Re: Shadow TCP stacks
moved to misc@; it's still not on-topic, but this message may be somewhat interesting

On Fri, Oct 10, 2014 at 07:31:50PM -0400, Ian Grant wrote:
> I want to try to implement some form of concealed port knocking in OpenBSD, along the lines of Martin Kirsch: https://gnunet.org/sites/default/files/ma_kirsch_2014_0.pdf

Looking through the abstract and introduction, that's just port knocking. As the paper points out, "Port knocking is a well-known technique to hide TCP servers from port scanners."

(The thesis does aim at security against a global eavesdropper, which is not traditionally a goal of port knocking; and the implementation does try hard to work with existing software, which is nice. I don't think port knocking is actually useful - see below - but this does look like a competent execution of its concept.)

> The application is electronic democracy. I want to demonstrate how it is possible to do secure comms. over untrusted networks and hardware.

But it *isn't* possible to do secure comms from/to compromised hardware; that is what "compromised" means.

Note that the thesis above merely aims at cryptographic port knocking; a global adversary can still just read the unencrypted traffic. The thesis also requires a pre-shared key; if you have a PSK, why not use real crypto (e.g. a VPN) instead? Also, note that securely pre-sharing keys is a pain even in a small group of friends; there is no way you can scale that to every human in the world.

> I hope to be able to do this by carrying out a global referendum. See http://livelogic.blogspot.com/2014/10/the-foundation-parts-iii-iii.html

A very quick read shows that you want to do, roughly, electronic voting. A number of proposals exist to achieve secure (or verifiable) electronic voting; I believe you should be able to find fairly accessible introductions to the cryptographic scheme proposed by Ron Rivest (of RSA fame).

No proposal that I'm aware of even contemplates using compromised hardware, though, and all proposals assume a functioning census.

> My plan is to use a virtual interface which magically shows behind the physical interface when connections are made with the right ISN key in the SYN packet. If the ISN is not one of the 'knocks' then the connection sees the ordinary physical interface.
>
> Then I want to make a connection between applications and the TCP stack so that the knocks can be determined only by data from within the VPN. Then the knocks will vary non-deterministically.
>
> To bootstrap into the VPN a machine will need a direct trusted connection to another machine which is already in the VPN, and which can send it the initial knock key sequence which will allow it to handshake into the VPN, and thereafter have a connection.
>
> The VPN will be tunneled over TCP and/or IP datagram connections. Within the VPN the routing and representation of data within real TCP network packets will also vary non-deterministically according to data passed over the VPN.
>
> The VPN will be used for trusted core protocols for authentication, key-exchange and verification. So it need not carry such high volumes of traffic. The bulk of data will be carried over the exposed network.
>
> If anyone here has a better idea, or any other useful advice (even if it's "this has already been done!" or "It won't work, but please explain exactly why.") or pointers: I am new to this game: I have never seriously looked at network protocol driver code in OpenBSD or any other OS.

This is way too large; start with something *much* smaller. Very smart people have been working on the kind of things you're thinking about for decades; you're not going to solve this in a weekend, or in just a hundred lifetimes.

Some things that you may find interesting:

- http://curvecp.org/: djb's "encrypt the whole internet" scheme. One useful first contribution might be to get the efficiency measurements that http://curvecp.org/efficiency.html promises; this is not easy.

- Tor is the most realistic choice for internet anonymity at the moment; there are plenty of issues with it, but it's something. Consider setting up a tor node; do not set up an exit node without consulting an appropriate legal professional.

- the global poor are getting more and more access to mobile (dumb-)phones; consider things like http://en.wikipedia.org/wiki/M-Pesa. It has been very hard for the open source world to do much of anything in this area, since (a) it's desperately uncool and (b) telecom companies are hesitant to allow any arbitrary code on their devices. Nonetheless, some (extremely ambitious) projects might be worthwhile:

  + try turning Karsten Nohl's research into something like Cydia, a platform for rooting SIM cards and installing custom applications on them. Again, consult a legal professional; this is definitely not legal everywhere.

  + create an e-voting application and bring it to market with the telecom operators'
New OpenSSL advisory
Just a notice: there is a new OpenSSL advisory, at https://www.openssl.org/news/secadv_20140605.txt. Reproduced below for your convenience. (No word on the degree to which LibreSSL is vulnerable.)

OpenSSL Security Advisory [05 Jun 2014]
========================================

SSL/TLS MITM vulnerability (CVE-2014-0224)
==========================================

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. This issue was reported to OpenSSL on 1st May 2014 via JPCERT/CC. The fix was developed by Stephen Henson of the OpenSSL core team partly based on an original patch from KIKUCHI Masashi.

DTLS recursion flaw (CVE-2014-0221)
===================================

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. This issue was reported to OpenSSL on 9th May 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS invalid fragment vulnerability (CVE-2014-0195)
===================================================

A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Jüri Aedla for reporting this issue. This issue was reported to OpenSSL on 23rd April 2014 via HP ZDI. The fix was developed by Stephen Henson of the OpenSSL core team.

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=================================================================

A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public. The fix was developed by Matt Caswell of the OpenSSL development team.

SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===============================================================================

A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.

Anonymous ECDH denial of service (CVE-2014-3470)
================================================

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8za.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Thanks to Felix Gröbert and Ivan Fratrić at Google for discovering this issue. This issue was reported to OpenSSL on 28th May 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

Other issues
============

OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack". Reported by Yuval Yarom and Naomi Benger. This issue was previously fixed in OpenSSL 1.0.1g.

References
==========

URL for this Security Advisory: http://www.openssl.org/news/secadv_20140605.txt

Note: the online version of the advisory may be updated with
Re: pdksh vi-like bindings
On Sun, Apr 20, 2014 at 01:30:14PM +, Артур Истомин wrote:
> On Sat, Apr 19, 2014 at 11:29:44PM +0200, joasia et damien wrote:
> > ----- Original message -----
> > > On Fri, Apr 18, 2014 at 08:54:06AM +0200, joasia et damien wrote:
> > > > Is there any way to change vi-bindings in pdksh?
> > >
> > > I don't think so, but note that you can fairly easily run some other shell on OpenBSD (pkg_add -i bash; ensure bash is in /etc/shells; chsh.)
> > >
> > > Joachim
> >
> > Thanks for your answer. I am currently using zsh but I am quite tired of searching its long man pages. I consider pdksh much easier, that's why I was considering switching to pdksh.
>
> Off-top. You received e-mail from Joachim personally? Because I didn't receive it from the e-mail list.

Yes, I sent a direct mail. Please don't publicize those. (Not that it matters in this case - I was just trying to keep list chatter down. But netiquette is quite clear on this being a no-no.)

Joachim
Re: Insight needed on new encryption feature for ssh-keygen and ssh: ssh-keygen --protect and a linux data protection service
On Mon, Apr 14, 2014 at 12:28:15AM -0700, alexander taylor wrote:
> The problem I'm trying to solve is that casual users [...] may not bother creating passphrases for their private ssh keys. [...] [T]hese keys could be cryptographically protected under the user's Windows/Linux logon password [...]
>
> For example, Chrome on linux uses any available keychain program to encrypt saved passwords under the user's logon credential, if a keychain program is available, and uses the Data Protection API on Windows. More on Windows DPAPI: http://msdn.microsoft.com/en-us/library/ms995355.aspx
>
> My idea is to add a --protect (e.g.) option to ssh-keygen that encrypts the private key with the user's logon credential (windows or linux password) instead of prompting for a passphrase. For Windows, it can protect the file using Windows DPAPI, but for Linux I would need to create a similar data protection service. This data protection service is also something I want to create, with ssh-keygen being the main motivation.
>
> The linux data protection service would generate a master key for the user, protected on disk by encryption under the user's password, captured by a PAM module. The same PAM module decrypts and re-encrypts the master key when the user changes her password. Then, the data protection service allows ssh-keygen to encrypt the private key using the user's master key, available only when logged on. Now, ssh can use the same service to decrypt the key if the user is logged on (another feature I'd need to add). If the user is not logged on, the private key is unusable.
>
> Using eCryptfs, hard-drive encryption, or simply making a passphrase and keeping it in a keyring solve the same problem, but require more effort by the user.
>
> More details on my research: https://docs.google.com/document/d/1mibuwHRJpzCFYuQJZ30Cgw6nBjyp6qod19tZnw-Rzv8/edit?usp=sharing

(I'm on the train, and unable to access the Google Doc. Sorry.)

I'm a bit unclear on what exact attack scenario you're trying to solve.

If you just want to ensure that a key is readable only while the user is logged in, you could just give the user sudo access to scripts like

    #!/bin/sh
    # Write to secure storage: stdin goes to a per-user file under a
    # root-owned directory, so it is unreadable without going through sudo.
    set -eu
    umask 077
    # Under sudo the real uid is root's, so prefer the invoking user's id.
    uid=${SUDO_UID:-$(id -ru)}
    mkdir -p "/var/secure_storage/$uid"
    cat - > "/var/secure_storage/$uid/$(basename "$1")"

    #!/bin/sh
    # Read from secure storage: print the named per-user file to stdout.
    set -eu
    uid=${SUDO_UID:-$(id -ru)}
    cat "/var/secure_storage/$uid/$(basename "$1")"

(and/or write a suid program for a more convenient interface).

However, I'm not clear on what that would accomplish - ssh already enforces that the key has mode 700, so that it is only readable by the user. I don't see how adding crypto, PAM or login tracking to the above system really helps.

If you just want to ensure the key cannot be simply copied, you might want to investigate running ssh-keygen as a different user (e.g. joachim-ssh-keygen); IIRC, this already works - but it's a bit painful to set it up.

Joachim
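The key hierarchy the proposal above describes (a per-user master key wrapped under the login password, re-wrapped on password change, and the SSH private key encrypted under the master key), as an added example that is not the poster's code or an existing service: the `UserKeyStore` class and the `seal`/`unseal` helpers are hypothetical, the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag so that the example needs only the standard library, and `SAMPLE_PRIVATE_KEY` is a constructed stand-in.

```python
"""Sketch of the proposed per-user data protection service (hypothetical code).
On disk: salt + master key wrapped under a key derived from the login password.
In memory: the master key, only between logon() and logoff() (the PAM module's job).
The SSH private key is encrypted under the master key, so a password change
re-wraps 32 bytes instead of re-encrypting every protected file.
Cipher: HMAC-SHA256 counter-mode keystream, encrypt-then-MAC with a second key,
so the example runs on the standard library alone; a real service would use an
AEAD such as AES-GCM or ChaCha20-Poly1305.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # password hashing cost; tune to the machine

def derive_kek(password, salt):
    """Key-encryption key from the user's login password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def _keystream(key, nonce, length):
    """Concatenate HMAC-SHA256(key, nonce || counter) blocks to `length` bytes."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _subkeys(key):
    """Distinct encryption and MAC keys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext, label):
    """Encrypt-then-MAC.  `label` binds the blob to one purpose, so a wrapped
    master key cannot be passed off as a protected private key or vice versa."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, label + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob, label):
    """Inverse of seal(); raises ValueError on wrong key, wrong label or tampering."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication failed: wrong key or modified blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class UserKeyStore:
    """Per-user state of the hypothetical service."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        master = os.urandom(32)
        self.wrapped_master = seal(derive_kek(password, self.salt), master, b"master-key")
        self._master = None  # nobody is logged on yet

    def logon(self, password):
        """PAM hook at login: unwrap the master key, or fail closed."""
        try:
            self._master = unseal(derive_kek(password, self.salt),
                                  self.wrapped_master, b"master-key")
            return True
        except ValueError:
            self._master = None
            return False

    def logoff(self):
        self._master = None

    def change_password(self, old, new):
        """PAM hook on password change: re-wrap the master key only."""
        try:
            master = unseal(derive_kek(old, self.salt), self.wrapped_master, b"master-key")
        except ValueError:
            return False
        self.salt = os.urandom(16)
        self.wrapped_master = seal(derive_kek(new, self.salt), master, b"master-key")
        return True

    def protect_private_key(self, private_key):
        """What the proposed `ssh-keygen --protect` would do."""
        if self._master is None:
            raise PermissionError("user not logged on")
        return seal(self._master, private_key, b"ssh-private-key")

    def unprotect_private_key(self, blob):
        """What ssh would call at connect time; unusable while logged off."""
        if self._master is None:
            raise PermissionError("user not logged on")
        return unseal(self._master, blob, b"ssh-private-key")

# Constructed stand-in for a private key file; not a real key.
SAMPLE_PRIVATE_KEY = b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED SAMPLE\n-----END OPENSSH PRIVATE KEY-----\n"
```

Note that, as the reply points out, none of this protects the key from a process running as the logged-on user; it only makes the file useless to whoever copies it without also learning the password.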
Re: How to deal with DDoS ?
On Mon, Feb 20, 2012 at 05:57:05PM +0100, Roger S. wrote:
> I am facing regular and consequent DDoS, and I would like to know how the OpenBSD community deals with these. Hints and inputs welcome.
>
> The obvious first : my input pipes are not filled, there is plenty of bandwidth available for my regular users.
(...)
> Methodology is more or less always the same :
> - massive UDP flood : 2 Gbps / 150 Kpps - dropped directly on the router, not a problem
> - moderate ICMP flood : 10 Mbps / 12 Kpps
> - moderate IP fragments flood : 380 Mbps / 57 Kpps
> - moderate TCP RST flood : 10 Mbps / 30 Kpps
> - massive TCP SYN flood : 640 Mbps / 2 Mpps - yup, that hurts
>
> So, UDP never ever reaches my OpenBSD box. The SYNs are made with a very vicious method : each used IP sends exactly one SYN, but there are millions of them (traffic probably spoofed, but can not use uRPF as we have asymmetric traffic and routes). I tried to set limit states with 1M entries, and it was quickly filled (tried 5M but the box collapses way before that). So in the end, the state table collapses and no traffic can pass, even for regular users with already established connections.
>
> I ran some experiments in a lab trying to reproduce this, with a box roughly identical to what I have in production (but much weaker, of course). The box collapses at 600 Kpps SYN (100% interrupts), but handles everything very gently (less than 50% interrupts and no packet loss) if the first rule evaluated is "block drop in quick from !<whitelisted_users>". So it seems that my bottleneck is PF here, not the hardware.
>
> A consequence of this saturation : both my main firewall and my backup claim MASTER ownership of the CARP (split brain syndrome). CARP works just fine when I add the block rule, though.
>
> Some configuration details :
> - OS : OpenBSD 5.0/amd64 box, using GENERIC.MP
> - CPU : Intel X3460 CPU (4 cores, 2.80GHz)
> - RAM : 4GB
> - NIC : 2x Intel 82576 (2 ports each)
>
> Each network card has the following setup : one port to the LAN, one port to the WAN. Each pair (LAN1/LAN2 and WAN1/WAN2) is trunked using LACP. Already bumped net.inet.ip.ifq.maxlen, as all NICs are supported.
>
> My benchmarks did highlight two interesting things : amd64 has better performance than i386 (roughly 5-10% less interrupts, with same rules and traffic), but the difference between GENERIC and GENERIC.MP is insignificant.
>
> My current idea is to hack a daemon to track established connections (extracting them à la netstat), and inject my block rule in an anchor (à la relayd) when needed (watching some stats from pf, with its ioctl interface). Pros: regular users the firewall saw before the attack can still use the service. Cons: no new users are allowed until the removal of the rule, obviously. Better than nothing, but I welcome any other hints :)
>
> One other solution may be to add boxes. I tried a carpnodes cluster, but at 600 Kpps I got a split brain with both nodes claiming MASTER for each carpnode. Maybe if I configure ALTQ it could help this ? As I have more boxes, I could deal with the performance impact of ALTQ.
>
> I am willing to test any patch/suggestion you may have, of course. Even just hints about kernel code, as I am currently messing with PF code myself. I did compile a profiled kernel, I must now check the results but that will be another story.

Just the most obvious idea, since you mention that this sort-of-works if you put "block drop in quick from !<whitelisted_users>" first: does it handle this load if you turn off pf, or only include one or two trivial rules? It certainly suggests that you may be well-served by optimizing your pf.conf... (also, you've probably found the synproxy directive? If not, try that too.)

Also, state tracking is apparently faster than stateless pf for normal firewalls. I'd double-check if this is still true in your case, though; if nothing else, stateless pf makes a CARP'ed setup easier.

I'm pretty sure you can muck with the rules without dropping existing connections. (pf essentially does "does this packet match a known state? If not, look at pf.conf.") This is almost certainly easier than your proposed daemon.

A final, rather hackish, idea that probably does need a bit of programming: greylisting for SYNs. Legitimate users will send you a second SYN, so you could do something like (this has not even been syntax-checked!)

    block drop log in quick from !<syn_seen> no state flags S/SA

and then add every logged IP to <syn_seen>. Obviously, this will slow down access to the service for legitimate users, which may or may not be acceptable.

Joachim
-- 
PotD: www/squid,ntlm - WWW and FTP proxy cache and accelerator
http://www.joachimschipper.nl/
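The "add every logged IP to the table" step of the SYN greylisting idea above, as an added example that is not code from the thread: it assumes the greylist rule logs each blocked first SYN (the `pf.conf` fragment in the docstring is a syntax-corrected form of the rule sketched above, with the table name taken from the message) and that pflog is read with `tcpdump -n -e -ttt -i pflog0`; the sample log lines are constructed, and the script only builds the `pfctl` commands rather than running them.

```python
#!/usr/bin/env python3
"""Feed pflog'd first SYNs into a pf table so the sender's retransmit gets through.

Assumed pf.conf shape (a syntax-corrected form of the rule sketched in the
message; the table name comes from there, everything else is an assumption):

    table <syn_seen> persist
    block drop log in quick proto tcp from !<syn_seen> flags S/SA no state

Input is the text `tcpdump -n -e -ttt -i pflog0` prints.  This script only
builds the pfctl command lines; it does not run them.
"""
import re
import shlex
import sys

# One pflog line for a blocked TCP SYN.  tcpdump prints "addr.port", so the
# source address is everything before the last dot of the token before " > ";
# that also works for IPv6 ("2001:db8::5.6000").
SYN_LINE = re.compile(
    r"rule \S+ block in on (?P<iface>\S+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): S "
)

# Constructed sample of pflog output (not a capture from a real firewall).
# The fourth line is a RST logged by some other block rule and must be ignored.
SAMPLE_PFLOG = """\
Feb 20 18:01:02.000001 rule 0/(match) block in on em0: 198.51.100.7.40001 > 192.0.2.10.80: S 1:1(0) win 65535
Feb 20 18:01:02.000002 rule 0/(match) block in on em0: 203.0.113.9.51234 > 192.0.2.10.443: S 7:7(0) win 8192
Feb 20 18:01:02.000003 rule 0/(match) block in on em0: 198.51.100.7.40002 > 192.0.2.10.80: S 2:2(0) win 65535
Feb 20 18:01:02.000004 rule 3/(match) block in on em0: 198.51.100.7.40001 > 192.0.2.10.80: R 1:1(0) win 0
Feb 20 18:01:02.000005 rule 0/(match) block in on em0: 2001:db8::5.6000 > 2001:db8::1.22: S 9:9(0) win 65535
"""


def blocked_syn_sources(pflog_lines):
    """Map each source address to the number of SYNs the greylist rule dropped."""
    counts = {}
    for line in pflog_lines:
        m = SYN_LINE.search(line)
        if m is None:
            continue  # not a logged SYN: other rule, other flags, or noise
        counts[m.group("src")] = counts.get(m.group("src"), 0) + 1
    return counts


def pfctl_add_commands(table, sources, batch=500):
    """pfctl command lines admitting `sources` to `table`, a few hundred per call.

    Batching matters during a flood: one pfctl(8) invocation per address is
    exactly the kind of per-packet work the firewall cannot afford.
    """
    addrs = sorted(sources)
    cmds = []
    for i in range(0, len(addrs), batch):
        chunk = " ".join(shlex.quote(a) for a in addrs[i:i + batch])
        cmds.append("pfctl -t %s -T add %s" % (shlex.quote(table), chunk))
    return cmds


def pfctl_expire_command(table, seconds):
    """Command that drops entries older than `seconds`, so a spoofed flood that
    happens to retransmit cannot grow the greylist without bound."""
    return "pfctl -t %s -T expire %d" % (shlex.quote(table), seconds)


def main():
    # Read real pflog text from stdin when piped; otherwise use the sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_PFLOG.splitlines()
    seen = blocked_syn_sources(lines)
    for cmd in pfctl_add_commands("syn_seen", seen):
        print(cmd)
    print(pfctl_expire_command("syn_seen", 3600))


if __name__ == "__main__":
    main()
```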
Re: /etc/netstart diff
On Thu, Feb 16, 2012 at 11:49:03AM +0100, Markus wrote:
> occasionally I'm in the situation where having multiple configurations for a single network interface are handy to have. Most seamlessly, [multiple wifi networks] could be handled by using an arbitrary extension to the hostname.if files, separated by an additional dot (e.g. hostname.athn0.home, hostname.em0.bak20120223).
>
> Below a diff to /etc/netstart is attached, that strips the suffix including the dot from hostname.if.suffix (if it is present) and otherwise allows such files to be used. I tried to change the code of netstart as minimally as possible. An interesting side-effect is the ease with which wifi cell changes can now be handled by ifstated.
>
> I'd suppose that this must scratch the itch of other users, too. However as this is only a rough guess, I'm curious to hear some opinions on it.

I'm sorry, but how does this work? It reads as if netstart now recognizes /etc/hostname.athn0.home as an alternative to /etc/hostname.athn0, but how does it figure out whether to use /etc/hostname.athn0.home or /etc/hostname.athn0.work? What's the advantage over symlinking /etc/hostname.athn0 appropriately, if you want to use netstart?

Maybe I just don't get it.

> @@ -104,7 +112,7 @@
> else
> alias=
> fi
> - cmd=ifconfig $if $af $alias $name
> + cmd=ifconfig 4raw $if4 $af $alias $name
                 ^       ^
> case $dt in
> dest) cmd=$cmd $dtaddr

Those should be `, obviously.

Joachim
-- 
PotD: graphics/libkexiv2 - kde wrapper around exiv2
http://www.joachimschipper.nl/
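Review bot: the added line `cmd=ifconfig 4raw $if4 $af $alias $name` is not valid shell as shown; the `4` before `raw` and the one after `$if` have to be backticks, as the reply already points out, and `$(raw $if)` would make the substitution unambiguous and avoid the mis-encoding altogether. The `raw` helper that strips the suffix is defined outside this hunk, so the diff alone does not show how it behaves, nor how netstart would choose between hostname.athn0.home and hostname.athn0.work when both exist.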
Re: a GOOD idea to harden OpenSSH!
On Tue, Apr 19, 2011 at 11:56:51AM +0200, Peter N. M. Hansteen wrote:
> Alexander Schrijver <alexander.schrij...@gmail.com> writes:
> > I think it's a bad idea to disable ssh login while someone is bruteforcing your account.
> (...)
> industrial-scale password guessing
> (...)
> If you allow password logins at all, there are worse ideas than running john (or similar) to flush out the bad ones occasionally.

If you're going to check password quality, use security/passwdqc (by the same author as John the Ripper, based on the same code) - it will actually prevent people from setting bad passwords, and using it to check plaintext passwords is much more efficient than running john. (Of course, it doesn't work on passwords already set, so *one* john run makes sense.)

Joachim
-- 
PotD: devel/p5-YAML - YAML ain't a markup language
http://www.joachimschipper.nl/
Re: syslog and interfaces
On Tue, Apr 19, 2011 at 09:08:52AM +, Julien Dyie wrote:
> Hi, after reading syslog.conf(5) and syslogd(8), I can't find how to disable syslog's listening on specific interfaces.

syslogd always opens a UDP port, but it silently drops all traffic unless you pass the -u option. Yes, this is a bit confusing.

Joachim
-- 
PotD: x11/fvwm2,-main,i18n - multiple virtual desktop window manager, with icons
http://www.joachimschipper.nl/
Re: [OT] DNS reverse lookup from ip to CNAME
On Mon, Apr 18, 2011 at 04:26:12PM +0200, Raimo Niskanen wrote:
> On Mon, Apr 18, 2011 at 12:10:31PM +0200, Alessandro Baggi wrote:
> > Hi list. I'm making a program that maps some ip address to a specified dns. My problem is relative to CNAME record.
> :
> > Supposing that I have 209.85.148.104 ip, is it possible (only knowing the ip) to go back to the CNAME record www.google.it?
>
> It is as far as I know impossible. A PTR record points to the canonical name. One host can have several IP addresses but every IP address can hence only have one canonical name.
>
> A CNAME record is supposed to resolve to a canonical name, but often enough there is one or more extra indirections before you reach it.
>
> There can be CNAME records in any domain so you can not find all resolving to a given canonical name unless searching the _whole_ DNS.

Yes, DNS doesn't (need or) support this. I'm pretty sure that there are some databases of IP -> name mappings, though, presumably compiled by finding valid hostnames and looking up their IPs.

Joachim
-- 
PotD: net/transmission,-qt - lightweight BitTorrent client with Qt interface
http://www.joachimschipper.nl/
Re: Is VPN initiation by traffic possible?
On Wed, Apr 13, 2011 at 09:19:19AM +, nemir nemirius wrote:
> Hi,
>
> One of my clients is a major bank. We need to exchange data a few times a day at different intervals, and they're insisting that we initiate the VPN on demand with relevant traffic.
>
> It works from their end. Tunnel is down, they send a ping, first packet is dropped as the tunnel is brought up, subsequent traffic reaches its destination.
>
> Is it possible? Can you show me how?

OpenBSD won't do this for you. Can't you wrap whatever sends the data in a script that sets up and tears down the relevant tunnel?

(You *could* write a daemon to listen on a tun/tap-style device, dynamically manage the tunnel and forward traffic. But that's quite a bit of work.)

Joachim
-- 
TFMotD: CPANPLUS::Module::Fake (3p) - class for creating fake module objects
http://www.joachimschipper.nl/
Re: Anyone using IPcomp and/or PPP-deflate?
On Thu, Mar 31, 2011 at 05:42:21PM -0700, Matthew Dempsky wrote:
> Does anyone use IPcomp and/or PPP-deflate? Would anyone be sad to see these go? They seem pretty busted right now (e.g., no userspace support for enabling IPcomp, and sys/net/zlib.c is broken on 64-bit arches), and there's some doubt as to whether they're even worth the effort to fix.

I'm not sure if you were aware of http://seclists.org/fulldisclosure/2011/Apr/0? In any case, it might be worth looking into. (A casual reading suggests that OpenBSD may use lots of memory to handle compressed-in-compressed packets.)

Joachim
-- 
PotD: www/p5-HTML-Template-JIT - just-in-time compiler for HTML::Template
http://www.joachimschipper.nl/
Re: HOW to set “security.OCSP.require” in Google Chrome/Chromium?
On Thu, Mar 24, 2011 at 07:58:50AM -0700, johhny_at_poland77 wrote:
> https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
>
> "Users of Mozilla Firefox that are concerned about this issue should enable security.OCSP.require in the about:config dialog."
>
> How can I enable this feature in Google Chrome/Chromium?

You also posted http://www.mail-archive.com/debian-user@lists.debian.org/msg595454.html and probably posted http://superuser.com/questions/261746/security-ocsp-require-in-google-chrome, http://superuser.com/questions/261420/security-ocsp-require-in-google-chrome and the questions that were merged into these. Don't be rude, and do ask the proper people.

I don't think there is currently a way to do what you want, but you could file a bug with chrome/chromium. Make sure it's a useful one, though.

Finally, note that what you're trying to do is pretty useless - the CA system has plenty of other holes. Make sure to understand them before kicking up a fuss about a blog post that I'm sure the chrome/chromium security people have read too.

Joachim
Re: Firewall rules to block unwanted protocolls on given ports
On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to achieve this?: I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
>
> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is allowed on port 443 outbound.

You can't do that with pf, since it doesn't look at the content of packets.

For some of these protocols, you can easily send traffic to a proxy on the firewall machine; this can, for instance, be used to make sure that everything going over port 80 is HTTP. See ftp-proxy(8). I know of no such solution for imaps, though.

If you're just worried about people running BitTorrent/Skype, install something like net/snort or net/bro and send angry mail to everyone who shows up in the logs.

On the other hand, if you believe that restricting traffic to specific protocols makes it impossible to get arbitrary data out of your network, look at e.g. net/iodine (tunnel IPv4 over DNS).

Joachim
-- 
PotD: net/powerdns,-ldap - ldap module for powerdns
http://www.joachimschipper.nl/
Re: full disk encryption google chrome on OpenBSD!
On Fri, Mar 18, 2011 at 03:50:12PM +0100, Stefan Wollny wrote:
> Marco Peereboom wrote:
> > On Fri, Mar 18, 2011 at 07:02:58AM -0700, johhny_at_poland77 wrote:
> > > So our point is, if there is a good method to encrypt the full disk [like with dm-crypt/AES/under Linux], and we could have an up-to-date google chrome browser on OpenBSD, then it could be a very very good operating system for daily use!
> > >
> > > Dear community! Can someone please post small and compact [pointed] howtos, how to install an OpenBSD with full disk encryption, and how can we install google chrome on it?
>
> You might want to start here: http://www.geektechnique.org/projectlab/796/how-to-build-a-fully-encrypted-nas-on-openbsd.html

I think bioctl(8), in particular the EXAMPLES section, is better - vnd is the old way, go with softraid.

Joachim
-- 
PotD: geo/jeoip - Java interface to GeoIP database
http://www.joachimschipper.nl/
Re: mount_ffs: -o mand: option not supported for havp
On Sat, Mar 12, 2011 at 07:39:12AM +0100, Antoine Jacoutot wrote:
> On Sat, 12 Mar 2011, Indunil Jayasooriya wrote:
> > # /usr/local/sbin/havp
> > Starting HAVP Version: 0.91
> > *Mandatory locking disabled! KEEPBACK settings not used! *
> >
> > then, I tried to mount in this way. then, I got the below error.
>
> Yes, mandatory locking is not supported on *BSD and havp has been compiled with --disable-locking. And it's not an error but just a warning.
>
> > then, what about this?
> >
> > KEEPBACK settings not used!
> >
> > Is it also normal? and I also want to know, which method is recommended? havp as a parent proxy (I am currently running) or squid as a parent proxy? Hope to hear from you.
>
> Why don't you go and ask on the havp mailing lists.

The second post at http://havp.hege.li/forum/viewtopic.php?p=962 seems to answer the KEEPBACK question (but do check the actual manual); and there are a lot of HAVP-Squid and Squid-HAVP-Squid HOWTO's, and the manual probably says something about that as well.

The OP should just read the docs and search the web, not bother yet another list.

Joachim
-- 
PotD: devel/luabitop - library for bitwise operations in lua
http://www.joachimschipper.nl/
Re: what is the “Online Certificate Status Protocol”
On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:
> I use privoxy. In the user.action file I have a redirect rule and a few websites:
>
> { +redirect{s@http://@https://@} }
> .twitter.com
> .facebook.com
>
> Ok! It's working great, e.g.: if I visit any *twitter.com URL it gets redirected to HTTPS!
>
> But: with wireshark I can see some OCSP packets [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>
> Question: What are these packets? Why aren't they in HTTPS? Is my redirection method with privoxy secure?

The keys to legitimate certificates may fall in the hands of bad guys (e.g. when they hack a HTTPS server). This would allow the bad guys to redirect your HTTPS connections to their own machines without you seeing any warnings until the stolen certificates are no longer valid (which should allow them something like a year to steal your credit card).

In order to prevent this, your computer asks a special server whether the certificate has been revoked. This is done over the OCSP protocol (there are other solutions); the connection is not encrypted, but the OCSP server's responses are digitally signed.

So yes, your setup seems to work just fine (or as well as SSL does in the first place). The HTTPS Everywhere Firefox extension would be a less hacky solution, though.

Joachim
-- 
PotD: biology/bioperl - perl tools for bioinformatics
http://www.joachimschipper.nl/
Re: what is the “Online Certificate Status Protocol”
On Wed, Mar 09, 2011 at 03:03:22PM -0430, Andres Perera wrote:
> On Wed, Mar 9, 2011 at 9:27 AM, Joachim Schipper <joac...@joachimschipper.nl> wrote:
> > On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:
> > > I use privoxy. In the user.action file I have a redirect rule and a few websites:
> > >
> > > { +redirect{s@http://@https://@} }
> > > .twitter.com
> > > .facebook.com
> > (...)
> > your setup seems to work just fine (or as well as SSL does in the first place). The HTTPS Everywhere Firefox extension would be a less hacky solution, though.
>
> i'm curious as to why do you say that. afaik, https everywhere also works by rewriting the uri, just like privoxy or squid would, while not being limited to one browser, not being unable to log actions, not being unable to scale for a whole site instead of a single system, etc.

I dislike transparently messing with connections. If you use HTTPS Everywhere, it's still your browser talking to Facebook/Twitter/whatever. Additionally, if Facebook ever sets its session cookies on, say, facebookapi.com instead of facebook.com, the extension is likely to receive an upgrade.

But yes, this is somewhat subjective; I'll try to make that clearer next time.

Joachim
-- 
TFMotD: perlrequick (1) - Perl regular expressions quick start
http://www.joachimschipper.nl/
Re: opensmtp
On Tue, Mar 08, 2011 at 04:38:41PM +0100, Jordi Espasa Clofent wrote:
> 2011-03-08 10:31, Earin Gregor wrote:
> > I just wanted to know how the current development of opensmtp is going? Is it ready for prime time or still considered as too early in development?
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/

[With apologies to Jordi for the double-send.]

That's not an answer, is it?

I believe there has been no official "it's ready to go" announcement, but some people are actually running it in production.

Joachim
Re: Nmap and pf
On Mon, Mar 07, 2011 at 10:54:09AM +0100, Henrik Engmark wrote:
> Is there a way, good or bad, to relax pf enough to let nmap do its OS detection? I am on 4.8.

You can always disable pf (pfctl -d). I'd also expect any sensible configuration without scrub or (implicit) keep state to work, but I didn't check that. E.g. you could try

    set skip on lo0
    pass
    block in on ! lo0 proto tcp to port 6000:6010
    pass user root no state
    pass proto icmp no state

Joachim
-- 
PotD: devel/p5-Sort-Key - sort perl arrays
http://www.joachimschipper.nl/
Re: obtaining openbsd.pbr from windows 7
On Mon, Mar 07, 2011 at 05:22:10AM -0500, marc wrote: Dear all, I was reading through the docs on how to boot openbsd with the windows 7 boot loader so I learned I have to execute: dd if=/dev/sd0a of=openbsd.pbr bs=512 count=1 ^ The raw device won't be busy while the filesystem is mounted, so use /dev/rsd0a (as the FAQ suggests!) Joachim -- TFMotD: lockspool (1) - lock user's system mailbox http://www.joachimschipper.nl/
Re: Nmap and pf
On Mon, Mar 07, 2011 at 11:34:50AM +0100, Daniel Gracia wrote: On 07/03/2011 10:54, Henrik Engmark wrote: Is there a way, good or bad, to relax pf enough to let nmap do its OS detection? I am on 4.8. Way too vague question; you should at least describe the scenario. I'm pretty certain he's just read /usr/ports/net/nmap/pkg/MESSAGE:

---
CAUTION!!! Using nmap with `-O' flag under OpenBSD machine with pf enabled might hang nmap. It's caused by properly working pf which will filter out all weird ip header flags sent by nmap.
---

But yes, if my earlier message isn't sufficient some clarification would be welcome. Joachim -- TFMotD: Pod::Find (3p) - find POD documents in directory trees http://www.joachimschipper.nl/
Re: obtaining openbsd.pbr from windows 7
On Mon, Mar 07, 2011 at 01:04:56PM -0500, marc wrote: Hi Janne, Thanks a lot for your answer. I did read this section (actually subsection 'Windows 7') so I'm afraid I'm the only one getting it wrong... I had the impression that the command: C:\Windows\system32 bcdedit /set {0154a872-3d41-11de-bd67-a7060316bbb1} path \openbsd.pbr requires that the openbsd.pbr file is at located at the root of c:\. Am I wrong? I have no idea what you think you've been told, but: a) do NOT post private mail publicly - it's rude; b) follow the FAQ, including the 'r' in /dev/rsd0a - it works. Joachim -- PotD: editors/vim-spell,nl - Dutch spell-check files for Vim http://www.joachimschipper.nl/
Re: How to partition magneto-optical disks with sectors of 2048 bytes?
On Sun, Mar 06, 2011 at 04:14:33PM +0100, Jens A. Griepentrog wrote: On 03/06/11 02:25, Matthew Dempsky wrote: [...] Jens A. Griepentrog griep...@wias-berlin.de wrote: What went wrong? The procedure works for usual hard disks and memory sticks with sectors of 512 bytes. I would be grateful for any hint. (As a final aim I would like to have some bootable magneto-optical disk with root partition a: and two more partitions d: and e: ...) When you say The procedure works for usual hard disks and memory sticks [...], do you mean it works on this same system when attached to the same ahc(4) controller? E.g., if you replace this sd0 with a standard SCSI disk, will the same set of fdisk/disklabel/newfs commands work correctly? Thanks, Matthew, I just checked this again with some 16-year old SCSI disk to give a rigorous proof of my above statement: ... ahc0 at pci6 dev 2 function 0 vendor Adaptec, unknown product 0x0082 rev 0x02: apic 7 int 21 (irq 3) scsibus0 at ahc0: 8 targets, initiator 7 sd0 at scsibus0 targ 4 lun 0: QUANTUM, FIREBALL1080S, 1Q09 SCSI2 0/direct fixed sd0: 1042MB, 512 bytes/sec, 2134305 sec total ... a e offset: [64] ^^ That was 32 in your earlier example. Did you try some appropriately-large offsets? (AFAIK, that shouldn't help, but maybe the first sectors are magical or maybe the disk barfs on unaligned access?) Joachim
Re: Minimally painful mail client for rich (spit!) messages
On Thu, Feb 24, 2011 at 10:11:22AM +0100, Jan Stary wrote: On Feb 09 17:56:59, Ingo Schwarze wrote:

text/html; /usr/bin/lynx -stdin -force_html -dump ; copiousoutput

On Feb 09 10:59:54, Marco Peereboom wrote:

text/html; /usr/local/bin/links -dump '%s'; copiousoutput; description=HTML Text; nametemplate=%s.html

On Feb 09 23:12:27, Igor Zinovik wrote:

text/html ; lynx -force_html -assume_charset=koi8-r -assume_unrec_charset=utf8 -dump %s ; copiousoutput; nametemplate=%s.html

I have been using (variations of) these for years in my ~/.mailcap, which made mutt(1) launch lynx(1) on the html attachments. Since I upgraded to OpenBSD 4.8-current (GENERIC) #448: Fri Oct 22 09:43:05 MDT 2010 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC with mutt-1.5.21p0, it no longer works. (Should I take this to ports?) Trying to view a HTML attachment from the attachment menu results in the attachment being displayed by mutt's internal viewer. I stripped my ~/.mailcap to the minimum suggested by http://www.mutt.org/doc/manual/manual-5.html#ss5.3

text/html; lynx %s ; nametemplate=%s.html

and even that does not work. It seems like my ~/.mailcap is ignored. (Copying to /etc/mailcap doesn't seem to make any difference.) Does anyone have a hint of what could be causing this? text/html is usually in Mutt's auto_view list; auto_view stuff is automatically piped through any viewer with copiousoutput set, whereas non-copiousoutput entries are only used if you explicitly open it ('v' - select item - 'm'). E.g. from my mailcap:

# Process HTML with firefox or w3m
text/html; firefox -a firefox -remote 'openurl(%s)' ; test=[ ! -z $DISPLAY ] && pgrep -xu `id -u` firefox-bin
text/html; firefox %s ; test=[ ! -z $DISPLAY ]
text/html; w3m %s ; nametemplate=%s.html
text/html; w3m -dump %s ; copiousoutput ; nametemplate=%s.html

When viewing HTML mail, it uses w3m -dump (auto_view, copiousoutput).
When opening ('m') HTML stuff, it uses:
* a running Firefox, if mutt is running under X and a running Firefox is available;
* otherwise, a new Firefox, if mutt is running under X;
* otherwise, w3m.

Joachim -- TFMotD: mkdep (1) - construct Makefile dependency list http://www.joachimschipper.nl/
Re: Tracking What it's changing in current
On Mon, Feb 21, 2011 at 02:31:20PM -0500, Ted Unangst wrote: On Mon, Feb 21, 2011 at 10:08 AM, Luis Useche use...@gmail.com wrote: I would love this feature in OpenBSD src list. Is it possible to use the activitymail script on the OpenBSD CVS repo? seems like a serious waste of bandwidth. If you care about seeing the diffs often enough that checking things out in cvsweb is a hassle, just start mirroring the cvs repo yourself. I think it would be useful, and I'd expect source-changes to have so few subscribers that the extra bandwidth use would be dwarfed by any of the usual misc@ nonsense threads. I'd be happy to be proven wrong, though, and you should, of course, feel free to ignore me. Joachim -- PotD: databases/ruby-kirbybase - small, plain-text, DBMS written in Ruby http://www.joachimschipper.nl/
Re: /etc/hosts comments update
On Tue, Feb 22, 2011 at 03:04:25PM +0100, Pete Vickers wrote: Now that the IPv4 address space is fully allocated, perhaps it's time to update the comments in /etc/hosts ? Here is my attempt at a reasonably concise update:

# Assignments from RFC5735 (supersedes RFC1918)
#
# Allocated for use as the Internet host loopback address:
# 127.0.0.0/8
#
# Allocated for communication between hosts on a single link. Hosts obtain
# these addresses by auto-configuration (in the absence of DHCP):
# 169.254.0.0/16
#
# Addresses within these blocks do not legitimately appear on the public Internet
# and can be used without any coordination with IANA or an Internet registry:
# 10.0.0.0/8         private networks
# 172.16.0.0/12      private networks
# 192.168.0.0/16     private networks
# 192.0.2.0/24       documentation/examples
# 198.51.100.0/24    documentation/examples
# 203.0.113.0/24     documentation/examples
# 198.18.0.0/15      benchmark interconnect testing
#
# Full assignments details are available here:
# http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
#

More contentiously, this is an IPv6 counterpart: Note that I interpret the aim of these comments as an aide-memoire, rather than a tutorial on IP addressing schemes, so it's intentionally brief. I think your IPv4 text unwisely suggests that using e.g. 192.0.2.0/24 for your own stuff is okay. That's true only until you put a device with an appropriate list of unroutable IPs on your network, etc. Also, if you're going to be exhaustive, you missed at least multicast. Why do you feel this is useful? Joachim -- PotD: net/powerdns,-mysql - mysql database access module for powerdns http://www.joachimschipper.nl/
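An added example, not part of the thread above, of the "device with an appropriate list of unroutable IPs" the reply warns about: a small C classifier that tags an IPv4 address with its RFC 5735 special-use block (the full section 4 table, so it includes the multicast and reserved ranges the posted comment left out), plus an is_bogon() check of the kind a border filter applies. Anything that comes back "documentation" is exactly the traffic such a filter drops. The function names and the labels are my own choices; the prefix table itself is RFC 5735's.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct special_block {
	const char *cidr;
	const char *label;
};

/* RFC 5735 section 4: every special-use IPv4 block, not just the ones in
 * the posted /etc/hosts comment. */
static const struct special_block rfc5735[] = {
	{ "0.0.0.0/8",          "this network" },
	{ "10.0.0.0/8",         "private" },
	{ "127.0.0.0/8",        "loopback" },
	{ "169.254.0.0/16",     "link-local" },
	{ "172.16.0.0/12",      "private" },
	{ "192.0.0.0/24",       "IETF protocol assignments" },
	{ "192.0.2.0/24",       "documentation" },
	{ "192.88.99.0/24",     "6to4 relay anycast" },
	{ "192.168.0.0/16",     "private" },
	{ "198.18.0.0/15",      "benchmarking" },
	{ "198.51.100.0/24",    "documentation" },
	{ "203.0.113.0/24",     "documentation" },
	{ "224.0.0.0/4",        "multicast" },
	{ "240.0.0.0/4",        "reserved" },
	{ "255.255.255.255/32", "limited broadcast" },
};

/* Parse "a.b.c.d/n" (a bare address counts as /32) into a host-order
 * network number and netmask. Returns 0 on success, -1 otherwise. */
int parse_cidr(const char *s, uint32_t *net, uint32_t *mask)
{
	char buf[INET_ADDRSTRLEN];
	struct in_addr a;
	const char *slash = strchr(s, '/');
	size_t len = slash ? (size_t)(slash - s) : strlen(s);
	long plen = 32;
	char *end;

	if (len == 0 || len >= sizeof buf)
		return -1;
	memcpy(buf, s, len);
	buf[len] = '\0';
	if (inet_pton(AF_INET, buf, &a) != 1)
		return -1;
	if (slash != NULL) {
		plen = strtol(slash + 1, &end, 10);
		if (end == slash + 1 || *end != '\0' || plen < 0 || plen > 32)
			return -1;
	}
	*mask = plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
	*net = ntohl(a.s_addr) & *mask;
	return 0;
}

/* Longest-prefix match against the RFC 5735 table. Returns the block's
 * label, "public" if nothing matches, or NULL if ip does not parse. */
const char *classify_ipv4(const char *ip)
{
	struct in_addr a;
	uint32_t addr, net, mask, best_mask = 0;
	const char *best = "public";
	size_t i;

	if (inet_pton(AF_INET, ip, &a) != 1)
		return NULL;
	addr = ntohl(a.s_addr);
	for (i = 0; i < sizeof rfc5735 / sizeof rfc5735[0]; i++) {
		if (parse_cidr(rfc5735[i].cidr, &net, &mask) == -1)
			continue;
		/* a longer prefix has more one bits, so its mask compares larger */
		if ((addr & mask) == net && mask > best_mask) {
			best = rfc5735[i].label;
			best_mask = mask;
		}
	}
	return best;
}

/* What a bogon filter on a border router does with the address:
 * 1 = drop (special-use, must not cross the public Internet),
 * 0 = forward, -1 = not an IPv4 address at all. */
int is_bogon(const char *ip)
{
	const char *label = classify_ipv4(ip);

	if (label == NULL)
		return -1;
	return strcmp(label, "public") != 0;
}

int main(int argc, char **argv)
{
	int i;

	for (i = 1; i < argc; i++) {
		const char *label = classify_ipv4(argv[i]);
		printf("%s: %s\n", argv[i], label ? label : "not an IPv4 address");
	}
	return 0;
}
```

Run it as `./classify 192.0.2.5 224.0.0.1 8.8.8.8` to see the three outcomes. The longest-prefix rule matters for exactly one row: 255.255.255.255 lies inside 240.0.0.0/4 as well, and the /32 must win.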
Re: Weird behaviour of pf
On Sun, Feb 20, 2011 at 10:23:32PM +0100, Peter [prive] wrote: Trying to find the problem I did the following: I added 1 rule as the first rule. pass out quick log (user) proto tcp to port 54321 Can you post a minimal pf.conf that exhibits this problem? It looks like you have other rules as well, possibly including some configuration that may be relevant. Joachim
Re: security of hibernate (was: hibernate function)
On Fri, Feb 18, 2011 at 04:54:57PM -0500, Ted Unangst wrote: On Fri, Feb 18, 2011 at 3:35 PM, Joachim Schipper joac...@joachimschipper.nl wrote: Actually, if one could specify an encryption password for the memory written to disk, a stolen hibernating system would be less dangerous than a running/ACPI-sleeping system because it's suddenly impossible to get interesting data from the system memory. Interesting data like the keys in ssh-agent or a softraid decryption key. Not really much difference between encrypting memory that's written to disk and memory that's just left in memory. Yes, but when hibernating you can be pretty sure that e.g. disk cache and video memory are actually empty. You do have a good point, but there are just more potential problems with ACPI sleep. Or am I babbling nonsense? I'll admit to not knowing much about ACPI... Joachim -- TFMotD: ec (4) - 3Com EtherLink II (3c503) Ethernet device http://www.joachimschipper.nl/
Re: [OT] significance of application level bandwidth throttling
On Sat, Feb 19, 2011 at 10:08:50PM +0800, Ana Zgombic wrote: Hi Misc, i'm trying to collect firsthand experience on implementing application level bandwidth throttling. background: i'm looking at playing with thttpd and i want to remove the bandwidth throttling code since it looks insignificant to me. insignificant because at this day and age, there's pf and most routers can do some sort of QoS or rate limiting or similar things. am i on the right track here? am i asking the right questions? thank you for your patience. I don't think bandwidth throttling is all that useful (request throttling is another matter), but what are you really trying to do? I'm sure that tinyhttpd runs on stuff that doesn't run pf, so it makes sense to keep that code around. Joachim -- PotD: textproc/p5-XML-Twig - perl module for parsing huge XML documents http://www.joachimschipper.nl/
Re: hibernate function
On Fri, Feb 18, 2011 at 10:51:27AM -0600, Orestes Leal R. wrote: does it exists? Not yet. Joachim -- PotD: converters/wv2 - library functions to access Microsoft Word/Excel files http://www.joachimschipper.nl/
Re: security of hibernate (was: hibernate function)
On Fri, Feb 18, 2011 at 05:17:57PM +, Kevin Chadwick wrote: On Fri, 18 Feb 2011 16:17:25 +0100 Joachim Schipper wrote: On Fri, Feb 18, 2011 at 10:51:27AM -0600, Orestes Leal R. wrote: does it exists? Not yet. Hibernate offers more integrity of user data but it's a lot less secure, discounting the boot viruses like the one mentioned on P. Hansteen's site that may? be hindered by power removal. (Anyone heard more about those or how that one worked.) Actually, if one could specify an encryption password for the memory written to disk, a stolen hibernating system would be less dangerous than a running/ACPI-sleeping system because it's suddenly impossible to get interesting data from the system memory. Interesting data like the keys in ssh-agent or a softraid decryption key. Read e.g. http://citp.princeton.edu/pub/coldboot.pdf for a very readable introduction to rip-your-memory-out-of-your-machine attacks (figure 4 is particularly nice); in particular, note that such attacks are quite feasible. Despite the common "with physical access, all bets are off" wisdom, physical attacks can actually be defended against quite well - *if* the system is turned off when they are carried out and never turned on again. Joachim -- PotD: net/fping - quickly ping N hosts w/o flooding the network http://www.joachimschipper.nl/
Re: Booting and radeon problems on ThinkPad SL510
On Fri, Feb 18, 2011 at 06:41:26PM +0100, Pascal Stumpf wrote: I am too experiencing the booting problems described a few days ago for the SL410. With the MP kernel, booting would sometimes just stop at mtrr: Pentium Pro MTRR support, forcing a hard reset of the machine. Other times it just works fine, not following any apparent pattern. How can I provide more info to debug this? My SL510 works if I disable acpitz*. The debugging-only diff at the end of this message can help show that this is indeed the issue (by default, it doesn't do much; use boot -d and 'write acpitz_skip_first_setperfs 10' (if it's N > 0, skip the first N acpitz_cpu_setperf() calls; negative values drop you into ddb at acpitz_cpu_setperf() calls, which allows you to get a backtrace.) That said, I don't have the time or expertise to fix this myself, and I guess it's rather hard to fix it without the hardware... The second problem has already been reported multiple times. (Hardware acceleration not working on some Radeon chips.) The corresponding PR is user/6549, the symptoms are exactly as described there. Sorry, I can't help you with that - I have an Intel card. Joachim Index: acpitz.c === RCS file: /usr/cvs/src/src/sys/dev/acpi/acpitz.c,v retrieving revision 1.39 diff -u -p -r1.39 acpitz.c --- acpitz.c27 Jul 2010 04:28:36 - 1.39 +++ acpitz.c4 Oct 2010 08:37:30 - @@ -88,6 +88,7 @@ void (*acpitz_cpu_setperf)(int); intacpitz_perflevel = -1; extern void(*cpu_setperf)(int); extern int perflevel; +intacpitz_skip_first_setperfs = 0; #define PERFSTEP 10 #define ACPITZ_TRIPS (1L 0)
@@ -376,8 +377,21 @@ acpitz_refresh(void *arg) /* Perform CPU setperf */ if (acpitz_cpu_setperf nperf != acpitz_perflevel) { - acpitz_perflevel = nperf; - acpitz_cpu_setperf(nperf); + if (acpitz_skip_first_setperfs 0) { + /* Enter ddb here - and hopefully continue */ + Debugger(); + } else if (acpitz_skip_first_setperfs 0) { + acpitz_skip_first_setperfs--; + printf(%s: skipping %d more setperf() calls\n, + DEVNAME(sc), acpitz_skip_first_setperfs); + } else { + acpitz_perflevel = nperf; + printf(%s: acpitz_cpu_setperf at %p called: acpitz_cpu_setperf(%d)\n, + DEVNAME(sc), (void *) acpitz_cpu_setperf, nperf); + acpitz_cpu_setperf(nperf); + printf(%s: acpitz_cpu_setperf ok\n, + DEVNAME(sc)); + } } } sc-sc_lasttmp = sc-sc_tmp;
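Review bot: in the second hunk the negative-value branch calls Debugger() and then leaves the if/else chain without calling acpitz_cpu_setperf() or updating acpitz_perflevel, so in backtrace mode the CPU frequency is never changed and, because the enclosing test is still nperf != acpitz_perflevel, the next acpitz_refresh() pass drops into ddb again; if the aim is only to capture a backtrace at the call site, fall through to the acpitz_perflevel = nperf / acpitz_cpu_setperf(nperf) pair after Debugger() returns, or say in the comment that negative values also suppress setperf. Two smaller points: acpitz_skip_first_setperfs in the first hunk is only reachable from ddb, which the message says is intended, but a one-line comment above the declaration would spare the next reader a trip to the mailing list; and the relational operators in the two conditions (`< 0` and `> 0`, as the description implies) and the quotes around the printf format strings did not survive extraction of this message, so the hunk as shown here will neither apply nor compile verbatim.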
Re: By default, should `lynx your external IP` work?
On Wed, Feb 09, 2011 at 10:31:05AM +0100, Ezequiel Garzón wrote: On Fri, Feb 4, 2011 at 10:35 PM, Benny Lofgren bl-li...@lofgren.biz wrote: On 2011-02-04 21.12, Ezequiel Garzón wrote: Hello! [F]rom my fresh OpenBSD VPS, which I assume has had a default installation (...) I tried lynx external IP *from my VPS*, and it didn't work, even though it did work from my desktop PC: [likewise for ping] Is this normal behavior by default? I know both things work from other OSes, so I'm wondering if this has something to do with OpenBSD's added security measures. No, this is not normal behaviour. Your VPS provider has some explaining to do. (And by the way, making things not work is hardly ever an added security measure - it's just a plain inconvenience. And inconvenienced people tend to be more prone to do something stupid while trying to work around their inconvenience than people whose stuff just works as expected...) The explanation I received is that the VPS is behind a NAT. Does it make sense now? Thanks again. Not really, no. I don't think this will hurt you, but if it does, good luck debugging this issue on a sane setup... Joachim -- PotD: books/JVMS - Sun's official Java VM Specification, 2nd Ed. http://www.joachimschipper.nl/
Re: installing symux, can't load libraries
On Tue, Feb 01, 2011 at 05:51:01PM +, Kevin Chadwick wrote: /usr/local/libexec/symux: can't load library 'libfontconfig.so.6.0' OK, I figured this out: I must have accidentally gotten the wrong xbase47.tgz fileset. problem solved. For the archives: You also get a missing library error if symux is run as a non root user and can't write its pid file in /var/run That seems unlikely, are you sure? Joachim -- PotD: devel/p5-Set-Scalar - module for containing a set of scalars http://www.joachimschipper.nl/
Re: simple pf match question
On Mon, Jan 31, 2011 at 05:10:04PM +, Jason McIntyre wrote: On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote: then i change my mind and we should add a note that the default pass behaviour (NOT rule, even tho there kinda is a default rule internally...) doesn't lead to state creation. firstly, what is the reason for the no state of packets passed by default (i.e. without matching a rule)? I imagine: the least surprising no pf default behaviour is passing all packets (given net.inet.ip.forwarding=1); this should hold even if you're in some odd asymmetric routing setup where pf's state-tracking would not work. Joachim -- PotD: security/scrypt - command-line encryption using scrypt key derivation function http://www.joachimschipper.nl/
Re: test for installed status of package, ports questions
On Mon, Jan 31, 2011 at 01:29:40PM -0600, tra...@subspacefield.org wrote: I have a script to sort of kickstart an installation after doing a bare install of OpenBSD, and it's designed to be idempotent (won't hurt to run it several times). Currently I install some packages, but that's a bit of a time-waster in that it will reinstall. Is there a way I can test for whether a package has been installed already, given only the package name, and not necessarily the executable name (if there is one)? I tried pkg_info and the exit code is zero even if the package isn't installed. Try pkg_info | grep -q; or make pkg_info write to a file for faster processing. Also, I've noticed that if I don't have X11 installed, I can't seem to install certain packages (such as subversion) and certain ports (EMACS, and even if I set FLAVOR=no_x11). What's up with that? xbase is now mandatory for packages, even no_x11 ones. Too many packages require some graphics library or other. (If you really want to minimize space, you can manually pick the required libraries out of xbase. But that's unlikely to be worth the trouble.) Joachim -- PotD: net/openvpn_bsdauth - BSD Auth helper program for OpenVPN http://www.joachimschipper.nl/
Re: NO-IP not updating!
On Wed, Jan 26, 2011 at 10:56:02AM +0100, Leslie Jensen wrote: Upon installation of noip I ran the command noip2 -C to configure it. I want noip to run a script every 30 minutes that sends a mail to me at the end of the updating of the address. So I choose the settings accordingly when configuring noip. I've put the following in my /etc/rc.local -- # Add your local startup actions here. /usr/local/sbin/noip2 echo '.' -- When the machine is booted I get the mail, but I do not get the updates every 30 minutes as I should. Top shows the process 6013 _noip 20 428K 916K idle select0:00 0.00% noip2 Everything looks fine, but note that you didn't get noip from ports (so it may be incompatible with OpenBSD). Try posting your configuration, running noip in debug mode (if it has one), or switching to net/ddclient. Joachim -- TFMotD: div (3) - return quotient and remainder from division http://www.joachimschipper.nl/
Re: qemu -nographic
On Sat, Jan 08, 2011 at 09:50:36PM +0100, Pieter Verberne wrote: On Sat, 8 Jan 2011 21:03:56 +0100, Henning Brauer wrote: * Pieter Verberne pieterverbe...@xs4all.nl [2011-01-08 17:23]: I'm not sure if it is a good idea (or even possible) but I'm trying to run OpenBSD as guest in qemu on a Soekris and OpenBSD as host. Anyway, where I want it for :-) I want to run a public accessible Samba server. (for... fun) I don't really trust it running on Soekris together with all the other services and wanted to 'jail' it in some way. I read Samba is very hard (if possible) to chroot, so I thought about running it in a qemu virtual machine which AFAIK, acts like a jail. (No, I don't have another computer available) Trusting qemu to separate guests is rather... optimistic. I'd give chrooting SAMBA another go. It's not entirely impossible, I'd wager. Joachim -- TFMotD: menu (3) - curses extension for programming menus http://www.joachimschipper.nl/
Re: pf and DNS
On Fri, Jan 07, 2011 at 05:50:25AM -0500, Eric Furman wrote: On Fri, Jan 07 2011 at 59:07, Girish Venkatachalam wrote: Many websites these days Akamize or do whatever that gives them a different IP address everytime you access it. Don't use stupid shit like Akamize. Problem solved. Stop making people laugh at you. That's not really up to the OP - he's talking about websites using content delivery networks like Akamai, which tend to play games with DNS (to point people at nearby servers, for instance). The OP has very little control over these sites... Joachim -- TFMotD: gpioctl (8) - control GPIO devices http://www.joachimschipper.nl/
Re: softraid metadata change 4.7 - 4.8
On Tue, Jan 04, 2011 at 02:34:08PM +, Rodolfo Gouveia wrote: I have a machine with 4.7 softraid CRYPTO. On the upgrade48.html it's recommended to rebuild the softraid volume to use some of the upcoming features. Thing is I can't rebuild a CRYPTO softraid volume.

# bioctl -v softraid0
Volume      Status     Size           Device
softraid0 0 Online     5371066880     sd2     CRYPTO
          0 Online     5371066880     0:0.0   noencl sd1h 'unknown serial'
# bioctl -v -R /dev/sd1h sd2
bioctl: BIOCSETSTATE: Invalid argument
# dmesg | tail -n1
softraid0: discipline does not support rebuild

I believe rebuild means dump and restore here. Joachim -- PotD: x11/xfce4/xfce4-taskmanager - Xfce4 task manager and system monitor http://www.joachimschipper.nl/
Re: Is it possible: IPsec tunnel with no static addresses?
On Fri, Dec 31, 2010 at 04:19:53PM -0600, Matt Evans wrote: A friend and I are both on dynamic IP residential broadband connections. We both use OpenBSD boxes as edge devices. We were wondering if it were possible to create an ipsec tunnel between us, even though we both have dynamic public IPs. The documentation I've read seems to suggest that at least _somebody_ must have a static IP. I can understand that at some point, needing the public IPs is necessary for setting up the tunnel, but is it possible that dyndns or some other dynamic mechanism can be used to find the public IPs as needed? Isn't it the case that IPsec can mutually authenticate peers based on keys, and fixed public IPs aren't required as part of peer authentication? Why do you think IPSec needs one fixed-IP endpoint? Certainly, things won't work if both of you change IP addresses before the DNS updates, but you seem to accept that. You can also get a fixed IP for free by contacting one of the IPv6 tunnel brokers. Yes, this will be IPv6-over-IPv4, which has its issues. Joachim -- PotD: textproc/groff - gnu clone of nroff http://www.joachimschipper.nl/
Re: Does anybody know a PeerGuardian like app?
On Wed, Dec 29, 2010 at 08:04:14AM -0800, S Mathias wrote: Are there any programs blocking ip, and has frequently updated lists, like the peerguardian on windows? sorry for the question, but i looking for this kind of application :O Five minutes' research shows that PeerGuardian is mainly used to block access to/from IP addresses believed to belong to anti-piracy groups. http://en.wikipedia.org/wiki/PeerGuardian mentions that certain programs, including apparently net/ktorrent, can use these lists directly. Otherwise, the format looks simple enough - write a ten-line program in your language of choice and stuff the addresses into a pf table. Let's be honest, though: public blacklists won't be terribly effective in hiding the fact that you're pirating stuff. Joachim -- TFMotD: times (3) - process times http://www.joachimschipper.nl/
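The "ten-line program" the reply suggests, written out as an added example in C that is not part of the thread: it reads the PeerGuardian p2p list format (`description:first-last`, one entry per line; the sample entries below are constructed, not real list data), splits every range into the smallest set of CIDR prefixes, and produces `address/prefix` lines that `pfctl -t <table> -T replace -f <file>` accepts (pf table files take addresses and networks, one per line, not ranges). Function names and the buffer-based output interface are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One p2p entry, "description:first-last". Fills first/last in host byte
 * order; returns 0 on success, -1 on a malformed line. */
int parse_p2p_line(const char *line, uint32_t *first, uint32_t *last)
{
	char buf[INET_ADDRSTRLEN];
	const char *range = strrchr(line, ':');	/* descriptions may contain ':' */
	const char *dash;
	struct in_addr a, b;
	size_t len;

	if (range == NULL || (dash = strchr(++range, '-')) == NULL)
		return -1;
	len = (size_t)(dash - range);
	if (len == 0 || len >= sizeof buf)
		return -1;
	memcpy(buf, range, len);
	buf[len] = '\0';
	if (inet_pton(AF_INET, buf, &a) != 1 || inet_pton(AF_INET, dash + 1, &b) != 1)
		return -1;
	*first = ntohl(a.s_addr);
	*last = ntohl(b.s_addr);
	return *first <= *last ? 0 : -1;
}

typedef void (*cidr_cb)(uint32_t net, int plen, void *arg);

/* Cover [first, last] with the fewest CIDR blocks: repeatedly take the
 * widest block that starts at `first` and does not reach past `last`.
 * Returns the number of blocks handed to cb. */
int range_to_cidrs(uint32_t first, uint32_t last, cidr_cb cb, void *arg)
{
	int n = 0;

	for (;;) {
		int plen = 32;
		uint32_t span;	/* block size minus one for prefix length plen */

		while (plen > 0) {
			span = 0xFFFFFFFFu >> (plen - 1);	/* one bit wider */
			if ((first & span) != 0 || last - first < span)
				break;		/* misaligned, or would overshoot last */
			plen--;
		}
		cb(first, plen, arg);
		n++;
		span = plen == 32 ? 0 : 0xFFFFFFFFu >> plen;
		if (last - first <= span)
			return n;
		first += span + 1;
	}
}

struct table_out { char *buf; size_t len, used; int n, overflow; };

static void emit_line(uint32_t net, int plen, void *arg)
{
	struct table_out *o = arg;
	struct in_addr a;
	char s[INET_ADDRSTRLEN];
	int w;

	a.s_addr = htonl(net);
	inet_ntop(AF_INET, &a, s, sizeof s);
	w = snprintf(o->buf + o->used, o->len - o->used, "%s/%d\n", s, plen);
	if (w < 0 || (size_t)w >= o->len - o->used) {
		o->overflow = 1;
		return;
	}
	o->used += (size_t)w;
	o->n++;
}

/* Whole p2p list (text; blank and '#' lines skipped) to "address/prefix"
 * lines for `pfctl -t blocked -T replace -f file`. Returns the number of
 * prefixes written, or -1 on a malformed entry or a too-small buffer. */
int p2p_to_table(const char *list, char *out, size_t outlen)
{
	char linebuf[256];
	const char *p = list, *nl;
	struct table_out o = { out, outlen, 0, 0, 0 };
	uint32_t first, last;

	if (outlen == 0)
		return -1;
	out[0] = '\0';
	while (*p != '\0') {
		size_t l;

		nl = strchr(p, '\n');
		l = nl ? (size_t)(nl - p) : strlen(p);
		if (l >= sizeof linebuf)
			return -1;
		memcpy(linebuf, p, l);
		linebuf[l] = '\0';
		if (l > 0 && linebuf[l - 1] == '\r')
			linebuf[--l] = '\0';
		if (l > 0 && linebuf[0] != '#') {
			if (parse_p2p_line(linebuf, &first, &last) == -1)
				return -1;
			range_to_cidrs(first, last, emit_line, &o);
		}
		if (nl == NULL)
			break;
		p = nl + 1;
	}
	return o.overflow ? -1 : o.n;
}

/* Constructed sample list for the demo; not real PeerGuardian data. */
const char sample_p2p[] =
	"# constructed example entries\n"
	"Example Org A:192.0.2.0-192.0.2.255\n"
	"Example Org B:198.51.100.1-198.51.100.6\n"
	"Example Org C:203.0.113.0-203.0.113.7\n";

int main(void)
{
	char table[1024];
	int n = p2p_to_table(sample_p2p, table, sizeof table);

	printf("%d prefixes:\n%s", n, table);
	return n < 0;
}
```

The middle sample entry is the interesting one: 198.51.100.1-198.51.100.6 is not aligned on any prefix boundary and becomes four blocks (/32, /31, /31, /32), which is why a range-to-CIDR step is needed before the list can go into a pf table at all.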
Re: huge first daily insecurities
On Tue, Dec 28, 2010 at 01:51:19PM +0900, Joel Rees wrote: Just want to check on whether the situation with my sort-of new install of 4.8 is normal, and if my guess as to how to approach it is correct. I didn't have time last night to go through and tweak everything I know to tweak, and just let it run overnight anyway. So the first daily insecurities is over a megabyte of text. Yes, that's to be expected. Can I mostly scan through [suid and device reports] and just let it go if I don't see anything obvious? (Not that I'm confident I'd know what I'm looking for, ...) I suppose, if I were ambitious, I could remove all the devices I know this old iBook will never have, but that's not even recommended general practice, is it? The bulk of the mail is a lot (40 or more?) of diffs with /dev/null for stuff that I don't have in /etc and /var. Wasted about three hours this morning working on a program to split all the diffs out into files before it occured to me that almost everything in here is here because it isn't there, and then I looked in /var/backups and found the examples. /etc/security (which is run from /etc/daily) is useful, but very simple-minded. In particular, if you install or upgrade, it will spew lots of noise. I recommend skimming it quickly, it's almost never a good use of your time to read it closely. (/etc/security *is* quite useful in case of a compromise, or if you messed with a configuration file and forgot that you did so, etc.) Don't cripple your system by removing default configuration files, it'll only end in tears. And you'll have to re-do it after each upgrade anyway. In general, don't tweak unless you *know* why you need/want to. Also, I'm wondering whether it would be more useful to send in the dmesg before or after I get /etc cleaned up. Or maybe you have enough iBook G4 12 inch dmesg-es for 4.8? Nothing special, really. AFAIK, dmesgs are always appreciated.
Joachim -- PotD: devel/ruby-ffi-inliner - embed C code in your ruby script http://www.joachimschipper.nl/
Re: removing unneeded package dependencies
On Mon, Dec 27, 2010 at 10:08:09AM -0500, Frank Bax wrote: On 12/27/10 09:35, Dmitrij D. Czarkoff wrote: I use a custom script to remove automatically installed dependencies to the manually installed packages I deleted. If you had used -D dependencies when you manually deleted a package; the dependencies would also be deleted (unless they are required for another package). That switch deletes all packages that *depend on* the package being deleted; the OP is asking for the reverse relation. Ask espie@, I'm pretty sure it's on the list. Joachim -- PotD: databases/p5-Class-DBI-Plugin-Type - determine type information for columns http://www.joachimschipper.nl/
Re: pop3 server looping?
On Mon, Dec 27, 2010 at 10:34:31AM -0500, Frank Bax wrote: I see this message in /var/log/daemon about every 10 minutes or so (starting about an hour ago); what does this mean? Dec 27 10:30:01 bax inetd[28318]: pop3/tcp server failing (looping), service terminated It means you'll want to 'grep pop3 /etc/inetd.conf' and probably 'grep popa3d /var/log/messages'. That should get you an idea of the problem. Joachim -- PotD: converters/libdvd - descramble scrambled DVDs using ACSS http://www.joachimschipper.nl/
Re: Executing from crontab only does the job when I logged on.
On Mon, Dec 27, 2010 at 01:41:07PM -0600, Orestes Leal R. wrote: Martin Schröder mar...@oneiros.de wrote: 2010/12/27 Orestes Leal R. l...@cubacatering.avianet.cu: the 2 programs work ok, but they do not execute from crontab when I logged out from console,ssh. but when I logged on into an ssh session or console session then execute. Programs started by cron will have a different env(1) than those started from interactive sessions; most notably $PATH will be different. Is there any restriction on accessing networks sockets from cron? There are no such restrictions that do not also restrict programs started from the shell by/as the same user. Joachim -- PotD: databases/pgfouine - PostgreSQL log analyzer http://www.joachimschipper.nl/
Re: wd0 read timeouts - how to proceed?
On Fri, Dec 24, 2010 at 11:00:48AM +0100, Webcharge wrote: Must be the holiday season *sigh* my OpenBSD server is suddenly giving the occasional read-timeout on the /var slice of the main harddisk: There is a second harddisk installed, with OpenBSD formatted slices, but of different proportions. This (larger) disk is unused, so data / layout may be wiped, so it seems like smart idea to copy the data at least (I do have offsite backups of essential data but not a spare system in the rack at this very moment) Can I just copy /var (wd0g) to /var2 (wd1i) and remount or should I proceed otherwise or would copy/remounting /var simply not work on a live system? If the system is quiet, you can try 'sync; sync; dd ...; fsck', but something like 'tar cpf - | tar xpf -' is more likely to get you a somewhat consistent view. Change /etc/fstab and reboot (you *can* try mounting the new /var over the old one, but you'll want to play with fstat -n to see which processes are still accessing the old /var.) Of course, this isn't guaranteed to work. In particular, if something is actually writing to /var, your view won't be consistent. Even more in particular, don't try this with running databases. Joachim
Re: [OT] Mail Archive Management
On Sun, Dec 19, 2010 at 08:07:45AM -0500, Josh Smith wrote: Dear Misc@, I have a largeish ( around 10 gb) mail archive stored in a mbox file and it's starting to get a bit unwieldy to maintain, it's difficult to search through and etc. With that in mind I was wondering what others on the list might be doing to maintain their mail archives? Would I be better off maintaining this in a maildir? If so what are my options for conversion? Whether or not I keep it in mbox format or convert it to something else - what sort of tools are out there to break it up into multiple archives by year or perhaps sender? Maildir would help with access, at least. There are lots of options for conversion, including your mail client (I *know* mutt can do this.) Have you considered http://sup.rubyforge.org/? I've heard mixed things about it (it's still in beta, and it does have bugs), but it's supposed to handle large volumes of mail well. Similarly, IMAP has a SEARCH extension. Most IMAP servers will keep indices for you, but getting the mail client to issue the proper commands (instead of searching locally) may take some doc-reading. Joachim -- PotD: databases/p5-DBIx-DBSchema - database-independent schema objects http://www.joachimschipper.nl/
Old IPSEC bug
I'm sure most of you are already aware, but http://news.ycombinator.com/item?id=2014004 suggests that Jason fixed a potentially-dangerous bug in the IPSEC code in the NETSEC timeframe (src/sys/netinet/ip_esp.c r1.75). Joachim
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Sun, Dec 12, 2010 at 09:11:16PM -0700, Travis King wrote: Joel Wiramu Pauling j...@aenertia.net wrote: Marti Martinez ma...@ece.arizona.edu wrote: Ted Unangst ted.unan...@gmail.com wrote: At some point you're going to realize that the javascript that decrypts your mail has to come from someplace. A better alternative would be a PGP browser addon (...) [See] firegpg firegpg is the only way I can get friends and family to communicate with me securely. I don't even know what the interface looks like, but it does work (apparently). It's unmaintained. I would also be surprised if the server can't get at your plaintext (e.g. with Javascript, or even Java/Flash). You may want to look at http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/ and the comments (in particular, my http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/#comment-6239). Summary: it doesn't work, and can't work unless you add a plugin with *many* restrictions. Joachim -- PotD: devel/ivy - dependency manager for Java http://www.joachimschipper.nl/
Re: Strange behavior from poll() when interrupted by signal
On Sun, Dec 12, 2010 at 01:00:17PM -0600, Yarin wrote: As the documentation explains, when poll() is interrupted by a signal, it should return -1/EINTR. However, I'm getting a return indicating that all of the polling descriptors are ready, but when I check their flags out, none of them are ready. (Note that the same code behaves as expected on Linux) Here's a snippet of code that I wrote to deal smoothly with this behavior: (specifically, the last line)

pollfd wait_fd[2];
wait_fd[0].fd = sock_fd;
wait_fd[0].events = POLLOUT;
wait_fd[1].fd = abort_fd;
wait_fd[1].events = POLLIN;
int rfds;
do
    rfds = poll(wait_fd, 2, NULL);
while ((rfds < 0 && errno == EINTR) || (rfds > 0 && !wait_fd[0].revents && !wait_fd[1].revents));

This is not valid - poll takes an int argument here. NULL is interpreted as 0 (return immediately) on most platforms, which means you're busy-waiting. And that poll() will usually return 0 (timeout reached). This matches your observations, as far as I can tell. I *think* you meant:

while ((rfds = poll(wait_fd, 2, INFTIM)) == -1 && errno == EINTR)
    ;
if (rfds == -1)
    err(1, "Poll failed");

Note that poll cannot return 0 here. Joachim -- TFMotD: poll (2) - synchronous I/O multiplexing http://www.joachimschipper.nl/
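The corrected loop from the reply, and the one I would actually ship, as an added example (my code, not Yarin's or Joachim's). poll_restart is the reply's EINTR loop; poll_deadline re-arms with only the time left on the original deadline, because a retry that restarts the full timeout can be kept from ever timing out by a signal that arrives more often than the timeout (a 30 ms interval timer against a 120 ms poll in the demo below). The SIGALRM rig, the empty pipe and the numbers are constructed for illustration; INFTIM is spelled -1 so the block also builds where <poll.h> does not define it.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t alarms_seen;

static void on_alarm(int sig)
{
	(void)sig;
	alarms_seen++;
}

/* The corrected loop from the reply: restart poll(2) after EINTR. Every
 * restart waits the *full* timeout again. (-1 is INFTIM.) */
int poll_restart(struct pollfd *fds, nfds_t nfds, int timeout_ms)
{
	int r;

	do
		r = poll(fds, nfds, timeout_ms);
	while (r == -1 && errno == EINTR);
	return r;
}

/* Restart after EINTR, but only for what is left of the original deadline,
 * so a steady stream of signals cannot postpone the timeout forever. A
 * negative timeout (INFTIM) is passed through unchanged. */
int poll_deadline(struct pollfd *fds, nfds_t nfds, int timeout_ms)
{
	struct timespec start, now;
	int r, remaining = timeout_ms;
	long elapsed_ms;

	clock_gettime(CLOCK_MONOTONIC, &start);
	for (;;) {
		r = poll(fds, nfds, remaining);
		if (r != -1 || errno != EINTR)
			return r;
		if (timeout_ms < 0)
			continue;
		clock_gettime(CLOCK_MONOTONIC, &now);
		elapsed_ms = (now.tv_sec - start.tv_sec) * 1000
		    + (now.tv_nsec - start.tv_nsec) / 1000000;
		if (elapsed_ms >= timeout_ms)
			return 0;	/* deadline passed while handling the signal */
		remaining = timeout_ms - (int)elapsed_ms;
	}
}

/* Demo rig: poll an empty pipe with pollfn while SIGALRM, installed without
 * SA_RESTART so poll(2) really fails with EINTR, fires after interval_us
 * (once, or every interval_us if repeat is set). Returns poll's result and
 * stores the number of alarms delivered in *nsignals.
 *
 *   run_interrupted(poll_restart,  100, 20000, 0, &n): one EINTR, then the
 *       restarted 100 ms wait times out; returns 0 with n == 1.
 *   run_interrupted(poll_deadline, 120, 30000, 1, &n): several EINTRs, still
 *       returns 0 at the 120 ms deadline. poll_restart would never return
 *       here, since each retry starts a fresh 120 ms. */
int run_interrupted(int (*pollfn)(struct pollfd *, nfds_t, int),
    int timeout_ms, long interval_us, int repeat, int *nsignals)
{
	int p[2], r;
	struct pollfd pfd;
	struct sigaction sa;
	struct itimerval it;

	if (pipe(p) == -1)
		return -2;
	memset(&sa, 0, sizeof sa);
	sa.sa_handler = on_alarm;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = 0;			/* deliberately no SA_RESTART */
	sigaction(SIGALRM, &sa, NULL);

	alarms_seen = 0;
	memset(&it, 0, sizeof it);
	it.it_value.tv_usec = interval_us;
	if (repeat)
		it.it_interval.tv_usec = interval_us;
	setitimer(ITIMER_REAL, &it, NULL);

	pfd.fd = p[0];
	pfd.events = POLLIN;
	r = pollfn(&pfd, 1, timeout_ms);

	memset(&it, 0, sizeof it);
	setitimer(ITIMER_REAL, &it, NULL);	/* disarm */
	signal(SIGALRM, SIG_DFL);
	*nsignals = (int)alarms_seen;
	close(p[0]);
	close(p[1]);
	return r;
}

int main(void)
{
	int n, r;

	r = run_interrupted(poll_restart, 100, 20000, 0, &n);
	printf("one-shot alarm, poll_restart: returned %d after %d signal(s)\n", r, n);
	r = run_interrupted(poll_deadline, 120, 30000, 1, &n);
	printf("periodic alarm, poll_deadline: returned %d after %d signal(s)\n", r, n);
	return 0;
}
```

Swapping poll_restart into the second call is the quickest way to see the problem the reply's loop leaves open: the program never returns. Note also that poll_deadline returns 0 (timeout) rather than the poll result if the deadline passed while the signal handler was running; callers must treat that as a timeout, not as "nothing ready and keep going".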
Re: remove users from group
On Sun, Dec 12, 2010 at 03:44:18PM +0400, OpenBSD Geek wrote: To remove users from, for example, the group users, I usually do it by editing the file /etc/group and removing them manually. Is there a way from the command line to remove some users from a specific group? I want to do a script like that:

    list="1 2 3 4 5 6"
    for i in $list
    do
        usermod -G wheel,staff username$i
    done

This will add username[1-6] to groups wheel and staff, but how can I do like this script to remove them from group staff without editing the file /etc/group? Do some light scripting with an appropriate utility, e.g. userinfo(8). Joachim -- PotD: lang/expect,no_tk - sophisticated scripter based on Tcl/Tk http://www.joachimschipper.nl/
Re: OT - gmail alternatives
On Thu, Dec 09, 2010 at 10:41:32PM +0100, roberth wrote: Brad Tilley b...@16systems.com wrote: Adam M. Dutko wrote: How do[es Lavabit] deal with legal jurisdiction? Technically the government can still subpoena and they'd have to turn over the documents in the person's account, including backups. Use GPG so all the ISP could do is hand over the encrypted bits. You hold the key. gpg doesn't touch the headers, so Alice is still tied to Bob and might be fkd nevertheless. So use Mixmaster or Tor+$FREE_WEBMAIL (in either case, with GPG). Joachim -- PotD: misc/xkcd-viewer - XKCD comic viewer http://www.joachimschipper.nl/
Re: How to open PDF that requires Adobe 9
On Sat, Dec 04, 2010 at 06:28:04PM -0700, Clint Pachl wrote: When I open [the UPS developer's guide] with xpdf(1) I get a [message] to download the latest Adobe crapware to view it. This is cheating, but have you tried throwing it into Google docs? Joachim
Re: installation sets not found on CD
On Mon, Nov 29, 2010 at 06:52:38PM -0800, Scott Stanley wrote: Someone gave me a bunch of HP Proliant DL360 G3 servers, so I promptly went to install 4.8 i386 on one to see if it was worth keeping. (I'm just playing around at home with these) Installer makes it all the way to installation set(s) location, then kernel says: ASC/ASCQ: ASC 0X20 ASCQ 0X00 cd0(atapiscsi0:0:0): Check condition (error 0x70) on opcode 0x20 SENSE KEY: Illegal Request ASC/ASCQ: ASC 0X20 ASCQ 0X00 followed by installer saying: No filesystems found on cd0 This fellow had the same issue, and there was no resolution that I could see. http://www.mail-archive.com/misc@openbsd.org/msg50451.html My attempt was done using an official i386 disc that has installed 4.8 on 2 other systems, so I know the disc is good. OR, is there a possibility that the disc is marginal and the drive is picky enough to complain? I tried this on 3 or 4 of the systems and got the same error. Is there any more information I can provide for clues to help? Can't you install via PXE? It's possible that the CD drive is broken or unsupported (although I wouldn't expect the latter to be the case), but that shouldn't prevent you from installing OpenBSD. And a full system may make diagnosis easier... Joachim
Re: OT: Disadvantages of using virtual firewalls like OpenBSD
On Tue, Nov 23, 2010 at 01:38:04PM +0100, carlopmart wrote: I would like to know your opinion about using virtual firewalls in virtual infrastructures like vmware, kvm, xen, etc (...) [What about] security? Let me add one more reason to the ones already offered: there are *many* side-channel attacks that can cross VM barriers. In other words, don't do any sort of crypto (SSH, IPsec...) on virtualized machines, unless you trust every VM on the same physical box. I'm not online at the moment, but look at e.g. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds by Ristenpart, Tromer, Shacham and Savage for this kind of attack on Amazon's VMs. There are many others. Joachim -- TFMotD: ipsec.conf (5) - IPsec configuration file http://www.joachimschipper.nl/
Re: ldap auth
On Wed, Nov 24, 2010 at 01:03:00AM +0200, Kapetanakis Giannis wrote: I've recently tested login_ldap and ypldap on OpenBSD 4.8 as a test case for an authpf gateway for ldap users. Apart from these solutions and having in mind that PAM is not (and probably never will be) an option, what would you suggest as the right place for someone to try to develop ldap authentication on OpenBSD (without ypldap or maintaining users in passwd)? I'm looking for hints on the starting place, since I'm not familiar with these low level functions, to make the system get user info (uid, gid, home etc) from ldap. Is bsd_auth(3) or authenticate(3) where I should first look? I don't think I understand what you mean - what do you want to improve relative to login_ldap and ypldap? Joachim -- TFMotD: vsbic (4/MVME68k) - MVME327A SCSI and floppy controller http://www.joachimschipper.nl/
Re: choice for a ftpd
On Sat, Nov 06, 2010 at 01:22:43PM +0100, Jean-Francois wrote: I think of installing as a ftp daemon vsftpd or pure-ftpd since both seem to be simple and secure. Would you recommend one or the other in terms of security or scalability? vsftpd wins for security. You may also want to consider ftpd from base. Joachim -- TFMotD: MD5Init, MD5Update, MD5Pad, MD5Final, MD5Transform, MD5End, MD5File, MD5FileChunk, MD5Data (3) - calculate the RSA Data Security, Inc., ``MD5'' message digest http://www.joachimschipper.nl/
Re: net.inet.tcp sysctl's
On Sat, Nov 06, 2010 at 02:13:46PM +0100, Jan Stary wrote: For some time now, I have been using the following sysctl's mentioned in FAQ 6.6.4, which sped up my network traffic considerably: net.inet.tcp.recvspace net.inet.tcp.sendspace net.inet.udp.recvspace net.inet.udp.sendspace Now that I have reinstalled with current/amd64, the tcp ones seem to have disappeared (while the udp ones are still there). Am I missing something? TCP is now tuned automatically. Joachim -- TFMotD: MAKEDEV (8) - create system and device special files http://www.joachimschipper.nl/
Re: net.inet.tcp sysctl's
On Sat, Nov 06, 2010 at 04:29:22PM +0100, Jan Stary wrote: On Nov 06 15:47:54, Claudio Jeker wrote: On Sat, Nov 06, 2010 at 02:13:46PM +0100, Jan Stary wrote: For some time now, I have been using (...) net.inet.tcp.recvspace net.inet.tcp.sendspace net.inet.udp.recvspace net.inet.udp.sendspace (...) the tcp ones seem to have disappeared (...) (...) The TCP ones are gone (...). The automatic TCP window scaling in -current makes the global tcp.recvspace and tcp.sendspace superfluous. Nice. Shouldn't faq 6.6.4 be deleted then? The FAQ follows the latest release, not -current. Joachim
Re: sendmail relay defaults
On Tue, Nov 02, 2010 at 12:53:15PM +0800, Edwin Eyan Moragas wrote: as i understand, sendmail is initially configured to send emails locally (ie, users on the same host). i'm setting up PHP on chrooted apache. mini_sendmail-chroot is already installed. i don't have any shells copied to the chroot bin directory (/var/www/bin). i was able to send mail from PHP using mini_sendmail-chroot after changing sendmail_flags to the one recommended by rc.conf. the setup is a web server out in the open internet. i'm using openbsd 4.6. You're aware that 4.6 is unsupported as of today, right? Fortunately, upgrades are easy. two questions: 1) i want to make sure that sendmail won't relay email from any other host. is this setup enough? Yes. 2) what do i need to do to have multiple domain names allowed by sendmail to send from this host? eg, the websites i have are domain1.com, domain2.net. i think i can set the From field of the email from PHP code. Sendmail-wise, nothing. If the domains in question have an SPF record, you do have to update that. Similarly, if you want to *receive* mail for multiple domains, you'll have to update your sendmail configuration. Joachim -- TFMotD: DSA_generate_key (3) - generate DSA key pair http://www.joachimschipper.nl/
Re: Packet Loss on Wireless (RAL and WI)
On Tue, Nov 02, 2010 at 02:23:23AM +1300, Jammer wrote: I'm experiencing problems setting up an OpenBSD box as a firewall/Wireless Access Point(...) Firstly my setup: * I've tried this using OpenBSD v4.1, v4.6 and a 4.8 snapshot from 29/10/20 all with similar results. Just install 4.8 or -current. * I've tried various different wireless cards based on either the Prism (wi0) or Ralink 2561 (ral0) chipsets. There are a lot of caveats about Host AP mode in wi(4) (from -current):

(...)
Host AP
In this mode the driver acts as an access point (base station) for other cards. Only cards based on the Intersil chipsets support this mode. Furthermore, this mode is not supported on USB devices.
(...)
HARDWARE
Cards supported by the wi driver come in a variety of packages, though the most common are of the PCMCIA type. In many cases, the PCI version of a wireless card is simply a PCMCIA card bundled with a PCI adapter.
(...)
USB support is still experimental and the device may stop functioning during normal use. Resetting the device by configuring the interface down and back up again will normally reactivate it.
(...)
CAVEATS
Not all 3.3V wi PCMCIA cards work. IBSS creation does not currently work with Symbol cards. The host-based access point mode on the Intersil PRISM cards has bugs when used with firmware versions prior to 0.8.3 and is completely unusable with firmware versions prior to 0.8.0 and 1.4.0-1.4.2. Software WEP is currently only supported in Host AP and BSS modes. Furthermore, software WEP is currently incapable of decrypting fragmented frames. Lucent-based cards using firmware 8.10 and above fragment encrypted frames sent at 11Mbps. To work around this, Lucent clients with this firmware revision connecting to a Host AP server should use a 2Mbps connection or upgrade their firmware to version 8.72. Host AP mode doesn't support WDS or power saving. Clients attempting to use power saving mode may experience significant packet loss (disabling power saving on the client will fix this). Support for USB devices is buggy. Host AP mode and AP scanning are not currently supported with USB devices.

From ral(4):

(...)
CAVEATS
(...)
Host AP mode doesn't support power saving. Clients attempting to use power saving mode may experience significant packet loss (disabling power saving on the client will fix this). Some PCI ral adapters seem to strictly require a system supporting PCI 2.2 or greater and will likely not work in systems based on older revisions of the PCI specification. Check the board's PCI version before purchasing the card.

I've never set up an AP myself, but it's not clear that you are aware of these possible issues from your message. * I've used 4 different machines, admittedly all low horsepower machines, from 400MHz PII to 1.2GHz Athlon * I've tried configuring the interface in both ibss and hostap mode. I'm aware of the caveat regarding hostap mode and power saving mode in the client and have ensured that the clients (various WinXP times 2, and Brother wireless enabled printer) have this disabled but the packet loss occurs in both ad-hoc and hostap modes anyway. On each occasion I get anywhere up to 75% packet loss or long periods of several tens of seconds where the wireless link is down. Often the clients are completely unable to associate with the access point/peer and the link is most unstable. I have tried this with the two machines side by side and at a distance of 10m but even with a link of only a few feet I still get packet loss. I've tested by pinging both ends both individually, and simultaneously, and the packet loss occurs in both directions. At the same time, I can use the same wireless cards in a Windows XP machine and get zero packet loss and a completely stable link in an ad-hoc network so I'm sure that the hardware is OK and the wireless radio does work.
I'm afraid I don't have my dmesg handy (...) *Always* include a dmesg if you're having hardware issues. Joachim -- PotD: x11/lupe - real-time magnifying glass for X11 http://www.joachimschipper.nl/
Re: something weird with perl in CVS?
On Sat, Oct 30, 2010 at 02:44:50PM -0700, Philip Guenther wrote: On Sat, Oct 30, 2010 at 10:34 AM, Maurice Janssen maur...@z74.net wrote: (...) I extracted the src.tar.gz from the 4.8 CDROM and synchronized the src tree to -stable through CVS. I expected to see about 5 files being changed, but to my surprise a lot (all?) files in src/gnu/usr.bin/perl/ were also updated. [Huh?] There was a late change in the keyword substitution mode for those files. That's a per-file mode (note that it's *not* per-revision per-mode) and there are no email messages generated for them, just as no messages are generated for imports. Not that this is relevant here, but messages *are* generated for imports; see e.g. http://mid.gmane.org/201009101113.o8abdk74012...@cvs.openbsd.org. Joachim -- TFMotD: pthread_cond_init (3) - create a condition variable http://www.joachimschipper.nl/
Re: password-less console-only access and ssh remote access?
On Tue, Oct 26, 2010 at 04:24:04AM -0700, Russell wrote: On 10/22/2010 09:43 AM, Joachim Schipper wrote: On Thu, Oct 21, 2010 at 07:46:50PM +0200, Bret S. Lambert wrote: On Thu, Oct 21, 2010 at 05:38:54PM +, Jay K wrote: My ideal setup would be: 1) no passwords (* in /etc/passwd or via vipw) 2) only ssh [keys] for remote access (...) 3) except console, where anyone should be able to login without any password (...) [Set] PasswordAuthentication to no in your sshd_config file, and hand out (...) simple passwords (...) Well, except when someone runs login(1) from an SSH'ed shell... I'm pretty sure you can just add a line along the lines of

    ttyC0 "/bin/ksh" vt220 on

to /etc/ttys, if you insist. Don't I wish, as I have a box I would like to do this on (main function in life is a 3270 emulator), but getty sets a few environment variables that ksh wants; the best I could figure out was to make a getty-like stub that would set the env and execve ksh. One of the many things on my to-do-when-I-have-time list I will never get around to. I think you mean login(1), see the ENVIRONMENT section. ksh actually starts just fine without any environment variables (env -i ksh), so I don't see the problem. Of course you'll want to set some ASAP. Joachim
Re: password-less console-only access and ssh remote access?
On Thu, Oct 21, 2010 at 07:46:50PM +0200, Bret S. Lambert wrote: On Thu, Oct 21, 2010 at 05:38:54PM +, Jay K wrote: My ideal setup would be: 1) no passwords (* in /etc/passwd or via vipw) 2) only ssh for remote access i.e. no password-based security, only something better 3) except console, where anyone should be able to login without any password (granted, I only have two users, root and jay) You can get almost the same thing by setting PasswordAuthentication to no in your sshd_config file, and hand out (...) simple passwords (...) Well, except when someone runs login(1) from an SSH'ed shell... I'm pretty sure you can just add a line along the lines of

    ttyC0 "/bin/ksh" vt220 on

to /etc/ttys, if you insist. Joachim -- TFMotD: qdiv (3) - return quotient and remainder from division http://www.joachimschipper.nl/
Re: CVS ls Disabled on Mirrors?
On Thu, Oct 21, 2010 at 02:02:26PM -0400, Adam M. Dutko wrote: I recently tried to list contents of some of the CVS servers without doing a checkout to see if it would be feasible to write a small script to identify hot spots in the development tree based on recent commits. I believe this functionality is disabled due to security or resource usage concerns. The anoncvs.shar file shows most anon servers should chroot, drop privileges, and use read only mounts. I imagine it's the read only mount that's the sticking point. This can probably be accomplished using a local copy or a cloned server using cvssync. I just wanted to make sure I wasn't missing something with regard to why ls/dir doesn't seem to work. Thanks. You already have a good answer, but allow me to point out that you shouldn't pester the mirrors for this anyway. Just get a copy with cvsync and run everything locally. Joachim -- TFMotD: madvise, posix_madvise (2) - give advice about use of memory http://www.joachimschipper.nl/
Re: Auto Logout Idle Users
On Thu, Oct 14, 2010 at 03:28:20PM -0400, Brad Tilley wrote: Brad Tilley wrote: I created (...) /etc/profile to force sh and ksh to logout users after a certain period of idleness:

    $ cat /etc/profile
    # Force sh and ksh to logout idle users after 15 minutes
    # Prevent normal users from disabling this setting
    readonly TMOUT=900
    export TMOUT

That works great. I've tried to do the same to (...) csh. Replying to myself. I can't seem to make csh auto logout inactive users. So I did this:

    rm /bin/csh
    cp /bin/ksh /bin/csh

Any good reason to not do this? Allow me to echo the general wtf?! sentiment. You do realize that the following hack works even for ksh, right?

    $ export TMOUT=10
    $ readonly TMOUT
    $ exec env -i HOME=$HOME PATH=$PATH ... /bin/ksh

I suspect that a less-than-unbreakable solution might be enough for PCI compliance; in that case, look at sysutils/idled or pester the devio.us guys for their logout daemon. Joachim -- getenv, putenv, setenv, unsetenv (3) - environment variable functions http://www.joachimschipper.nl/
Re: Force passwordcheck in login.conf
On Wed, Oct 13, 2010 at 09:09:29AM +, Leif Blixt wrote: Brad Tilley brad at 16systems.com writes: I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users who have shell access to OpenBSD systems. It seems to work as expected, but I wanted to run my configuration by misc. I appended the following two lines to the end of both default and staff in login.conf. Look OK?

    :passwordcheck=/path/to/program:\
    :passwordtries=0:

I understand that it would be easy (and redundant) to use minpasswordlen to meet the length requirement, but it's easy to check that in the program itself. Brad We are currently being reviewed for PCI DSS compliance, and the big problems we have right now with the combination of PCI DSS and OpenBSD is the following PCI DSS requirements: 8.5.12 Password history check - you may not use the last 4 passwords. 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts automatically. 8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30 minutes. How have you addressed these requirements? I'm starting to think we need a RADIUS solution, which seems a bit redundant working with OpenBSD... Locking out accounts is actually fairly easy to do if you wrap /usr/libexec/auth/login_whatever. Read the AUTHENTICATION section of login.conf(5). Joachim
Re: ACPI on ASUS Eee PC 1201pn with 4.8
On Thu, Oct 07, 2010 at 03:44:38AM +0200, Guillaume Duali wrote: On 01/10/2010 17:27, Guillaume Duali wrote: On my laptop, I installed the latest iso file downloaded here: ftp://ftp.fr.openbsd.org/pub/OpenBSD/snapshots/i386/install48.iso And with it, the acpi is bugged. If I do a classic boot, the machine shuts down after 10 seconds saying:

    Oct 1 16:38:15 laptop /bsd: acpitz0: Critical temperature 255C (5282K), shutting down

If I do a boot disabling the acpi (thanks to pea), then my machine works fine, but the battery is not correctly managed:

    # apm
    Battery state: unknown, 0% remaining, 0 minutes life estimate
    A/C adapter state: not known
    Performance adjustment mode: manual (1663 MHz)

If I start apmd -A, nothing happens and in /var/log/messages, I can see:

    Oct 1 17:23:46 laptop apmd: cannot open device file `/dev/apmctl': Operation not supported by device

I suppose that is due to acpi being disabled. My version of OpenBSD is:

    Oct 1 16:44:30 laptop /bsd: OpenBSD 4.8-current (GENERIC.MP) #402: Wed Sep 29 23:51:39 MDT 2010

I made an acpidump: http://otasc.org/openbsd/acpidump.tgz Here is my /var/log/messages file: http://otasc.org/openbsd/messages Here is my (strange) dmesg: # dmesg garbage On some machines, the dmesg buffer is not cleared at boot, which makes it possible to see (part of) the dmesg from the previous boot - very useful if the previous boot crashed. In this case, OpenBSD mistakenly believes your dmesg buffer to be valid. Don't worry about it.
    OpenBSD 4.8-current (GENERIC.MP) #402: Wed Sep 29 23:51:39 MDT 2010
        dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
    cpu0: Intel(R) Atom(TM) CPU N450 @ 1.66GHz ("GenuineIntel" 686-class) 1.67 GHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
    real mem = 2146594816 (2047MB)
    avail mem = 2101448704 (2004MB)
    User Kernel Config
    UKC> disable acpi
    473 acpi0 disabled
    UKC> quit
    Continuing...
    mainbus0 at root
    bios0 at mainbus0: AT/286+ BIOS, date 04/09/10, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.6 @ 0xf0740 (30 entries)
    bios0: vendor American Megatrends Inc. version "0401" date 04/09/2010
    bios0: ASUSTeK Computer INC. 1201PN
    acpi at bios0 function 0x0 not configured
    ...
    root on sd0a swap on sd0b dump on sd0b

Note: With OpenBSD 4.7, the apm works fine except the suspend to ram is not working. Well, suspend not working is to be expected with 4.7. Thanks a lot for your help :) And tell me if you want some other traces or tests. Hi there, does someone have an idea? I can open an SSH connection to my laptop for a dev if you want to try something... 4.8 is pretty to go out, so it will be nice if we can say Yeah ASUS EEe 1201pn works with ! :-) I have no idea how to solve this, but note that you can just disable acpitz instead of acpi - you probably won't be able to get CPU temperature from hw.sensors and I don't know if the machine still shuts down if it gets too hot, but you can still suspend etc. Joachim -- TFMotD: CORE (3p) - Pseudo-namespace for Perl's core routines http://www.joachimschipper.nl/
Re: ACPI on ASUS Eee PC 1201pn with 4.8
On Thu, Oct 07, 2010 at 10:27:43AM +0200, Guillaume Duali wrote: On Thu, 7 Oct 2010 06:02:10 +0200, Tomas Bodzar tomas.bod...@gmail.com wrote: 4.8 is closed for a quite long time. Support can start only in current so 4.9 is nearest possible release which will support your HW ;-) Ho ok ^^ So, what must I do? Wait until 4.8 goes out officially and try with -current 4.9 when it will be available? -current, as you can get from CVS today, is already past 4.8 and will become 4.9 at some point. Joachim -- TFMotD: form_post (3) - write or erase forms from associated subwindows http://www.joachimschipper.nl/
Re: Wireless Network GUI
On Thu, Oct 07, 2010 at 01:34:50PM +0200, g.du...@otasc.org wrote: If I understand, you think to combine C and Python? Do you think it is good to code the tool in C, with only a shell interface, and add the graphical front-end in Python? In this case Python will call on each click the C binary with parameters, like: ./assistant --list-wireless-network It's a good idea [G! keyboard shortcut :p] So, it's a good idea if we work together on this project if you are ok? You *are* aware that you can combine Python and C code fairly easily, right? There is no real need to shell out for every command... Joachim -- TFMotD: perlartistic (1) - the Perl Artistic License http://www.joachimschipper.nl/
Re: Error establishing ppp connection with UMTS modem mini-pci card
On Fri, Oct 01, 2010 at 09:31:18AM +0200, Claer wrote: On Thu, Sep 30 2010 at 45:10, Tilo Stritzky wrote: On 30/09/10 00:40 Claer wrote: I have a minipci umts modem that is recognized fine by OpenBSD (4.7-stable) but I'm unable to find the good pppd configuration to establish the configuration to my ISP. [...] The content of /etc/ppp/chat/orange: ABORT BUSY ABORT 'NO CARRIER' ABORT VOICE ABORT NO DIALTONE AT OK AT+CGDCONT=1,IP,orange.fr [no pin] OK ATDT*99***1# 'CONNECT' '\c' 'TIMEOUT' '5' In the /var/log/messages I can see these lines:

    Aug 24 02:51:14 fw pppd[14700]: pppd 2.3.5 started by root, uid 0
    Aug 24 02:52:00 fw pppd[14700]: Connect script failed

Any help appreciated :) Your connect script failed. Now find out why. Or get cu(1) and try to run your chat sequence manually, see where it breaks. Thanks for the help. The script was missing '' ATZ at the start. Now I'm blocked one step further. pppd seems to be unable to negotiate the IP address. As you suggested I added debug info to syslog in order to see what was wrong with the daemon.
Here are the new /etc/ppp/peers/orange and the new log trace:

    /dev/cuaU0
    384000
    noauth
    noipdefault
    defaultroute
    novj
    #nodeflate
    nobsdcomp
    debug
    kdebug 1
    user orange
    connect "/usr/sbin/chat -v -f /etc/ppp/chat/orange"

    pppd[27737]: sent [LCP ConfReq id=0x1 magic 0xb40e0b28 pcomp accomp]
    pppd[27737]: rcvd [LCP ConfReq id=0x0 asyncmap 0x0 auth chap 05 magic 0xd6e2d43d pcomp accomp]
    pppd[27737]: sent [LCP ConfAck id=0x0 asyncmap 0x0 auth chap 05 magic 0xd6e2d43d pcomp accomp]
    pppd[27737]: rcvd [LCP ConfAck id=0x1 magic 0xb40e0b28 pcomp accomp]
    pppd[27737]: rcvd [LCP DiscReq id=0x1 magic=0xd6e2d43d]
    pppd[27737]: rcvd [CHAP Challenge id=0x1 62bca7bd3427414f92ef743e467a1c6f, name = UMTS_CHAP_SRVR]
    pppd[27737]: sent [CHAP Response id=0x1 f147286df7016f99df1d717114376ff5, name = orange]
    pppd[27737]: rcvd [CHAP Success id=0x1 ]
    pppd[27737]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
    pppd[27737]: sent [CCP ConfReq id=0x1 deflate 15 deflate(old#) 15]
    pppd[27737]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0c 1a 04 78 00 18 04 78 00]
    pppd[27737]: rcvd [IPCP ConfNak id=0x1 ms-dns 10.11.12.13 ms-dns 10.11.12.14]
    pppd[27737]: sent [IPCP ConfReq id=0x2 addr 0.0.0.0]
    pppd[27737]: rcvd [IPCP ConfNak id=0x2 ms-dns 10.11.12.13 ms-dns 10.11.12.14]
    pppd[27737]: sent [IPCP ConfReq id=0x3 addr 0.0.0.0]
    pppd[27737]: rcvd [IPCP ConfReq id=0x0]
    pppd[27737]: sent [IPCP ConfNak id=0x0 addr 0.0.0.0]
    pppd[27737]: rcvd [IPCP ConfNak id=0x3 addr 90.94.225.164]
    pppd[27737]: sent [IPCP ConfReq id=0x4 addr 90.94.225.164]
    pppd[27737]: rcvd [IPCP ConfReq id=0x1]
    pppd[27737]: sent [IPCP ConfAck id=0x1]
    pppd[27737]: rcvd [IPCP ConfAck id=0x4 addr 90.94.225.164]
    pppd[27737]: Could not determine remote IP address
    pppd[27737]: sent [IPCP TermReq id=0x5 Could not determine remote IP address]
    pppd[27737]: rcvd [IPCP TermAck id=0x5]
    pppd[27737]: sent [LCP TermReq id=0x2 No network protocols running]
    pppd[27737]: rcvd [LCP TermAck id=0x2]
    pppd[27737]: Connection terminated.
Many providers don't care about their own IP address. Add something like :192.168.103.1 ipcp-accept-remote to /etc/ppp/peers/orange to assign the other side a default IP address, but to allow it to override the IP address you assigned in case it ever does start caring. Obviously, you cannot talk to another 192.168.103.1 hereafter, so configure the IP address appropriately. Joachim -- TFMotD: magic (5) - file command's magic pattern file http://www.joachimschipper.nl/
Re: How to use /dev/srandom
On Fri, Oct 01, 2010 at 10:45:30AM +0200, Massimo Lusetti wrote: On Wed, 29 Sep 2010 Theo de Raadt dera...@cvs.openbsd.org wrote: [Ted Unangst wrote: -- Joachim Schipper] [/dev/arandom] is more efficient. There is almost always enough entropy for arandom, and if there isn't, you would have a hard time detecting that. There is always enough. The generator will keep moving, until it has ^^^ Like 64K will be enough for everyone? ;) ... please put it in theo.c No, as in always enough. (A)RC4 is a pseudorandom generator/stream cipher, which means[1] that it turns a small chunk of random data into an infinite[2] stream of (pseudo-)random data. And if we're going to add stuff to theo.c, I'd be more partial to oh, but linux people told you it was the best., a few messages upthread. Joachim [1] Well, the mathematical object it's instantiating has this property (by definition). We hope that (A)RC4 does too; so far, nobody has been able to break (A)RC4 (with modern countermeasures like discarding the first part of the output.) [2] For all practical purposes, at least. Like any algorithm with finite state, (A)RC4 will eventually enter a (long!) cycle. Note that /dev/arandom is also re-seeded with fresh entropy, so you could indeed consider it infinite. -- TFMotD: arithmetic (6) - quiz on simple arithmetic http://www.joachimschipper.nl/
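An added C example (mine, not from the thread or from OpenBSD's arc4random) of the property footnote [1] describes: the key schedule turns a few key bytes into a 256-byte state, the generator then hands out as many bytes as asked for, and rc4_drop discards the leading output, the countermeasure the footnote mentions. The vectors in rc4_selftest are the published RC4 test vectors; the seed in rc4_drop_selftest and the drop count of 3072 are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rc4 { uint8_t s[256]; uint8_t i, j; };

/* Key scheduling: a short key (the "small chunk of random data") becomes a
 * 256-byte permutation; that permutation plus two indices is the whole state. */
void rc4_init(struct rc4 *ctx, const uint8_t *key, size_t keylen)
{
    unsigned k;
    uint8_t j = 0, t;
    for (k = 0; k < 256; k++)
        ctx->s[k] = (uint8_t)k;
    for (k = 0; k < 256; k++) {
        j = (uint8_t)(j + ctx->s[k] + key[k % keylen]);
        t = ctx->s[k]; ctx->s[k] = ctx->s[j]; ctx->s[j] = t;
    }
    ctx->i = ctx->j = 0;
}

/* Keystream generation: any number of bytes from that fixed state. The state
 * is finite, so the stream is eventually periodic, but the caller never runs out. */
void rc4_keystream(struct rc4 *ctx, uint8_t *out, size_t n)
{
    size_t k;
    uint8_t t;
    for (k = 0; k < n; k++) {
        ctx->i = (uint8_t)(ctx->i + 1);
        ctx->j = (uint8_t)(ctx->j + ctx->s[ctx->i]);
        t = ctx->s[ctx->i]; ctx->s[ctx->i] = ctx->s[ctx->j]; ctx->s[ctx->j] = t;
        out[k] = ctx->s[(uint8_t)(ctx->s[ctx->i] + ctx->s[ctx->j])];
    }
}

/* Discard the first n bytes: the leading output is biased, which is the
 * "discarding the first part of the output" countermeasure of footnote [1]. */
void rc4_drop(struct rc4 *ctx, size_t n)
{
    uint8_t b;
    while (n-- > 0)
        rc4_keystream(ctx, &b, 1);
}

/* Stream-cipher use: XOR data with keystream one byte at a time (in may alias out). */
void rc4_crypt(struct rc4 *ctx, const uint8_t *in, uint8_t *out, size_t n)
{
    size_t k;
    uint8_t ks;
    for (k = 0; k < n; k++) {
        rc4_keystream(ctx, &ks, 1);
        out[k] = in[k] ^ ks;
    }
}

/* Encrypt pt under key with no drop and compare with a published ciphertext. */
static int check_vector(const char *key, const char *pt, const uint8_t *ct, size_t n)
{
    struct rc4 ctx;
    uint8_t out[32];
    if (n > sizeof out)
        return 0;
    rc4_init(&ctx, (const uint8_t *)key, strlen(key));
    rc4_crypt(&ctx, (const uint8_t *)pt, out, n);
    return memcmp(out, ct, n) == 0;
}

/* Three standard RC4 test vectors; returns 1 when all of them match. */
int rc4_selftest(void)
{
    static const uint8_t v1[] = { 0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3 };
    static const uint8_t v2[] = { 0x10,0x21,0xBF,0x04,0x20 };
    static const uint8_t v3[] = { 0x45,0xA0,0x1F,0x64,0x5F,0xC3,0x5B,0x38,
                                  0x35,0x52,0x54,0x4B,0x9B,0xF5 };
    return check_vector("Key", "Plaintext", v1, sizeof v1)
        && check_vector("Wiki", "pedia", v2, sizeof v2)
        && check_vector("Secret", "Attack at dawn", v3, sizeof v3);
}

/* Same seed and same drop give the same stream (all unpredictability lives in
 * the seed), and the post-drop stream differs from the undropped prefix. Returns 1. */
int rc4_drop_selftest(void)
{
    static const uint8_t seed[16] = { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,   /* constructed */
                                      0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10 };
    struct rc4 a, b, c;
    uint8_t oa[256], ob[256], oc[256];
    rc4_init(&a, seed, sizeof seed); rc4_drop(&a, 3072); rc4_keystream(&a, oa, sizeof oa);
    rc4_init(&b, seed, sizeof seed); rc4_drop(&b, 3072); rc4_keystream(&b, ob, sizeof ob);
    rc4_init(&c, seed, sizeof seed); rc4_keystream(&c, oc, sizeof oc);
    return memcmp(oa, ob, sizeof oa) == 0 && memcmp(oa, oc, sizeof oa) != 0;
}

int main(void)
{
    printf("selftest=%d drop_selftest=%d\n", rc4_selftest(), rc4_drop_selftest());
    return 0;
}
```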
Re: smtpd and spamd, with antivirus
On Fri, Oct 01, 2010 at 08:42:04AM -0400, Michael W. Lucas wrote: I have to build a new mail relay host, and would like to use spamd and smtpd on OpenBSD. I'm required to provide antivirus scanning of mail contents, however. Has anyone attached any antivirus software to this combination? I'm well aware that spamd stops a vast amount of viruses, but I'm not the one writing the requirements. Thanks for any hints, While smtpd is not production-ready, so this may not be the best idea, you can easily integrate pretty much anything with procmail/maildrop; smtpd has a deliver to mda option to integrate with either. Joachim -- TFMotD: mblen (3) - get number of bytes in a multibyte character http://www.joachimschipper.nl/
Re: How to use /dev/srandom
On Wed, Sep 29, 2010 at 09:57:53AM -0400, Simon Perreault wrote: I'm trying to use /dev/srandom, but I can't get even a single byte out of it. $ hexdump -n 1 /dev/srandom It just hangs there, sleeping. If I use /dev/urandom instead, it returns immediately, as expected: $ hexdump -n 1 /dev/urandom 000 0069 001 I tried on various routers that have been forwarding packets since forever. I waited a long time for the read to succeed. I tried on OpenBSD 4.3 and 4.6. Am I doing something wrong? Using hexdump(1), apparently - dd if=/dev/srandom bs=1 count=1 | hexdump works just fine. You may want to sendbug this one. Joachim -- TFMotD: string2key (8) - map a password into a key http://www.joachimschipper.nl/
Re: How to use /dev/srandom
On Wed, Sep 29, 2010 at 09:39:06AM -0600, Theo de Raadt wrote: On Wed, Sep 29, 2010 at 9:57 AM, Simon Perreault simon.perrea...@viagenie.ca wrote: I'm trying to use /dev/srandom, but I can't get even a single byte out of it. Independent of other problems, I don't think you should be using srandom. We should just take that interface away, people see it and then they want to use it, but it doesn't work the way they want. Taking it away would first require an extensive audit of the ports tree -- to make sure that the applications in there don't end up choosing something even *worse* than srandom... And isn't srandom sometimes (very rarely!) appropriate? E.g. for generating encryption keys? Joachim
Re: Linux or OpenBSD
On Mon, Sep 27, 2010 at 04:33:03PM +0200, Martin Schröder wrote: 2010/9/27 Brad Tilley b...@16systems.com: The absence of reports doesn't prove that the flaws don't exist (and no, I'm not sitting on a 0day for OpenBSD :). I agree. I only meant that history shows Linux has these and OpenBSD has not (or very few in comparison). That does not mean OpenBSD is perfect No. History only shows that many more have been found and published in Linux than in OpenBSD. True, but considering some of the haha Theo suck on this commentary I recall from the rare case where OpenBSD *did* have an issue, this does not necessarily reflect a total lack of effort. Joachim -- TFMotD: ftime (3) - get date and time http://www.joachimschipper.nl/
Re: Moving authpf servers
On Mon, Sep 27, 2010 at 07:46:56AM -0700, Pauline Merton wrote: I will be moving users from an openbsd 3.7 to openbsd 4.7 server. Do I just copy over /etc/passwd and /etc/shadow? No, that function is handled by /etc/master.passwd on OpenBSD. Copy that file (and /etc/groups, if appropriate) and run vipw (or cap_mkdb). vipw will regenerate the appropriate files for you - just make an innocuous change like adding or subtracting a * in a password field.) Joachim -- PotD: net/libnet/1.1 - raw IP packet construction library http://www.joachimschipper.nl/
Re: help configuring Huawei E182E
Date: Sat, 25 Sep 2010 21:35:29 +0200 From: Joachim Schipper joac...@joachimschipper.nl To: misc@openbsd.org Subject: Re: help configuring Huawei E182E On Sat, Sep 25, 2010 at 07:34:59AM -0500, Anony (chicken) Mous wrote: I'm having difficulty [configuring] the Huawei E182E wireless dongle (...) with Telus mobility in Canada, I'm using 4.8-current, I have copied the verizon ppp.conf example from umsm(4) manpage only changing phone, authname, authkey without any success? Technical specification: http://tinyurl.com/2g3hszd My ppp.conf and error message from dialing ppp: http://pastebin.com/KvwcF48U Thank you all greatly for any help. Some hints: 1. You can use cu -l ttyU0 to communicate with the device, this is useful for debugging/trying what works. Note that the 'AT' stuff is called the Hayes command set and quite Googleable. 2. Find out how to see the messages from your device. If you use pppd(8), call chat with the -V option and look at /etc/ppp/connect-errors; I'm sure ppp(8), which you're using, has similar options. 3. The following configuration (somewhat) Works For Me with XS4ALL in the Netherlands, using a HUAWEI E180. (For anyone finding this via Google: This is *not* XS4ALL's mobile internet, which uses a more modern device; this is the temporary mobile internet they provide you when you request an ADSL connection.) You may be able to use it as a basis. If your device doesn't have a pin set, you may need to remove everything between AT+CPIN? and +CPIN\sREADY-AT+CPIN=-OK (inclusive). Joachim P.S.
Please send all information inline next time - it's small, but makes it possible to answer your questions e.g. on the train. /etc/ppp/peers/xs4all: # Use USB device cuaU0 # Taken from the Windows settings 460800 # Leave hardware flow control and compression enabled #nocrtscts #noccp #nobsdcomp #novj # Connection settings noipdefault noauth defaultroute user xum28 # XS4ALL doesn't care about their own IP, but let them override our idea if # they ever begin caring. :192.168.255.1 ipcp-accept-remote # XXX -v seems useless? connect chat -V -f /etc/ppp/chatscript-xs4all /etc/ppp/chatscript-xs4all: # 10s timeout should be enough - it's directly connected! TIMEOUT 10 # Report if it works REPORT CONNECT # Abort on various errors ABORT BUSY ABORT 'NO CARRIER' ABORT ERROR # Initialize '' ATZ # Has the PIN been entered? OK AT+CPIN? # If the PIN has already been entered, we get '+CPIN: READY' and continue; if # not, we send the PIN (AT+CPIN=), wait for OK, and continue. # # The next part configures the device: 3 means use whatever is available, # apparently. # # FInally, we wait a bit. If we don't, everything *appears* to work, but we get # NO CARRIER. It appears to be necessary to set TIMEOUT higher than the time we # wait (i.e. the number of \d sequences). +CPIN:\sREADY-AT+CPIN=-OK AT+cgdcont=3,IP,umts.xs4all.nl '' \d\d\d\d\d # Dial the standard code OK ATD*99# # Start connection and pass control back to pppd CONNECT \d\c
Re: pf for routers?
On Wed, Sep 22, 2010 at 02:04:39PM -0600, Beavis wrote:
> Greetings List,
>
> I would like to ask if someone has done routing via pf(4) (non-NAT rules). My idea is to be able to route packets from one interface to the other, say from tun0 to rl0. I've been googling a lot and most of the rules I'm seeing have something to do with NAT routes.
>
> Any help would be awesomely appreciated.

What is the problem you are trying to solve, and what have you tried so far? And why pf(4) instead of route(8)?

Joachim
Re: 2-3 General Question
On Tue, Sep 21, 2010 at 10:03:54PM -0400, LOL wrote:
> Does OpenBSD have tools that search packages? The only way I found is by installing the ports tree, but I think it's a bit stupid to have the whole tree just to do a search.
>
> Does OpenBSD have a boot manager like Grub or Boot0 for FreeBSD?

[Adding to the earlier answers.]

You can search packages using the ports tree (optionally with sqlports), but you can also go to http://openports.se/.

OpenBSD has its own bootloader, but almost all major bootloaders can be made to (chain-)load it, if you want to dual-boot.

Joachim
--
TFMotD: Archive::Tar (3p) - module for manipulations of tar archives
http://www.joachimschipper.nl/
Re: Safety of lo
On Wed, Sep 15, 2010 at 08:21:57PM -0300, Hugo Osvaldo Barrera wrote:
> On Wed, Sep 15, 2010 at 17:02, Joachim Schipper wrote:
> > In the specific case of Subversion, it's easy enough to invoke it directly from SSH (...)
>
> I know, I've used svn+ssh for some time. The issue is I have several repositories, and several externals inside each. This has two disadvantages:
>
> 1) I need to set up a new ssh tunnel for each transaction. These take a small while, but add up.
>
> 2) For some reason, after several connections are opened, new ones don't open. They're NOT rejected, just no response from the server. I can't even ssh into the machine from *this machine*, but I can from a different one. I tried the MaxStartups and MaxSessions in sshd_config, but that didn't help.
>
> Reason (2) is really lame, and I should have fixed that, but since it's not the issue, I decided to give the single-tunnel idea.

Are you aware of the new Control* SSH options? They work really well, especially with stupid programs like Subversion that like to open tons of connections. Try putting something like the following in ~/.ssh/config:

Host *
	ControlPath ~/.ssh/.mux...@%h:%p
	ControlPersist 3m

Host svn
	HostName svn.example.org
	IdentityFile ~/.ssh/id_rsa.svn
	ControlMaster auto

Joachim
Re: Safety of lo
On Wed, Sep 15, 2010 at 12:34:48PM -0300, Hugo Osvaldo Barrera wrote:
> I'm planning on having a few servers (including SVN) listening on 127.0.0.1 on machine A, and then tunneling into that machine from machine B to use those services.
>
> However, how safe is lo for this sort of tunnel? Is there a way for other (non-root) users of machine A to sniff what goes about through lo?
>
> To make my question clearer: I know that the tunnel itself cannot be read from outside, but my concern is the last piece of the link; can the loopback network interface be accessed by other users? Is it safe, in a shared environment, to transmit sensitive data through it?

Transmitting data over lo on a machine with other users does not expose you to any (new) attacks. Do note, however, that other users can likely access the service you run as well.

Joachim
--
TFMotD: ep (4) - 3Com EtherLink III and Fast EtherLink III 10/100 Ethernet device
http://www.joachimschipper.nl/
Re: OpenSSHd
On Mon, Sep 13, 2010 at 10:59:56AM +0200, Pete Vickers wrote:
> I'm trying to set up a box such that normal users are chroot'd to their home directories, and can only use sftp. Any clues what I'm doing wrong? Google seems to hint that the chroot directory might have to be owned by root, but that seems strange, since users couldn't then write files in their own home?

A chroot jail where the new root isn't owned by the root user is effectively impossible to secure. Set the home directories to /home/user/files and chroot to /home/user, or somesuch.

Joachim
--
TFMotD: autoconf (4/Alpha) - diagnostics from the autoconfiguration code
http://www.joachimschipper.nl/
Re: How MAC address is incorporated in packets
On Mon, Aug 30, 2010 at 10:07:06AM +0200, Jean-Francois wrote:
> Might you please indicate how, in the construction of an IP packet, the MAC address is incorporated into it. Is it the job of the OS or of the IF? If the OS is responsible for it, how is it processed, and is it possible to change the physical address in the packets sent for an address of our choice?

I think you're looking for the lladdr option to ifconfig. As to the rest of your question, see any decent textbook. Or start at http://en.wikipedia.org/wiki/Ethernet#Ethernet_frames.

Joachim
--
PotD: x11/mrxvt - multi-tabbed terminal emulator
Re: pf support
On Thu, Aug 26, 2010 at 01:26:25PM +0200, Johan Linnir wrote:
> We need help/support with setting up a couple of pf firewalls with carp etc. and are of course willing to pay for it if we find the right resource. Please reply off list if you're interested or can recommend a company/person whom you think can help us.

I presume you are aware of http://www.openbsd.org/support.html? There are two listings in Sweden, some developers, etc.

Joachim
--
TFMotD: genassym.sh (8) - emit an assym.h file
Re: rssh
On Wed, Aug 25, 2010 at 01:00:36PM -0400, Juan Miscaro wrote:
> Hi gang,
>
> I have found Linux info [1] on restricting users to file transfers (sftp, scp, rsync, etc) using rssh. Is this recommended by the OpenSSH developers? Is there a native way of doing this (in OpenBSD, in Linux)?
>
> [1] http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html

That information is long since outdated; look at Match, ChrootDirectory and ForceCommand internal-sftp in sshd_config(5). Reading the man page is a good idea anyway.

Joachim
Re: [OT] securely sharing documents on OpenBSD?
On Tue, Aug 17, 2010 at 12:27:04PM +0200, Matt wrote:
> Quite possibly more of a 'which software' question: I am looking for a way to have two parties share documents securely through an OpenBSD server. User A can not look into directory B but is allowed in dir C, that sort of thing. Sharing occurs through untrusted / changing networks.
>
> Obviously a simple SFTP structure seems to cut it, but would require all users (different platforms) to install sftp clients. Is there anything else (preferably in ports) that could do this better / prettier?

SFTP is a really good idea, and is supported by most graphical FTP clients. An FTP server will also work, but FTP-over-SSL is not quite universally supported.

Otherwise, a simple website should work? I'm sure someone's written software for that (if all else fails, I'm pretty certain that Horde includes such functionality, but it's massively overkill.)

If you're willing to drop the "through an OpenBSD server" part, I've heard very good things about Dropbox. (Note that there is no native OpenBSD client; the web interface should work, though.)

Joachim
--
TFMotD: Net::NNTP (3p) - NNTP Client class
Re: Web hosting, restrict user to access only his folder
On Sat, Aug 14, 2010 at 12:04:56AM +0400, open...@e-solutions.re wrote:
> Hi,
>
> I installed OpenBSD 4.7 for web hosting (test). So I have 3 websites for 3 users (1 site per user):
>
> www.first.xx (user: firstxx)
> www.2nd.xx (user: 2ndxx)
> www.third.xx (user: thirdxx)
>
> All web pages are stored in /var/www/domains/
>
> So in /var/www/domains we have 3 folders:
>
> www.first.xx folder (owner: firstxx; chmod 755)
> www.2nd.xx folder (owner: 2ndxx; chmod 755)
> www.third.xx folder (owner: thirdxx; chmod 755)
>
> I used ftpd (-4Dln) for users to upload their websites (with /etc/ftpchroot configured).
>
> My problem: users can see the content of others. For example, 2ndxx can update his folder, but he can also see the content of the firstxx folder.
>
> How can I restrict that?

Look into suexec, something other than Apache, or one of PHP's built-in mechanisms. Note that suexec is slow, Apache is standard for a reason, and PHP's security record is pretty bad.

Joachim
Re: which monitoring do you use (on OpenBSD)
On Tue, Aug 10, 2010 at 07:00:37PM +0200, Martin Schröder wrote:
> 2010/8/10 Iñigo Ortiz de Urbina inigoortizdeurb...@gmail.com:
> > Mainstream open source monitoring is pretty much about munin, cacti, nagios, zabbix. You can make any of these run on OpenBSD, AFAIK.
>
> A munin port would be highly appreciated. :-)

net/munin has been present since 4.7.

Joachim
--
TFMotD: ssm (4/SPARC64) - Scalable Shared Memory
Re: How much disk space should be maintained for /usr/obj
On Fri, Aug 06, 2010 at 12:18:06PM -0500, Ahlsen-Girard, Edward F CTR USAF AFSOC AFSOC/A6OK wrote:
> Nick Holland wrote:
> > On 08/06/10 18:38, Aaron Lewis wrote:
> > > How much space should I put for a separate partition, mounted on /usr/obj? Is 4 GiB more or less?
> >
> > 4GB is significantly bigger than any platform I've seen needs. 2GB is sufficient for just about everything now (that's from memory, not actually looking in the last week or two). However, odds are, you have 4GB to spare, so go ahead, use it.
>
> IIRC, 2GB was not sufficient when I tried to build Java on i386.

2GB is not necessarily enough for monster ports like OpenOffice, but /usr/obj is for building the system...

Joachim
--
TFMotD: yacc (1) - an LALR(1) parser generator
Re: addon to website faq
On Fri, Aug 06, 2010 at 06:19:07PM +0100, Kevin Chadwick wrote:
> On Fri, 06 Aug 2010 12:14:09 -0400 Nick Holland n...@holland-consulting.net wrote:
> > I'm also a bit dubious about anything which involves qemu as a solution, as I've seen too many people immediately jump on using qemu when much easier and simpler ways of doing the same thing exist (i.e., use another computer).
>
> Kernel Virtual Machine may be a more reliable/leaner option, but even that did/does? have a problem since 4.6 requiring mpbios to be disabled with boot -c.

You don't want to rely on KVM - that'd mean that people need to get their Linux machine updated and set up before they can install OpenBSD. *Most* people who want to run OpenBSD on a server will have a local install lying around...

Joachim
Re: cwm ssh autocompletion, SSH on non-standard port
On Fri, Jul 23, 2010 at 10:43:36AM -0400, Michael W. Lucas wrote:
> Hi,
>
> I'm running 4.7 GENERIC.MP#0 amd64 with the cwm window manager. Read the man pages and searched, but no answer to this.
>
> My employer runs SSH on a specific non-standard port. (Yes, I know, but that's the rule and it's my paycheck.) I've noticed that cwm's ssh autocompletion doesn't include known_hosts entries on nonstandard ports. Presumably, this is because the hostname is in square brackets and cwm can't parse it.
>
> Is there a way to make cwm's ssh autocompletion work when SSH is used on an off port? Or is this just the penalty I pay for living with this policy?
>
> Thanks for any suggestions,

Can't you just use the machine name, and then put something like

Host *.myemployer.com
	Port 222

in ~/.ssh/config?

Joachim
Re: Why is status not set to ^T by stty?
On Sun, Jun 27, 2010 at 02:13:01PM +0930, Damon McMahon wrote:
> Greetings,
>
> I need someone to hit me with a clue-stick here. I was trying to get a status of ping(1) using ^T but it appeared not to be sending a SIGINFO command. Reading through the man pages I see that stty(1) defines this behaviour, and sure enough...
>
> # stty -a
> speed 9600 baud; 24 rows; 80 columns;
> lflags: icanon isig iexten echo echoe -echok echoke -echonl echoctl
>         -echoprt -altwerase -noflsh -tostop -flusho pendin -nokerninfo
>         -extproc -xcase
> iflags: -istrip icrnl -inlcr -igncr -iuclc ixon -ixoff ixany imaxbel -ignbrk
>         brkint -inpck -ignpar -parmrk
> oflags: opost onlcr -ocrnl -onocr -onlret -olcuc oxtabs -onoeot
> cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -mdmbuf
> cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
>         eol2 = <undef>; erase = ^?; intr = ^C; kill = ^U; lnext = ^V;
>         min = 1; quit = ^\; reprint = ^R; start = ^Q; status = <undef>;
>         stop = ^S; susp = ^Z; time = 0; werase = ^W;
>
> Yep, status is not bound to ^T
>
> My question is where in the boot or logon process is stty(1) executed, or more to the point, why is my system not configured with the default behaviour?

What makes you think this would be the default behaviour? (I really don't know - but it works the same for me...)

Joachim
Re: Phoronix Test Suite
On Wed, Jun 23, 2010 at 12:36:38PM +0200, Ektor Wetterström wrote:
> I know http://bulk.fefe.de/scalability/ is wrong / outdated / non-scientific / whatever... But what about this? Phoronix has more credibility imho...
>
> http://www.phoronix.com/scan.php?page=article&item=linux_bsd_opensolaris&num=1

Rather uncritical, really. Their PostMark benchmark gives a 386x performance advantage (Fedora 12/OpenBSD) and they don't think to investigate what is happening there (ext4 is apparently good at these tests)? A similar thing comes up in the Sudokut benchmark - Fedora takes nearly five times as long as Debian? Really?

Joachim
Re: 1 out of 3 hunks failed--saving rejects to kerberosV/src/lib/krb5/crypto.c.rej
On Mon, Jun 21, 2010 at 03:03:08PM +0200, Tony Berth wrote:
> did the following:
>
> after navigating to: http://openbsd.org/anoncvs.html#starting
>
> applied:
>
> # cd /usr; cvs checkout -P -rOPENBSD_4_7 src
>
> using cvsroot=anon...@anoncvs.fr.openbsd.org:/cvs

That gets you -stable. Don't apply patches to that; just rebuild the system from it (http://openbsd.org/faq/faq5.html#Bld).

Joachim
Re: Is there any crypt device that support both linux and OpenBSD?
On Sun, Jun 20, 2010 at 01:54:21PM +0800, Aaron Lewis wrote:
> > Aaron Lewis wrote:
> > > I'm looking for some crypt methods that will encrypt the whole disk, rather than saving it to a single file. And I need it to be supported by both Linux and OpenBSD; is it possible?
> >
> > in most cases something that encrypts a whole disk or partition is kernel / FS level (...) almost every OS has a separate disk encryption method (...)
>
> Understood, FS needs a kernel driver, which makes it hard to port my encrypted disk to other OSes. So... if I use a single file, I'm just worrying: if my file size keeps growing, will there be a problem?

If you can just unencrypt and re-encrypt whenever necessary, use gnupg (with the --symmetric option if you don't want to deal with keys) or somesuch. Do be careful about temporary files, but this can be made quite convenient (consider e.g. http://www.vim.org/scripts/script.php?script_id=661). Otherwise, you may consider the old and crufty security/cfs port; it may be cross-platform.

Joachim
Re: disk geometry issues when trying to set up encrypted partition
On Thu, Jun 17, 2010 at 01:35:29PM +0200, Robert wrote:
> Joachim Schipper wrote:
> > Easy enough, just create a softraid CRYPTO volume on top of a softraid RAID-0 volume. Do keep good backups, including of the key you use.
>
> I remember that I asked something similar a year ago and the answer was rather "don't do it" - is this still valid? (creating a softraid crypto on top of softraid 0/1)
>
> http://marc.info/?l=openbsd-misc&m=125139976027774

It may well be. Good catch.

Joachim
Re: disk geometry issues when trying to set up encrypted partition
On Wed, Jun 16, 2010 at 08:43:29PM +0100, Harry Palmer wrote:
> Beginning my effort to encrypt a 300GB drive in a 64bit Ultrasparc, I followed these initial steps:
>
> 1. used disklabel to create a single slice a on the drive
> 2. made a file system with newfs (is it necessary to have so many backup superblocks?)

Why don't you just use softraid(8)? No need for a filesystem, and this particular use-case (encrypted disk) is in the EXAMPLES section of the man page.

> 3. mounted sd2a on /home/cy and touched it with an empty file /home/cy/cryptfile
> 4. zeroed out the file (and effectively the drive) with dd if=/dev/zero of=/home/cy/cryptfile bs=512

Again, why don't you work with the disk directly? Doing "dd if=/dev/zero of=/dev/rsd0a conv=notrunc" would work fine. (notrunc is useful to wipe the last bytes if you use a different blocksize - 512 is the default, but on the low side.)

> Now I have:
>
> # disklabel sd2a
>
> and:
>
> # df -h
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/sd0a     1007M   44.8M    912M     5%    /
> /dev/sd0k      247G    2.0K    235G     0%    /home
> /dev/sd0d      3.9G    6.0K    3.7G     0%    /tmp
> /dev/sd0f      2.0G    559M    1.3G    29%    /usr
> /dev/sd0g     1007M    162M    795M    17%    /usr/X11R6
> /dev/sd0h      5.9G    212K    5.6G     0%    /usr/local
> /dev/sd0j      2.0G    2.0K    1.9G     0%    /usr/obj
> /dev/sd0i      2.0G    2.0K    1.9G     0%    /usr/src
> /dev/sd0e      7.9G    7.7M    7.5G     0%    /var
> /dev/sd2a      275G    275G  -13.7G   105%    /home/cy
>
> I have no understanding of this. I've never seen a df output that tells me I'm using 13GB more space than the drive is capable of holding.

This is perfectly fine. newfs reserves, by default, 5% of all available space for use by the root user only. This is useful in two ways: it means root can squeeze a bit more data on the filesystem, and it prevents the performance degradation that comes with completely filling up a (ffs) filesystem. What you are seeing is that the *entire* disk has been used, including reserved space.

Joachim
Re: disk geometry issues when trying to set up encrypted partition
On Thu, Jun 17, 2010 at 09:43:46AM +0100, Harry Palmer wrote:
> > Have you considered softraid crypto?
>
> Thanks for this independent advice. Looks like it works at the block device level, which must be better.
>
> I must say that while the official OpenBSD documentation I've seen is second to none, there seems to be relatively little information out there on data encryption (compared to the biblical tomes on the subject in the Linux world). I tend to look through practical examples and tutorials when I try something new, and the one I found for this was three years old.

The OpenBSD culture is not one of HOWTOs. You'll have to read the man pages and FAQ to get the information, I'm afraid.

> What I'm trying to achieve is to stripe a few of these 300GB disks together and encrypt the resulting large volume.

Easy enough, just create a softraid CRYPTO volume on top of a softraid RAID-0 volume. Do keep good backups, including of the key you use.

Joachim