Re: ntpd.conf - add ability to read servers from an include file?

2015-01-29 Thread Nex6|Bill
 On Jan 29, 2015, at 10:10 AM, Theo de Raadt dera...@cvs.openbsd.org
wrote:

 Basically for the sake of automated deployments it would be nice / clean
 to be able to do :

 includeservers /path/to/file

 And then read them all from the file.  And the same file would be used
 as a table in pf.conf for NTP FW rules.  One server per line.

 This would make initial deployments easier to automate (no need to
 programmatically alter the config file), and then if you need to change
 your NTP servers post-deployment it is cleaner as well with less chance
 of human error. i.e. changing pf.conf is riskier than changing ntpd.conf

 I do not see much value in these nested include mechanisms.  Honestly,
 OpenBSD is now shipping without a ntpd.conf file.  You create this
 file, thus you own it.  Having you create a file (ntpd.conf) which
 points to another file (/etc/serverlist?) you also create, that is
 kind of crazy.

 /etc/pf.conf is also on my list for removal as well, so that it
 becomes more of a user-owned file.  The idea here is that you would
 look at the examples, and then create your own, and upgrades /
 sysmerge would not touch your file.

 I believe if we do this right, it will prod people towards creating
 narrower role-specific configurations for their machines.


Having simpler config models and narrow roles would be a good thing.

-Nex6

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]
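Theo's reply above rejects an include directive, but the deployment problem in the original request (one list of NTP servers that both ntpd and pf agree on) is easy to solve by generating both files from that list. The following is an added example, not code from the thread or from the OpenBSD project; the list file name, the output paths and the pf table name are assumptions. pf.conf(5) already loads a table from a file with `table <name> persist file "..."`, so only the ntpd.conf side needs rendering. The list is restricted to literal addresses because pfctl(8) resolves hostnames in a table file once at load time while ntpd(8) resolves them on its own schedule, so a hostname could make the two daemons disagree later.

```python
"""Added example, not from the thread or from OpenBSD: one list file feeds
both ntpd.conf and a pf table, so neither config needs an include directive.
File names and the table name are assumptions."""
import ipaddress
import sys


def parse_server_list(text):
    """One server per line, '#' starts a comment, blank lines are ignored.

    Entries must be literal IPv4/IPv6 addresses (see the lead-in for why
    hostnames are refused). Returns (servers, errors)."""
    servers, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            servers.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            errors.append(f"line {lineno}: {entry!r} is not an IP address")
    return servers, errors


def render_ntpd_conf(servers):
    """ntpd.conf(5) 'server' lines, one per address."""
    return "".join(f"server {s}\n" for s in servers)


def render_pf_fragment(list_path, table="ntp_servers"):
    """pf.conf(5) lines: load the same list file as a persistent table and
    allow outbound NTP to exactly those hosts."""
    return (f'table <{table}> persist file "{list_path}"\n'
            f'pass out quick proto udp to <{table}> port ntp\n')


def main(list_path="/etc/ntp_servers", ntpd_conf="/etc/ntpd.conf",
         pf_fragment="/etc/pf.ntp.conf"):
    """Render both files; refuse to write anything if the list has errors."""
    with open(list_path) as f:
        servers, errors = parse_server_list(f.read())
    if errors:
        sys.exit("\n".join(errors))
    with open(ntpd_conf, "w") as f:
        f.write(render_ntpd_conf(servers))
    with open(pf_fragment, "w") as f:
        f.write(render_pf_fragment(list_path))


if __name__ == "__main__":
    main(*sys.argv[1:])
```

The pf fragment is meant to be pulled in from the main ruleset with pf.conf's own `include "/etc/pf.ntp.conf"` directive; after changing the list, re-run the script and reload both daemons (`pfctl -f /etc/pf.conf`, `rcctl restart ntpd`). Because the script validates the whole list before writing, a typo in the list leaves both existing configs untouched rather than half-updated.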



Re: What are the disadvantages of soft updates?

2015-01-28 Thread Nex6|Bill
 On Jan 23, 2015, at 6:47 PM, Steve Shockley steve.shock...@shockley.net
wrote:

 On 1/22/2015 9:13 AM, Reyk Floeter wrote:
 What release and what virtualized SCSI controller were you using?

 I found my old notes, it turns out it was on 4.6 and the crash message was:

 softdep_setup_freeblocks: got error 5 while accessing filesystem
 dev = 0x404, block = 1315, fs = /var
 panic: ffs_blkfree: freeing free frag
 Stopped at  Debugger+0x4:   leave

 I have screenshots of trace and ps I can send if interested, but I'm sure a
lot has been fixed in the interim.  I can also attempt to reproduce on
-current if you want, but even at its worst it'd stay up for a month or two
before crashing.


I noticed that with *nix machines and ESXi/SAN setups, *nix is not very
forgiving of SAN issues.

-Nex6




Re: What are the disadvantages of soft updates?

2015-01-28 Thread Nex6|Bill
 On Jan 23, 2015, at 12:53 PM, Ingo Schwarze schwa...@usta.de wrote:
 
 Hi Predrag,
 
 Predrag Punosevac wrote on Fri, Jan 23, 2015 at 03:24:00PM -0500:
 
 I was following this discussion with great interest but without
 intent to participate in it until today.
 
 Namely one of my OpenBSD servers (5.6 sparc64) runs Mollify and last
 night I received an e-mail from an angry user who could not upload files
 (the upload will fail or upload the file with file size zero). After
 running df I noticed that /tmp was 100% full (4GB used) but the size of
 individual files was only 12Kb.
 
 That is unlikely to be due to softdep.  The usual reason for a file
 system to be actually full and seemingly almost empty at the same
 time is somebody doing the following sequence of operations:
 
 - open(2) a file for writing
 - writing a lot of data until the file system is full
 - unlink(2) the file
 - keep the process running that open(2)'ed it
 - let that process keep the file open and *not* close(2) it
 
 Specifically, in /tmp, anybody can do that.
 
 I thought for a second and I remember seeing this with HAMMER on DF.
 
 The above works with almost any file system.
 
 Long story short, I checked /etc/fstab and
 sure enough I had rw,softdep next to each partition, including tmp. I
 removed softdep, rebooted the system and /tmp usage dropped to 0%.
 
 That's not likely to be related to softdep either.  Chances are
 just rebooting would have solved the issue as well - simply because
 rebooting terminates all running processes, and consequently closes
 all open files.
 
 What you should have done instead was run fstat(1), look for processes
 having files open in /tmp, use ls(1) -iRa /tmp to find the inode
 numbers of linked files in /tmp, and kill the processes having files
 open that were *not* linked until you found the one having the big
 file open - and then have a friendly talk with the responsible user,
 if any, or figure out what went wrong in case some daemon process
 caused the issue.
 
 My question is: which partitions should be mounted with the softdep
 option?
 
 I'm not an expert on that and hardly ever use softdep, but I'd say
 on file systems where file create/delete performance is *critically*
 important, performance has been clearly demonstrated to be insufficient
 without softdep, and you consider data loss harmless.
 
 Is there a way to prune metadata which will save me from problems like
 the one I encountered last night?
 
 I'm not convinced that's a good question to ask.
 
 Yours,
  Ingo
 



This email/post has some very good information in it.  Thanks.


-Nex6

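Ingo's diagnosis (a process holding an unlinked file open, so df shows the space used while ls shows almost nothing) and his fstat/ls -i procedure can be reproduced on any POSIX system. The following is an added example, not code from the thread; it builds the situation in a scratch directory (a constructed input), then shows the two signals an administrator can read: fstat(2) reports a link count of 0 on the open descriptor, and the descriptor's inode appears in no directory listing. Real fstat(1) does the descriptor side across every process on the box; this script can only inspect its own.

```python
"""Added example, not from the thread: reproduce the full-but-empty /tmp case
Ingo describes (open, write, unlink, keep the fd) and the two signals an
admin can use to find it. The scratch directory is a constructed input."""
import os
import tempfile


def make_unlinked_hog(directory, nbytes):
    """open(2) a file, fill it, unlink(2) it, and keep the descriptor open.
    The directory entry is gone, but the blocks stay allocated until the
    last descriptor is closed. Returns (fd, inode)."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="hog.")
    chunk = b"x" * 65536
    left = nbytes
    while left > 0:
        left -= os.write(fd, chunk[:min(left, len(chunk))])
    ino = os.fstat(fd).st_ino
    os.unlink(path)
    return fd, ino


def linked_inodes(directory):
    """Inode numbers still reachable by name under directory: the
    ls -iRa side of Ingo's procedure."""
    inos = set()
    for root, dirs, files in os.walk(directory):
        for name in dirs + files:
            try:
                inos.add(os.lstat(os.path.join(root, name)).st_ino)
            except FileNotFoundError:
                pass  # raced with a concurrent unlink; harmless for a sweep
    return inos


def orphaned_fds(fds, directory):
    """The fstat(1) side: open descriptors whose inode has no name left
    under directory. Those are the candidates to kill (or talk to)."""
    linked = linked_inodes(directory)
    return [fd for fd in fds if os.fstat(fd).st_ino not in linked]


def demo(directory=None, nbytes=1 << 20):
    """Run the scenario and report what fstat(2)/statvfs(3) show at each step.
    With no directory given, a throwaway temp directory is used."""
    if directory is None:
        with tempfile.TemporaryDirectory() as scratch:
            return demo(scratch, nbytes)
    fd, ino = make_unlinked_hog(directory, nbytes)
    st = os.fstat(fd)
    report = {
        "nlink_while_open": st.st_nlink,   # 0: no name, but still allocated
        "size_while_open": st.st_size,
        "orphan_found": orphaned_fds([fd], directory) == [fd],
        "free_blocks_while_open": os.statvfs(directory).f_bfree,
    }
    os.close(fd)                           # the only way to release the space
    report["free_blocks_after_close"] = os.statvfs(directory).f_bfree
    return report


if __name__ == "__main__":
    print(demo())
```

On a quiet filesystem `free_blocks_after_close` is larger than `free_blocks_while_open` by roughly the file size in blocks, which is the df(1) symptom from the original report; the block does not assert on that difference because other writers on the same filesystem can move it. Note that a reboot "fixes" this for exactly the reason Ingo gives: every process exits, every descriptor closes, and the kernel finally frees the blocks.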



Re: What are the disadvantages of soft updates?

2015-01-28 Thread Nex6|Bill
 On Jan 28, 2015, at 9:03 PM, Ted Unangst t...@tedunangst.com wrote:

 On Fri, Jan 23, 2015 at 21:47, Steve Shockley wrote:
 On 1/22/2015 9:13 AM, Reyk Floeter wrote:
 What release and what virtualized SCSI controller were you using?

 I found my old notes, it turns out it was on 4.6 and the crash message
was:

 softdep_setup_freeblocks: got error 5 while accessing filesystem
 dev = 0x404, block = 1315, fs = /var
 panic: ffs_blkfree: freeing free frag
 Stopped at  Debugger+0x4:   leave

 error 5 is EIO, input/output error. softdep does not support disks
 that don't work, to put it bluntly. The original FFS code can cope
 with disk failure by backing out of the operation, but soft updates
 reorders things and can't undo what's already been done.


Bad multi-path routes, or having bad disks in the array.

-Nex6




Re: security - pass the hash style attacks?

2014-11-03 Thread Nex6|Bill
On Nov 3, 2014, at 4:28 AM, Jérémie Courrèges-Anglas j...@wxcvbn.org wrote:

 Philip Guenther guent...@gmail.com writes:

 [apologies for the contentless previous message]

 On Sun, Nov 2, 2014 at 4:43 PM, Philip Guenther guent...@gmail.com
wrote:
 On Sun, Nov 2, 2014 at 4:41 PM, Nex6|Bill n6gh...@yahoo.com wrote:
 ...
 what about kerberos? (windows K5 vs Unix K5?)

 There's a bunch of *really good* papers on Kerberos's design which
 discuss exactly these sorts of issues and how they are addressed or
 completely avoided.  I remember finding the one cast as a dialog
 between two system programmers (one named Athena...) as a good intro
 on this stuff.

 Yup.  First tutorial link on this page:

  http://web.mit.edu/kerberos/papers.html

 --
 jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Here is a pretty good Black Hat talk about this: though it's Windows-specific,
the gist of it is that Kerberos is just as
broken as NTLM, since enforcement is client side….


-Nex6




security - pass the hash style attacks?

2014-11-02 Thread Nex6|Bill
I know that “pass the hash” is now getting a lot of playtime on Windows, and
I have heard in a couple of talks
that it's directly related to the “SSO” part of the OS, and may be part of POSIX?

Is OpenBSD, or BSD in general, vulnerable to these style attacks? Or just the
normal Unix dump-the-/etc/passwd-table-for-offline-attacks sort of
stuff?

Thoughts?


-Nex6




Re: OpenBSD 5.6 Released

2014-11-02 Thread Nex6|Bill
I see TCP wrappers have been removed; I am assuming using only PF is the
practice now for the stuff people were using TCP wrappers for…

and, thanks for the hard work…



-Nex6


On Nov 1, 2014, at 10:22 AM, Antoine Jacoutot ajacou...@openbsd.org wrote:

 November 1, 2014.

 We are pleased to announce the official release of OpenBSD 5.6.
 This is our 36th release on CD-ROM (and 37th via FTP/HTTP).  We remain
 proud of OpenBSD's record of more than ten years with only two remote
 holes in the default install.

 As in our previous releases, 5.6 provides significant improvements,
 including new features, in nearly all areas of the system:

 - LibreSSL:
o This release forks OpenSSL into LibreSSL, a version of the
  TLS/crypto stack with goals of modernizing the codebase, improving
  security, and applying best practice development processes.
o No support for legacy MacOS, Netware, OS/2, VMS and Windows
  platforms, as well as antique compilers.
o Removal of the IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST,
  GMP, CSwift, CHIL, CAPI, Atalla and AEP engines, either because
  the hardware is irrelevant, or because they require external
  non-free libraries to work.
o No support for FIPS-140 compliance.
o No EBCDIC support.
o No support for big-endian i386 and amd64 platforms.
o Use standard routines from the C library (malloc, strdup,
  snprintf...) instead of rolling our own, sometimes badly.
o Remove the old OpenSSL PRNG, and rely upon arc4random_buf from
  libc for all the entropy needs.
o Remove the MD2 and SEED algorithms.
o Remove J-PAKE, PSK and SRP (mis)features.
o Aggressive cleaning of BN memory when no longer used.
o No support for Kerberos.
o No support for SSLv2.
o No support for the questionable DTLS heartbeat extension.
o No support for TLS compression.
o No support for US-Export SSL ciphers.
o Do not use the current time as a random seed in libssl.
o Support for ChaCha and Poly1305 algorithm.
o Support for Brainpool and ANSSI elliptic curves.
o Support for AES-GCM and ChaCha20-Poly1305 AEAD modes.

 - Improved hardware support, including:
o SCSI Multipathing support via mpath(4) and associated path drivers
  on several architectures.
o New qlw(4) driver for QLogic ISP SCSI HBAs.
o New qla(4) driver for QLogic ISP2100/2200/2300 Fibre Channel HBAs.
o New upd(4) sensor driver for USB Power Devices (UPS).
o New brswphy(4) driver for Broadcom BCM53xx 10/100/1000TX Ethernet
  PHYs.
o New uscom(4) driver for simple USB serial adapters.
o New axen(4) driver for ASIX Electronics AX88179 10/100/Gigabit USB
  Ethernet devices.
o The inteldrm(4) and radeondrm(4) drivers have improved
  suspend/resume support.
o The userland interface for the agp(4) driver has been removed.
o The rtsx(4) driver now supports card readers based on the RTS5227
  and RTL8402 chipsets.
o The firmware for the run(4) driver has been updated to version 0.33.
o The run(4) driver now supports devices based on the RT3900E
  chipset.
o The zyd(4) driver, which was broken for some time, has been fixed.
o The bwi(4) driver now works in systems with more than 1GB of RAM.
o The re(4) driver now supports devices based on the RTL8168EP/8111EP,
  RTL8168G/8111G, and RTL8168GU/8111GU chipsets.

 - Generic network stack improvements:
o divert(4) now supports checksum offload.
o IPv6 is now turned off on new interfaces by default. Assigning an
  IPv6 address will enable IPv6 on an interface.
o Support for RFC4620 IPv6 Node Information Queries has been removed.
o The kernel no longer supports the SO_DONTROUTE socket option.
o The getaddrinfo(3) function now supports the AI_ADDRCONFIG flag
  defined in RFC 3493.
o Include router alert option (RAO) in IGMP packets, as required by
  RFC2236.
o ALTQ has been removed.
o The hash tables for the Protocol Control Blocks (PCB) of TCP and UDP now
  resize automatically on load.

 - Installer improvements:
o Remove ftp and tape as install methods.
o Preserve the disklabel (and next 6 blocks) when installing boot
  block on 4k-sector disk drives.
o Change the Server? question to HTTP Server? to allow unambiguous
  autoinstall(8) handling.
o Allow autoinstall(8) to fetch and install sets from multiple
  locations.
o Many sample configuration files have moved from /etc to
  /etc/examples.

 - Routing daemons and other userland network improvements:
o When used with the -v flag, tcpdump(8) now shows the actual bad
  checksum within the IP/protocol header itself and what the good
  checksum should be.
o ftp(1) now allows its User-Agent to be changed via the -U
  command-line option.
o The -r option of ping(8) and traceroute(8) has been removed.
o ifconfig(8) can now explicitly assign an IPv6 link-local address

Re: security - pass the hash style attacks?

2014-11-02 Thread Nex6|Bill
On Nov 2, 2014, at 4:30 PM, Philip Guenther guent...@gmail.com wrote:

 On Sun, Nov 2, 2014 at 4:05 PM, Nex6|Bill n6gh...@yahoo.com wrote:
 I know, that “pass the hash” is now getting a lot of playtime on windows.
and
 I have heard in a couple of talks
 that its directly related to “SSO” part of the OS, and may be part of
posix?

 Nope.  It's just a bad (as in, completely broken) design for the NTLM
 and LanMan authentication protocols.

So, any machine/OS that's authenticating with a PtH-vulnerable protocol, namely
LanMan/NTLM, would be vulnerable to this no matter the OS.

what about kerberos? (windows K5 vs Unix K5?)




 is OpenBSD, or BSD in general vulnerable to these style attacks?

 The vulnerability is the authentication protocol/method, independent
 of the operating system.
 If you used NTLM or LanMan password authentication on OpenBSD,  you
 would be vulnerable.
 You would also have to be insane.


 or just the normal unix dump the password /etc/passwd table for offline
attacks sorts of
 stuff?

 For the authentication methods in base, correct.

So, for OpenBSD you would have to get /etc/passwd for an offline attack on
the password hashes,
and for that they would need a user account to log on to the system, or to have
compromised the system in such a
way that they could copy /etc/passwd.

Other types of attacks would be brute force against sshd sorts of stuff, which
could be detected and mitigated.






 Philip Guenther




Laptop Support?

2014-05-25 Thread Nex6|Bill
I may be changing positions, so I may be getting a new laptop. I would like to
request one that has good OpenBSD support. What are some models that are well
supported?

-Nex6



aliases - ksh

2014-04-20 Thread Nex6|Bill
Kinda new to OpenBSD (have a couple of 5.4 installs in VMs); what's the
standard for aliases? I added them to .profile, but some googling seems to
indicate that that won't work, that you have to export and do a .kshrc file?
So what's the standard?

-Nex6



laptop support for HP 8540W

2014-04-13 Thread Nex6|Bill
Anyone know how well an HP 8540W is supported?



Gnome and OpenBSD 5.4

2014-04-01 Thread Nex6|Bill
I am trying to get Gnome to work, and it's giving me fits. I tried to follow
this link:
Tutorial: Install Gnome Desktop and Gnome Display Manager on
OpenBSD 4.8 - GabSoftware


for the most part, but now instead of booting to gdm
or xdm it boots to the console, and when I startx it
says file
/root/.serverauth does not exist.

Any ideas on what I missed?

-Nex6