (device)
file, it's a regular file. This usually happens when /dev/null is deleted,
and sooner or later something with root perms will write to it, at which
point it gets recreated as a regular file.

Sometimes I can log in several times over a few hours without fixing
/dev/null, and then again only one single time. E.g. right now I can't
reproduce the error. And if I don't use SCP/SFTP at all, everything works
fine, for weeks, so it seems to be related to SCP/SFTP.

During that time, is /dev/null still a character special, or has it turned
into a regular file?

I suspect that something else (maybe a cron job?) is removing /dev/null and
the scp/sftp error is just a symptom. You could try something like this
running from cron regularly:

test -c /dev/null || echo /dev/null vanished or not character special

and see if/when it starts mailing you.

Probably it's only happening after using SFTP (and SCP doesn't work
afterwards), but unfortunately I'm not sure as I don't transfer files
that often.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
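A slightly richer version of the "test -c /dev/null" cron check, as an added example that is not from the thread: besides the type test it records the device numbers, mode and size, so the mail that eventually arrives says what the node turned into and can be lined up against sshd's log for the sftp session that preceded it. The path parameter and the make_regular_file helper are assumptions of this example so the check can be exercised against a constructed file; on a real host it is run with no arguments from cron.

```python
import os
import stat
import tempfile


def describe(path="/dev/null"):
    """Return a dict describing path, or None if it does not exist."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if stat.S_ISCHR(st.st_mode):
        kind = "char"
    elif stat.S_ISREG(st.st_mode):
        kind = "regular"
    else:
        kind = "other"
    return {
        "type": kind,
        "mode": stat.S_IMODE(st.st_mode),
        "major": os.major(st.st_rdev),
        "minor": os.minor(st.st_rdev),
        "size": st.st_size,
    }


def check_devnull(path="/dev/null"):
    """Return (ok, message). ok is False when path is missing, has stopped
    being a character special file (the symptom in the thread), or is no
    longer world read/writable, the normal 0666 setting for /dev/null."""
    info = describe(path)
    if info is None:
        return False, "%s is missing" % path
    if info["type"] != "char":
        return False, "%s is a %s file of %d bytes, not a character device" % (
            path, info["type"], info["size"])
    if info["mode"] & 0o666 != 0o666:
        return False, "%s is a character device but mode is %o, not 0666" % (
            path, info["mode"])
    return True, "%s ok (char %d,%d mode %o)" % (
        path, info["major"], info["minor"], info["mode"])


def make_regular_file(content=b"oops"):
    """Test aid (assumed): a regular file standing in for a clobbered /dev/null."""
    fd, path = tempfile.mkstemp()
    os.write(fd, content)
    os.close(fd)
    return path


if __name__ == "__main__":
    import sys
    ok, msg = check_devnull()
    if not ok:        # cron mails anything printed, so stay silent when all is well
        print(msg)
    sys.exit(0 if ok else 1)
```

Scheduling it every few minutes narrows the window in which the node was replaced; comparing the first failing run's timestamp with the sshd entries for sftp and scp sessions is the quickest way to confirm or rule out the suspected link.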