Re: Why renice not work in OpenBSD?
On 10/12/10 07:54, frantisek holop wrote:
> hmm, on Mon, Oct 11, 2010 at 07:12:57AM -0500, Jacob Yocom-Piatt said that
>> use linux, you are clearly a moron, it will suit you better.
>
> your civility on this mailing list is decreasing by the day. it was much better when you started. perhaps now you feel you earned some right to call people names.

after seeing all the crap this guy continued to post after i made my comment, how can you possibly argue with my classification? i *totally* called it. plenty of other people became fed up with this guy after he continued to demonstrate his complete inability to grok attempts at educating him.

> trolls abound on this list, you can count yourself amongst their numbers.

why not harass any of the other people who, like me, were rightly critical of dmitry? you do it because you are a troll. it's great to know you are professionally offended, i'm sure that must be a really rewarding career path.

>> when you are using an OS you will rarely or never renice processes, it is a total waste of time. get a faster machine or let your machine sit and do its work. micromanaging a computer is a fool's errand.
>
> are you trying to tell me how i should use my computer? that's a fool's errand indeed. nice/renice has legitimate uses both on desktop and server. it can really make the difference between "business as usual" and an almost unresponsive machine.

listen, it's not 1985 anymore, renice does not matter. if renice mattered someone would have fixed this long ago. i noticed this same behavior back in 2004 when i was screwing around with running cpu intensive simulations on an openbsd machine. after a bit of thought i realized that i was not using the machine correctly: i should not have services running on such a machine and expect it to be responsive when i slam the cpu.
Re: Why renice not work in OpenBSD?
On 10/11/10 02:27, Dmitry-T wrote:
> 11.10.10, 08:46, "Tomas Bodzar":
>> 6) Did you test it on real OpenBSD, real HW and latest release or snapshot?
>
> I'm searching for a stable and secure OS. I tested: my work Mac OS X 10.6.3, FreeBSD 8.1 on livecd frenzy-1.3-ju-release-rus, my home Linux Debian - renice works more correctly. Why does the renice algorithm depend on hardware and why do I need to install the OS on a HDD? Is this renice behavior typical only for BSDanywhere and atypical for OpenBSD?

use linux, you are clearly a moron, it will suit you better. you have posted to this list about a dozen times in a 12 hour period, this is a sign you are an idiot. you complain about not being able to renice i/o, another sign. you are not even using openbsd on vmware, yet another sign you are an idiot. i'd say the case that you are an idiot is pretty well settled.

when you are using an OS you will rarely or never renice processes, it is a total waste of time. get a faster machine or let your machine sit and do its work. micromanaging a computer is a fool's errand.
Re: FreeBSD isn't Free
On 10/06/10 00:22, Theo de Raadt wrote:
> Just for fun.

since i don't bother with freebsd much i have to guess this is a result of the project being US-based and containing integrated crypto. these laws are stupid and slow down the development of technology in both the open source and commercial software communities. maybe in a pre-internet cold-war world these laws made sense. with the rise of "terrorism" export laws based on country-of-origin are increasingly irrelevant.

the export laws in the US are a reflection of why the US has been steadily losing its edge in rankings of its educational system, especially in mathematics and the sciences. as a US citizen who is educated in these subjects, i find it patently backward and embarrassing that this policy continues. despite your (theo's) amusement at the freebsd project's missteps in this regard, i am reminded of how embarrassing it is to be from the US where such export compliance is required.

>  * 4.3. Licensee shall not export, either directly or indirectly, any of this
>  * software or system incorporating such software without first obtaining any
>  * required license or other approval from the U. S. Department of Commerce or
>  * any other agency or department of the United States Government. In the
>  * event Licensee exports any such software from the United States or
>  * re-exports any such software from a foreign destination, Licensee shall
>  * ensure that the distribution and export/re-export of the software is in
>  * compliance with all laws, regulations, orders, or other restrictions of the
>  * U.S. Export Administration Regulations. Licensee agrees that neither it nor
>  * any of its subsidiaries will export/re-export any technical data, process,
>  * software, or service, directly or indirectly, to any country for which the
>  * United States government or any agency thereof requires an export license,
>  * other governmental approval, or letter of assurance, without first obtaining
>  * such license, approval or letter.
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/dev/acpica/hardware/hwsleep.c?rev=1.2
Re: Suggest, Recommendations and advices
On 09/16/10 10:14, Francisco Valladolid wrote:
> :D Always pathetic
>
> The subject says, advices: suggestions and recommendations. This list is for Advanced users or for misc topics? There are people that can reply honestly and funny. While I can read the mail archives and search in internet, I need fresh ideas for new projects and to hear the voice of experience.

stupid people ask stupid questions, case in point is your mail. anybody who has any experience with the things you describe knows that you cannot design a solution without knowing a lot more details about the application. your question is very vague and far too open ended.

- what volume of traffic is coming to each service?
- are there machines already in place that perform these functions?
- what do you aim to accomplish besides simply using openbsd instead of another OS?

without at least this much information you cannot expect a reasonable reply. the questions you posed are so unbelievably open ended that someone could write a whole fucking book in response: "I need ideas, comments, regarding the performance of OpenBSD in a production environment. Advantages, disadvantages and because I use OpenBSD." it would make for a long book title but i think people would get the point.

> Regards.
>
> 2010/9/16 Abel Abraham Camarillo Ojeda:
>> On Thu, Sep 16, 2010 at 12:16 AM, Francisco Valladolid wrote:
>>> Hi Folks
>>>
>>> I'm using OpenBSD in my home and laptop machines from several years ago, from the 2.8 release. But I have never used this in a production environment; today I have the need to mount mail services / web / dns.
>>>
>>> I need ideas, comments, regarding the performance of OpenBSD in a production environment. Advantages, disadvantages and because I use OpenBSD. Perhaps the answers I know, but would listen.
>>>
>>> Greetings.
>>>
>>> P.S. Viva Mexico. !
>>> --
>>> ficovh
>>
>> You should start by trying to do your homework... Read the mail archives, and ask specific questions.
testing iked
took a quick stab at getting iked working because isakmpd is so awesome. i was not able to figure out the proper way to get the CA cert and host cert and key imported to a non-CA host.

i am using hosts 10.160.0.10 and 10.160.0.150 and the vpn subnets will be 10.160.10.0/24 on 10.160.0.10 and 10.160.150.0/24 on 10.160.0.150. the vpn subnets are vlan0 on each of these hosts, so that vlan0 on 10.160.0.10 has ip 10.160.10.1 and vlan0 on 10.160.0.150 has ip 10.160.150.1.

created ca key and cert on 10.160.0.10 with the following info

    subject=/C=US/O=iked test/OU=iked ca/CN=10.160.0.10/emailaddress=r...@10.160.0.10

using command 'ikectl ca test create'.

created host key and cert on 10.160.0.10 for host 10.160.0.10 with the following info

    subject=/C=US/O=iked test/OU=iked host/CN=10.160.0.10/emailaddress=r...@10.160.0.10

created host key and cert for 10.160.0.150 on 10.160.0.10 with the following info

    subject=/C=US/O=iked test/OU=iked host/CN=10.160.0.150/emailaddress=r...@10.160.0.150

the trouble now is getting the 10.160.0.150 cert, key and CA cert installed on 10.160.0.150. afaict there is no ikectl command to effect this. clues appreciated.

i did initially want to test iked using PSK to get the simplest possible config but it appears that is somewhat at odds with the PKI setup that is encoded in ikectl.
Re: 4.8 Release and Download and
On 09/10/10 18:22, J.C. Roberts wrote:
> On Fri, 10 Sep 2010 11:19:16 -0700 Bryan Irvine wrote:
>> I also heard it said once (though I'm sure I'll be corrected if wrong) that Theo's salary comes from CD purchases but not donations. So the only way to keep him employed full-time on OpenBSD is by buying the disks.

i read the weekly world news and i also heard that the loch ness monster farted on a tourist boat http://books.google.com/books?id=aPMDMBAJ&pg=PA9&lpg=PA9&dq=nessie+has+child+weekly+world&source=bl&ots=d1cUi84SrF&sig=MJ_cbzvZf51AfcjdVaSg5eVcoO8&hl=en&ei=wcyKTIveGsapngeaqLCuCw&sa=X&oi=book_result&ct=result&resnum=2&ved=0CBYQ6AEwAQ (though i'm sure i'll be corrected if wrong). you better buy the cds or you will face the wrath of nessie.

>> -B
>
> Curiosity is only human, but to respect the privacy of others, sometimes it must be curtailed. I do possess a very vivid imagination, and worse, a truly caustic sense of humor, so should I start publicly and wildly speculating about how *you* make a living? The result might be very entertaining for some, but it wouldn't be very polite or fair to you.
>
> jcr
> --
> The OpenBSD Journal - http://www.undeadly.org
Re: Checking Routes/Gateways For Good Connection
Don Tek wrote:
> I've recently implemented a firewall with two internet connections using multipath routing and round-robin outbound load balancing. I am looking for a solution from the shell to detect failure of these two internet gateways so I can force routing and pf changes from a script. I need something more robust than simply checking to see if the interface is up or down.
>
> I have managed a solution using traceroute that allows me to accomplish half of my goal. I can detect a failure and "down" that route, however, once I delete the default route from the routing table for the failed connection, I can no longer test it with traceroute. This is because it doesn't appear to me that OpenBSD's traceroute allows forcing an interface to work on.
>
> I am looking for better solutions from some of you more experienced users. Any suggestions are welcome.

ifstated
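As an added example, not from the thread, here is an ifstated.conf that does what Don asked for: ping each gateway, pull a gateway's multipath default route when it stops answering, and put it back when it recovers. The gateway addresses 192.0.2.1 and 198.51.100.1 and the per-state pf.conf files (/etc/pf.conf.*) are constructed for the example; nothing else on the page supplies them.

```ifstated
# Added example, not from the original thread. Gateway addresses are
# constructed (RFC 5737 documentation ranges); replace them with the
# next-hop of each uplink.
#
# Each probe pings the gateway's own address. That address is on-link,
# so the probe keeps working after the gateway's default route has been
# deleted, which is the problem Don hit with traceroute.
gw1_ok = '( "ping -q -c 1 -w 1 192.0.2.1 > /dev/null" every 10 )'
gw2_ok = '( "ping -q -c 1 -w 1 198.51.100.1 > /dev/null" every 10 )'

init-state auto

# Pick the starting state from the first round of probes.
state auto {
	if $gw1_ok && $gw2_ok
		set-state both_up
	if $gw1_ok && ! $gw2_ok
		set-state gw1_only
	if ! $gw1_ok && $gw2_ok
		set-state gw2_only
	if ! $gw1_ok && ! $gw2_ok
		set-state none_up
}

# Both uplinks answer: two multipath default routes and the round-robin
# pf ruleset. The pf.conf.* files are constructed names for per-state
# rulesets whose route-to rules match the gateways left in service.
state both_up {
	init {
		run "route -qn add -mpath default 192.0.2.1"
		run "route -qn add -mpath default 198.51.100.1"
		run "pfctl -f /etc/pf.conf.both"
	}
	if ! $gw1_ok
		set-state gw2_only
	if ! $gw2_ok
		set-state gw1_only
}

# Only gateway 1 answers: drop gateway 2's default route.
state gw1_only {
	init {
		run "route -qn delete default 198.51.100.1"
		run "pfctl -f /etc/pf.conf.gw1"
	}
	if $gw2_ok
		set-state both_up
	if ! $gw1_ok
		set-state none_up
}

# Only gateway 2 answers: drop gateway 1's default route.
state gw2_only {
	init {
		run "route -qn delete default 192.0.2.1"
		run "pfctl -f /etc/pf.conf.gw2"
	}
	if $gw1_ok
		set-state both_up
	if ! $gw2_ok
		set-state none_up
}

# Neither answers: leave no default route rather than blackhole traffic
# into a dead link, and wait for a probe to come back.
state none_up {
	init {
		run "route -qn delete default 192.0.2.1"
		run "route -qn delete default 198.51.100.1"
	}
	if $gw1_ok
		set-state gw1_only
	if $gw2_ok
		set-state gw2_only
}
```

A single lost ping flips state here; lengthen the probe (`-c 3`) or add a holddown state if the uplinks are lossy, otherwise the routing table flaps on every dropped packet.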
Re: Some apps kill/hang X when using scrotwm(1) as wm
LEVAI Daniel wrote:
> On Tue, Aug 17, 2010 at 09:30:57 +0200, Tomas Bodzar wrote:
>> Hi all,
>>
>> did someone see a similar problem in scrotwm(1)? Eg. when I start xeyes(1) on an empty workspace from menu M-p it simply "shuts down" X. Wish I hadn't tried it :)
>
> Yes, it happens here too.
>
> [...]
>
>> So someone here with similar behaviour?
>
> Yep!

not sure if it is the same bug but i have seen ephemeral windows, e.g. the little "Sending mail..." windows from seamonkey's mail client, cause scrotwm to crash. there is a patch to stop the crashing behavior in the current cvs version. checkout cvs and see if your problem persists:

    cvs -d anon...@anoncvs.freedaemon.com:/scrotwm co scrotwm
    cd scrotwm
    make obj && make depend && make && sudo make -DDEBUG install

- issue M-q to soft restart scrotwm using the freshly installed binary
- issue M-S-v to verify you are running the cvs version, should be 1.300

when i had scrotwm crashing, it would drop .core files and you can do a decent backtrace with gdb when you have the symbols in there. run 'gdb /usr/local/bin/scrotwm scrotwm.core' and issue 'bt full'. this output is helpful for finding the bug(s) you're hitting.
Re: Same shit all over again
David Hill wrote:
> This email comes from kd85.com.
>
> contact-hdl: CCOM-138654
> person: Wim Vandeputte
> organization: KD85.com bvba
> email: w...@kd85.com
> address: Kasteeldreef 85
> city: Lovendegem
> postal-code: 9920
> country: BE
> phone: +32.478217355

wim should be happy that nobody decided to bring charges against him in .be over the disputed 'donation' funds he clearly misappropriated over the last several years. and seriously, who cares or is surprised if theo does crazy shit? there would be no openbsd project to speak of if he chose not to do "crazy" stuff.

> On 08/13/10 13:46, disgruntled-developers wrote:
>> Just to keep the mortals in the loop,
>>
>> This date to day, on Tuesday the 13th of August 2002, Theo had another fit and kicked out all the OpenBSD developers for a couple of days or so:
>>
>> Subject: Re: dealing with security issues when Theo is away
>> Date: Tue, 13 Aug 2002 10:25:08 -0600
>> From: Theo de Raadt
>>
>> None of this that you posted changes a single thing. I DID say who was responsible. Those people were not contacted. It seems you still don't understand the level of not caring that happened. I am taking a holiday next week. For that time, I think cvs will be turned off.
>>
>> Good god, reading even further, you are so fucking out of touch. There are only 3 machines on at my house at the moment, and you start talking about OTHER machines? NOONE PHONED ME.
>>
>> And:
>>
>> Subject: And
>> Date: Wed, 14 Aug 2002 17:35:30 -0600
>> From: Theo de Raadt
>>
>> If I don't get answers from the evasive developers soon, I am going to take this to misc, and I will be very open with naming names. This is now days of people trying to hide from what happened.
>>
>> -- snip snip
>>
>> So Theo shut down all machines in his basement and none of the developers had any access to the work they were doing. I'd like to remind people that at this point we lost valuable developers like Niels Provos, who turns out to be one of the few who fully understood crypto and the security improvements like separation of privileges. Not to forget Hugh, Aaron and a few others. Others had their account re-enabled after groveling.
>>
>> And all that over a misunderstanding that is to blame on the fact that Theo had no written procedures on how to deal with 'issues'. When Theo is away, you just 'wing it'.
>>
>> Today, we see the same shit all over again... Theo just announced the following:
>>
>> - snip snip
>> To: hack...@cvs.openbsd.org
>> Subject: Tree locked
>> Date: Fri, 13 Aug 2010 10:03:05 -0600
>> From: Theo de Raadt
>>
>> I am locking all the trees until the development community decides how future releases will be done.
>>
>> Yes, we all have to do our part. We write code, and some people go further by building, and some people go even further by building during the release cycle. But everyone also has to test, or we will ship crap.
>>
>> Yet on random releases this process totally falls over, and we end up shipping crap. Three architectures did not have one of their boot methods checked -- yes, they are listed in the TESTS file! -- and the bugs were found very very late in the process. Basically 1 week after the TEST file went up. pkg_add turns out to have a major bug which would have been spotted if just a few other people had tested another line item in the TESTS file.
>>
>> That is ridiculous.
>>
>> I cannot accept all this pressure being on me; I want recognition that all the people who thus far have accused me for not being clear are wrong. we have developers in the group who cannot by themselves recognize -- even ANTICIPATE -- that we are going into the same 6-month release cycle, EVERY feb/march, and EVERY august/sept, and then participate to identify the 10 last stupid bugs that we should fix. Is there that little desire to ship a good release?
>>
>> It will not be fixed by sending more mails out. I did send out mails and they were ignored. Communication coming from me is not the problem; it is clear that developers are NOT LISTENING.
>>
>> The problem is not new developers either. Anyone accusing them has got it all wrong. New developers are supposed to learn the ropes from old developers, and it is the old developers who are not doing their part. Yes, that means you.
>>
>> 31 people tested, meaning 140 people did not. Any suggestions for people who have idled out and don't want to be involved any more?
>>
>> When we ship a crap release, it is not my fault. It is YOUR fault. So tell me how we are going to fix this. Don't reply just to me. As I said, I will not accept responsibility for what went wrong here.
>>
>> And if anyone wants their account disabled, please accuse me just once more.
>> - snip snip
>>
>> And he picks on a few individuals:
>>
>> - snip snip
>> To: hack...@cvs.openbsd.org
>> Subject: Testing
>> Date: Fri, 13 Aug 2010 09:39:12 -0600
>> From: Theo de Raadt
>>
>> I would like to see some tests for the upcoming release from Henning. I hope this communication is c
Re: MTA choice
Dave Anderson wrote:
> On Fri, 13 Aug 2010, Jacob Yocom-Piatt wrote:
>> Dave Anderson wrote:
>>> On Fri, 13 Aug 2010, j...@fixedpointgroup.com wrote:
>>>> sendmail is fine if you have a few users at a relatively quiet domain, all of whom you want to have system accounts on the mailserver.
>>>
>>> You imply that sendmail is _only_ fine for such limited uses, which is certainly not true in my experience; I'm curious as to why you believe this.
>>
>> please don't try to put words in my mouth, it makes you look stupid. at no point did i say what you claim i 'implied' i.e. that it is the *only* use case, you assume too much.
>
> Implication is, by definition, about what you _didn't_ explicitly say. In the context of this thread, the implication seems quite clear to me -- but since it isn't what you intended, there's no reason for further discussion of it.

it's a good thing you're doing whatever you're doing now because you'd make a terrible mathematician:

i say 'item A is used for task A'

you say 'your statement implies that item A is not suitable for task B or any other task besides task A'

i say 'you are fucking retarded because that is not an implication of my original statement. usage is not a 1-to-1 mapping and a given item may be used many different ways'

you say 'i define implication however the hell i want and live in a fantasy land, k thx bye'
Re: MTA choice
Dave Anderson wrote:
> On Fri, 13 Aug 2010, j...@fixedpointgroup.com wrote:
>> sendmail is fine if you have a few users at a relatively quiet domain, all of whom you want to have system accounts on the mailserver.
>
> You imply that sendmail is _only_ fine for such limited uses, which is certainly not true in my experience; I'm curious as to why you believe this.

please don't try to put words in my mouth, it makes you look stupid. at no point did i say what you claim i 'implied' i.e. that it is the *only* use case, you assume too much.

sendmail is a piece of software that is historically notorious for security problems and has only been tuned up to get in the openbsd tree with input from some very sharp people. that says nothing about its ability to handle load, which it obviously can do just fine based on the ubiquity of its past and present usage as an mta.

> It doesn't require (or, AFAICT, benefit in any way) from users having any sort of account (let alone a system account) on the mailserver itself, and it's not hard to set up multiple domains on the same server.

how about you *read* my earlier email before responding to shit that wasn't in it. try setting up a mailserver that does the following with sendmail and you will see the limitations of sendmail:

- mail delivers to either mbox or maildir on the same machine as the mta
- there is a per email address login for users who do not have a system account
- host multiple domains and want separate mailboxes with separate logins to access each mailbox
- authentication is done against a single password store for pop/imap and smtp auth
- a copy of every email passing through the server is kept for auditing purposes

sendmail works great when the final destination is a system user who may or may not run an mta on their workstation. this used to be one of the most common ways to configure a unix system e.g. students at a university who have shells and can register for classes on the same system.

> While I haven't needed to do it myself, there's plenty of anecdotal evidence of large, busy mailservers running sendmail.

call CNN, this is serious news. thanks for letting us all know about this!

> I'm _not_ arguing whether sendmail is better or worse than the alternatives; while I've looked at a few others, I've never used any of them -- so I don't have any real basis for an opinion. I _have_ been using sendmail (on a light-duty, mostly-home mailserver) for 15 years.

so why, exactly, did you choose to respond to my email? oh, that's right, you're a douchebag. i love rhetorical questions. thanks for cutting snippets out of my original email, taking them out of context and being annoying.
Re: mount ffs as msdos, system hangs
Theo de Raadt wrote:
> Thanks for telling me to do some reading, but a google of your name on these mailing lists will show a 10 year pattern of you not being able to self-help. Something to do with your parents, probably.

'this hammer *sucks* for putting screws in the wall! what's the deal with that?'

speaking of long-running patterns i have noticed that frantisek has no end of msdos / windows problems with openbsd. after seeing the regularity with which the problems occur this seems like a stupid configuration. you could avoid all these problems by not using msdos support on openbsd e.g. have an openbsd machine setup as a samba server and save all your files there, instead of having some easily-broken dual-boot or external disk swapping setup.

you can definitely put a screw in a wall using a hammer but it may occur to the more astute that you are using the wrong tool for the task.
Re: [openbsd] fwd: [dera...@cvs.openbsd.org: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/]
pourl...@hushmail.com wrote:
> There will always be OpenBSD haters, I want to be able to have a constructive, fact based discussion with them. If someone HAS valuable information, they can reply directly, without replying to misc. Thank you.

fact: you are some douchebag who is late to the argument

fact: i am an openbsd supporter and user who does not want to listen to your whining

valuable information: reallocate your time doing something that does not expose you to be a douchebag who is too worried about being painted a douchebag to use a real identity. posting from anonymous hushmail accounts is no longer such a great idea, have a look into how untrustworthy hushmail.com is when it comes to the authorities.
Re: OT: Australia may allow punitive damages for security vulns
mark hellewell wrote:
> http://www.news.com.au/technology/no-anti-virus-software-no-internet-connection/story-e6frfro0-1225882656490
>
> "Companies who release IT products with security vulnerabilities should be open to claims for compensation by consumers", apparently. Illegal to run without antivirus ... disconnection of vulnerable computers. A much needed kick up the arse for software makers or just bat-shit insane? Coming soon...

is it really that unreasonable when you compare this treatment to any other physical product e.g. a car? it is only the lack of physicality that makes software differ from other products. when ford sold the pinto with the 'exploding' gas tank, it just paid money out to settle claims after many people were burned to death. although i don't believe there is a precedent for it, possibly until now, many software companies have been doing the same thing: selling crap products that in essence 'explode' and hemorrhage valuable personal data to script kiddies, etc. perhaps the threat of a lawsuit will encourage software development houses to turn out less shite products, in which case the consumer wins.

one way to look at the explosion of software development in the past 30-40 years is that it is an industry lacking sufficient regulation and thus a very lucrative area to do business. because there is no regulation you can get some random idiot in whatever country to write your code and there are no repercussions if the code blows up after you sell it to someone else; you cannot be held liable for using second-rate labor to build your product.
Re: dhcpd knob
Rod Whitworth wrote:
> On Sat, 19 Jun 2010 23:38:10 -0700, Mehma Sarja wrote:
>> I can vouch for the water in India.
>
> Which is no doubt the reason that Mr Tata supplied us with crates of bottled water when we were working there? So you could vouch for it? We were instructed not to even use tap water in the Taj Residency to brush our teeth...

why would someone not want to drink water from the ganges? the charred semi-decomposed bits of corpses really bring out the rest of the flavors.
Re: disk geometry issues when trying to set up encrypted partition
Harry Palmer wrote:
>> Have you considered softraid crypto?
>
> Thanks for this independent advice. Looks like it works at the block device level which must be better. I must say that while the official openbsd documentation I've seen is second to none, there seems to be relatively little information out there on data encryption (compared to the biblical tomes on the subject in the linux world). I tend to look through practical examples and tutorials when I try something new, and the one I found for this was three years old.

search the internet and mailing lists or read the softraid, bioctl and associated man pages before stating there is a lack of information. a quick search of this mailing list for the terms "disk encryption" yields plenty of information:

http://marc.info/?l=openbsd-misc&w=2&r=1&s=disk+encryption&q=b

alternatively you could have made a google search for "openbsd disk encryption" and found

http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

> What I'm trying to achieve is to stripe a few of these 300GB disks together and encrypt the resulting large volume. I shall persevere - thanks again for your replies.
Re: isakmpd falling over: alternatives?
Michiel van Baak wrote:
> And you want any help after talking to this list that way ?

i explained my problem pretty succinctly in the first email - isakmpd is episodically unreliable, painful to debug, and i am looking for an alternative if anyone is using something else on openbsd for vpns e.g. ssh. instead of bryan responding to my query about alternatives, he condescendingly tells me what i already know about troubleshooting isakmpd: there are a dozen things to check that could be the cause of the problem e.g. endpoints too far out-of-sync, dpd not working, pf not passing esp.

does it surprise you that i have a rude reply to someone in essence not reading my mail, or reading the first 2 sentences, and telling me to do what i already know to be the case? note that at no point did i request assistance troubleshooting isakmpd, i asked about alternatives. it is also apparent that you did not take time to read my message but still have an opinion on it and my correspondingly abrasive reply to bryan's email. does this seem ridiculous to you?

>> based on the lack of replies i speculate not many people use an ssh vpn...
>
> Nope, we run isakmpd.

thanks for your input, it adds zero value. i would not be one bit surprised if part or a substantial portion of your and bryan's job security is related to the ability to 'read the chicken entrails' and keep isakmpd working properly. there are a couple of people i work with who are exceedingly good at this, as the two of you likely are, and even they cannot deny how challenging it is to debug certain problems. is it surprising i am seeking an alternative?

at this point i have to conclude isakmpd is pretty much it for vpns on openbsd unless you want to run openvpn. i'll post back if ssh ends up working out.
Re: isakmpd falling over: alternatives?
Bryan wrote:
> On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com wrote:
>> over the past several years i have encountered a variety of problems with isakmpd that range from difficult to translate error messages to tunnels dropping without explanation.
>
> Greetings,
>
> Did you try different hardware? Did you troubleshoot the issue and raise a question on m...@? Are you using 4.7 or even -current? What is on the distant end? is it openbsd -> openbsd, or is it something else on the other end? What network adapters are being used in both boxes? Are you using wireless to connect through to the distant end? shaky wireless could cause connection issues.
>
> I mean, have you asked any questions, or asked for help? Maybe if you took the time to explain what is wrong, you might get an answer. Make sure you have a dmesg, and can reproduce the error in 4.7 (-current or latest cvs pull is even better), and any and all error messages, and any verbose logfile output you can receive, your ipsec.conf, and pf.conf if you use that...
>
> Only you can help you...

seriously... have you ever used isakmpd? i ask this because i get the impression that you have not used it much if you missed the point of my message. it totally sucks - i've been using it since 2003 and very little has changed except the ipsecctl interface making it quicker to setup tunnels. a number of people in the openbsd community have discussed the possibility of a total rewrite with me over the past several years because they too believe it is old and flaky. isakmpd is brittle as hell and endpoints being snapshots that are a few months apart is enough to cause serious interoperation problems. someone may or may not have developed an improved version of isakmpd that runs on openbsd, i will not name names, and that is because isakmpd is not commercial grade software. there is a lot of neat and challenging crypto code in isakmpd but, imo, further improvements are tolerated turd polishing.

i'm looking for an alternative so i don't have to resort to excessive debugging and answering a series of 10 questions to figure out wtf is going on. i am not saying that your list of questions is the wrong way to debug this, it's totally correct, only that you're a fucking idiot for not getting the point of my original message. it is amazing that you have the patience to follow the ridiculously long trail to troubleshoot and fix isakmpd but don't see that walking this trail is due to the code being old and brittle.

>> based on the lack of replies i speculate not many people use an ssh vpn...
Re: ok for softraid in production (v4.7) ?
Nick Holland wrote:
> jean-francois wrote:
>> Hello,
>>
>> May I use with peace of mind the softraid device of OpenBSD 4.7 in 'small production' (personal servers for home use actually) ?
>
> NO.
>
> (or at least, for no more than about six months. :)
>
> http://www.openbsd.org/faq/upgrade47.html#softraid
>
> (yeah, perhaps not the most intuitive place to look for this question, but I figure most experienced OpenBSD users will be looking at this page at some point...)

the recent sr metadata bump means you have to do a backup / restore after recreating your sr volumes with e.g. a new bsd.rd or booting from a recent snapshot on a removable/network device. it is a pita, but so long as you're competent this is not that tough.

http://undeadly.org/cgi?action=article&sid=20100326172808

remember that when restoring using bsd.rd that you need to mount a properly sized /tmp since the ramdisk does not have enough /tmp space to handle restore-ing larger partition dumps. if the idea of doing this dump restore seems tough, you should probably wait.
Re: Resilient RAID
Jan Stary wrote:
> On May 21 16:28:32, John Rowe wrote:
>> On Fri, 2010-05-21 at 11:25 +0100, Kevin Chadwick wrote:
>>> If you check usb flash stick packaging, it may say guaranteed for a 1000 writes which is marketing crypto speech for, sectors may fail after 1000 writes.
>>
>> However, the root partition is not often written to so presumably I could have / on the USB stick and swap, /var, /usr, /tmp et al. on a mirrored pair?
>
> You could also have everything on the USB stick, and possibly also STFU while you are at it, because it's a non-issue.

=) you could run with *two* usb sticks in each of your *two* redundant embedded machines that each have *two* power supplies. the only single point of epic fail in this configuration is this thread.
Re: openbsd not blob free?
discovery channel has shark week, misc@openbsd.org has troll week. did you know that a troll's vision is actually very poor? their most acute sense is that of smell, which they routinely use to find garbage online.

Marco Peereboom wrote:
> No one can resist UML & threads!
>
> On Thu, May 06, 2010 at 09:54:00AM +1000, Rod Whitworth wrote:
>> On Wed, 05 May 2010 19:41:10 -0400, Eric Furman wrote:
>>> blobs? multithreading? What is this, troll week? And bloody UML as well.
>>
>> I wouldn't reply to any of the "discussion" because I'm in agreement with you. I think the trolls are getting a new "paradigm" though, selecting topics that look like something interesting even though they are totally irrelevant.
>>
>> Perhaps shunting these threads off to advocacy@ very early in the piece would be useful. I suspect that would result in less annoyance to developers and the genuine skilled people here who are truly helpful and for whom I'm very grateful.
>>
>> *** NOTE *** Please DO NOT CC me. I subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.
>>
>> Rod/
>> ---
>> This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: low httpd performance. Apache 2.2 as default? never? *sighs
why doesn't openbsd do X? the license is not acceptable | benchmarking tools don't tell the full story | you do not understand the security implications of what you suggest in your case it's all 3 of the above. get a clue and do your homework before you post stupid stuff.
Re: crypt question/server hotel
Robert wrote: Jozsi Vadkan wrote: I want to put my server in a "server hotel". But: I don't trust my "server hotel owner". What can I do? 1) Even if you encrypt the whole disk and you have a remote console available (via serial port or KVM switch), you still will have to trust your provider that he doesn't sniff that traffic. 2) If you can't detect a reboot of your machine because the attacker has "cleaned" the logs etc., then anybody with physical access can own the machine. I'm not aware of any way to prevent this. (see also "cold boot attack", or simply creating a disk image and doing a brute force attack against the image) 3) Your only chance might be to have a card in the machine (e.g. IBM RSA) that allows remote control. But the traffic to it will have to be encrypted (-> 1) and it has to detect if it was temporarily removed from the machine during a physical attack, and even then it needs to report this back to you. I don't know if there is any card out there that can provide this level of protection... If you are really paranoid and the hacker type, then I guess you can hide a mobile phone inside the case, connect it via USB and have it constantly report the status (power, light sensor, GPS etc.). In the end it is as usual a question of cost vs benefit. If your machine is *that* valuable then you shouldn't put it in an untrusted environment in the first place. In your case I guess you should encrypt your data and have the machine email you if it reboots. Then you can login via SSH and enter the crypto key and start the "stage 2" applications that need the encrypted data. You will have to trust your provider that he doesn't do any physical attacks (e.g. replace OS files). ++ solution: if the security of the machine and its data are of sufficient importance you cannot trust 3rd parties with it and must keep it somewhere you feel confident that it is physically secure. 
even if you have the boot partition(s) fully encrypted there is nothing to stop someone from installing a fake boot prompt and yanking your passphrase. in most situations where the machine is running you also have to worry about someone freezing your RAM, powering the machine off and pulling your disk crypto keys directly from RAM. 'secure' memory for storing crypto keys is another option that is marginally better than RAM but requires hardware and software support. how worried you should be about this depends on your threat model. kind regards, Robert
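The reply above makes the point that the unencrypted boot partition is the weak spot: a fake boot prompt can capture the passphrase, and nothing on the encrypted side prevents that. What the encrypted side can do is notice afterwards. The script below is an added example, not code from the thread or from OpenBSD: it hashes every file under a boot directory into a manifest, which is meant to be stored on the encrypted volume (an attacker who only touches the cleartext partition cannot fix the manifest up), and on the next unlock reports files that were added, removed or replaced. The directory layout and file contents in demo() are constructed for the demonstration. It detects a swapped loader; it does not prevent one, and by the time it runs the passphrase may already have been typed into a fake prompt, which is exactly the caveat the reply raises.

```python
"""Detect tampering with the unencrypted boot partition after unlock.

Added example, not from the original thread. Assumes the cleartext
boot files live under one directory and the manifest is kept on the
encrypted volume; paths and contents in demo() are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large kernels do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, trusted):
    """Compare the tree under root with a trusted manifest.

    Returns the files that were added, removed or changed. An empty
    result means every tracked file still carries its recorded hash;
    any entry means the cleartext partition was modified while the
    machine was out of your hands.
    """
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
        "changed": sorted(p for p in trusted
                          if p in current and current[p] != trusted[p]),
    }


def demo():
    """Constructed scenario: loader swapped for a fake prompt, logger dropped."""
    with tempfile.TemporaryDirectory() as boot:
        os.makedirs(os.path.join(boot, "etc"))
        with open(os.path.join(boot, "boot"), "wb") as f:
            f.write(b"genuine second-stage loader")
        with open(os.path.join(boot, "etc", "boot.conf"), "w") as f:
            f.write("set timeout 1\n")
        trusted = build_manifest(boot)          # taken while the box was in your hands

        # Evil-maid step: replace the loader and add a passphrase logger.
        with open(os.path.join(boot, "boot"), "wb") as f:
            f.write(b"fake prompt that records the passphrase")
        with open(os.path.join(boot, "keylog.bin"), "wb") as f:
            f.write(b"\x00")

        return verify_manifest(boot, trusted)   # run from the unlocked system


if __name__ == "__main__":
    print(demo())
```

Run verify_manifest() from rc.local or a login hook once the crypto volume is mounted, and keep the manifest (or better, a signed copy of it) off the cleartext partition. A clean result only says the tracked files are unchanged; firmware, option ROMs and the disk controller are outside what this can see.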
Re: OpenBSD culture?
Zachary Uram wrote: As a long time Linux user I will soon try out OpenBSD, I have been reading the list emails and contacted 1 OpenBSD top person who was very rude. There is some of the "RTFM" or "get lost" attitude in Linux, but if a questioner seems sincere there is usually a certain level of friendliness in Linux community towards them. Just what I have briefly observed the OpenBSD community is more abrupt and less interested in helping newbies, they prefer one find the answer solely on their own if possible. I must say I detect a certain attitude that smacks of superiority and even condescension at times. Is this a fair assessment of the OpenBSD culture? openbsd is not about helping those who cannot or will not help themselves. please attend your local linux users group, halfway house, medical center or place of religious worship for this service. maybe those folks can share with you the gospel of using a search engine. google be with you my child. Zach <>< http://www.fidei.org ><>
pjsua + asterisk: debugging or working config
trying to get pjsua working with asterisk using a really basic config file and am having trouble: registration keeps timing out. here is the config file:

--registrar=sip:A.B.C.D
--id=sip:u...@a.b.c.d
--realm=*
--username=user
--password=pass

pjsua then sends registration requests and times out.

12:30:21.978 pjsua_core.c TX 410 bytes Request msg REGISTER/cseq=51529 (tdta0x20b5330a8) to UDP A.B.C.D:5060:
REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 172.17.57.242:5060;rport;branch=z9hG4bKPj6ac2000313cd8c03
Max-Forwards: 70
From: ;tag=6ac2000213cd8c03
To:
Call-ID: 6ac2000113cd8c03
CSeq: 51529 REGISTER
User-Agent: PJSUA v0.7.0/openbsd
Contact:
Expires: 55
Content-Length: 0

any clues as to how i can debug this or a working configuration for use with asterisk would be appreciated. cheers, jake
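A REGISTER that times out means nothing came back at all, which is a different problem from a registrar that answers with something the client mishandles. The probe below is an added example, not pjsua or Asterisk code: it sends one REGISTER with the same headers as the trace above (rport included) over a connected UDP socket and classifies the outcome as silence, ICMP port unreachable, or a SIP response. A.B.C.D, the user name and the local address are placeholders as in the post; the Contact value is my own choice, since the trace does not show it. build_register(), parse_response() and classify() run offline; probe() needs a registrar on the wire.

```python
"""Minimal REGISTER probe: tell a dead path from a registrar that answers.

Added example, not pjsua or Asterisk code. Registrar address, user and
local address are placeholders; the Contact header is an assumption.
"""
import socket
import uuid


def build_register(registrar, user, local_ip, local_port=5060, expires=55, cseq=1):
    """Build a REGISTER with the headers pjsua sends; rport asks for NAT info back."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]   # RFC 3261 magic cookie prefix
    aor = "sip:%s@%s" % (user, registrar)
    lines = [
        "REGISTER sip:%s SIP/2.0" % registrar,
        "Via: SIP/2.0/UDP %s:%d;rport;branch=%s" % (local_ip, local_port, branch),
        "Max-Forwards: 70",
        "From: <%s>;tag=%s" % (aor, uuid.uuid4().hex[:8]),
        "To: <%s>" % aor,
        "Call-ID: %s" % uuid.uuid4().hex,
        "CSeq: %d REGISTER" % cseq,
        "Contact: <sip:%s@%s:%d>" % (user, local_ip, local_port),  # assumed value
        "Expires: %d" % expires,
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_response(data):
    """Return (status_code, reason, headers) or None if data is not a SIP response."""
    text = data.decode("utf-8", "replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    reason = parts[2] if len(parts) > 2 else ""
    return int(parts[1]), reason, headers


def classify(outcome):
    """Map a probe outcome to the next thing to check."""
    if outcome == "timeout":
        return "no reply at all: pf/NAT on the path, or Asterisk not listening on UDP 5060"
    if outcome == "refused":
        return "ICMP port unreachable: host is up, nothing bound to UDP 5060"
    if outcome == "garbage":
        return "something answered but it was not SIP"
    code, reason, _headers = outcome
    if code in (401, 407):
        return "registrar answers and wants Digest credentials: check realm/username/password"
    if code == 200:
        return "registered"
    return "registrar answered %d %s" % (code, reason)


def probe(registrar, user, timeout=5.0):
    """Send one REGISTER and report what came back (needs network access)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((registrar, 5060))        # connected UDP: ICMP errors surface as exceptions
        local_ip, local_port = s.getsockname()
        s.send(build_register(registrar, user, local_ip, local_port).encode())
        try:
            data = s.recv(65535)
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        return parse_response(data) or "garbage"
    finally:
        s.close()


if __name__ == "__main__":
    print(classify(probe("A.B.C.D", "user")))
```

If the probe reports a timeout while tcpdump on the Asterisk host shows the REGISTER arriving, the reply is being dropped on the way back (a stateless pf rule or NAT that does not match the rport response is the usual cause); if the packet never arrives, the problem is in front of the registrar. A 401 means the transport is fine and the remaining work is the Digest challenge.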
Re: Refusal to mention OpenBSD in a MSc Advanced Networking course
TS Lura wrote: I feel it's game over, at this point. But maybe you guys have some suggestion about good arguments that might persuade my professor? here's a quick little seminar on professors and academia. it is very advanced and you may not understand it at first: - professors have a thing called 'tenure', meaning after a number of years working at an institution they have job security i.e. cannot be fired unless they fuckup massively. this is required to keep talented professors in the profession and allows them not to worry about e.g. having sporadic work product and being fired. - tenure is a double-edged concept in an educational setting because it is a hedging mechanism. it will retain those brilliant people who may have otherwise chosen another career path but it will also retain those people who were just bright enough to get their tenure. as with any boundary or line one can toe in life, many professors do just enough to get their tenure and not much more. - it is common for there to be a high degree of toadyism amongst academics. many people succeed by allying themselves with other people of reputation and are weak on their own deliverables. this is borne out in the content of their papers, their coauthors and who chooses to cite their papers. - some professors are quite talented when younger and then decay substantially when older, it depends heavily on the department. a person may have been brilliant once and it is simply not the case any longer, they have 'lost it'. conclusion: it is doubtful you can make this professor understand the relevance of BSD, so don't waste your time. many professors live in their own world and care little for what others have to say because of ego, tenure and toadyism. this person sounds like they're an idiot and that will likely be clear if you check the papers they have authored. if they are highly regarded, perhaps they are a talented toady or did great work when they were younger. 
don't focus so much on what the professor thinks and think for yourself.
Re: routing and pf at 10Gbps
Mike Williams wrote: Really, nobody firewalls at multi-Gbps? anybody who does firewall at high bandwidth / pps is unlikely to provide this information freely. also note that you've not made an effort to do any tests and share them, so it is not surprising that others are not sharing data with you. i have found that openbsd mailing lists are not good places to post 'i want to do this' sort of stuff and expect a reply, especially on a topic that requires pretty specialized and likely valuable knowledge. if you try something out, it doesn't work how you want and you want assistance getting it to work you will likely get more feedback. Or have I contravened some convention, in my questions, or wording? On Friday 22 January 2010 23:55:45 Mike Williams wrote: I missed two bits of information... Routing. With only one upstream routing device these would only have one route, maybe two (internet, and internal). A bit of mental gymnastics, ok a calculator, gives something like 400 Kpps. Which, if my assumptions on packet sizes are right, isn't mind numbingly scary. On Friday 22 January 2010 20:12:29 Mike Williams wrote: Hey all, I was hoping there are some heavy PF users here, who wouldn't mind sharing some of their experiences? So I've watched Henning's talk about PF performance, read the PDF, but I haven't actually seen anyone saying they can, and do, PF at 10Gbps. Can it? If so, what actual hardware can? Or more precisely, what hardware could sustain our expected usage? We've got a big project in its earliest stages which would require very basic firewalling at multi-gigabit-per-second. Probably in the region of 3Gbps (yes yes, PPS is the real killer), with peaks for software releases much higher. No NAT, just routing (bgpd/ospfd), and simple limits on what ports are available. I can't imagine needing more than 200-300 rules. 
I'm actually a Linux guy, and I'm pretty confident that netfilter simply won't keep up, and while we've not personally used OpenBSD in "anger" yet, there is plenty of time to get acquainted. So, at the edges I'm imagining a large hardware router, handing off to OpenBSD to sub-route, VLAN, PF, to the actual servers, and then a few 10s of Mbps of IPSec stuff back to base. The traffic patterns expected are very approximately: 5Mbps DNS 30Mbps of HTTP requests that elicit a sub-500byte response. 200,000,000 hits per day. 300Mbps of "normal" HTTP. 2-3Gbps of several hundred KB, to many-MB, files over HTTP. 20Mbps of "stuff" over IPSec. syslog, ssh, snmp, etc. Nearer the core will have much more complex PF rules, but only on a few hundred Mbps, so easy for modest hardware. Thanks
Re: anyone need old PC crap?
Nick Holland wrote: ropers wrote: You (or anyone else, really) wouldn't happen to have any 1st or 2nd generation PC stuff (as in, IBM 5150 PC / IBM 5155 Portable, or IBM 5160 PC XT)? http://en.wikipedia.org/wiki/IBM_5150 http://en.wikipedia.org/wiki/IBM_5155 http://en.wikipedia.org/wiki/IBM_5160 please answer off-list. Do not feed the old computer crap addiction I have... :-/ i smell an episode of hoarders :) Nick. On 5 February 2010 14:03, Daniel Malament wrote: Are there any developers (or anyone else) in the NY area who have a use for old PC crap? A 286, a 386, at least one 486 motherboard, some Pentiums, some P2s, etc? Before I cart it to the recycling center...
pf and apache: to stop a scripter
there is a website protected by pf and running apache on a recent openbsd snapshot that needs to be protected against scripting attacks. i can configure both pf and apache to help block this behavior but am not familiar with the best practices for such configurations. the situation is that a user who authenticates to apache via htpasswd has run a script a number of times in an attempt to mine a database. all of the user activity is already logged by apache and it is crystal clear that scripting is going on. i would like to stop this scripting in its tracks and here is what i am already looking at: - pf - use max-src-X to stop this behavior and log it at the firewall - apache - less clear on what tools are best, possibly mod_security stuff the sort of behavior that suggests scripting is more than ~20 http requests in 120 seconds, in this case all from one ip and using a single apache/htpasswd username. i'm looking for some guidance both on which dials to set and where to set them. i am already aware of the max-src settings but do not know which ones would be best to set here or a prescription for finding the right numbers to dial in. with apache i am much more clueless and believe that the trouble behavior being limited to a single apache user might be helpful in terms of countermeasures. cheers, jake
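One thing to keep in mind when choosing between the two dials in the post: pf's max-src-conn-rate counts new TCP connections, not HTTP requests, so a scripted client using keep-alive can push hundreds of requests through a single connection without ever tripping a connection-rate rule. The post's own evidence (more than ~20 requests in 120 seconds from one IP and one htpasswd user) lives in the Apache access log, and that is where the check below looks. It is an added example, not code from the post or from Apache: it parses combined-format log lines, keeps a sliding 120-second window per (client IP, user) pair, and reports any pair that exceeds 20 requests inside a window. The log lines are constructed for the demonstration; the threshold and window are the post's numbers and are the knobs to tune.

```python
"""Flag scripted clients from Apache access logs with a sliding window.

Added example, not from the original post. Assumes Apache's combined log
format with the htpasswd user in the third field. The sample log is
constructed: 'alice' hammers the database endpoint, 'bob' browses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 20      # more than this many requests ...
WINDOW = 120        # ... inside this many seconds is scripting

# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, user, timestamp) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("user"), datetime.strptime(m.group("time"), TIME_FMT)


def find_scripters(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(ip, user): {"first_flagged": ts, "peak": n}} for offenders.

    Lines are expected in log order. For each (ip, user) pair a deque holds
    the timestamps inside the trailing window; the pair is flagged the first
    time the deque grows past the threshold, and 'peak' records the largest
    window seen, which is the number to compare against your limit.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # non-matching line, skip it
        ip, user, ts = parsed
        q = windows[(ip, user)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()                    # drop requests older than the window
        if len(q) > threshold:
            entry = flagged.setdefault((ip, user), {"first_flagged": ts, "peak": 0})
            entry["peak"] = max(entry["peak"], len(q))
    return flagged


def build_sample_log():
    """Constructed combined-format lines: one scripter, one ordinary user."""
    base = datetime(2010, 2, 10, 12, 30, 21, tzinfo=timezone.utc)
    fmt = '%s - %s [%s] "GET %s HTTP/1.1" 200 512 "-" "%s"'
    events = []
    for i in range(25):                    # 25 requests in 72 s from one IP/user
        events.append((base + timedelta(seconds=3 * i), "10.0.0.5", "alice",
                       "/db?q=%d" % i, "curl/7.19"))
    for i in range(5):                     # 5 requests spread over 80 s
        events.append((base + timedelta(seconds=20 * i), "10.0.0.9", "bob",
                       "/page%d" % i, "Mozilla/5.0"))
    events.sort()
    return [fmt % (ip, user, ts.strftime(TIME_FMT), path, agent)
            for ts, ip, user, path, agent in events]


if __name__ == "__main__":
    for (ip, user), info in find_scripters(build_sample_log()).items():
        print("%s %s first flagged %s, peak %d requests in %ds"
              % (ip, user, info["first_flagged"].isoformat(), info["peak"], WINDOW))
```

Feeding the flagged addresses into a pf table (pfctl -t scripters -T add 10.0.0.5, with a block rule that references the table) gives the firewall-side block the post asks for, while the htpasswd user name is what lets you disable the account on the Apache side rather than guessing from addresses alone.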
smtpd alias entries: delivery trouble
i've got a machine that is running RT from packages and am having trouble getting smtpd to pass mail to RT. this is usually done with sendmail but i figured it should be no huge leap to use smtpd here. the config that works with sendmail has local aliases like so rt_queuename:"|/usr/local/bin/rt-mailgate --queue 'Queue Name' --action correspond --url https://rt.domain.com/"; where there is an alias like this for each queue. let me know if this sort of thing is not supported. what i do see from running smtpd -vd is ... command: RCPT TOargs: lka_resolve_node: node is filter: "|/usr/local/bin/rt-mailgate --queue 'Queue Name' --action correspond --url https://rt.domain.com/"; smtp_dispatch_queue: queue acknowledged message submission command: DATA args: (null) smtp_dispatch_queue: queue handled message creation smtp_dispatch_queue: queue acknowledged message submission 1264909788.hB74N4PO6lKzS8MR: from=, size=1080, nrcpts=1, proto=ESMTP, relay= [10.137.0.10] command: QUIT args: (null) session_destroy: killing client: 0x204aa in batch dispatch 1264909788.hB74N4PO6lKzS8MR: getpwnam: : user does not exist 1264909788.hB74N4PO6lKzS8MR: to=<@>, delay=1, stat=MdaPermError in batch dispatch smtp_new: incoming client on listener: 0x83fec0 session_pickup: greeting client ... at which point i get a DSN message stating Hi ! This is the MAILER-DAEMON, please DO NOT REPLY to this e-mail. An error has occurred while attempting to deliver a message. Recipient: @ Reason: so afaict smtpd is not grokking the alias line. clues as to what is going on here are welcome. cheers, jake
smtpd + dovecot: virtual map trouble
i am working on a new production mailserver using smtpd for an mta and dovecot for serving mail. i have run into a problem where i would like to use the same authentication mechanism for smtpd and dovecot so there is only one password database to maintain. as best i can tell i need to use system accounts and virtual user maps to get mail to dump into separate directories. the caveat is getting either dovecot to understand the virtual user mapping to system accounts or smtpd to do smtp authentication through dovecot. i would rather use bsdauth than have dovecot handle authentication. i currently have smtpd setup and delivering mail fine with the following config

ext_if = "re0"
listen on lo0
listen on $ext_if tls enable auth
map "aliases" { source db "/etc/mail/aliases.db" }
map "virtual" { source db "/etc/mail/virtual.db" }
accept for local alias aliases deliver to mbox
accept from all for virtual "virtual" deliver to maildir "/var/vmail/%d/%a"
accept for all relay

with the virtual map specified like so

us...@domain1.com: user1_dom1
...
us...@domain1.com: userN_dom1

where i have added users user1_dom1 through userN_dom1 with the false shell to the system. all works fine with the mail delivery and relay. any insight into how i can get dovecot or smtpd to do what i want would be appreciated. cheers, jake
Re: Intel PRO/1000MF (82545GM) Hardware Initialization Failed - 4.6 amd64
Ben Franklan wrote: Hi All I have 2 identical machines running 4.6 stable. I have tried removing some of the other hardware and changing some irq settings in the bios, but there is not really much to change. Does anyone have any advice on getting these network cards to work? the relevant error is this one

em0 at pci3 dev 2 function 0 "Intel PRO/1000MF (82545GM)" rev 0x04: apic 3 int 3 (irq 6)
em0: Hardware Initialization Failed
em0: Unable to initialize the hardware

try booting a snapshot kernel on the machine, it should work. i had this problem with some em interfaces with snapshots from a few months back so i am guessing it's in 4.6 release.
Re: Security via the NSA?
Doug Milam wrote: Will OpenBSD be the next to be 'helped'? http://www.npr.org/blogs/thetwo-way/2009/11/nsa_microsoft_windows_7.html can we stop these dumb posts about the NSA and windows 7? it's really not related to openbsd. spend less time being preoccupied with the fact that windows is likely backdoored and be more preoccupied with important stuff like what goes into the BIOS for various cpus and what your cell phone is or is not recording.
Re: Encrypting /home on OpenBSD Laptops
Brad Tilley wrote: On Fri, Nov 13, 2009 at 9:09 AM, Otto Moerbeek wrote: What's the point of encrypting certificates? They only contain information that is public. They can be revoked and re-issued as well. can you and elias please stop this thread? it is clear that you both know absolutely fuck all about cryptography but still want to posture and talk about it in front of all of us. i regret having taken the time to try to help you 2 weeks ago when this thread was fresh. hell, elias is asking questions that have ***already been answered in this thread***. can it get any dumber? let's talk about something we have no fucking clue about, repeat ourselves ad nauseum and then pat ourselves on the back after we ignore clueful people trying to make a meaningful contribution to the discussion.
Re: softraid crypto performance
Jan Stary wrote: On Nov 10 16:21:04, Alvaro Mantilla Gimenez wrote: On Tue, 2009-11-10 at 21:31 +0100, Michael wrote: Hi, when using softraid crypto with OpenBSD 4.6-current I never get more than ~10-11 MB/s disk writing speed even though the disk (WD Raptor 73 GB) itself, without crypto, can do way more. Uh...that sounds weird to me. I just copy 70 Gb from a USB SATA HD to the local partitions under a softraid crypto device and I get 14-16 Mb/s all the time. Of course I don't expect more from a USB device So why don't you write to the softraid device from /dev/zero, isolating yourself from assumptions about USB or whatever? one sees the same sort of bottleneck using e.g. bonnie as michael demonstrates using his ftp transfer. asking michael to change how he demonstrates this bottleneck is not productive. if you're so keen on doing it your way you should take the 5-10 minutes to test it and post your results.
partitioning wifi networks: multiple APs and access control
am looking to partition some wifi networks into multiple segments and am looking for both hardware and software advice. the goal is to have > 2 wifi networks in the same physical location that are split as follows: - guest AP for visitors and friends - business AP for coworkers - appliance AP for remote appliances - not people, so login needs to be automated and use existing wifi encryption/authentication methods here are some questions that come to mind: - what is the best facility to log wifi usage to syslog on an openbsd host? have used hostapd in the past, it's pretty sweet but not practical for guest users or wireless appliances - are there any recommended appliance wifi routers that will play nice with openbsd? i am looking for higher end hardware, not commodity junk that will save me money but cost me maintenance time later. i think i heard something about APs that can handle multiple nwids on multiple channels, this may be hearsay - which particular wifi interfaces are suggested for hostap mode over others? i haven't used hostap mode for several years since i had problems with needing to periodically (~monthly) take the hostap interface up and down - how should i avoid band over-occupancy issues to ensure decent throughput on my networks? feedback appreciated in advance. cheers, jake
Re: anyone, low power rack-mount server for home usage?
Stijn wrote: Didier Wiroth wrote: Hello, I would like to buy/build a low power 19" rack-mount server for home usage that will run openbsd. The server should be used for (secure hardware) file storage (some kind of hardware raid would be nice), nfs server, dhcp & dns caching I was wondering if some of you are using this type of low power hardware at home? Can you recommend such a rack-mount device? Can you recommend a european online reseller? Thank you very very much for your advice! Kind regards, Didier You can find more information on the vendor's home page: http://www.lex.com.tw/ these machines look real nice. a shame i didn't find this site a year ago. are there any other manufacturers of fanless embedded systems like this out there? cheers, jake
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
Otto Moerbeek wrote: On Wed, Nov 04, 2009 at 03:45:33PM +0100, Justin Smith wrote: Theo wrote: For the record, this particular problem was resolved in OpenBSD a while back, in 2008. Nice, but: "Since 2.6.23, it has been possible to prevent applications from mapping low pages (to prevent null pointer dereferencing in the kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the minimum address allowed for such mappings." 2.6.23 released: Tue, 9 Oct 2007 Ref: http://lkml.org/lkml/2007/10/9/241 http://james-morris.livejournal.com/26303.html -- JS Optional prevention is not worth a lot. not exactly on topic but Pope Benedict XVI would likely agree with otto. see, even the pope doesn't like linus.
Re: Encrypting /home on OpenBSD Laptops
Brad Tilley wrote: I wrote some notes on how I normally encrypt /home on OpenBSD laptops. I was hoping misc could read it and bash it around some. I'd like to know if I'm doing something wrong. No jokes about Beck's ass please :) http://16systems.com/openbsd_laptop_encryption.txt Thanks, Brad

don't bother encrypting just /home, do everything except the root partition. you can do this using softraid crypto as follows:

- dump your existing partitions to another disk connected to the machine e.g. a usb drive
- wipe the original disk
- do a fresh install from a recent i386 or amd64 snapshot and break to shell instead of following the usual install option
- follow the content of the softraid manpage to setup an encrypted disk, using fdisk and disklabel to prepare the disk yourself i.e. (assumes base disk name is sd0) fdisk -iy sd0, disklabel -E sd0, make a smallish 100-150 MB 4.4BSD partition for root and the rest of the disk set as a single partition of type RAID e.g. /dev/sd0a is root and /dev/sd0b is softraid, write disklabel, bioctl -c C -r 32768 -l /dev/sd0b softraid0, enter passphrase, and now you've got a second disk according to bsd.rd, sd1. not sure if you need to partition sd1 in the shell or in the installation script, you can figure it out
- before rebooting make sure that your /etc/fstab lists the crypto partitions (everything except root) as being on sd1
- when you reboot, the boot process will 'fail' and dump you to shell since sd1 is not unlocked as part of the boot process
- at a shell do the following to get your disk rollin: bioctl -c C -l /dev/sd0b softraid0, enter passphrase, issue 'fsck -fp && exit' if you had a dirty shutdown otherwise just type exit
- normal boot resumes and you've got your machine running with everything but root encrypted

do note that i used tedu's suggestion of increasing the round count when making the crypto partition above.

the steps listed above are almost complete but should be ***tested on a spare disk before doing this with a production system***. cheers, jake
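The fstab step in the procedure above is the one that is easy to get subtly wrong: an entry left over from the pre-crypto layout still points at sd0, and either the mount fails at boot or, if it is the swap entry, the kernel pages whatever it likes (including the softraid key schedule) onto the cleartext disk without complaint. The checker below is an added example, not part of the post or of OpenBSD: it parses fstab text and lists every entry that is not the root filesystem yet does not live on the softraid volume. It assumes the layout the post describes, root on /dev/sd0a and the crypto volume attached as sd1; the fstab contents are constructed for the demonstration.

```python
"""Pre-reboot check that /etc/fstab matches the softraid crypto layout.

Added example, not from the original post. Assumes root on /dev/sd0a and
everything else, swap included, on the softraid volume that bsd.rd
attached as sd1. SAMPLE_FSTAB is constructed and contains one stale entry.
"""

ROOT_DEV = "/dev/sd0a"
CRYPTO_DISK = "sd1"

SAMPLE_FSTAB = """\
# device      mountpoint  type  options          dump pass
/dev/sd0a     /           ffs   rw               1    1
/dev/sd1a     /usr        ffs   rw,nodev         1    2
/dev/sd1d     /home       ffs   rw,nodev,nosuid  1    2
/dev/sd0d     /var        ffs   rw,nodev,nosuid  1    2
/dev/sd1b     none        swap  sw               0    0
"""


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options) for each non-comment entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line; mount(8) would reject it too
        yield fields[0], fields[1], fields[2], fields[3]


def disk_of(device):
    """'/dev/sd0d' -> 'sd0'; strips the partition letter from a device node."""
    name = device[len("/dev/"):] if device.startswith("/dev/") else device
    return name.rstrip("abcdefghijklmnop")


def check_fstab(text, root_dev=ROOT_DEV, crypto_disk=CRYPTO_DISK):
    """Return (device, mountpoint) pairs that would be mounted from cleartext.

    Only the root filesystem is allowed on the unencrypted disk; any other
    /dev entry, swap included, must be on the crypto disk. Non-/dev sources
    (nfs, mfs) are left alone since they do not touch the local disk.
    """
    problems = []
    for dev, mnt, _fstype, _opts in parse_fstab(text):
        if dev == root_dev and mnt == "/":
            continue
        if not dev.startswith("/dev/"):
            continue
        if disk_of(dev) != crypto_disk:
            problems.append((dev, mnt))
    return problems


if __name__ == "__main__":
    for dev, mnt in check_fstab(SAMPLE_FSTAB):
        print("%s mounted on %s is not on %s" % (dev, mnt, CRYPTO_DISK))
```

Run it against the real file with check_fstab(open("/etc/fstab").read()) before the first reboot; an empty list is what you want. It only checks where entries point, not whether sd1 actually carries the partitions named, so a disklabel -h sd1 alongside is still worth a look.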
Re: Secure way to delete data in hard disc
Noah Pugsley wrote: Can I interest you in a pair of steganograpanties? Or for cooler weather, steganograpantaloons? are you suggesting there are messages hidden in pictures of beck's ass? the russians will be very upset. you should have taken thermite to those disks... Marco Peereboom wrote: They'll use it as torture material during the next krieg. On Wed, Oct 28, 2009 at 04:48:28PM -0600, Bob Beck wrote: What, you have pictures of my ass too? Obviously I must make something to write a random pattern over my entire ass so that It won't be recognized if some germans steal it.
Re: bioctl crypto passphrase file?
elias r. wrote: Is there way to get the passphrase for softraid-crypto out of a file? greetings! do think about this: it seems to defeat the entire purpose of disk crypto to have the passphrase stored in a file, unless i'm missing something. having a 2nd factor for authentication, e.g. a token with rolling code, is another story. cheers, jake
Re: OT: Iphone with OpenBSD
Alvaro Mantilla Gimenez wrote: I just found this page: http://linuxoniphone.blogspot.com/2008/06/why-iphone-linux.html I don't have any idea about how/where to start. Maybe Theo can put some light here...I think my developer skills are far from good enough but, hey...I would like to try !! getting openbsd working on an iphone would be a pretty serious undertaking and would require a lot of man hours that aren't currently available. you have to remember that the project is mostly driven by donated developer time. if you have >100K USD and are committed you might be able to make it happen. there would have to be a lot of reverse engineering on drivers and there is no reason to expect apple wouldn't change the chipsets across versions to make minute optimizations on cost. assuming you could get all this code written there are many man hours that go into keeping the arch working properly on an ongoing basis. there is no doubt this would be sweet but you have to be realistic when considering the amount of work it would take to make this happen. there are >10 million iphones in circulation so there is no shortage of machines Regards, Alvaro beowuff wrote: Reading the article posted on undeadly.org: http://www.informit.com/articles/article.aspx?p=1393496 I was thinking it would be cool to have an Iphone running OpenBSD... Imagine that: the most secure phone on the planet :-P Man, I have an old 1st gen iPhone just sitting there... I would so put OpenBSD on it. Unfortunately, I wouldn't know where to begin :(
Re: Defending OpenBSD Performance
this thread is fucking stupid. consider that the majority of machines are horribly underutilized, even in large organizations where some of the machines are under heavy load. the reason that everyone here is so dismissive of benchmarks is that they do not translate to real world results. people hyperventilate all day about how software X runs Y% faster under various OSes but i rarely if ever see a concrete expression of this e.g. i switched from openbsd to linux and was able to offer the same level of service with half the machines. part of the reason that one doesn't normally see concrete examples is that there is far more to the 'performance' of a machine than just benchmarks. - how does the cost of administration scale with machine count? - with what frequency will OS-related issues cause a catastrophic failure in a production environment? - is it easy to upgrade the machines? - if i don't regularly patch the machines will they get rooted? once you start thinking about the answers to these questions you might see how irrelevant most of this discussion has been to date. cheers, jake
supported travel printer and scanner
i am looking for a travel printer and scanner (two separate devices) that are supported by openbsd, specifically amd64. i am aware that this info is listed on the site but a suggestion from an actual user is what i'm after prior to purchasing. main things i'm after are - durability - reliability - compact and low weight any extra information about which software you use to get the devices working would be great. cheers, jake
Re: :Microsoft" VPN
stan wrote: Our company was bought out a while back, and the new owners are changing pretty much everything. This includes changing external access from a Cisco VPN to a "Microsoft" VPN. Can anyone here give me a pointer to where I can get information on this? What I want to be able to do is use my OpenBSD firewall at home to VPN on to work. if they end up using that crappy L2TP vpn that windows machines can do 'out of the box', you're up shit creek afaik. search the archives for l2tp to see some of the unpleasantness.
Re: :Microsoft" VPN
Jacob Yocom-Piatt wrote: stan wrote: Our company was bought out a while back, and the new owners are changing pretty much everything. This includes changing external access from a Cisco VPN to a "Microsoft" VPN. Can anyone here give me a pointer to where I can get information on this? What I want to be able to do is use my OpenBSD firewall at home to VPN on to work. if they end up using that crappy L2TP vpn that windows machines can do 'out of the box', you're up shit creek afaik. search the archives for l2tp to see some of the unpleasantness. correction: last time i checked (2006) you're up shit creek if you want to serve such a solution using openbsd. it appears the client isn't an issue based on brynet's post
Re: OT rack mount monitor/keyboards
Steve Shockley wrote: stan wrote: I have a few locations where I have installed 1U rack mount KVM/monitor/keyboards, and quite frankly, I'm not happy with any of the ones I have tried. I recognize this is off topic, but the people on this list are pretty hard to please. Given that I was wondering if anyone would like to recommend anything that they have used for these, and been happy with? A few people mentioned serial connections, but that doesn't really answer your question, since you'd still need a KVM. You'd also need computers that properly do serial console. The 1U KVM consoles I've used range from adequate to suck. My best suggestion is KVM/IP (Avocent, etc.), serial as others have mentioned, or ILO/DRAC. That way you don't have to stand next to the servers. best thing i've seen is the adder vnc-capable kvm switch, have one in production. it still requires e.g. a laptop to work so it's not quite as self-contained as a 1U standalone kvm interface. that you can access it on remote makes it even better than an actual kvm setup imo. cheers, jake
Re: encryption
somebody wrote: blah blah blah do your homework
Re: man pages conflict or clarification for mount_vnd, newfs and man 5 disklabel
leon zadorin wrote: who are obviously much more talented and accomplished than i. it is my life's work to make mountains out of minutiae, bear witness to my steaming pile of awesomeness. stop posting this on tech@ plz, it's *too* awesome.
Re: man pages conflict or clarification for mount_vnd, newfs and man 5 disklabel
please stop jargonizing in an attempt to make yourself sound smart, it is painfully academic. your behavior reminds me of grad school misfits i have worked with who are convinced that being a pompous jerk is equivalent to being successful. have some manners and don't send your retarded messages to so many lists. getting *4* of your emails each time you send one makes a solid case for you being the smartest person on-list to date.
Re: Porting HammerFS
Christiano Farina Haesbaert wrote: Pointing out my mistake(s) and explaining why is enough. there is no such thing as enough: misery is openly traded on the exchange of m...@openbsd.org. i become miserable from reading emails like this and make you miserable in turn. as gerald pointed out most of us are really interested in the misery derivatives, mostly spot laughs and front month chuckles.
Re: reason for libexec?
Michal wrote: As far as I'm aware ADD is on the autistic spectrum, and it is generally believed that a lot of people in IT are on the spectrum, especially those in the more technical areas, so in a way, you're probably sort of right...in a way. Though, have you been tested for Asperger Syndrome? have you been tested for retardation? i don't think they have an overpriced medication for that yet so you'll just have to hold your breath. i'm sure you can pay a doctor enough so you can get the 'retard' designation and get some meds once they roll them out. hopefully that means your ability to send retarded emails will be moderated. -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Theo de Raadt Sent: 15 July 2009 17:31 To: Daniel Barowy Cc: misc@openbsd.org Subject: Re: reason for libexec? On Wed, 15 Jul 2009, Theo de Raadt wrote: It is stuff that isn't on root's path. Ok-- it turns out I am even more naive than I previously thought. I can see that /usr/libexec is not in root's path on my machine (maybe that's why the 'usr' part is in there?). But why not? Because it is stuff that isn't SUPPOSED TO BE on root's path. Does everyone on this list have ADD?
Re: A thesis at Naval Postgraduate School that discusses OpenBSD
Ed Ahlsen-Girard wrote: Seven years old, but the abstract looks nice: http://cisr.nps.navy.mil/pubabstracts/02abstract_smith.html [demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a name of eagirard.13040DEFANGED-vcf] gave this a read and expect that some devs may have seen it back in the day. on page 116 of the .pdf there was a listing of the top ~20 openbsd os functions by mccabe complexity and ~15 of those functions were nfs ones. probably not surprising to anyone who has worked on that code.
Re: About the OpenBSD repository
Marco Peereboom wrote: I used git twice. Once I lost hours worth of work and the second time it munged instead of merged the code. No thanks. If it works for you great, now stop evangelizing some retarded versioning system that will never, ever, ever, ever, ever be used in OpenBSD. since it is *clear* that other vcs besides cvs will not be used, everyone should stop posting to this thread. this is an exercise in idiocy.
Re: apc ups daemon
Diana Eichert wrote: Remember real hardware hackers eat serial for breakfast. :-) diana lol! this made my morning diana. cheers, jake
OT Re: Kylin
Duncan Patton a Campbell wrote: the chinese government really feels so vulnerable against U.S.? i mean, they say it like "the WWIII will begin soon and we need to defend us on the cyberspace with our super-secure OS" They're prob'ly as worried about their own hacks as anyone else's, but given they've built their own chip it's pretty clear they take the problems with iNtel rom/microcode seriously enough. Remember the foo-rah when Sony came up with its own 64bit chip? All that bs about Sadman buying up a gross of playstations 'cause they're not trojaned with externally modifiable microcode ? seriously, the OS cannot be anything worth writing home to momma about. that they choose to run the OS on special cpus is notable since nobody really knows what the bios hackers put into their special sauce. intel and amd are originally 'western' companies so i wouldn't trust their work product as far as i could throw it if i were the chinese. speaking of which i don't trust the security of products manufactured in china and that's most hardware afaik. i have speculated before that some hardware manufacturers intentionally leave exploitable problems in their products on purpose so the machines can be penetrated. it would not surprise me at all if this were the case.
Re: Disk encryption or storing data in safe
Cem Kayali wrote: Thanks for reply... Well, i checked that before, but also heard that 'when a system with a mounted, encrypted virtual filesystem is shutdown uncleanly, the encrypted virtual filesystem's structures get damaged and, since OpenBSD's fsck command will not currently acknowledge vnd filesystems, these damaged structures can not be repaired' That was why i asked whether it is stable or whether there are alternate ways. read the manpage for softraid and bioctl, it works similar to cgd: bioctl -c C -l softraid0. note that you can encrypt everything besides the root partition when installing from bsd.rd on the common architectures e.g. amd64. svnd crypto is ancient. you can indeed fsck a filesystem on an encrypted svnd and it will take forever. if you have a large amount (>100 GB) of data to protect you may want to consider using something other than FFS as your file system due to the fsck time e.g. something with journaling or zero fsck time. Thanks. Christian Ruesch, 05/08/09 14:32: Hello, take a look at: mount_vnd(8). Kind regards Christian On Fri, May 08, 2009 at 02:10:13PM +0300, Cem Kayali wrote: Hello! I've just registered to the list and i hope this is the right list to ask a question about OpenBSD. I would like to ask whether OpenBSD has a stable implementation of storing data in encrypted format, similar to FreeBSD geli and especially similar to NetBSD cgd... I have searched through Google and some mailing lists and have found OpenBSD tutorials about creating an image and then, writing data into that image using svnd approach but same tutorials also say there is a problem with this if OpenBSD starts fsck while booting. Is there currently alternative or better way? Or what would you suggest to protect data? Thank you in advance. Cem
Re: OT: 10GbE Physical Network Taps
openbsd misc wrote: On Wed, May 6, 2009 at 3:42 PM, Diana Eichert wrote: On Wed, 6 May 2009, J.C. Roberts wrote: I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a "Bad Idea" (R)(TM). I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps? Thanks, jcr [1] http://www.networktaps.com/products/index.html -- J.C. Roberts JC We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck. note that he wants "to collect raw throughput statistics" and doesn't explicitly say dump all the traffic to disk. if he wanted to dump the entire pipe to disk it would require > 10 COTS machines and load balancing. diana NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ. i'd be more worried about the NBA, those dudes are huge and are known to roll with guns in sweatpants. jc is just trying to find a way to get traffic statistics, likely in relation to his earlier 'remotely connected disk' discussion. move along, nothing to see here. I can't see any black helicopters and my Tin Foil hat fits fine thanks for asking.
Re: svnd is incredible slow... somebody else notice that?
Sebastian Rother wrote: On Sun, 26 Apr 2009 11:37:24 -0500 Marco Peereboom wrote: You are retarded and unable to figure out what is going on. Spouting horseshit as usual. Seriously just go away. From one retard to another: Go and fix the retarded pf code or whatever except of talking in such a way to somebody else. Or go and watch some horse porn.. seems you love horse shit anyway. :-) Sebastian i read on the intarnetz that there are chipper shredders that can grind a whole human body, albeit slowly. perhaps you could run some benchmarks on the process and send them to the engineers who build the shredders so they can make them faster. the engineers have a strong preference for first-hand data and you seem more than willing to 'get right in there' and 'git er done', being all about deliverables and all. i think you might even solve this svnd crypto problem at the same time, two birds with one shredder as they say.
Re: svnd is incredible slow... somebody else notice that?
Marco Peereboom wrote: You are right about how awful all this stuff is. Man it seems like you should use an os that suits your goals a little better. I have heard that Linux offers awesome performance. based on the manner in which you routinely complain and provide zero deliverables, i must say that marco's suggestion is spot on. please join the ranks of all the rest of the feature-hungry talentless morons and just give up. if you have not figured out that you are a member of this group already you need to flash your brain bios so there is some hope of working around the parts that are obviously not working right. if you send another whining email about things that have already been discussed on this list i worry that you will break the misc@openbsd.org mailserver. don't be that guy.

On Apr 24, 2009, at 17:12, sebastian.rot...@jpberlin.de wrote: I notice it for a while now that SVND is incredibly slow related to WRITE SPEED. Also I do see a lot of "biowait" with top related to newfs for example.

    vnconfig -cK -S saltfile /dev/sd0d /dev/svnd1c
    disklabel -E svnd1   -> a a -> r -> w -> q
    newfs /dev/rsvnd1a

If you've several hundred GBs that's gonna take a long time. Also you can not restore a backup quickly because of the uberpoor write performance (it feels like being slower than PIO 3..). On the other hand softraid can not handle partitions. At least it won't do it...

    bioctl -c C -l /dev/sd0d softraid0

Heyho "invalid metadata format".. So what other choices does an OpenBSD user have to encrypt a HDD? Also: Did nobody else notice that? Don't others use these functions? :-) And as a side note to softraid: Also it might be clever to add MORE than 1 softraid device. Some people might have more than 1 HDD... :-) Kind regards, Sebastian
kd85 outstanding balances
i and plenty others donate funds and time to the openbsd project. i cannot speak on others' behalf but i find this entire matter very shady. the possibility that someone has embezzled funds due to the openbsd project is deeply offensive to me.

issues -- in order to have any kind of reasonable resolution it is necessary to restrict the core discussion to the quantitative issues. here is what i see as the key issues:

- a very large and long-standing A/R balance of kd85 with computer shop of calgary (CSC) for CDs; it seems clear that wim claims there was some special deal that means he doesn't owe what theo and/or CSC invoiced him for the CDs
- questionable allocations of 'openbsd donation funds' by kd85 to events, causes, etc, that are not strictly related to openbsd; this issue was addressed by bob in the email about itojun's funeral where wim seemed disinclined to follow bob and theo's instructions despite repeating those instructions
- beyond allocation issues with the 'openbsd donation funds' there may be a more serious discrepancy at hand, as per ingo's email; the extent of this MITM situation with donations is unknown without input from donors

the additional matter of openbsd merchandise (shirts, etc) being sold by wim in europe and none of that money making it back to the project is shocking but it appears that was part of the agreement.

resolution -- here is what i see as the potential avenues for resolution of each issue. note that this needn't be done in public even though the current tack is to do just this:

- A/R balance - both kd85 and CSC prepare their documents and isolate the problem to differences on various purchases, invoices, etc, to give a total amount in dispute and a history of its accumulation. theo and others have previously privately and now publicly lambasted wim for not paying up according to expectations. based on the private and public comments not having any demonstrable effect, the matter should be pursued by lawyers in belgium and CSC should seek a settlement against kd85 which would likely result in fines, liens on property or jail time, among other things. there is a complicating factor here, which is that since theo does not have a majority interest in CSC he cannot dictate whether to pursue the matter legally, that is up to the owners of CSC. anytime one considers taking someone to court, a cost benefit analysis must be done since legal costs can get very large very quickly and you may be attempting to get 'blood from a stone', wasting your money. i am speculating that the CSC owners don't want to run the ball this direction for just the reason i cite above.
- questionable allocations - this is a tough one since wim is the only one with the records and it is unlikely that receipts from all the parties involved could be obtained.
- MITM donations - while annoying to do, one could make an appeal for all donors who sent funds to wim or his shop to send receipts / confirmation of their donations to someone associated with the project. once all receipts are obtained they would be added up and compared to both (1) wim's published numbers and (2) CSC / theo / openbsd foundation numbers. based on ingo's email, i suspect this may yield some very interesting results.

prior claims -- both theo and wim have made a number of claims directly, indirectly and not strictly on-list. here is how i perceive each set of claims and their evidence:

- theo has made claims that stick pretty closely to the issues i cite above, albeit sans detailed financial data. he is obviously very angry about this since the project could really use the funds in dispute and it has been a long-standing problem. some people feel he should substantiate the argument with numbers and details, but he seems to want to agitate in public and resolve the matter in private.
- wim has made a long, relatively detailed response on his website that does include some financial details. however, he does not stick to the basic problems (i.e. A/R balance, donation transparency) and provides a large amount of incomplete information. the numbers give some insight into the problem but things like a balance sheet give approximately zero information for detailed problems like this and only serve to confuse the matter.

my experience -- sometimes the best staff are the same ones who embezzle from a company because they feel entitled to it, that they're insufficiently compensated, etc, i have seen it happen in my work experience several times. that's not to say that wim is an embezzler but the argument that 'oh, wim is so cool, look how he helped the project' holds zero water when it comes to money. as i have seen myself, what someone has contributed to a project is not a good metric for whether they also have gamed or are gaming the project in a very shady fashion.

f
Re: European orders
frantisek holop wrote: hmm, on Wed, Mar 25, 2009 at 03:41:04AM +0100, Floor Terra said that Why doesn't Wim explain the situation here. Less work isn't it. ;) I don't know. And I don't want to get involved. I'm concerned about Theo, Wim, the project and anybody else who is involved and don't want to make this any worse by spreading unverified statements from anyone. I hope you understand. Theo has made some serious allegations and i hope he has evidence to back it up. -f

from theo's email: "I am certain that the resellers will understand the reason why we are here; the middle man has fallen ridiculously far behind in A/R."

it seems clear that you either did not read the email i'm citing from or do not understand what was said. if you didn't understand, this is how the 'allegation' is substantiated in terms of accounting:

- cds are ordered by EU distributor kd85 from project, likely with a PO from kd85
- project issues invoice (with payment terms, e.g. Net 30) to kd85 and ships cds to EU
- kd85 receives shipment
- until kd85 pays the project it has an outstanding balance in accounts receivable (A/R) for the project

all that needs to be done to substantiate the allegation is to look at the current A/R balance for kd85. one could publish the POs, invoices, receipts and A/R entries to give a full picture of what's going on, but that would be pretty pointless since it's clear that it won't make them more likely to pay. when large sums of money are involved it is not uncommon to acquire legal counsel in the jurisdiction of the debtor and seek a settlement against them, e.g. a lien on their property, fines or jail time.
Re: arp MiTM
irix wrote: Hello Misc, I am a customer and not the network administrator, and someone in the network makes MiTM attack, a network of billet in the uncontrolled switches and ISP will not translate everything on the managed. Therefore, software implementation of this patch for openbsd. OpenBSD is most secure OS on the planet, but susceptible to a simple MiTM attack. How then can we talk about the " security by default" this sort of email will, even if you have a valid point, likely win you no points with the devs. i see no offer of funding or a demonstration of an attack vector so you are obviously a very serious player. you are being unbelievably rude and are likely a troll so this is the last time i'll ever read your emails. wouldn't be surprised if a lot of other folks did the same.
Re: OT: Free, online backup service provider compatible with BSD
Jason Dixon wrote: On Wed, Feb 11, 2009 at 03:02:51PM -0700, Steve B wrote: Thanks to all for the ideas. Amazon looks like it might be the best for me. They should be around for a while, and at $0.17 that's almost free. While I agree with some that DR and free are not synonymous this is for my home server so it's not as critical as work. Why would you want to backup your home server to Amazon? That makes no sense to me. they run this awesome store where you can buy books and stuff. can you not see why they are the best choice for online backups? sarcasm aside their rates are very competitive.
Re: Reset root password on system with console insecure?
bofh wrote: On Thu, Feb 5, 2009 at 1:38 PM, Pierre Riteau wrote: Or learn to use ed :) My god, ed? He should be editing the file on the hard drive by hand, poking it in with dip switches! so you've never had to edit text files with only programs under /{,s}bin? ed has gotten me out of a number of crunches, don't knock it til you try it.
Re: If you don't understand how to do it properly...
bofh wrote: http://www.theregister.co.uk/2009/01/27/blowfish_poisoning/ hack on the linux kernel? ;)
Re: DCBSDCon 2009 - Two weeks to register
Jason Dixon wrote: We're got less than three weeks to DCBSDCon 2009. The entire lineup has been released and today we announced the "Frack Room", a space dedicated to casual BSD gaming and hacking sessions. Attendees will be able to plug in their laptops and play from their choice of networked games on our LAN server or hang out and collaborate with other BSD hackers. http://blog.dcbsdcon.org/2009/01/introducing-the-frack-room/ Open registration is available through January 31. Onsite registration will be available the morning of February 5 at the "slacker" rate. http://www.dcbsdcon.org/register.html Hope to see you there! jason, i will be attending with a business associate of mine but not as part of the dev contingency. is there anything i need to know before coming? i'll be booking accommodations only a week in advance for various reasons. cheers, jake
Re: Split Horizon DNS issues w/named.conf
Christopher Sean Hilton wrote: Repost with conf file included: I'm trying to track down a split horizon DNS issue. On initial startup everything works great. Internal hosts can resolve names against my complete zone and can resolve names for other internal hosts just fine. External hosts get the abbreviated views that I've setup. But after a period of time named stops responding to external host. Requests to it just time out. I'm running stock named on OpenBSD 4.3. I've attached my named.conf file to this message: take note of the security advisory for 4.3's BIND: http://openbsd.org/errata43.html#004_bind upgrade your grey matter cuz one day it may matter

    // $OpenBSD: named-dual.conf,v 1.6 2004/08/16 15:48:28 jakob Exp $
    //
    acl clients {
        127.0.0.0/8;
        192.168.0.0/23;
        ::1;
    };

    options {
        version "";    // remove this to allow version queries
        listen-on    { any; };
        listen-on-v6 { any; };
    };

    logging {
        category lame-servers { null; };
    };

    view "internal" {
        match-clients { clients; };
        match-recursive-only yes;

        // -
        // Standard zones
        //
        zone "." {
            type hint;
            file "standard/root.hint";
        };

        zone "localhost" {
            type master;
            file "standard/localhost";
            allow-transfer { localhost; };
        };

        zone "127.in-addr.arpa" {
            type master;
            file "standard/loopback";
            allow-transfer { localhost; };
        };

        zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
            type master;
            file "standard/loopback6.arpa";
            allow-transfer { localhost; };
        };

        // -
        // Slave zones
        //
        zone "example.com" IN {
            type slave;
            file "slave/db.example.com";
            check-names ignore;
            masters { 192.168.1.34; };
            allow-transfer { localhost; 192.168.1.34; 192.168.0.34; };
        };

        zone "0.168.192.in-addr.arpa" IN {
            type slave;
            file "slave/db.192.168.0";
            masters { 192.168.1.34; };
            allow-transfer { localhost; 192.168.1.34; 192.168.0.34; };
        };

        zone "1.168.192.in-addr.arpa" IN {
            type slave;
            file "slave/db.192.168.1";
            masters { 192.168.1.34; };
            allow-transfer { localhost; 192.168.1.34; 192.168.0.34; };
        };
    };

    view "external" {
        match-clients { "any"; };
        recursion no;
        additional-from-auth no;
        additional-from-cache no;

        // -
        // Master zones
        zone "example.com" {
            type master;
            file "master/db.example.com";
        };
    };

    // Local variables:
    // mode: fundamental
    // mode: font-lock
    // tab-width: 4
    // End:

-- Chris
Re: Updating AD DNS server
Peter Bako wrote: I'm looking for a script that I can run on my OpenBSD boxes that would allow them to register their DHCP assigned IP addresses with my Windows 2003 DNS server. My windows boxes do this automatically and it's convenient to be able to just ping them by name regardless of what IP they have been given, but for my BSD boxes I don't have this. It would be nice to find a script that could be called as part of the boot process with which they could also register their name and IP addresses to the Server 2003 DNS server. if you're willing to let openbsd handle the dns, you can do this http://www.bsdguides.org/guides/openbsd/networking/ad_dynamic_dns_dhcp.php i have this running in a couple places and it works quite nicely. i do not like having a windows machine in charge of something as fundamental as dns. cheers, jake
Re: Yahoo! mail and OpenBSD greylisting
Girish Venkatachalam wrote: On 09:30:48 Dec 22, Jordi Espasa Clofent wrote: Hi Girish, ?Have you tried to contact with Yahoo! technical staff about it? I know you are serious , so I don't want to kid. I almost got talking to a relatively highly placed individual in yahoo! to take a look at OpenBSD greylisting. But guess what? The typical corporate response: "We do not care about open source. We will steal what we want from it without acknowledging any credit. And we are a big company with a lot of money. So we can continue the way we want." I can forward you the mildly agitating e-mail response I got from the yahoo! top gun. ;) Apropos of yahoo! breaking standards...well what can we do? *nobody* expects the spanish inquisition! give them the comfy chair!
Re: pppoe not reconnecting
Christian Weisgerber wrote: Every few weeks...months, the PPPoE session for my ADSL line goes away (some time during the night) and is not reestablished. The corresponding pppoe interface is down, state "initial", a number of PADIs have been sent, but no further retries seem to be happening. When I become aware of the problem, I only need to do "ifconfig pppoe0 up" and a new session is established immediately. In this part of the world, PPPoE sessions for consumer ADSL lines are dropped after 24h, so there is a daily disconnect, but pppoe reconnects right away. No problem there. Other session drops happen from time to time and look suspiciously like scheduled maintenance work at the ISP. When I've been around to witness this, pppoe has reconnected eventually. However, sometimes pppoe just seems to get wedged and stop retrying. Does anybody else see this too? i have seen something similar happen at a number of locations here in chicago: kernel pppoe runs fine for several weeks and then it gets locked up and requires several 'ifconfig pppoe0 {down,up}' cycles or several reboots to get it resurrected. it has occurred with both AT&T/SBC and Earthlink ISPs here. i have fixed IPs on most of the ADSL lines in question but some are dynamic. cheers, jake
Re: package integrity, security and checks. .... where are they ?
Martin Schröder wrote: 2008/12/17 Marc Espie : We think it's worse to sign packages than not to sign them if you don't have a fairly strict process that ensures you have a correct chain of trust. Agreed. PGP provides that, but I can understand that nobody wants GnuPG in base. :-{ the next best option i can think of is to have the hashes (sha256 and/or others) fetched via ssh from a trusted site, e.g. your nearest anoncvs server. it avoids the gnupg requirement but is still susceptible to mitm on key fingerprints, etc. if you can't trust your local anoncvs server, you've got a problem that may be too big to fix anyhow. note that this may not work so well and i'm only making this suggestion in hopes it could allow for a solution that, afaict, requires less work and maintenance than a full PKI solution. cheers, jake Best Martin
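The hash-over-ssh scheme sketched in the reply above, as an added example that is not part of the original thread and not OpenBSD's own tooling: the mirror's SHA256 manifest is fetched over ssh with the mirror's host key pinned in a dedicated known_hosts file (the pinned fingerprint is exactly the residual trust point the reply mentions), and local package files are then checked against it. The host name, manifest path and known_hosts path are assumptions; the manifest format assumed is the cksum-style "SHA256 (file) = hash" lines OpenBSD mirrors publish.

```shell
#!/bin/sh
# Added example: verify package files against a SHA256 manifest fetched over ssh
# from a trusted host.  Host, manifest path and known_hosts file are assumptions.
set -eu

TRUSTED_HOST="${TRUSTED_HOST:-anoncvs.example.org}"              # assumption
MANIFEST_PATH="${MANIFEST_PATH:-/pub/OpenBSD/packages/SHA256}"   # assumption
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/trusted_mirror_hosts}"    # pinned host key, assumption

# Print the SHA256 hex digest of a file; sha256(1) on OpenBSD, sha256sum on Linux.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# fetch_manifest OUTFILE
# StrictHostKeyChecking=yes plus a private known_hosts file means the connection
# fails closed on an unknown or changed host key instead of prompting; trust
# therefore rests on the fingerprint recorded in KNOWN_HOSTS, nothing else.
fetch_manifest() {
    ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o BatchMode=yes "$TRUSTED_HOST" "cat '$MANIFEST_PATH'" > "$1"
}

# verify_packages MANIFEST DIR
# Reads "SHA256 (name) = hexdigest" lines and checks DIR/name for each one.
# Returns 0 only if the manifest listed at least one file and every listed
# file exists with a matching digest; a missing or altered file returns 1.
verify_packages() {
    manifest="$1"; dir="$2"; bad=0; n=0
    while IFS= read -r line; do
        case "$line" in
            "SHA256 ("*") = "*) ;;   # manifest entry
            *) continue ;;           # skip comments, blank lines, other formats
        esac
        file=${line#SHA256 (}; file=${file%%) = *}
        want=${line##*) = }
        n=$((n + 1))
        if [ ! -f "$dir/$file" ]; then
            printf 'MISSING  %s\n' "$file"; bad=1; continue
        fi
        got=$(sha256_of "$dir/$file")
        if [ "$got" = "$want" ]; then
            printf 'OK       %s\n' "$file"
        else
            printf 'MISMATCH %s\n' "$file"; bad=1
        fi
    done < "$manifest"
    if [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}

# Usage: sh verify_pkgs.sh /path/to/downloaded/packages
if [ "$#" -eq 1 ]; then
    tmpm=$(mktemp)
    fetch_manifest "$tmpm"
    verify_packages "$tmpm" "$1"
    rm -f "$tmpm"
fi
```

A manifest that is itself fetched through a pinned ssh host key does not detect a compromised mirror; it only removes the untrusted-network leg, which is the limitation the reply already names.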
Re: how to bundle multiple internetconnections?
Sebastian Rother wrote: Hi everybody, I currently would like to bundle multiple internet connections to one "virtual" internet connection which: 1. uses all the download/upload 2. take care about "which packet goes which way" by itself. I've 3 internet connections for 3 offices. All offices have a DSL link but the mainoffice (all are close) should be able to use the download/upload speed of the near-by offices too (it's also for redundancy in case the DSL link of the hq breaks). So there's an OpenBSD doing the pppoe for the DSL. Furthermore the 2 other offices provide WLANs. So if I've 1 NIC for the pppoe and 2 for the WLAN stuff would I be able to do what I would like to do? A problem I would see is that the 2 WLANs do provide DHCP (I could use a static configuration for the NIC probably) which also overwrites my routing and DNS settings (of the Router itself). How could I maybe solve such a problem with OpenBSD and teach the router to use the 2 WIFI links as well (no pure "fail-over" it really can use the WIFI connections even the DSL link works)? i think you need the openbsd 'handy bundler' add-on http://www.as-seen-on-tv-products.ws/store/handy-bundler-deluxe-p-673.html Thanks for any suggestions and kind regards, Sebastian
Re: OT, .. but eCommerce?
Michiel van Baak wrote: On 09:33, Fri 12 Dec 08, L. V. Lammert wrote: A friend of mine is trying to get a small eCommerce site up on one of our 4.4 servers, .. he is trying to get eCommerce Templates running but is having problems with curl & it looks like others are ahead. This seems that is something from ASP land, so before I try to help him get it working thought I'd ask to see what other folks are using. Basic inventory control & shopping cart is all he needs - does anyone have a recommendation? We have some ppl running oscommerce with mixed feelings. Maybe you can have a look at it to see if it will work for your friend. oscommerce works but is a mixed bag. there are tons of modules you can add with very little work that give very useful features, e.g. automated label printing, but the code quality and maintainability sucks. if you have the patience to tune oscommerce it is very powerful. getting the site to have a proper appearance is the most challenging part with it imo. cheers, jake
Re: USB CD-ROM support
Marco Peereboom wrote: I use one every day. You want to use PXE on blades. i had no problem booting an enclosure full of dell 1855 blades using an external usb cdrom. installed an amd64 snapshot on em. not sure what your problem is... booting PXE is pretty easy so you should try that if the usb cdrom doesn't work. On Mon, Nov 03, 2008 at 07:20:08AM -0500, Bob Hope wrote: When (if ever) will support for installing OpenBSD with a USB CD-ROM be added? I have a few servers I'd like to use OpenBSD on, but they are Blade units and the only method of installing the operating system is through USB CD-ROM. Thanks, Tom
Re: file encryption
Paul M wrote: I'm looking for a way to encrypt backup files for secure storage. Gpg is an obvious candidate, but I'm wondering if there's anything in base, perhaps a creative use of ssh or some other tool, though not something liable to break, obviously. Any thoughts would be much appreciated. paulm i am surprised that nobody has pointed you at the manpages for bioctl and softraid. read these and you can see how to use crypto volumes with softraid. AFAICT most of the work done on bioctl and softraid should have made it into 4.4, if not you need to run current to get these features.
Re: Modern operating systems are flawed by design, including OpenBSD.
mak maxie wrote:
> http://www.computerworld.com.au/index.php?id=264209080&rid=-219
>
> Microsoft Windows is the only operating system that supports signed binaries.
> _
> [EMAIL PROTECTED]
> http://msn.com.hk
>
wow, that's a really good point. i think i'm going to switch back to microsoft windows.
Re: dmesg IBM x3650 OpenBSD 4.3
gm_sjo wrote: 2008/10/10 Breen Ouellette <[EMAIL PROTECTED]>: When you have proven yourself even 10% as helpful to the cause of OpenBSD as Theo is, then maybe, just maybe, you are justified in criticizing his tactics. I look forward to that point in time, but until then I really have no reason to side with you, nor should anyone else who is informed on this matter. Dear lord, it's brainwashed minions such as yourself that make me wonder why I continuously donate money to the 'cause'. But of course, that's irrelevant, right? breen and many others are not brainwashed, they are fed up with whining naysayers who want to dictate manners via the internet. fucking do something useful instead of complaining about how someone else does it and maybe you'll *earn* some respect.
Re: Patching a SSH 'Weakness'
Ted Unangst wrote: On Fri, Sep 12, 2008 at 4:12 AM, <[EMAIL PROTECTED]> wrote: To all who opposed the suggestion to send one block of data when the key is pressed: my suggestion strictly referred to the login procedure, not to the later data communication. I did not mention this because I thought it was clear from the context of the original poster who has expressively mentioned "passwords". You may want to reconsider the suggestion in this light. That's what ssh already does. when will the uninformed people finally start making silly comments about the perceived problem here? i heard that ssh will be endpoint-surveillance-proof with the next release, thanks to the tinfoil hat diff that is currently being tested. haven't seen it committed yet...
Re: VistaPE PXE booting from a OpenBSD tftp
[EMAIL PROTECTED] wrote: Hello everybody, I currently try to set up a WinPE 2.0 solution ("VistaPE") to replace the old "BartPE" solution I currently do use. Even after using some HowTos I somehow failed to manage to get the VistaPE booting from an OpenBSD Server. The BCD claims that it can't find \Boot\ so I tried to find out if OpenBSD's tftpd rewrites the \ into a / like the tftpd on Linux where you have the possibility to create the file tftpd.remap which would include a "gr \\ /" in my case. So has anybody booted VistaPE from an OpenBSD tftp-Server already? Does the tftpd of OpenBSD remap such things automatically? I found nothing related to this in the manpage. figure out how it works for pxebooting openbsd, then try your hand at vista. reduce to the simplest case and then build up. asking people to do your homework for you makes you look lazy. It would be great if somebody could give me some suggestions how to maybe solve this (or in case somebody uses already WinPE 2.0 with OpenBSD as underlying server I would be happy about a howto too). Kind regards, Sebastian
Re: DOJ Incompetence and corruption
james dandey wrote: For those that do not know, DOJ is department of justice. Incompetence and corruption cost an innocent man, Irvins, his life. The FBI have been harassing me for 15 years. I have posted many emails to this list with a variety of descriptions of what has happened to me. DOJ investigators purposely try to drive suspects to suicide in cases lacking substantial evidence. It not only occurs in the FBI but across all agencies of the DOJ. Congress urgently needs to look into the problems at the DOJ. A PhD Chemist employed at the FBI's criminal investigation lab claims out right criminal tampering of evidence. I will testify under oath the things done to me over that past 15 years and like Abu Graib it is far worse than most realize. mr. dandey: the terms of your parole specifically forbade you from mislinewrapping in public. you have been issued an additional 50 demerits. if you do not amend your actions i can neither confirm nor deny that the DOJ will extraordinarily render your balls inoperable. from those that already knew
Re: atheros - just curious, ot
Reyk Floeter wrote:
> On Sun, Jul 27, 2008 at 09:28:10AM -0500, Marco Peereboom wrote:
>> I threw my git saving throw so I was able to avoid looking at it.
>>
>>> There is a version in the OpenWRT tree:
>>> https://dev.openwrt.org/cgi-bin/trac.fcgi/browser/trunk/package/ath9k/src/drivers/net/wireless/ath9k
>>>
>>> The following thread also carries some information:
>>> http://thread.gmane.org/gmane.linux.kernel.wireless.general/18019
>>>
>>> Actually, I'm confused. It carries an ISC license with an Atheros copyright. Luis Rodriguez (madwifi/ath5k) and Jouni Malinen (Linux Prism2 HostAP) are working for Atheros now. The code seems to include open source HAL code, there is no binary blob. The only missing thing is the documentation, but even the existing driver might help to port it to OpenBSD.
>
> Actually, the ath9k stuff is very similar to ath5k which is indeed based on my ar5k driver (OpenBSD ath(4))... too bad that Atheros did not decide to use a copyright like
>
> Copyright (c) 2008 Atheros Communications Inc.
> Copyright (c) 2004-2007 Reyk Floeter <[EMAIL PROTECTED]>
>
> They neither apologized for all the trouble nor gave me any credit for my work. ath9k would not exist without my work on the OpenBSD ar5k driver, it was a door opener, the base of the ath5k port, and Atheros' way into the Linux kernel. It was the reason why Luis Rodriguez got his new job. It might help Atheros to gain market share again, after they lost so much to more open companies like Ralink Tech.

it is really reassuring to see that a company like atheros is doing the right things here:
- not releasing proper documentation
- then not giving credit for WORK DONE FOR FREE THAT THEY CAN REUSE AT THEIR LEISURE

it's a good thing that companies like atheros are so mindful of the people that help expand their user base, especially at no expense to them. whoever makes these garbage decisions at atheros should have their employment terminated.
Re: Hardware recommendation for firewalls (more than 4 NICs)
Martín Coco wrote:
> Hi misc,
>
> I'm currently looking for hardware alternatives for firewalls that should have more than four NICs. Currently we are buying R200s from Dell, but we have the 4 NIC limitation. We could tell Dell to install a quad port NIC (in addition to the two-port onboard card), but I haven't read good things about the way they work. I've also looked into Soekris, but they don't seem to have enough CPU for what we want (this is pure speculation) as we also have intense IPSec traffic on some of these firewalls (I've seen that some of them could have encryption boards added to increase performance, but I don't know if it works for any kind of protocol, or at what rate).
>
> In any case, what I would like to have is firewalls with multiple NICs (at least 6 NICs) *and* sufficient CPU to let IPSec work alright at least at ~50Mbps (internal backbone firewalls). The multiple NICs are to use trunk, pfsync, real network interfaces, etc.

i see that people have already made this pointlessly heated, but i'll just put in my 2 cents nicely: unless you're routing ridiculous amounts of traffic, in which case openbsd might not be able to handle the pps count, it is probably best to trunk the four interfaces into the switch, put vlans and/or carp on top of that and not add a slew of extra interfaces. it's not for me to say that you don't need the extra interfaces but trunking and vlans will likely (1) save ports on your switches, (2) make your setup more resilient by having a larger number of interfaces for each link to fail through, (3) simplify the cabling and (4) minimize the number of switches required.

btw, commercially available hw encryption accelerators are not very relevant anymore since there is so much idle cpu power in most modern machines. it's usually a better idea just to buy a faster machine or one with a cpu that does its own crypto acceleration, e.g. via C7.

cheers, jake

> Thanks,
> Martín.
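The layout Jake describes (bundle the NICs into one trunk towards the switch, then run the real networks, carp and pfsync as VLANs on top of it) written out as an added example in hostname.if(5) form. This is not a configuration from the thread; the interface names, VLAN ids, addresses, the LACP choice and the carp password are all assumptions, and the syntax is the trunk(4)/vlan(4) form of the releases current when the thread was written (later releases moved LACP to aggr(4) and vlan(4) to parent/vnetid, so check the man pages of the release you run).

```conf
# /etc/hostname.em0 and /etc/hostname.em1: physical ports carry no addresses
up

# /etc/hostname.trunk0: both NICs bundled towards the switch; the switch side
# must be configured as an LACP group (or use "trunkproto failover" on plain ports)
trunkproto lacp trunkport em0 trunkport em1 up

# /etc/hostname.vlan10: the "inside" network rides the trunk as VLAN 10
vlan 10 vlandev trunk0 up

# /etc/hostname.vlan99: dedicated pfsync VLAN between the two firewalls only
inet 10.99.0.1 255.255.255.0 NONE vlan 99 vlandev trunk0

# /etc/hostname.carp10: the address inside hosts point at, shared with the peer
inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 10 pass ChangeMe carpdev vlan10 advskew 0

# /etc/hostname.pfsync0: state-table sync over the pfsync VLAN
up syncdev vlan99
```

Two things a practitioner should keep in mind with this shape: pfsync carries no authentication at all, which is why it gets its own VLAN that nothing else is allowed to reach, and carp advertisements are authenticated with the `pass` value, so treat it as a real shared secret rather than a placeholder. pf still has to pass `proto carp` on the vlan10 side and `proto pfsync` on vlan99 for any of it to converge, and the peer firewall gets the same files with its own addresses and a higher advskew.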
Re: sshd_config(5) PermitRootLogin yes
Brian A. Seklecki wrote:
> On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote:
>> maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had
>
> I didn't want to rehash it all again. Everyone knows the issues.

so put your own /etc/ssh/sshd_config into your siteXY.tgz install set and stop hard-selling this knob twist that would waste a lot of my and others' time. then your openbsd install can be as secure as you want with minimal effort.

> However, with respect to the right to disagree, if Marco's and Darrin's belief that remote-network-postinstall configuration is the standing reason, then I consider myself in disagreement.
>
> Also, I think there is a false premise to the argument by Marco and Jacob that disabling remote root login by default does not provide real security, only a false illusion. That sounds like a slippery slope. We all know that security is a process. There is a security risk / attack vector here, however remote: without password quality and failed-login tarpit/delay mechanisms, a remote root password is subject to brute force. Plus, hypothetically, how strong is a temporary root password going to be? It's not going to be the one that you use in production, so likely you're going to recycle the same one after every install.
>
> - Yes qualified administrators filter sshd(8) w/ pf(4)
> - Yes qualified administrators choose strong passwords
> - Yes qualified administrators disable PermitRootLogin afterboot
> - Yes qualified administrators always use sudo(8) and never use root shells
>
> I propose, as a compromise, wrapping PermitRootLogin around a Match statement, limited to the default local subnet gleaned during the install network config (no "LocalSubnets" macro exists in sshd_config(5), afaik, but that would be best)
>
> It's just the right thing to do; and we should be leading by example. Either way, it's a healthy discussion worth having.
>
> ~~BAS
>
>> PermitStupidEmails No as the default.
>>
>> i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security.
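Brian's Match-based compromise written out as an added example; this is not the project's sshd_config and not a file from the thread, and the 192.168.1.0/24 subnet is an assumed stand-in for the one the installer configured, since no LocalSubnets macro exists to fill it in.

```conf
# /etc/ssh/sshd_config fragment (added example, not OpenBSD's default file)

# Global default: no direct root logins over the network.
PermitRootLogin no

# Everything after a Match line until the next Match is conditional, so the
# global keywords above must come first.  Root is allowed only from the
# subnet the install was done on (192.168.1.0/24 is an assumption here).
Match Address 192.168.1.0/24
    PermitRootLogin yes
```

Check the file with `sshd -t -f /etc/ssh/sshd_config`; with OpenSSH 5.1 or later you can also ask sshd what a particular client would get, e.g. `sshd -T -C user=root,host=ws.example,addr=192.168.1.50 | grep -i permitrootlogin`, which prints `yes` for that address and `no` for anything outside the block. The caveat is that the rule keys on the source address, so any host that sits on, or can spoof its way onto, that subnet gets a root password prompt; if that is too loose, `PermitRootLogin without-password` inside the Match block keeps key-based root logins and drops the brute-forceable password path. And if you go Jake's route and ship your own sshd_config in a siteXY.tgz set, this is the file to put there.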
Re: sshd_config(5) PermitRootLogin yes
Marco Peereboom wrote:
> And they got it all wrong. It is all for the perceived sense of security. Not being able to login over ssh right after install sucks. I am that guy that ends up enabling it on all other boxes that use a different default. The machine I install and then deploy to be hostile-network connected gets some extra love in that department, however crippling every box by default for no gain is counterproductive.

maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had PermitStupidEmails No as the default.

i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security.

> On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote:
>> On Thu, 10 Jul 2008, Marco Peereboom wrote:
>>> Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable?
>>
>> No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd.
>>
>> I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopulated. And this is likely the rationale why the rest of the projects changed it.
>>
>> ~~BAS
>>
>>> On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:
>>>> Am I reading this right?
>>>>
>>>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup
>>>>
>>>> I don't have a fresh install anywhere -- but I want to say that it doesn't default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving me some noise about: "Well the source vendor doesn't disable it by default ..."
>>>>
>>>> ~BAS
Re: 4.2 and 4.3 BIND: masters_list does not work with masters option
David Newman wrote:
> On 7/7/08 4:44 PM, Jacob Yocom-Piatt wrote:
>> afaict as of BIND 9.3.2 use of an acl in the masters option was supported, e.g.
>>
>> acl int_masters { 10.0.0.1; };
>> ...
>> zone "somedomain.com" {
>>     type slave;
>>     masters { int_masters; };
>>     file "slave/internal/somedomain.com";
>> };
>>
>> but apparently named does not parse this and complains that it is 'unable to find masters list 'int_masters''
>>
>> any clues as to what is going on here?
>
> Perhaps the missing quote marks around the ACL name? This works for me:
>
> acl "internal-xfer" { 10.0.0.93; 10.0.0.94; };
> acl "trusted" { 10.0.0.0/8; localhost; };
>
> zone "somedomain.com" in {
>     type master;
>     file "master/db.somedomain.com";
>     allow-query { trusted; };
>     allow-transfer { internal-xfer; };
> };

david, tried this out but no joy. it still gives a similar message when i enclose the acl name in quotes:

/etc/named.conf:98: masters "int_masters" not found

guess it's time to take a peek at the source and see what's up.

cheers, jake
4.2 and 4.3 BIND: masters_list does not work with masters option
afaict as of BIND 9.3.2 use of an acl in the masters option was supported, e.g.

acl int_masters { 10.0.0.1; };
...
zone "somedomain.com" {
    type slave;
    masters { int_masters; };
    file "slave/internal/somedomain.com";
};

but apparently named does not parse this and complains that it is 'unable to find masters list 'int_masters''

any clues as to what is going on here? i'm following the only explicit example i was able to find about this:

http://docs.hp.com/en/5992-3347/ch01s03.html

cheers, jake
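The error message is literal: `masters { name; }` inside a zone looks up a named master list, and in BIND 9.3 and later such a list is declared with the top-level `masters` statement, not with `acl`. An acl is an address-match list and is only accepted where access control is evaluated (allow-query, allow-transfer and friends). The fragment below is an added example that is not from the thread; the addresses are the ones posted in it, the acl name is borrowed from David's reply, and the zone names are as posted.

```conf
// named.conf fragment (added example, not from the thread)

// A named master list: declared with "masters", not "acl".
masters int_masters { 10.0.0.1; };

// An acl is only valid in access-control contexts.
acl "internal-xfer" { 10.0.0.93; 10.0.0.94; };

zone "somedomain.com" {
    type slave;
    masters { int_masters; };            // refers to the masters statement above
    file "slave/internal/somedomain.com";
    allow-transfer { internal-xfer; };   // an acl is fine here
};
```

Run `named-checkconf` against the file before restarting named (on OpenBSD's chrooted named that is `named-checkconf -t /var/named etc/named.conf`). Since a slave takes whatever zone data its masters hand it, the list deserves the same care as a transfer acl: keep it to the real masters, and entries of the form `10.0.0.1 key xfer-key;` inside the masters statement let you require a TSIG key on the transfer as well.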
Re: Continuation of OpenBSD's Stop the Blob
Jeffrey 'jf' Lim wrote:
> On Thu, Jun 26, 2008 at 9:46 PM, Lars Noodin <[EMAIL PROTECTED]> wrote:
>> It seems that OpenBSD's Stop the Blob message is getting more recognition:
>> http://www.fsdaily.com/stop-blob
>>
>> As the article points out, better late than never. Though OpenBSD had been on my list of things to look at for years, it was the Stop-the-Blob campaign that provided for me the final nudge.
>
> sorry - the final nudge to do what exactly? Stop the blob? Everybody should have listened a long time ago. I suppose it's good that the message has finally come out now from the linux developers, but man... haven't they let those blobby fools (and we all know the most famous example) entrench themselves already?

it will always be unpopular to have the right opinion at first, especially when it invalidates the work of others. the cattle only go 'moo' after they've been branded. serves them right.

if you build it wrong they will come... hold on, that doesn't sound right...

cheers, jake

> -jf
>
> this has been my signature for like the longest time now... -->
> --
> In the meantime, here is your PSA:
> "It's so hard to write a graphics driver that open-sourcing it would not help."
> -- Andrew Fear, Software Product Manager, NVIDIA Corporation
> http://kerneltrap.org/node/7228
wireless barcode scanners
does anyone on list know if wireless (e.g. bluetooth) barcode scanners can or do work with openbsd? couldn't find much information about it after searching.

the application is inventory tracking, etc, where several users would concurrently scan and have barcodes register with a single machine. if the devices simply spit out the barcodes over bluetooth, i expect there is a way to achieve this.

cheers, jake
Re: OT: Dissertation ideas for my degree
Paul Irofti wrote:
> On Wed, Jun 18, 2008 at 10:15:54PM +0100, Edd Barrett wrote:
>> Hi,
>>
>> As it seems my last two project ideas for my degree have fallen through, I wonder if anyone here has any ideas for software projects which are:
>> a) Useful
>> b) Conceptually new
>>
>> Ideas need not be OpenBSD based, but it's a bonus if it is. Usually a project consists of a software build and a write up.
>
> Do the CLI SIP Phone! I wanted to code that for so long, but the SIP protocol and its friends tend to go so far as time just wasn't enough. But it would be pretty cool to have that.

i would absolutely love to see this one go and it would be very useful. maybe script some ssh-ing into it to allow for easy proper call encryption? ;)

i have some further feature suggestions that could push it into the 'conceptually new' category. not for public consumption

cheers, jake
OT: good remote mgmt KVM switch
have dug about and not found any KVM switches that do either RDP or VNC that are reasonably priced. any suggestions on equipment of this sort would be appreciated. looking for stuff that works easily with openbsd packages, no java stuff if it can be helped.

cheers, jake
Re: Schneier on Security: BlackBerry Giving Encryption Keys to Indian Government
Ed Ahlsen-Girard wrote:
> Gulp. There are references in the comments along the lines of "big deal, the mail spends a lot of time as unencrypted smtp", but that is not always true: a lot of corporate customers use BB within their own mail systems; we feel free to send things to BB users that we FORBID to be sent outside the company.
>
> http://www.schneier.com/blog/archives/2008/05/blackberry_givi.html

uh, this should not be posted here since it has little if anything to do with openbsd.

if you are serious about email security, use your own tuned mailservers and never trust a 3rd party with the emails. people who think security is as easy as "subscribe to service X and it's all secure" are morons who, imo, deserve to have their data used against them.
Re: [OT] developers running -current on laptops
Chris wrote:
> I can see from the recent undeadly posts and pictures that most developers are using laptops and I know you have to run -current to do development work. I was just wondering if these laptops are for development use only or development+personal use? I know -current can break sometimes and am just curious to know if developers risk putting personal stuff on a laptop that is being used for active development.

a more general rule for information on computers: if it is important, it should be backed up

a good test to see if changes in -current 'break' your system is to boot the new kernel with the old userland to check if it works. this assumes you're going from one snapshot to another, and is by no means a foolproof technique.

cheers, jake
Re: S/Key *and* password for SSH login
Stuart Henderson wrote:
> On 2008-05-18, Mark Shroyer <[EMAIL PROTECTED]> wrote:
>> I've set up a nice secondary authentication mechanism on a Linux server. I use this when I must shell in from, e.g., a computer lab, and I don't have an authorized SSH private key on my workstation. To login without a private key, I must:
>> 1) Enter my account's current S/Key one-time password and
>> 2) Enter my Unix password
>> in sequence.
>
> In what way does typing your password in to an untrusted machine improve security?

it's 2 factor authentication, duh! i read about that on the intarnetz so it must be a good idea regardless of the 2 factors i choose. ;)
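Stuart's question has a concrete answer once you run the two factors through a keylogger on the lab machine, so here it is as an added example (not from the thread and not OpenBSD's skey(1)): an S/Key style one-time-password chain in the RFC 2289 MD5 variant, simplified to raw 64-bit values instead of the six-word encoding, with a server that stores only the last accepted value. The seed, passphrase, static password and the password-only service standing in for su(1) or a mail login are all constructed for the example.

```python
"""Added example, not from the thread or OpenBSD's skey(1): an S/Key style
one-time-password chain (RFC 2289, MD5 variant, raw bytes instead of the
six-word encoding) exercised against a keylogger on an untrusted machine.
The seed, passphrase, static password and services are constructed."""
import hashlib


def fold(digest16: bytes) -> bytes:
    """RFC 2289 MD5 folding: XOR the two 8-byte halves down to 64 bits."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def step(x: bytes) -> bytes:
    """One link of the chain: fold(MD5(x))."""
    return fold(hashlib.md5(x).digest())


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """The n-th one-time password: step applied n+1 times to seed||passphrase."""
    x = step((seed + passphrase).encode())
    for _ in range(n):
        x = step(x)
    return x


class SkeyServer:
    """Stores only the last accepted OTP (sequence n+1), never the passphrase."""

    def __init__(self, seed: str, passphrase: str, n: int, unix_password: str):
        self.seed, self.n = seed, n
        self.last = otp(seed, passphrase, n + 1)   # what skeyinit would record
        self.unix_password = unix_password          # the static second factor

    def login(self, candidate: bytes, password: str) -> bool:
        """Accept iff hashing the candidate once gives the stored value and the
        static password matches; on success the chain moves one step down."""
        if step(candidate) != self.last or password != self.unix_password:
            return False
        self.last, self.n = candidate, self.n - 1
        return True


class PasswordOnlyService:
    """Stand-in for anything that accepts the Unix password alone (su, IMAP...)."""

    def __init__(self, password: str):
        self._password = password

    def check(self, password: str) -> bool:
        return password == self._password


def keylogger_scenario():
    """Simulate one login from a lab machine whose keyboard is logged.

    Returns (login_ok, replay_ok, next_otp_forgeable, password_reusable)."""
    seed, phrase, pw = "op4x", "correct horse battery", "hunter2"
    srv = SkeyServer(seed, phrase, n=99, unix_password=pw)
    captured_otp, captured_pw = otp(seed, phrase, 99), pw   # what the keylogger saw
    login_ok = srv.login(captured_otp, captured_pw)
    replay_ok = srv.login(captured_otp, captured_pw)          # chain has advanced
    # Hashing forward from the captured OTP only yields values already consumed;
    # OTP 98 requires the passphrase, which never touched the lab keyboard.
    next_forgeable = srv.login(step(captured_otp), captured_pw)
    # The static password, by contrast, was typed in full and works anywhere
    # that accepts it without the OTP in front of it.
    password_reusable = PasswordOnlyService(pw).check(captured_pw)
    return login_ok, replay_ok, next_forgeable, password_reusable


if __name__ == "__main__":
    print(keylogger_scenario())
```

The S/Key half behaves as advertised: the captured value is useless once the server has moved down the chain, and going forward from it only reproduces values that have already been burned. The Unix password half is what the untrusted machine actually walks away with, and it opens every service that takes the password on its own. Adding the static password to the S/Key login does not make the session safer; it exports the one secret S/Key was designed to keep off that keyboard.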
Re: irc
[EMAIL PROTECTED] wrote:
> Is there an official OpenBSD IRC channel? thank you, and I am sorry but couldn't find info about it in the FAQs

use the archives, this has been discussed.
azalia problem on 4.2-release: loud tone
have a little via c7 machine for my home workstation and the audio chipset is detected as an azalia device

azalia0 at pci4 dev 1 function 0 "VIA HD Audio" rev 0x00: irq 5
azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: VIA/0x1708 (rev. 5.0), HDA version 1.0

when i play music through xmms, i do hear it but it is pretty much washed out by a loud, constant, irritating tone that is substantially louder than the music itself. AFAICT there is nothing else outputting audio on the machine. advice on how to do any of the following would be appreciated:

- determine if something on the machine is generating this sound
- stop the sound
- fix the driver

i took a glance over the commits to azalia.c azalia_codec.c and nothing popped out at me as an obvious fix.

cheers, jake
Re: SSD drives: performance gain
David Gwynne wrote:
> some ssd drives would be very cool to try. i'd love to play with these:
>
> http://www.stec-inc.com/product/zeusiops.php

am i right in saying these STEC drives are 10K USD each? yikes

robert, thanks for the affirmation, i did see your entry on the openbsd laptops page.

ryan, thanks for letting me know the T61 comes with the optional SSD drive. will acquire an X300 to see how it performs. might end up going with the T61 + SSD if the horsepower of the X300 is insufficient.

cheers, jake

> dlg
>
> On 15/04/2008, at 9:52 AM, Jacob Yocom-Piatt wrote:
>> am considering acquiring some machines with SSD drives, e.g. thinkpad X300, and was interested to hear about any experiences with openbsd on an SSD drive. the reduction in latency and load times is attractive, but i'd like to hear about some real world experiences before doling out serious money for the drives.
>>
>> cheers, jake
Re: Chatting with developers? Is it soo 1996?
Artur Grabowski wrote:
> "Andris" <[EMAIL PROTECTED]> writes:
>> On Tue, Apr 15, 2008 at 2:20 PM, Theo de Raadt <[EMAIL PROTECTED]> wrote:
>>>> I found an old email on the mailing lists, dating back to 1996, when Theo announced users could connect and chat with the developers on their ICB server.
>>>
>>> Many developers did not like it, so please leave them alone.
>>
>> I can understand your point, but isn't there a way of connecting to just read? I mean, we only read, you talk. That would be very interesting.
>
> Is there a way to connect to your phone to just listen? Not talk, just listen. That would be very interesting.

apparently that's what the government thinks here in the US too (read CALEA, et al). this is the most obvious indication that something is a good idea.

cheers, jake
SSD drives: performance gain
am considering acquiring some machines with SSD drives, e.g. thinkpad X300, and was interested to hear about any experiences with openbsd on an SSD drive. the reduction in latency and load times is attractive, but i'd like to hear about some real world experiences before doling out serious money for the drives.

cheers, jake