Re: leaving linux - questions about capabilities

2014-12-30 Thread Rusty

On 12/29/14 08:17, Christopher Barry wrote:

Greetings All,

I've used OpenBSD in the past to build redundant routers and firewalls
and it was fantastic, but it's been quite a few years since I've played
with it. I've also never used it as my default workstation. Yet.

I've always used Debian GNU/Linux on my workstations in the past,
but with jessie/sid (and practically all other linux distros) the
direction the linux userspace has taken is a serious turn for the worse
IMO. I am simply philosophically at odds with systemd, and I would like
to stop relying on linux altogether if possible. My problem is I have
specific needs, and it's not clear if I can meet them running OpenBSD.
I'm hoping I can, and someone can share their experiences with making a
similar setup work.

Firstly, I'm running an i7 960 with a PCI-e ATI Radeon 7850 in a three
monitor configuration (2 direct DVI and 1 active HDMI-to-DVI dongle)
using the OpenSource Radeon linux driver @1920x1200 on each monitor.
I'm using enlightenment 17.6 as my window manager. I use and rely on
blender a /lot/ with hardware accelerated
OpenGL, and having three monitors is important for my graphics work.

Is anyone running OpenBSD with three monitors? With blender, hw-accel
OpenGL, and/or E1{7,8,9}?


Your thoughts, knowledge, and possibly links to more info would be
very greatly appreciated.

Thank You.

--
-C


As this is a "getting to know you" thread.

I use OpenBSD in a "desktop" role.
Snapshots on an Intel i5 with a Radeon 6950, two screens (my card chokes
on the third screen but I think that is hardware).


I like the "one dimensional desktop" style setup, that is, spectrwm and
lots of xterms. For what it's worth, spectrwm has the best multiscreen
support I have seen.


I don't use blender every day, but I do find it handy from time to time
(for me, 3D printing stuff). The maintainer tends to keep it nicely up to
date, which I appreciate as it looks like it is a bitch and a half to build.


I update the snapshots every couple of weeks when I want to try whatever
new stuff comes out of the pipe (*cough*, and libc bumps, *cough*).


One thing I would recommend is to look at login.conf(5) and set the
memory limits to something gratuitous; many of the "desktop"
applications like to use a lot of memory.


And as far as overall experience, I think obsd is a little "slower" than
linux (whatever that means) but the simplicity and correctness of the
system (obsd was the first/only system where I feel I understand how the
whole thing works) means I enjoy using it quite a bit more.


So good luck, and I hope it works out for you as well as it did for me.



Re: ssl handshake errors with python

2014-11-05 Thread Rusty

On 11/05/14 20:04, Joel Sing wrote:

On Thu, 6 Nov 2014, Ted Unangst wrote:

I see errors trying to download some https URLs using python, but the
base ftp client isn't affected. 5.6 release and current. One example is
https://www.duosecurity.com/feed.

athens:/tmp> python2.7
Python 2.7.8 (default, Oct  6 2014, 13:51:42)
[GCC 4.2.1 20070719 ] on openbsd5
Type "help", "copyright", "credits" or "license" for more information.


>>> import urllib
>>> urllib.urlopen('https://www.duosecurity.com/feed')
Traceback (most recent call last):
   File "<stdin>", line 1, in <module>
   File "/usr/local/lib/python2.7/urllib.py", line 87, in urlopen
 return opener.open(url)
   File "/usr/local/lib/python2.7/urllib.py", line 208, in open
 return getattr(self, name)(url)
   File "/usr/local/lib/python2.7/urllib.py", line 437, in open_https
 h.endheaders(data)
   File "/usr/local/lib/python2.7/httplib.py", line 991, in endheaders
 self._send_output(message_body)
   File "/usr/local/lib/python2.7/httplib.py", line 844, in _send_output
 self.send(msg)
   File "/usr/local/lib/python2.7/httplib.py", line 806, in send
 self.connect()
   File "/usr/local/lib/python2.7/httplib.py", line 1198, in connect
 self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
   File "/usr/local/lib/python2.7/ssl.py", line 392, in wrap_socket
 ciphers=ciphers)
   File "/usr/local/lib/python2.7/ssl.py", line 148, in __init__
 self.do_handshake()
   File "/usr/local/lib/python2.7/ssl.py", line 310, in do_handshake
 self._sslobj.do_handshake()
IOError: [Errno socket error] [Errno 1] _ssl.c:510: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


The server requires SNI, which libtls/ftp(1) does. If you make s_client do SNI
it works:

$ openssl s_client -connect www.duosecurity.com:443 \
   -servername www.duosecurity.com

So you'd need to make Python handle SNI if you want to talk to it... FWIW the
site is hosted on Amazon Cloudfront, so you'll probably see the same with any
other site that uses it.


athens:/tmp> ftp https://www.duosecurity.com/feed
Trying 54.192.22.134...
Requesting https://www.duosecurity.com/feed
118278 bytes received in 0.17 seconds (673.14 KB/s)


hmm. not documented at all.
I am not sure if this actually explains anything but it throws a few 
names and acronyms around that can be used for further information.


--- /usr/share/man/man1/openssl.1   Fri Oct 31 17:43:53 2014
+++ openssl.1   Wed Nov  5 23:33:46 2014
@@ -6617,6 +6617,7 @@
 .Op Fl psk_identity Ar identity
 .Op Fl quiet
 .Op Fl reconnect
+.Op Fl servername Ar host
 .Op Fl showcerts
 .Op Fl ssl3
 .Op Fl starttls Ar protocol
@@ -6773,6 +6774,8 @@
 .It Fl reconnect
 Reconnects to the same server 5 times using the same session ID; this can
 be used as a test that session caching is working.
+.It Fl servername Ar host
+Use specified host name as the Server Name Indicater (SNI)
 .It Fl showcerts
 Display the whole server certificate chain: normally only the server
 certificate itself is displayed.
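
Review bot: the description line added under ".It Fl servername Ar host" misspells the term and has no closing period. SNI stands for Server Name Indication, so the text should read "Use specified host name as the Server Name Indication (SNI)." It would also help to add one sentence saying that the name is sent in the TLS ClientHello and that a server hosting several certificates on one address may reject the handshake without it, since that is the failure reported earlier in this thread.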



Re: enumerate sndio devices

2014-10-31 Thread Rusty

On 10/30/14 06:12, Remco wrote:

In article <5451b32e.7060...@outband.net> you wrote:

I feel as if I am overlooking something obvious, but...

Is there a way to list sndio endpoints?



Unless someone has a better idea, I think you need to look at your dmesg.
Look for lines "audioN at whatever". The audioN device should correspond
to a (r)snd/N sndio device. AFAICT the rsnd/N devices are always
accessible if a corresponding audioN device is available. The snd/N
devices are made available by sndiod.

If you have multiple audio devices I think it's necessary to specify them
in /etc/rc.conf.local in order to make them available through sndiod.
e.g. sndiod_flags="-f rsnd/0 -f rsnd/1"


Specifically, I was trying to attach a scope (probably one of the ffplay
visualizations) to the main output. However, I could not figure out what
endpoints exist.




I don't know if this is what you want, if I connect my USB camera I'm able
to get a visualisation by tapping my finger on the camera while running:
ffplay -f sndio snd/1


Big thanks for all the help.

It was just a silly idea that I had after reading sndiod(1)

"I bet I can get the spectrogram in ffplay to show my system sound"

I knew it should be easy, unfortunately I was unable to figure out what 
to read to get ffplay to display what I wanted.


So, while the question was stupid and the answers were simple, that was 
exactly what I needed to start doing more than just passively using sndio.


Salutes



enumerate sndio devices

2014-10-29 Thread Rusty

I feel as if I am overlooking something obvious, but...

Is there a way to list sndio endpoints?

Specifically, I was trying to attach a scope (probably one of the ffplay
visualizations) to the main output. However, I could not figure out what
endpoints exist.




edge router lite prompt-less boot

2014-09-26 Thread Rusty

Good morning misc/

I purchased a couple of Ubiquiti EdgeRouter Lite boxes.

And while the Ubiquiti OS is "ok" (better than most small home routers
anyhow) I quickly started missing my obsd; this is why I bought them
after all.


I am fine netbooting for the time being. However, are there any hints to
skip the prompt for the root device?


You know, the one asking for
root device:

I would also welcome any hints on updating a diskless set.
My current method is based roughly on the install script.

detar sets preserving permissions (excepting etc??.tgz)
reboot into the arch's bsd.rd to rebuild device nodes
reboot and run sysmerge to merge etc??.tgz


full serial boot log:

Looking for valid bootloader image
Jumping to start of image at address 0xbfc8


U-Boot 1.1.1 (UBNT Build ID: 4493936-g009d77b) (Build time: Sep 20 2012 
- 15:48:51)


BIST check passed.
UBNT_E100 r1:2, r2:14, serial #: DC9FDB803A4D
Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM:  512 MB
Clearing DRAM... done
Flash:  4 MB
Net:   octeth0, octeth1, octeth2

USB:   (port 0) scanning bus for devices... 1 USB Devices found
   scanning bus for storage devices...
  Device 0: Vendor:  Prod.: USB DISK 2.0 Rev: PMAP
Type: Removable Hard Disk
Capacity: 3700.6 MB = 3.6 GB (7579008 x 512)
 0
Interface 0 has 3 ports (RGMII)
Using octeth0 device
TFTP from server 192.168.16.5; our IP address is 192.168.16.16
Filename 'bsd.sp.octeon'.
Load address: 0x9f0
Loading: octeth0: Up 1000 Mbps Full duplex (port  0)
###
done
Bytes transferred = 3734226 (38fad2 hex), 9855 Kbytes/sec
ELF file is 64 bit
Allocating memory for ELF segment: addr: 0x8100 (adjusted 
to: 0x100), size 0x3bfc70

Allocated memory for ELF segment: addr: 0x8100, size 0x3bfc70
Processing PHDR 0
  Loading 334bf8 bytes at 8100
  Clearing 8b078 bytes at 81334bf8
## Loading Linux kernel with entry point: 0x8100 ...
Bootloader: Done loading app on coremask: 0x1
Total DRAM Size 0x2000
Bank 0 = 0x013C   ->  0x0FFF
mem_layout[0] page 0x04F0 -> 0x3FFF
boot_desc->argv[1] = root=/dev/cnmac0
Initial setup done, switching console.
boot_desc->desc_ver:7
boot_desc->desc_size:400
boot_desc->stack_top:0
boot_desc->heap_start:0
boot_desc->heap_end:0
boot_desc->argc:2
boot_desc->flags:0x5
boot_desc->core_mask:0x1
boot_desc->dram_size:512
boot_desc->phy_mem_desc_addr:0
boot_desc->debugger_flag_addr:0xa44
boot_desc->eclock:5
boot_desc->boot_info_addr:0x1001f0
boot_info->ver_major:1
boot_info->ver_minor:2
boot_info->stack_top:0
boot_info->heap_start:0
boot_info->heap_end:0
boot_info->boot_desc_addr:0
boot_info->exception_base_addr:0x1000
boot_info->stack_size:0
boot_info->flags:0x5
boot_info->core_mask:0x1
boot_info->dram_size:512
boot_info->phys_mem_desc_addr:0x24108
boot_info->debugger_flags_addr:0
boot_info->eclock:5
boot_info->dclock:26600
boot_info->board_type:20002
boot_info->board_rev_major:2
boot_info->board_rev_minor:14
boot_info->mac_addr_count:3
boot_info->cf_common_addr:0
boot_info->cf_attr_addr:0
boot_info->led_display_addr:0
boot_info->dfaclock:0
boot_info->config_flags:0x8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2014 OpenBSD. All rights reserved. 
http://www.OpenBSD.org


OpenBSD 5.6 (GENERIC) #3: Thu Aug 14 15:00:46 CEST 2014
r...@erl.jasper.la:/usr/src/sys/arch/octeon/compile/GENERIC
real mem = 247709696 (236MB)
avail mem = 245399552 (234MB)
warning: no entropy supplied by boot loader
mainbus0 at root
cpu0 at mainbus0: Cavium OCTEON CPU rev 0.1 500 MHz, Software FP emulation
cpu0: cache L1-I 32KB 8192 way D 16KB 4096 way, L2 128KB 32768 way
clock0 at mainbus0: int 5
iobus0 at mainbus0
octcf at iobus0 base 0x1d000800 irq 0 not configured
pcibus at iobus0 irq 0 not configured
cn30xxgmx0 at iobus0 base 0x118000800 irq 48
cnmac0 at cn30xxgmx0: RGMII, address dc:9f:db:80:3a:4d
atphy0 at cnmac0 phy 7: F1 10/100/1000 PHY, rev. 2
cnmac1 at cn30xxgmx0: RGMII, address dc:9f:db:80:3a:4e
atphy1 at cnmac1 phy 6: F1 10/100/1000 PHY, rev. 2
cnmac2 at cn30xxgmx0: RGMII, address dc:9f:db:80:3a:4f
atphy2 at cnmac2 phy 5: F1 10/100/1000 PHY, rev. 2
octrng0 at iobus0 base 0x14000 irq 0
octhci at iobus0 irq 56 not configured
uar: ns16550, no working fifo
com0: console
com1 at uartbus0 base 0x118000c00 irq 35: ns16550, no working fifo
/dev/ksyms: Symbol table not valid.
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root device: cnmac0
nfs_boot: using interface cnmac0, with revarp & bootparams
nfs_boot: client_addr=192.168.16.16
nfs_boot: server_addr=192.168.16.5 hostname=erl1
root on doan:/export/diskless/host/erl

Advice requested on security issues

2008-01-04 Thread Rusty Gadd

I am seeking advice on the security aspects of the configuration of my home
system. I have 2 PC's, connected to the internet via a firewalled NAT
router. The main PC is an i386 P4 used for general computing, the second is
an older i386 P3 which I intend to dedicate to internet banking for maximum
security. I have installed OpenBSD on the P3 with just the xfce4 window
manager and the Mozilla Firefox browser. Both PC's have separate printers.

1: The P3 will only ever connect to bank websites, which I have to assume
are 'clean' (I might be able to disable scripting for some sites). However
malware may conceivably infect the main PC. Am I right in assuming I need to
run PF within OBSD on the P3 to protect against possible intrusion across
the LAN? Would this be enough? Also even within this minimal installation,
are there services which I could/should disable?

2: Space for the P3 is limited and I would like to remove its printer and
print bank statements across the LAN on the main PC (running Linux, or maybe
FreeBSD in future) using CUPS. Does this introduce security risks?

Any helpful comments would be much appreciated.

Russell



Re: Kuro5hin: OpenBSD Founder Theo deRaadt Has Conflict of Interest With AMD

2007-08-05 Thread Rusty

Thanks for your comments. I have added your response to the story.


--R


On Sun, 2007-08-05 at 15:06 -0600, Theo de Raadt wrote:
> > OpenBSD Founder Theo deRaadt Has Conflict of Interest With AMD
> >By David Marcus, 2007-08-05 03:41:29
> >Section: Technology, Topic:
> > 
> >I formerly had a great deal of respect, bordering on admiration, for
> > Theo deRaadt's refusals to compromise his open source principles, even in
> > the face of stiff opposition. Although he has occasionally gone
> > over-the-top, recommended some frankly very dubious changes to OpenBSD,
> > and is regularly arrogant (which is even more annoying because he's so
> > often right!), he's always remained consistent in his devotion to the
> > cause of GNU/Free Software.
> > 
> > http://www.kuro5hin.org/story/2007/8/2/15233/84896
> 
> Too bad the author of that article is totally lying.  Neither I or the
> project have no donation relationship with AMD.
> 
> The only donations the project ever got from AMD were three prototype
> AMD64 machines.
> 
> Two were given to us before the AMD64 had even shipped to the public,
> so that they could benefit from us running on AMD64 cpus.  They were
> desktop machines with Athlon HX processors at 1.6GHz.  One is in
> Sweden, the other in Calgary.  One nice thing about those machines is
> that the BIOS does no self tests, and therefore boots really really
> fast.
> 
> The third machine was a quad-cpu Opteron machine the size of a fridge,
> but that was quite a bit later, and it was surplus to us.  I think
> these were called "Melody" machines, or a name similar to that.
> 
> I am sure that we've had more hardware donations from Intel.  I am
> also sure we've had WAY MORE donations from VIA/Centaur, even yet.
> 
> I'd love to know that there have been more donations from AMD.  If
> there had been, perhaps we could spend them on a hackathon in the
> future.
> 
> It's amazing how people these days can just invent commentary out of
> their ass, and have thousands of people read it and change their bias.
> It's slander, that's exactly what it is, and I ask that the editors
> take that article down and force some sort of apologize for it.