Re: vlan problem

2019-01-29 Thread johnw
Hi, finally, following https://wiki.debian.org/NetworkConfiguration, I
made both OpenBSD and Debian support VLANs, and now I can ping/connect
from both sides.
Thanks.

On 29 Jan 2019 09:53:07 [GMT+08:00], johnw wrote:
>Hi, thank you first, and I think I totally misunderstood VLANs.
>
>I want to create a VLAN network because of minidlna / wifi.
>
>My OpenBSD system has 4 NICs (em0-3), and em2 is connected to a wifi
>router (tplink), which is already set up as a bridge,
>and the wifi clients (Sony TV/mobile) can request DHCP/IP from OpenBSD.
>
>And em3 is directly connected (no switch/hub, just a cat6 cable) to a
>Linux/Debian system,
>and this Debian is a KVM/LXC host, and the eth0 is already set up as a
>bridge (Debian/LXC/KVM can also request DHCP/IP from OpenBSD);
>one of the LXC guests is the minidlna server.
>
>I created bridge0 on OpenBSD (em2, em3 and vether0), with reference to
>https://www.openbsd.org/faq/faq6.html#Bridge,
>and set up 10.10.10.1/24 on vether0, so Debian (LXC/KVM/minidlna) and
>wifi (TV) are all on the same subnet (10.10.10.0/24),
>and I can see the minidlna server on the TV/mobile; it works.
>(One thing is that I need to run mcastproxy on vether0 to make minidlna/TV
>work, both up/down stream on vether0; before 6.4 this was not needed, I
>don't know why.)
>
>Now I want to try to set up a VLAN network like this. (I don't know if it
>is the proper way or even impossible.)
>em2 --> bridge0
>em3 --> 10.10.10.0/24 (debian/kvm/lvm on this)
>vlan3 --> on top of em3 --> bridge0
>vether0 --> bridge0
>(bridge0,vether0,em2,vlan3) --> 10.10.20.0/24  (wifi/tv/mobile on this)
>
>So I can split the two subnets (is it a good idea?), but also set the
>minidlna server to use 10.10.20.0/24 (the wifi network).
>
>I think I need to set up the Debian bridge to support VLAN tagging to
>achieve it, right?
>
>I am wondering how people set up a home network to serve DLNA (all
>IoT/computers on one subnet)?
>
>Thank you, thanks all.
>
>Zé Loff wrote on 2019-01-28 16:29:
>> On Mon, Jan 28, 2019 at 07:57:01PM +0800, johnw wrote:
>>> Hi, I want to create a VLAN network. I created two files:
>>> 
>>> hostname.vio0
>>> up
>>> 
>>> hostname.vlan0
>>> inet 10.10.10.101 255.255.255.0 10.10.10.255 parent vio0 vnetid 10
>>> 
>>> then rebooted.
>>> 
>>> I cannot ping 10.10.10.1.
>>> 
>>> If I create bridge0 and add vio0 and vlan0 to bridge0, then I can
>>> ping 10.10.10.1.
>>> 
>>> Or if I just use vio0 without vlan,
>>> hostname.vio0
>>> inet 10.10.10.101 255.255.255.0 10.10.10.255
>>> I can also ping 10.10.10.1.
>>> 
>>> Why is vlan0 not linked to vio0 (parent) without creating a bridge?
>>> 
>>> Is this normal? Am I misunderstanding VLANs?
>>> 
>>> (e.g. I also tried on a real machine with a hostname.em0 card, same
>>> result)
>>> 
>>> Thanks.
>>> 
>>> Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC
>> 
>> You don't give any details regarding the physical network (are both
>> machines virtual? are they connected directly? is there a switch
>> between them?) so we are left guessing.  Given the lack of
>> information, I'll just state some general stuff about VLANs and try
>> to guess what's happening.
>> 
>> Usually, packets run around without a VLAN tag (something that is
>> added to their header), so everything that leaves vio0 or em0 will
>> go out untagged, and usually when they get to an ordinary switch they
>> go out on all ports and get picked up by whichever machines are
>> connected to it.  These machines, unless configured otherwise, will
>> only pick up untagged packets.
>> 
>> When you configure a vlan device, you are appending a VLAN tag to
>> some of the packets that leave a physical interface.  Crucially, the
>> packets have to be received by a host that has an interface that is
>> "listening" on the same VLAN, i.e., that's expecting tagged packets
>> with the same vnetid.  So unless the receiving end also has a vlan
>> interface, it won't be expecting tagged packets and will thus ignore
>> them.
>> 
>> My guess is that in your case the other host has 10.10.10.1 on a
>> "normal" interface, instead of a tagged one.  And since it is not
>> expecting tagged packets for that subnet (or at all), it ignores the
>> ping.
>> 
>> To fix this you have two options: either create a vlan device on the
>> other host and configure it with 10.10.10.1 or have a managed switch
>> between both hosts that has a p

Re: vlan problem

2019-01-28 Thread johnw

Hi, thank you first, and I think I totally misunderstood VLANs.

I want to create a VLAN network because of minidlna / wifi.

My OpenBSD system has 4 NICs (em0-3), and em2 is connected to a wifi
router (tplink), which is already set up as a bridge,

and the wifi clients (Sony TV/mobile) can request DHCP/IP from OpenBSD.

And em3 is directly connected (no switch/hub, just a cat6 cable) to a
Linux/Debian system,
and this Debian is a KVM/LXC host, and the eth0 is already set up as a
bridge (Debian/LXC/KVM can also request DHCP/IP from OpenBSD);

one of the LXC guests is the minidlna server.

I created bridge0 on OpenBSD (em2, em3 and vether0), with reference to
https://www.openbsd.org/faq/faq6.html#Bridge,
and set up 10.10.10.1/24 on vether0, so Debian (LXC/KVM/minidlna) and
wifi (TV) are all on the same subnet (10.10.10.0/24),

and I can see the minidlna server on the TV/mobile; it works.
(One thing is that I need to run mcastproxy on vether0 to make minidlna/TV
work, both up/down stream on vether0; before 6.4 this was not needed, I
don't know why.)


Now I want to try to set up a VLAN network like this. (I don't know if it
is the proper way or even impossible.)

em2 --> bridge0
em3 --> 10.10.10.0/24 (debian/kvm/lvm on this)
vlan3 --> on top of em3 --> bridge0
vether0 --> bridge0
(bridge0,vether0,em2,vlan3) --> 10.10.20.0/24  (wifi/tv/mobile on this)

So I can split the two subnets (is it a good idea?), but also set the
minidlna server to use 10.10.20.0/24 (the wifi network).


I think I need to set up the Debian bridge to support VLAN tagging to
achieve it, right?


I am wondering how people set up a home network to serve DLNA (all
IoT/computers on one subnet)?


Thank you, thanks all.

Zé Loff wrote on 2019-01-28 16:29:

On Mon, Jan 28, 2019 at 07:57:01PM +0800, johnw wrote:

Hi, I want to create a VLAN network. I created two files:

hostname.vio0
up

hostname.vlan0
inet 10.10.10.101 255.255.255.0 10.10.10.255 parent vio0 vnetid 10

then rebooted.

I cannot ping 10.10.10.1.

If I create bridge0 and add vio0 and vlan0 to bridge0, then I can
ping 10.10.10.1.


Or if I just use vio0 without vlan,
hostname.vio0
inet 10.10.10.101 255.255.255.0 10.10.10.255
I can also ping 10.10.10.1.

Why is vlan0 not linked to vio0 (parent) without creating a bridge?

Is this normal? Am I misunderstanding VLANs?

(e.g. I also tried on a real machine with a hostname.em0 card, same result)

Thanks.





Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


You don't give any details regarding the physical network (are both
machines virtual? are they connected directly? is there a switch between
them?) so we are left guessing.  Given the lack of information, I'll
just state some general stuff about VLANs and try to guess what's
happening.

Usually, packets run around without a VLAN tag (something that is added
to their header), so everything that leaves vio0 or em0 will go out
untagged, and usually when they get to an ordinary switch they go out on
all ports and get picked up by whichever machines are connected to it.
These machines, unless configured otherwise, will only pick up untagged
packets.

When you configure a vlan device, you are appending a VLAN tag to some
of the packets that leave a physical interface.  Crucially, the packets
have to be received by a host that has an interface that is "listening"
on the same VLAN, i.e., that's expecting tagged packets with the same
vnetid.  So unless the receiving end also has a vlan interface, it won't
be expecting tagged packets and will thus ignore them.

My guess is that in your case the other host has 10.10.10.1 on a
"normal" interface, instead of a tagged one.  And since it is not
expecting tagged packets for that subnet (or at all), it ignores the
ping.

To fix this you have two options: either create a vlan device on the
other host and configure it with 10.10.10.1 or have a managed switch
between both hosts that has a port configured to VLAN 10 and that
untags the packets that leave that port.

When you bridge vio0 and vlan0 -- note: for clarity this should be
vlan10 and not vlan0, to match the vnetid. This is not mandatory but
makes the configuration easier to understand -- I am guessing that the
packet leaves the vio0 interface untagged, and that's why it gets picked
up on the other end.

Also, note that there is no requirement for a managed switch; unmanaged
switches will gladly pass tagged packets around.  However, unlike
managed switches, they won't forward them to specific ports and/or
untag them.


--
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC
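The tagged/untagged rule described in the reply above, as an added Python example that is not part of the thread: it builds constructed Ethernet frames with and without an 802.1Q tag and shows which interface on the receiving host would pick each one up. The vnetid 10 mirrors johnw's hostname.vlan0; the MAC addresses, payload and host interface tables are constructed, and the priority-tagged (VID 0) case goes one step beyond the thread.

```python
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame; with vid set, insert an 802.1Q tag.

    This is what a vlan(4) interface does on transmit: the tag carrying its
    vnetid goes between the source MAC and the real EtherType.
    """
    hdr = dst + src
    if vid is not None:
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); PCP/DEI left at 0
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
        if vid == 0:
            # VID 0 is "priority tagged": it carries only a PCP and belongs
            # to the untagged traffic, so treat it like an untagged frame.
            vid = None
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[off:]}


def deliver(frame: bytes, ifaces: Dict[str, Optional[int]]) -> Optional[str]:
    """Name the receiving-host interface that accepts the frame, or None.

    ifaces maps interface name -> vnetid it listens on; None is the "normal"
    untagged interface. A tagged frame is only picked up by an interface with
    the same vnetid; otherwise the host ignores it, as the reply explains.
    """
    vid = parse_frame(frame)["vid"]
    for name, vnetid in ifaces.items():
        if vnetid == vid:
            return name
    return None


def simulate() -> Dict[str, object]:
    """Replay the thread's situation with constructed frames and hosts."""
    mac_client = bytes.fromhex("020000000001")   # constructed, locally administered
    mac_gateway = bytes.fromhex("020000000002")  # constructed
    payload = b"\x45" + b"\x00" * 27             # stand-in for an IPv4 ping

    tagged = build_frame(mac_gateway, mac_client, payload, vid=10)  # via vlan0, vnetid 10
    untagged = build_frame(mac_gateway, mac_client, payload)        # via bare vio0

    gateway_plain = {"vio0": None}                # 10.10.10.1 on a "normal" interface
    gateway_vlan = {"vio0": None, "vlan10": 10}   # after adding a vlan device, vnetid 10

    return {
        "tagged_to_plain": deliver(tagged, gateway_plain),      # None: ping ignored
        "tagged_to_vlan": deliver(tagged, gateway_vlan),        # "vlan10"
        "untagged_to_plain": deliver(untagged, gateway_plain),  # "vio0"
        "tag_vid": parse_frame(tagged)["vid"],                  # 10
    }


if __name__ == "__main__":
    for case, result in simulate().items():
        print(f"{case}: {result}")
```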



Re: vlan problem

2019-01-28 Thread johnw
My system is:

OpenBSD 6.4-current (GENERIC.MP) #639: Sun Jan 27 14:27:05 MST 2019 
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Thanks.

On 28 Jan 2019 19:57:01 [GMT+08:00], johnw wrote:
>Hi, I want to create a VLAN network. I created two files:
>
>hostname.vio0
>up
>
>hostname.vlan0
>inet 10.10.10.101 255.255.255.0 10.10.10.255 parent vio0 vnetid 10
>
>then rebooted.
>
>I cannot ping 10.10.10.1.
>
>If I create bridge0 and add vio0 and vlan0 to bridge0, then I can ping
>10.10.10.1.
>
>Or if I just use vio0 without vlan,
>hostname.vio0
>inet 10.10.10.101 255.255.255.0 10.10.10.255
>I can also ping 10.10.10.1.
>
>Why is vlan0 not linked to vio0 (parent) without creating a bridge?
>
>Is this normal? Am I misunderstanding VLANs?
>
>(e.g. I also tried on a real machine with a hostname.em0 card, same result)
>
>Thanks.
>
>Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


vlan problem

2019-01-28 Thread johnw
Hi, I want to create a VLAN network. I created two files:

hostname.vio0
up

hostname.vlan0
inet 10.10.10.101 255.255.255.0 10.10.10.255 parent vio0 vnetid 10

then rebooted.

I cannot ping 10.10.10.1.

If I create bridge0 and add vio0 and vlan0 to bridge0, then I can ping
10.10.10.1.

Or if I just use vio0 without vlan,
hostname.vio0
inet 10.10.10.101 255.255.255.0 10.10.10.255
I can also ping 10.10.10.1.

Why is vlan0 not linked to vio0 (parent) without creating a bridge?

Is this normal? Am I misunderstanding VLANs?

(e.g. I also tried on a real machine with a hostname.em0 card, same result)

Thanks.





Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


/var/www/tmp permission

2018-12-13 Thread johnw
Hi, I want to run php-fpm as a uid other than www, but a non-www uid cannot
write session files to /var/www/tmp.
(Is it good or bad to run as a different uid?)

Why is the /var/www/tmp permission 1700?
Is it possible to make the /var/www/tmp permission 1777 by default?

Thanks.

Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


smtpctl spf walk [-4|-6]

2018-01-25 Thread johnw

Hi Gilles,

Is it possible to add an ipv4|ipv6 parameter to smtpctl spf walk [-4|-6]?

Thanks.

Index: smtpctl.c
===
RCS file: /cvs/src/usr.sbin/smtpd/smtpctl.c,v
retrieving revision 1.155
diff -u -r1.155 smtpctl.c
--- smtpctl.c   6 Jan 2018 07:59:27 -   1.155
+++ smtpctl.c   26 Jan 2018 02:30:28 -
@@ -1070,6 +1070,7 @@
cmd_install("show stats", do_show_stats);
cmd_install("show status",do_show_status);
cmd_install("spf walk",   do_spfwalk);
+   cmd_install("spf walk ",   do_spfwalk);
cmd_install("trace ",  do_trace);
cmd_install("uncorrupt ",do_uncorrupt);
cmd_install("unprofile ",  do_unprofile);
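Review bot: the new `cmd_install("spf walk ",   do_spfwalk);` line only registers a second command pattern that dispatches to the same do_spfwalk handler, and nothing in the hunk changes that handler, so the [-4|-6] selection asked for in the mail is not implemented by this diff; do_spfwalk would need to read the extra token and limit its lookups to A or AAAA records accordingly. The pattern also ends in a bare space where the argument placeholder should be, exactly like the neighbouring "trace ", "uncorrupt " and "unprofile " entries whose angle-bracketed placeholders were evidently stripped in transit, so the diff should be resent with the placeholder intact.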


--
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC



Re: pf tagged rule not work/match

2017-05-20 Thread johnw
Hi, this one fixed my problem, thanks

http://marc.info/?l=openbsd-cvs=149532101008885=2


On 19 May 2017 22:00:32 GMT+08:00, johnw <johnw.m...@gmail.com> wrote:
>After upgrading to yesterday's current, pf tagged rules do not work/match
>any more; they worked before.
>
>( the rules below do not match/work any more )
>pass in quick on $int_if from any flags any tag HOME
>pass out quick on $ext_if from any nat-to ($ext_if:0) flags any tagged 
>HOME
>
>if I change
>pass out quick on $ext_if from any nat-to ($ext_if:0) flags any tagged 
>HOME
>to
>pass out quick on $ext_if from any nat-to ($ext_if:0) flags any
>
>NAT works again, thanks.
>
>-- 
>Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


pf tagged rule not work/match

2017-05-19 Thread johnw
After upgrading to yesterday's current, pf tagged rules do not work/match
any more; they worked before.

( the rules below do not match/work any more )
pass in quick on $int_if from any flags any tag HOME
pass out quick on $ext_if from any nat-to ($ext_if:0) flags any tagged HOME


if I change
pass out quick on $ext_if from any nat-to ($ext_if:0) flags any tagged HOME

to
pass out quick on $ext_if from any nat-to ($ext_if:0) flags any

NAT works again, thanks.

--
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC
To: b...@openbsd.org
Subject: pf tagged not working
From: johnw.m...@gmail.com

>Synopsis:  
>Category:  
>Environment:
System  : OpenBSD 6.1
Details : OpenBSD 6.1-current (GENERIC.MP) #68: Thu May 18 19:55:43 
MDT 2017
 
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Architecture: OpenBSD.amd64
Machine : amd64
>Description:

After upgrading to yesterday's current, pf tagged rules do not work/match
any more; they worked before.
>How-To-Repeat:
( below rules not match/work any more )
pass in quick on $int_if from any flags any tag HOME
pass out quick on $ext_if from any nat-to ($ext_if:0) flags any tagged 
HOME
>Fix:
change 
pass out quick on $ext_if from any nat-to ($ext_if:0) flags any tagged 
HOME
to
pass out quick on $ext_if from any nat-to ($ext_if:0) flags any


dmesg:

Re: /usr/sbin/httpd and chunked transfer encoding

2017-05-08 Thread johnw
Tried both, and neither works.

On 8 May 2017 16:57:56 GMT+08:00, Francois Stephany <franc...@tamere.eu> wrote:
>Hi,
>
>I don't know the politics behind ownCloud/nextcloud but it seems that
>there
>are two apps:
>
>- https://github.com/owncloud/android
>- https://github.com/nextcloud/android
>
>Maybe the nextcloud one fixed the bug?
>
>
>On Mon, May 8, 2017 at 8:10 AM, johnw <johnw.m...@gmail.com> wrote:
>
>> On 05/08/2017 01:32 PM, Reyk Floeter wrote:
>> > Hi,
>> >
>> > you cannot disable it and this Android client is broken.
>> >
>> > "A recipient MUST be able to parse and decode the chunked
>> > transfer coding."
>> >
>> > https://tools.ietf.org/html/rfc7230#section-4.1
>> >
>> > Reyk
>> >
>> Agreed, this Android client is broken, but is it possible to make the
>> "chunked transfer coding" optional,
>> to let people choose to be compatible with broken clients like this one?
>>
>>
>> I tried to manually disable this feature by editing (I do NOT really know
>> coding, just trying) the code like below,
>>
>> Index: server_fcgi.c
>> ===
>> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
>> retrieving revision 1.74
>> diff -u -p -u -r1.74 server_fcgi.c
>> --- server_fcgi.c21 Jan 2017 11:32:04 -1.74
>> +++ server_fcgi.c8 May 2017 05:50:05 -
>> @@ -385,7 +385,8 @@ server_fcgi(struct httpd *env, struct cl
>>  fcgi_add_stdin(clt, NULL);
>>  }
>>
>> -if (strcmp(desc->http_version, "HTTP/1.1") == 0) {
>> +if (strcmp(desc->http_version, "HTTP/1.1") == 0 && \
>> +strcmp("my-cloud.domain.com", srv_conf->name) != 0) {
>>  clt->clt_fcgi.chunked = 1;
>>  } else {
>>  /* HTTP/1.0 does not support chunked encoding */
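Review bot: the hostname "my-cloud.domain.com" is hard-coded in server_fcgi.c and compared against srv_conf->name, which bakes one site's workaround into the httpd binary; if this behaviour is wanted at all it belongs in httpd.conf as a per-server option that sets a flag the condition can test. The backslash after `&&` is a line continuation that C does not need outside a macro and should be dropped. Note also that the else branch this change steers the HTTP/1.1 client into is the HTTP/1.0 path ("HTTP/1.0 does not support chunked encoding"), so before relying on it, confirm that the unchunked response for that client is still delimited by a Content-Length or by closing the connection; otherwise the client cannot tell where the body ends.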
>>
>> And then this broken Android client works normally.
>>
>> Please help, thanks.
>>


Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


Re: /usr/sbin/httpd and chunked transfer encoding

2017-05-08 Thread johnw
On 05/08/2017 01:32 PM, Reyk Floeter wrote:
> Hi,
>
> you cannot disable it and this Android client is broken.
>
> "A recipient MUST be able to parse and decode the chunked
> transfer coding."
>
> https://tools.ietf.org/html/rfc7230#section-4.1
>
> Reyk
>
Agreed, this Android client is broken, but is it possible to make the
"chunked transfer coding" optional,
to let people choose to be compatible with broken clients like this one?


I tried to manually disable this feature by editing (I do NOT really know
coding, just trying) the code like below,

Index: server_fcgi.c
===
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.74
diff -u -p -u -r1.74 server_fcgi.c
--- server_fcgi.c21 Jan 2017 11:32:04 -1.74
+++ server_fcgi.c8 May 2017 05:50:05 -
@@ -385,7 +385,8 @@ server_fcgi(struct httpd *env, struct cl
 fcgi_add_stdin(clt, NULL);
 }
 
-if (strcmp(desc->http_version, "HTTP/1.1") == 0) {
+if (strcmp(desc->http_version, "HTTP/1.1") == 0 && \
+strcmp("my-cloud.domain.com", srv_conf->name) != 0) {
 clt->clt_fcgi.chunked = 1;
 } else {
 /* HTTP/1.0 does not support chunked encoding */

And then this broken Android client works normally.

Please help, thanks.
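The RFC 7230 requirement Reyk quotes above, as an added Python example that is neither httpd code nor from the thread: a strict decoder for the chunked transfer coding, i.e. the parsing a conforming recipient has to do instead of the server switching chunking off. The sample body, the MAX_CHUNK limit, the HEXDIGITS table and the ChunkedError class are constructed for this example.

```python
from typing import Dict, Tuple

# Constructed limit: refuse absurd chunk sizes before allocating for them.
MAX_CHUNK = 1 << 20
HEXDIGITS = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Raised when the body does not follow the chunked grammar."""


def _read_line(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Return the line starting at pos (without CRLF) and the offset after it."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ChunkedError("incomplete: line not terminated by CRLF")
    return buf[pos:end], end + 2


def decode_chunked(buf: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Decode one complete chunked body into (payload, trailer fields).

    RFC 7230 section 4.1:
      chunk      = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
      last-chunk = 1*("0") [ chunk-ext ] CRLF
      followed by trailer-part and a final CRLF.
    """
    pos = 0
    out = bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        size_field = line.split(b";", 1)[0].strip()   # chunk extensions are ignored
        # int(x, 16) would accept "0x", "_" and signs, so check the digits ourselves
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise ChunkedError("bad chunk-size %r" % size_field)
        size = int(size_field, 16)
        if size > MAX_CHUNK:
            raise ChunkedError("chunk-size %d exceeds limit" % size)
        if size == 0:
            break                                     # last-chunk
        if len(buf) < pos + size + 2:
            raise ChunkedError("incomplete chunk-data")
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk-data not followed by CRLF")
        out += buf[pos:pos + size]
        pos += size + 2
    trailers: Dict[str, str] = {}
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            break                                     # end of trailer-part
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ChunkedError("malformed trailer field %r" % line)
        trailers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    if pos != len(buf):
        raise ChunkedError("%d stray bytes after the last chunk" % (len(buf) - pos))
    return bytes(out), trailers


def rejects(buf: bytes) -> bool:
    """True when decode_chunked refuses buf with a ChunkedError."""
    try:
        decode_chunked(buf)
    except ChunkedError:
        return True
    return False


def sample_body() -> bytes:
    """Constructed chunked body: three chunks (one with an extension), then a trailer."""
    return (b"4\r\nWiki\r\n"
            b"6;ext=1\r\npedia \r\n"
            b"E\r\nin \r\n\r\nchunks.\r\n"
            b"0\r\n"
            b"X-Check: ok\r\n"
            b"\r\n")


if __name__ == "__main__":
    payload, trailer_fields = decode_chunked(sample_body())
    print(payload, trailer_fields)
```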




/usr/sbin/httpd and chunked transfer encoding

2017-05-07 Thread johnw
Hi, after installing owncloud/nextcloud on my OpenBSD,

I noticed the Android client does not support "chunked transfer encoding"

(https://github.com/owncloud/android/issues/1128).

Is it possible to disable this feature with "/usr/sbin/httpd"?

Any idea how to solve it?

Thanks.






Re: httpd, SlowCGI, POST_MAX and 413 Payload Too Large

2016-11-27 Thread johnw

I have this inherent problem too. (explained below)

Is it possible to configure "max request" per sub-domain independently?

Thanks.

https://marc.info/?l=openbsd-misc=144080241519699=2

-
There seems to be an inherent problem with httpd.conf.

Say you have two servers:

server "foo.net" {
  listen on egress port 80
  root "/foo_net"
  ...
  Other options here
  ...
}

server "bar.foo.net" {
  listen on egress port 80
  root "/bar_foo_net"

  connection { max request body 8388608 }
}

When httpd.conf parses this config, it believes "foo.net" is the
"parent". But since "foo.net" has no connection { max request body  }
parameter, it uses the #define SERVER_MAXREQUESTBODY value which is 1048576.

However, if you add "connection { max request body 8388608 }" to the
server "foo.net" stanza, all of a sudden the max request body works
for "bar.foo.net". However, it will ONLY use what "foo.net" has.
You can't override it with a different value for "bar.foo.net".

I believe this is down to the behavior in config.c, line 454, in function
config_getserver_config:

srv_conf->maxrequestbody = parent->maxrequestbody;

It is always set to the parent's maxrequestbody.

Is this by design?

Thanks,
Tom


--
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC




Re: vmd: /dev/vmm: Operation not supported by device

2016-10-31 Thread johnw
On 10/31/2016 06:09 PM, Stefan Sperling wrote:
> It seems the current implementation only supports a CPU if dmesg displays
> "VMX/EPT", not just "VMX" (the vmmopen() function only succeeds if EPT
> support is present).
>
> As for if or when this will change, I cannot say.
>
> Keep in mind that we're not at release yet and that you're testing an
> intermediate state of things. I'd expect that eventually this will either be
> made to work or that vmm will be prevented from attaching on such CPUs.

OK, I understand now, thank you.






vmd: /dev/vmm: Operation not supported by device

2016-10-31 Thread johnw
Hi, I know my CPU (Intel E8400) supports VT-x/VT-d, but when I run vmd,

vmd: /dev/vmm: Operation not supported by device

What does this mean?

I ran KVM/qemu/Linux on this machine before, and I just checked my
BIOS settings;

the "Intel® Virtualization Technology" is enabled.

Does this CPU support running vmd?

Attached dmesg,

Thanks.


Re: traceroute and pf

2016-09-28 Thread johnw
On 09/28/2016 07:05 PM, Janne Johansson wrote:
> Apart from PF failing the syntax, what would one expect to achieve with
> >=0 ?
>
> That would always cover all users, since it's never a negative number.
> /usr/include/sys/types.h:typedef __uid_t uid_t;          /* user id */
> /usr/include/sys/_types.h:typedef __uint32_t __uid_t;    /* user id */
>
>
No, PF does not fail the syntax; pfctl -f pf.conf gives no error and
pfctl can load the rule (pfctl -sr can see it).

What I mean is, why does the rule below not let traceroute work?

pass out quick on $ext_if inet proto udp from ($ext_if) to any user 0

then run traceroute as root:   traceroute google.com

traceroute to google.com (216.58.221.238), 64 hops max, 40 byte packets
traceroute: sendto: No route to host
1 traceroute: wrote google.com 40 chars, ret=-1

Thanks.

-- 
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC





traceroute and pf

2016-09-28 Thread johnw
Hi, I have some problems setting up pf to pass out traceroute with the user keyword.


The rule below DOES WORK.

pass out quick on $ext_if inet proto udp from ($ext_if) to any

Or the one below also WORKS.

pass out quick on $ext_if inet proto udp from ($ext_if) to any user != 1


But the one below does NOT WORK.

pass out quick on $ext_if inet proto udp from ($ext_if) to any user >= 0


Is it a bug? Or normal (if it is normal, why does the last one not work)?

Thanks.





Re: Logging/backup .ksh_history

2016-08-08 Thread johnw
On 08/08/2016 04:33 PM, David Dahlberg wrote:
> On Monday, 08.08.2016, 14:39 +0800, johnw wrote:
>> Hi, I use /bin/ksh as a console/terminal shell program, I want to
>> log/backup all command, run on console/terminal/ksh,
>>
>> Any idea how to do this?
> man 1 ksh, search for HISTFILE.
>
> Cheers
>   David

Yes, I already set HISTFILE and HISTSIZE, but when I open two terminals
at the same time,

some commands are not logged, and I also log-rotate.

I want to log all the commands (but not the commands' stdout|stderr output),

even when I open two ksh terminals at the same time.

Thank you


-- 
Key ID: 0xCF2C80AC
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC






Logging/backup .ksh_history

2016-08-08 Thread johnw
Hi, I use /bin/ksh as my console/terminal shell program, and I want to
log/backup all commands run on the console/terminal/ksh.

Any idea how to do this?

Thanks.


-- 
Key ID: 0xCF2C80AC
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC





Fwd: about rc.subr

2016-04-28 Thread johnw
Hi, dbus is also not working after upgrading to today's current.

CVSROOT: /cvs
Module name: src
Changes by: ajacou...@cvs.openbsd.org 2016/04/28 03:15:16
Modified files: etc/rc.d : rc.subr sndiod
Log message: Experiment on matching on the daemon_user is over. It needs
more work. portmap isn't happy with it as reported by naddy@
-- 
Sent from my Android phone.



Re: L2TP/IPSec via npppd won't work with Android 5.x

2016-04-14 Thread johnw

Hi Renaud and the lists,

Did you try to use iked/ikev2 for the Android (5.x+) client?
I checked that my Note 3 supports IKEv2 PSK/RSA.
I want to set up my home OpenBSD router to act as a VPN/NAT router for my Note 3.
Thanks.

Renaud Allard  allard.it> writes:

>
>
> I can't get android to connect with modp > 1024, but settings like this
> work:
> ike passive esp transport \
> proto udp from A.B.C.D to any port l2tp \
> main auth "hmac-sha2-256" enc "aes-256" group modp1024 \
> quick auth "hmac-sha2-256" enc "aes-256" \
> psk "mysharedsecret"



sleep with tame(2)?

2015-09-30 Thread johnw

Hi all,

After upgrading to the 30-Sep-2015 12:20 snapshot (AMD64)
(downloaded from http://ftp.openbsd.org),

I noticed /bin/sleep runs the tame(2) call, but I cannot find any tame
call in the source code (cvsweb.openbsd.org).


When I run sleep:
john@pdc:[~]$ sleep
Killed
then I run dmesg, and the last line shows me
sleep(31307): syscall 4

When I run "sleep 3600" and then "ps aux", I see this:
john 32490  0.0  0.0   132   124 p0  S+t   1:26PM  0:00.00 sleep 3600
                                     ^^^
man ps says: t   The process has called tame(2).

Is this normal?

Thanks.



tame(2) will by pass systrace rules

2015-09-20 Thread johnw

Hi all,

I run my program with systrace, and I noticed the program can bypass
systrace if I add the tame(2) call to my program.


My program connects to the Internet, and if I run my program with systrace, I
need to add a systrace rule like this: "native-connect: permit".
I noticed that if I add the tame("inet", NULL) call before connecting to the
Internet, I can connect to the Internet without any error, even without adding
the systrace rule ("native-connect: XXX permit").


Thanks.



/etc/daily report error/warning message

2014-08-17 Thread johnw
Hi, I noticed my system (5.6-current/amd64) daily report contains an
error/warning message:

--
Running security(8):
/bin/sh: /.cshrc[8]: syntax error: `(' unexpected
--

I did not edit /.cshrc or /etc/daily.
Why does it report this error/warning message?

Thanks.

/etc/daily

#
#   $OpenBSD: daily,v 1.81 2014/07/02 13:39:41 sthen Exp $
#   From: @(#)daily 8.2 (Berkeley) 1/25/94
#
# For local additions, create the file /etc/daily.local.
# To get section headers, use the function next_part in daily.local.
#
umask 022

PARTOUT=/var/log/daily.part
MAINOUT=/var/log/daily.out
install -o 0 -g 0 -m 600 /dev/null $PARTOUT
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT

start_part() {
    TITLE=$1
    exec > $PARTOUT 2>&1
}

end_part() {
    exec >> $MAINOUT 2>&1
    test -s $PARTOUT || return
    echo ""
    echo "$TITLE"
    cat $PARTOUT
}

next_part() {
    end_part
    start_part "$1"
}

run_script() {
    f=/etc/$1
    test -e $f || return
    if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then
        echo "$f has insecure permissions, skipping:"
        ls -l $f
        return
    fi
    . $f
}

start_part "Running daily.local:"
run_script daily.local

next_part "Removing scratch and junk files:"
if [ -d /tmp -a ! -L /tmp ]; then
    cd /tmp && {
    find -x . \
        \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
           -o -path ./portslocks -o -path './tmux-*' \) \
        -prune -o -type f -atime +3 -execdir rm -f -- {} \; 2>/dev/null
    find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
        ! -path ./.ICE-unix ! -path ./portslocks ! -name . \
        -execdir rmdir -- {} \; >/dev/null 2>&1; }
fi

if [ -d /var/tmp -a ! -L /var/tmp ]; then
    cd /var/tmp && {
    find -x . \
        \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
           -o -path ./portslocks -o -path './tmux-*' \) \
        -prune -o ! -type d -atime +7 -execdir rm -f -- {} \; 2>/dev/null
    find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
        ! -path ./.ICE-unix ! -path ./portslocks ! -name . \
        -execdir rmdir -- {} \; >/dev/null 2>&1; }
fi

# Additional junk directory cleanup would go like this:
#if [ -d /scratch -a ! -L /scratch ]; then
#    cd /scratch && {
#    find . ! -name . -atime +1 -execdir rm -f -- {} \;
#    find . ! -name . -type d -mtime +1 -execdir rmdir -- {} \; \
#        >/dev/null 2>&1; }
#fi

next_part "Purging accounting records:"
if [ -f /var/account/acct ]; then
    mv -f /var/account/acct.2 /var/account/acct.3
    mv -f /var/account/acct.1 /var/account/acct.2
    mv -f /var/account/acct.0 /var/account/acct.1
    cp -f /var/account/acct /var/account/acct.0
    sa -sq
fi

# If ROOTBACKUP is set to 1 in the environment, and
# if filesystem named /altroot is type ffs and mounted "xx",
# use it as a backup root filesystem to be updated daily.
next_part "Backing up root filesystem:"
while [ "X$ROOTBACKUP" = X1 ]; do
    rootbak=`awk '$1 !~ /^#/ && $2 == "/altroot" && $3 == "ffs" && \
        $4 ~ /xx/ { print $1 }' < /etc/fstab`
    if [ -z "$rootbak" ]; then
        echo "No xx ffs /altroot device found in the fstab(5)."
        break
    fi
    rootbak=${rootbak#/dev/}
    bakdisk=${rootbak%%?(.)[a-p]}
    sysctl -n hw.disknames | grep -Fqw $bakdisk || break
    bakpart=${rootbak##$bakdisk?(.)}
    OLDIFS=$IFS
    IFS=,
    for d in `sysctl -n hw.disknames`; do
        # If the provided disk name is a duid, substitute the device.
        if [ "X$bakdisk" = "X${d#*:}" ]; then
            bakdisk=${d%:*}
            rootbak=$bakdisk$bakpart
        fi
    done
    IFS=$OLDIFS
    baksize=`disklabel $bakdisk 2>/dev/null | \
        awk -v "part=$bakpart:" '$1 == part { print $2 }'`
    rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
        { print substr($1, 6) }'`
    if [ -z "$rootdev" ]; then
        echo "The root filesystem is not local or not ffs."
        break
    fi
    if [ "X$rootdev" = "X$rootbak" ]; then
        echo "The device $rootdev holds both root and /altroot."
        break
    fi
    rootdisk=${rootdev%[a-p]}
    rootpart=${rootdev#$rootdisk}
    rootsize=`disklabel $rootdisk 2>/dev/null | \
        awk -v "part=$rootpart:" '$1 == part { print $2 }'`
    if [ $rootsize -gt $baksize ]; then
        echo "Root ($rootsize) is larger than /altroot ($baksize)."
        break
    fi
    next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
    sync
    dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1
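The run_script() function in the /etc/daily script above refuses to source /etc/daily.local unless it is a regular file, owned by root and neither group- nor world-writable (the stat -f '%Sp%u' | cut -b1,6,9,11- test). As an added example, not part of the original post or of OpenBSD's /etc/daily, here is the same check reimplemented with POSIX find(1) so it also runs on GNU systems; the function names safe_to_source and run_local and the OWNER argument are my own additions.

```shell
#!/bin/sh
# Added example: the permission gate that /etc/daily's run_script() applies
# before it sources a local script, written portably (POSIX find instead of
# OpenBSD's stat -f '%Sp%u').  Names below are not from /etc/daily.

# safe_to_source FILE [OWNER]
# Returns 0 if FILE may be sourced: it must be a regular file (symlinks and
# directories are rejected), owned by OWNER (default root), and not writable
# by group or others.  Returns 1 otherwise, printing nothing.
safe_to_source() {
    f=$1
    owner=${2:-root}
    [ -e "$f" ] || return 1
    # -prune keeps find from descending if $f is a directory; -type f then
    # rejects directories, symlinks and devices.  -perm -020 / -002 test the
    # group-write and other-write bits, the same bits cut -b6,9 picks out.
    ok=$(find "$f" -prune -type f -user "$owner" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null || true)
    [ -n "$ok" ]
}

# run_local FILE [OWNER]
# Mirrors run_script(): source FILE only when safe_to_source accepts it,
# otherwise report the offending mode and skip it.
run_local() {
    if safe_to_source "$1" "$2"; then
        . "$1"
        return 0
    fi
    echo "$1 has insecure permissions, skipping:" >&2
    ls -l "$1" >&2
    return 1
}
```

A group-writable or world-writable /etc/daily.local is skipped rather than run as root, which is the property the original check exists to enforce.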

Re: /etc/daily report error/warning message

2014-08-17 Thread johnw

On 08/17/2014 03:46 PM, Philip Guenther wrote:
> I'm 95% certain that this was the result of a bug in
> /usr/libexec/security fixed in late June.
>
> Philip Guenther


Hello Philip Guenther, my system /usr/libexec/security is version 1.31.

My system version is:
OpenBSD 5.6 (GENERIC.MP) #325: Tue Aug  5 23:13:02 MDT 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Thank you.



Re: /etc/daily report error/warning message

2014-08-17 Thread johnw

On 08/17/2014 05:06 PM, Philip Guenther wrote:
> Heh, good thing I had that 5% hedge when making a guess based on
> fading memory of an email thread and the possibility that you were
> running an old snapshot.  :-/
>
> If no one else speaks up, the next step for tracking this down may be
> to ktrace the cron invocation of the daily script by changing its root
> crontab entry to say ktrace -i -f /root/daily.ktrace.out /bin/sh
> /etc/daily and then matching up the output there with the scripting
> to figure out what is triggering that warning.
>
> Philip Guenther


When I run (as root) env SHELL=/bin/sh /usr/libexec/security,
I see the same error message.

root@ksh:[/]# env SHELL=/bin/sh /usr/libexec/security
/bin/sh: /.cshrc[8]: syntax error: `(' unexpected

So, I think you are right, the error message is triggered from
/usr/libexec/security;
if I run env SHELL=/bin/ksh /usr/libexec/security, there is no error
message.

But my /usr/libexec/security is up-to-date (1.31).


I noticed another problem: when I run env SHELL=/bin/sh ktrace -i -f
/tmp/k.out /usr/libexec/security

and then run kdump /tmp/k.out, kdump shows the error message
kdump: ktrace.out: No such file or directory
I need to rename k.out to ktrace.out to make kdump work.
(The ktrace file size is 3xxMB, so I cannot post it here.)

Thank you.



Re: /etc/daily report error/warning message

2014-08-17 Thread johnw
On 08/17/2014 05:06 PM, Philip Guenther wrote:
> On Sun, Aug 17, 2014 at 1:02 AM, johnw johnw.m...@gmail.com wrote:
>
>> On 08/17/2014 03:46 PM, Philip Guenther wrote:
>>
>>> I'm 95% certain that this was the result of a bug in
>>> /usr/libexec/security fixed in late June.
>>
>> Hello Philip Guenther, my system /usr/libexec/security is version
>> 1.31.
>>
>> My system version is:
>> OpenBSD 5.6 (GENERIC.MP) #325: Tue Aug  5
>> 23:13:02 MDT 2014
>> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Heh, good thing I had that 5% hedge when making a guess based on
> fading memory of an email thread and the possibility that you were
> running an old snapshot.  :-/
>
> If no one else speaks up, the next step for tracking this down may be
> to ktrace the cron invocation of the daily script by changing its root
> crontab entry to say ktrace -i -f /root/daily.ktrace.out /bin/sh
> /etc/daily and then matching up the output there with the scripting
> to figure out what is triggering that warning.
>
> Philip Guenther

I think I found the problem.
It is because I added something like this to /root/.profile:
case X${SHELL} in
    X/bin/ksh)
        . ${HOME}/.kshrc
        ;;
    X/usr/local/bin/bash)
        . ${HOME}/.bashrc
        ;;
    X/bin/csh)
        . ${HOME}/.cshrc
        ;;
    *)
        . /.cshrc
        ;;
esac
So /usr/libexec/security will run ". /.cshrc".
I deleted it, and the problem is gone.
Thank you.



Re: Major dhclient(8) changes - no more dhclient-script

2012-11-10 Thread johnw
I have some problems after upgrading to the new dhclient.

my /etc/dhclient.conf:

initial-interval 1;
supersede domain-name ".";
supersede domain-name-servers 127.0.0.1;
request subnet-mask,
        broadcast-address,
        routers;

before upgrade, my /etc/resolv.conf:

search .
nameserver 127.0.0.1
lookup file bind

after upgrade, my /etc/resolv.conf (only one line):

lookup file bind



Sent to you by johnw via Google Reader: Major dhclient(8) changes - no
more dhclient-script, via gmane.os.openbsd.tech, by Kenneth R Westerback
(dated 2012/11/9)

Those of you following -current or running very recent snaps may have
noticed a lot of changes to dhclient in the last couple of weeks. Aside
from some major clean up, these changes revolve around the elimination
of the dhclient-script as both detrimental to sanity and our ability to
move forward to better network configuration automation. So far a
couple of uses for dhclient-script have been reported and workarounds
have to be developed for these scenarios. But now that most of the
changes are committed we are very interested in making sure that
scenarios that lead people to modify dhclient-script are identified
sooner rather than later. So please test the new dhclient(8) in as many
situations as possible and report both 'normal' bugs/regressions and
problems you have not been able to solve without dhclient-script.

Thanks.  Ken







Re: Major dhclient(8) changes - no more dhclient-script

2012-11-10 Thread johnw
Today,
OpenBSD 5.2-current (GENERIC) #77: Fri Nov  9 13:54:32 MST 2012

grep dhclient /var/log/daemon:
Nov 10 20:41:54 pdc dhclient[25385]: DHCPREQUEST on fxp0 to 255.255.255.255
port 67
Nov 10 20:41:55 pdc dhclient[25385]: DHCPACK from 183.179.12.1
(00:13:7f:98:89:80)
Nov 10 20:41:55 pdc dhclient[25385]: bound to 183.179.14.210 -- renewal in
21600 seconds.

Thank you.

2012/11/10 Kenneth R Westerback kwesterb...@rogers.com


> What is the date of the snapshot or source tree you upgraded to? I just
> tried this configuration and it worked fine for me on -current.
>
> Are there any messages in /var/log/daemon that might shed light on
> what happened?
>
>  Ken



Re: Signatures for distribution sets and packages?

2012-09-05 Thread johnw
Just curious: why does OpenBSD not support scp/sftp for downloading packages,
like anoncvs does?



Re: Signatures for distribution sets and packages?

2012-09-05 Thread johnw
> 2) Because nobody understands what you mean.
Sorry, my English is so bad.
Anyway, what I want to say is below.

> pkg_add does support scp for downloading packages, though there aren't any
> mirrors that use it. See pkg_add(1):

Yes, why do those mirrors not support scp/sftp transfer (of package files)?
(A load problem, or something else?)

They already support anoncvs (which is also over ssh).

Thanks.



xsystrace do not exit

2012-08-09 Thread johnw
I run the command systrace chrome, then close chrome, and
after that I can still see the xsystrace process.
Why does the xsystrace process not exit along with the systrace process?
Is this normal?
Thank you.



Re: after upgrade to current(25-06-2012), can not login ssh

2012-06-26 Thread johnw
Hi, I found that sandbox-systrace.c needs mquery() to work with
UsePrivilegeSeparation sandbox.

The change below may be related:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/malloc.c.diff?r1=1.143;r2=1.144;sortby=date

Anyway, adding mquery() to sandbox-systrace.c works on my system.
Thank you.

--- /usr/src/usr.bin/ssh/sandbox-systrace.c Fri Jul 29 22:42:45 2011
+++ sandbox-systrace.c Tue Jun 26 16:31:37 2012
@@ -45,6 +45,7 @@
 /* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL
*/
 static const struct sandbox_policy preauth_policy[] = {
  { SYS_open, SYSTR_POLICY_NEVER },
+ { SYS_mquery, SYSTR_POLICY_NEVER },

  { SYS___sysctl, SYSTR_POLICY_PERMIT },
  { SYS_close, SYSTR_POLICY_PERMIT },
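Review bot: the new entry puts SYS_mquery under SYSTR_POLICY_NEVER, the same deny-with-error class as SYS_open directly above it, so this hunk does not actually allow mquery(2) in the preauth sandbox; it only changes the result from the default SYSTR_POLICY_KILL named in the comment at the top of the hunk to a failed syscall that the caller (malloc, per the malloc.c change linked in the post) has to tolerate. If the intent is to let malloc use mquery(2), the entry should read `{ SYS_mquery, SYSTR_POLICY_PERMIT },`; mquery only asks the kernel where a mapping could fit and creates no mapping itself, so permitting it does not widen what a compromised preauth process can do. Whichever policy is chosen, the description should say which one and why, since the two behave differently under systrace.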


2012/6/25 Fred Crowson fred.crow...@gmail.com

> On 25 June 2012 12:41, johnw johnw.m...@gmail.com wrote:
>> I change UsePrivilegeSeparation sandbox to UsePrivilegeSeparation
>> yes,
>> then i can login now.
>> maybe the sandbox feature has something broken.
>> thank you.
>
> The following article gives some more information on the sandbox function:
>
> http://www.undeadly.org/cgi?action=article&sid=20110721123003
>
> hth
>
> Fred



after upgrade to current(25-06-2012), can not login ssh

2012-06-25 Thread johnw
I attached the server side error message (photo)
please help, thank you.

ssh - 192.168.168.1
OpenSSH_6.0p1 Debian-2, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/john/.ssh/config
debug1: /home/john/.ssh/config line 1: Applying options for 192.168.168.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.168.1 [192.168.168.1] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load /home/john/.ssh/kdc.id_rsa as a RSA1 public key
debug1: identity file /home/john/.ssh/kdc.id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/john/.ssh/kdc.id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-2
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host 192.168.168.1 from file
/home/john/.ssh/known_hosts
debug3: load_hostkeys: found key type ECDSA in file
/home/john/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs:
ecdsa-sha2-nistp256-cert-...@openssh.com,
ecdsa-sha2-nistp384-cert-...@openssh.com,
ecdsa-sha2-nistp521-cert-...@openssh.com
,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-...@openssh.com,
ecdsa-sha2-nistp384-cert-...@openssh.com,
ecdsa-sha2-nistp521-cert-...@openssh.com
,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,
ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com
,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,
hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com
,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,
hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com
,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,
hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com
,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,
hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA
ee:e2:6a:0d:b9:a0:31:15:14:35:17:7b:b2:c6:f8:ba
debug3: load_hostkeys: loading entries for host 192.168.168.1 from file
/home/john/.ssh/known_hosts
debug3: load_hostkeys: found key type ECDSA in file

Re: after upgrade to current(25-06-2012), can not login ssh

2012-06-25 Thread johnw
I upload the photo to here
http://www1.picturepush.com/photo/a/8571544/640/8571544.jpg

2012/6/25 johnw johnw.m...@gmail.com

> I attached the server side error message (photo)
> please help, thank you.


Re: after upgrade to current(25-06-2012), can not login ssh

2012-06-25 Thread johnw
The sshd_config like this:
ListenAddress 192.168.168.1
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePrivilegeSeparation sandbox
Subsystem sftp /usr/libexec/sftp-server

2012/6/25 johnw johnw.m...@gmail.com

> I attached the server side error message (photo)
> please help, thank you.


Re: after upgrade to current(25-06-2012), can not login ssh

2012-06-25 Thread johnw
I changed UsePrivilegeSeparation sandbox to UsePrivilegeSeparation yes,
and now I can log in.
Maybe the sandbox feature has something broken.
Thank you.

2012/6/25 Fred Crowson fred.crow...@gmail.com

> On 25 June 2012 10:03, johnw johnw.m...@gmail.com wrote:
>> The sshd_config like this:
>> ListenAddress 192.168.168.1
>> PermitRootLogin yes
>> PubkeyAuthentication yes
>> AuthorizedKeysFile .ssh/authorized_keys
>> PasswordAuthentication yes
>> UsePrivilegeSeparation sandbox
>> Subsystem sftp /usr/libexec/sftp-server
>
> Is pf enabled on the server?
> Have you allowed ssh connections in pf?
>
> Broken pipes hint at a network error.
>
> hth
>
> Fred



can i tune the bind/resolver timeout time?

2012-06-17 Thread johnw
Hi, I use OpenBSD/i386 with /usr/sbin/bind acting as the DNS server.
Can I tune the gethostbyname timeout?
(by tuning the system or bind)

And can I configure the resolver not to search the local domain?
man resolv.conf says I can configure the domain and search options in
/etc/resolv.conf,
but can I tell the resolver never to search those domains?
When I use gethostbyname(nothis.domain), it searches nothis.domain
and then searches nothis.domain.local.domain.
Can I tell gethostbyname to search only nothis.domain?

Thank you.



can not use the up key to last command at root?

2011-12-20 Thread johnw
My system is i386/current; I do not know why or when,
but today I noticed I cannot use the up key to recall the last command as root anymore.

I can use the up key to recall the last command as a non-root user;
both use ksh.

Any idea?

Please help, and thank you.



how to use the new rc.d system to start the daemon with systrace?

2011-10-20 Thread johnw
After upgrading to current, /etc/rc now uses the new rc.d system.
My question is: how do I start the daemons (ntpd, named etc.) with systrace?
Before upgrading to the new rc.d system, I could edit /etc/rc like this:

echo 'starting named'; named $named_flags
to
echo 'starting named'; systrace -Ua named $named_flags

Any idea? Thank you.



dmesg: write fail ??

2011-09-21 Thread johnw
Hi, I see this in dmesg:
bsdbox /bsd: pid 9648 (mlnet): user write of 4096@0x202d4000 at 5328
failed: 14

What does this mean?

Thanks.



all libc of my openbsd/i386

2011-07-29 Thread johnw
(23:24:04) john@pdc:[~]$ du -sh /usr/lib/libc.so.*
704K /usr/lib/libc.so.34.2
704K /usr/lib/libc.so.35.0
704K /usr/lib/libc.so.35.1
704K /usr/lib/libc.so.36.0
720K /usr/lib/libc.so.37.0
720K /usr/lib/libc.so.38.0
720K /usr/lib/libc.so.38.1
688K /usr/lib/libc.so.38.2
688K /usr/lib/libc.so.38.3
3.8M /usr/lib/libc.so.38.4
3.8M /usr/lib/libc.so.39.0
3.8M /usr/lib/libc.so.39.1
3.8M /usr/lib/libc.so.39.2
3.8M /usr/lib/libc.so.39.3
3.8M /usr/lib/libc.so.40.0
3.8M /usr/lib/libc.so.40.1
3.8M /usr/lib/libc.so.40.2
3.8M /usr/lib/libc.so.40.3
3.8M /usr/lib/libc.so.41.0
3.8M /usr/lib/libc.so.42.0
3.8M /usr/lib/libc.so.42.1
3.8M /usr/lib/libc.so.43.0
3.9M /usr/lib/libc.so.44.0
3.9M /usr/lib/libc.so.45.0
3.9M /usr/lib/libc.so.46.0
3.9M /usr/lib/libc.so.47.0
3.9M /usr/lib/libc.so.48.0
4.0M /usr/lib/libc.so.49.0
4.0M /usr/lib/libc.so.50.0
4.0M /usr/lib/libc.so.50.1
4.1M /usr/lib/libc.so.51.0
4.1M /usr/lib/libc.so.51.1
4.1M /usr/lib/libc.so.51.2
4.1M /usr/lib/libc.so.52.0
4.1M /usr/lib/libc.so.53.0
4.1M /usr/lib/libc.so.53.1
4.1M /usr/lib/libc.so.53.2
4.1M /usr/lib/libc.so.54.0
4.1M /usr/lib/libc.so.55.0
2.4M /usr/lib/libc.so.56.0
2.4M /usr/lib/libc.so.57.0
2.4M /usr/lib/libc.so.58.0
2.4M /usr/lib/libc.so.58.1
2.5M /usr/lib/libc.so.58.2
2.5M /usr/lib/libc.so.58.3
2.5M /usr/lib/libc.so.60.0



Re: how to enable ipv6?

2011-03-02 Thread johnw
I copied /usr/local/share/examples/wide-dhcpv6/dhcp6c.conf.sample to
/etc/dhcp6c.conf:

interface fxp0 {
    send ia-na 0;
    send rapid-commit;
    send domain-name-servers;
};

id-assoc na {
};


then, as root@shell: /usr/local/sbin/dhcp6c -c /etc/dhcp6c.conf -Df fxp0

but I cannot get an IPv6 address.

Sorry to ask this, but can anyone give me a simple example (dhcp6c.conf) to
get IPv6 from my ISP?

My English is bad, and I don't understand the man page.
Please help, and thank you.

this is the output of ifconfig fxp0:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:d0:b7:70:20:7f
	priority: 0
	groups: egress
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet6 fe80::2d0:b7ff:fe70:207f%fxp0 prefixlen 64 scopeid 0x1
	inet 58.176.246.221 netmask 0xff00 broadcast 58.176.246.255


this is the output of the dhcp6c command:
-
Mar/02/2011 19:23:58: get_duid: extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:14:ff:cd:24:00:d0:b7:70:20:7f
Mar/02/2011 19:23:58: dhcp6_ctl_authinit: failed to open /etc/dhcp6cctlkey: No such file or directory
Mar/02/2011 19:23:58: client6_init: failed initialize control message authentication
Mar/02/2011 19:23:58: client6_init: skip opening control port
Mar/02/2011 19:23:58: cfdebug_print: 3[interface] (9)
Mar/02/2011 19:23:58: cfdebug_print: 5[fxp0] (4)
Mar/02/2011 19:23:58: cfdebug_print: 3begin of closure [{] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3[send] (4)
Mar/02/2011 19:23:58: cfdebug_print: 3[ia-na] (5)
Mar/02/2011 19:23:58: cfdebug_print: 3[0] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3end of sentence [;] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3[send] (4)
Mar/02/2011 19:23:58: cfdebug_print: 3[rapid-commit] (12)
Mar/02/2011 19:23:58: cfdebug_print: 3end of sentence [;] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3[send] (4)
Mar/02/2011 19:23:58: cfdebug_print: 3[domain-name-servers] (19)
Mar/02/2011 19:23:58: cfdebug_print: 3end of sentence [;] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3end of closure [}] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3end of sentence [;] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3[id-assoc] (8)
Mar/02/2011 19:23:58: cfdebug_print: 13[na] (2)
Mar/02/2011 19:23:58: cfdebug_print: 13begin of closure [{] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3end of closure [}] (1)
Mar/02/2011 19:23:58: cfdebug_print: 3end of sentence [;] (1)
Mar/02/2011 19:23:58: configure_pool: called
Mar/02/2011 19:23:58: add_options: invalid operation (0) for option type (16)
Mar/02/2011 19:23:58: clear_poolconf: called
Mar/02/2011 19:23:58: dhcp6_reset_timer: reset a timer on fxp0, state=INIT, timeo=0, retrans=383
Mar/02/2011 19:23:59: client6_send: a new XID (22c5da) is generated
Mar/02/2011 19:23:59: copy_option: set client ID (len 14)
Mar/02/2011 19:23:59: copyout_option: set identity association
Mar/02/2011 19:23:59: copy_option: set rapid commit (len 0)
Mar/02/2011 19:23:59: copy_option: set elapsed time (len 2)
Mar/02/2011 19:23:59: client6_send: send solicit to ff02::1:2%fxp0
Mar/02/2011 19:23:59: dhcp6_reset_timer: reset a timer on fxp0, state=SOLICIT, timeo=0, retrans=1088
Mar/02/2011 19:24:00: copy_option: set client ID (len 14)
Mar/02/2011 19:24:00: copyout_option: set identity association
Mar/02/2011 19:24:00: copy_option: set rapid commit (len 0)
Mar/02/2011 19:24:00: copy_option: set elapsed time (len 2)
Mar/02/2011 19:24:00: client6_send: send solicit to ff02::1:2%fxp0
Mar/02/2011 19:24:00: dhcp6_reset_timer: reset a timer on fxp0, state=SOLICIT, timeo=1, retrans=2151
Mar/02/2011 19:24:02: copy_option: set client ID (len 14)
Mar/02/2011 19:24:02: copyout_option: set identity association
Mar/02/2011 19:24:02: copy_option: set rapid commit (len 0)
Mar/02/2011 19:24:02: copy_option: set elapsed time (len 2)
Mar/02/2011 19:24:02: client6_send: send solicit to ff02::1:2%fxp0
Mar/02/2011 19:24:02: dhcp6_reset_timer: reset a timer on fxp0, state=SOLICIT, timeo=2, retrans=4283
-



how to enable ipv6?

2011-03-01 Thread johnw
I searched Google, and all the howtos assume the ISP does not support IPv6
and use a tunnel/gif.
But I know my ISP supports IPv6.
How can I enable IPv6 with dhclient?
Thank you.



Re: how to view packet data?

2010-09-21 Thread johnw
> you are looking for -X option to tcpdump(8). Read the man page for more
> details.

Yes, I tried it before (-X),
but that is not what I want to get.

What I want to get is something like this:
Data: Post /from.php?q=123 abc.com

Can tcpdump -X do that?
If yes, can you give me an example?

Thank you.
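The request line and Host header the poster is asking for are already present in the hex column of a `tcpdump -X` dump; they only have to be decoded past the IPv4 and TCP headers. The following script is an added example, not from the thread or from tcpdump itself: it takes a constructed dump of one TCP segment (OpenBSD's `  0000: ` offset layout, with libpcap's `0x0000:` form also accepted; header checksums left as zero), rebuilds the raw bytes, walks the IP and TCP header length fields to the payload, and prints it in the "Data: ..." form the poster wants, for inspecting captures of one's own traffic.

```python
"""Decode the TCP payload out of a tcpdump -X hex dump (added example)."""
import re

# Constructed sample: what tcpdump -X prints for a single TCP segment that
# carries an HTTP POST. Summary line and checksums are made up, not captured.
SAMPLE_DUMP = """\
19:23:58.000000 10.10.10.5.50000 > 192.0.2.1.80: P 1:49(48) ack 0 win 8192
  0000: 4500 0058 1234 4000 4006 0000 0a0a 0a05  E..X.4@.@.......
  0010: c000 0201 c350 0050 0000 0001 0000 0000  .....P.P........
  0020: 5018 2000 0000 0000 504f 5354 202f 6672  P. .....POST /fr
  0030: 6f6d 2e70 6870 3f71 3d31 3233 2048 5454  om.php?q=123 HTT
  0040: 502f 312e 310d 0a48 6f73 743a 2061 6263  P/1.1..Host: abc
  0050: 2e63 6f6d 0d0a 0d0a                      .com....
"""

# Matches a hex-dump line: optional "0x", 4-digit offset, colon, then the rest.
HEX_LINE = re.compile(r"^\s*(?:0x)?([0-9a-fA-F]{4}):\s+(.*)$")


def dump_to_bytes(text):
    """Rebuild the raw packet from the hex column; non-dump lines are skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        # The ASCII column is separated from the hex groups by 2+ spaces.
        hex_part = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def tcp_payload(pkt):
    """Use the IHL and TCP data-offset fields to locate the application data."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:total_len]


def http_request_summary(dump_text):
    """Return 'Data: <request line> <host>' for the HTTP request in the dump."""
    payload = tcp_payload(dump_to_bytes(dump_text)).decode("ascii", "replace")
    lines = payload.split("\r\n")
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), "")
    return "Data: %s %s" % (lines[0], host)


if __name__ == "__main__":
    print(http_request_summary(SAMPLE_DUMP))
```

Feeding it a real capture is a matter of piping `tcpdump -X` output into `http_request_summary`, one packet at a time.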