Re: Fix parsing of '\' in hostname.if
On Sun, Jan 05, 2020 at 10:36:24PM -0600, Matt Kunkel wrote:
> Backslash characters inside hostname.if cause it to differ from
> parameters provided to ifconfig.

I don't understand what you mean by that, can you elaborate?

> Adding '-r' to eliminate the need to
> escape '\' inside hostname.if (ssid/wpa key material).

Can you provide an example of hostname.if(5) lines that cause trouble for you?

> If this has
> unintended consequences, I can provide a hostname.if man patch
> (currently an un-documented "feature").

Escaping is mentioned in the manual:

     !command
             Arbitrary shell commands can be executed using this directive,
             as long as they are available in the single-user environment
             (for instance, /bin or /sbin). Useful for doing
             interface-specific configuration such as setting up custom
             routes using route(8) or establishing tunnels using
             ifconfig(8). It is worth noting that "\$if" in a command line
             will be replaced by the interface name.
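To make the behaviour under discussion concrete, here is an added example (mine, not part of either mail and not code from etc/netstart) that runs one constructed hostname.if line through `read` the way the netstart loop does, once without and once with `-r`. `join` and `wpakey` are real ifconfig(8) keywords; the SSID and the key value are invented, chosen to contain the backslash sequences a passphrase can legitimately hold.

```shell
#!/bin/sh
# Added example (not from the mails or from etc/netstart): how read(1)
# treats backslashes in a hostname.if line with and without -r.
#
# Constructed hostname.if line. "join" and "wpakey" are ifconfig(8)
# keywords; the SSID and the key are invented. The key holds "\$" and "\\".
HN_LINE='join mynet wpakey pa\$s\\word'

# Parse the line the way etc/netstart did before the patch. read without -r
# interprets backslash escapes, so "\$" becomes "$" and "\\" becomes "\",
# and the key handed to ifconfig(8) is no longer the one in the file.
parse_without_r() {
	printf '%s\n' "$HN_LINE" | {
		IFS= read -- _line
		printf '%s' "$_line"
	}
}

# Parse the line the way the patched loop does. read -r keeps the line as
# written, so ifconfig(8) receives the key byte for byte.
parse_with_r() {
	printf '%s\n' "$HN_LINE" | {
		IFS= read -r -- _line
		printf '%s' "$_line"
	}
}

# Exit status 0 when both parses agree, 1 when read without -r altered the
# line (i.e. the key material would have been silently changed).
key_survives_without_r() {
	[ "$(parse_without_r)" = "$(parse_with_r)" ]
}

printf 'hostname.if line : %s\n' "$HN_LINE"
printf 'read (no -r)     : %s\n' "$(parse_without_r)"
printf 'read -r          : %s\n' "$(parse_with_r)"
```

Without `-r` a trailing backslash is also a line-continuation marker, so a key that ends in `\` would swallow the following hostname.if line as well; with `-r` it is just another character of the key.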
[WIP] mprotect_ept for vmm(4)
Hi

I have been working on this diff on and off for a while now, mlarkin was able to give me lots of tips, but now I am stuck, so I thought I would ask for nits, tips or even "you're doing it wrong".

The code below causes the vm to triple fault without the ((*pte & EPT_WB) == EPT_WB) check in vmx_mprotect_ept, some calls pass this check and I am able to modify the ept, others fail, and are skipped. I am just not sure I am looking up the ept entry correctly, any help here would be greatly appreciated.

The kernel code is called from solo5[1] as follows.

	if(mprotect(vaddr_start, size, prot) == -1)
		return -1;
	ret = 0;

	struct hvt_b *hvb = hvt->b;
	struct vm_mprotect_ept_params *vmep;

	vmep = calloc(1, sizeof (struct vm_mprotect_ept_params));
	if (vmep == NULL) {
		warn("calloc");
		return -1;
	}

	vmep->vmep_vm_id = hvb->vcp_id;
	vmep->vmep_vcpu_id = hvb->vcpu_id;
	// sgpa = vmr->vmr_gpa(0x0) + (addr - vmr->vmr_va)
	// vmep->vmep_sgpa = (vaddr_t)0x0 + (vaddr_t)(vaddr_start - hvt->mem);
	vmep->vmep_sgpa = addr_start;
	vmep->vmep_size = size;
	vmep->vmep_prot = prot;

	if (ioctl(hvb->vmd_fd, VMM_IOC_MPROTECT_EPT, vmep) < 0) {
		warn("mprotect ept vmm ioctl failed - exiting");
		ret = -1;
	}

Cheers
Adam

[1] https://github.com/adamsteen/solo5/blob/wnox/tenders/hvt/hvt_openbsd.c#L169-L225

? div Index: sys/arch/amd64/amd64/vmm.c === RCS file: /cvs/src/sys/arch/amd64/amd64/vmm.c,v retrieving revision 1.257 diff -u -p -u -p -r1.257 vmm.c --- sys/arch/amd64/amd64/vmm.c 13 Dec 2019 03:38:15 - 1.257 +++ sys/arch/amd64/amd64/vmm.c 6 Jan 2020 03:30:39 - @@ -41,7 +41,7 @@ #include #include -/* #define VMM_DEBUG */ +#define VMM_DEBUG void *l1tf_flush_region; 
@@ -124,6 +124,7 @@ int vm_get_info(struct vm_info_params *) int vm_resetcpu(struct vm_resetcpu_params *); int vm_intr_pending(struct vm_intr_params *); int vm_rwregs(struct vm_rwregs_params *, int); +int vm_mprotect_ept(struct vm_mprotect_ept_params *); int vm_rwvmparams(struct vm_rwvmparams_params *, int); int vm_find(uint32_t, struct vm **); int vcpu_readregs_vmx(struct vcpu *, uint64_t, struct vcpu_reg_state *); @@ -201,6 +202,8 @@ void vmx_setmsrbw(struct vcpu *, uint32_ void vmx_setmsrbrw(struct vcpu *, uint32_t); void svm_set_clean(struct vcpu *, uint32_t); void svm_set_dirty(struct vcpu *, uint32_t); +int vmx_mprotect_ept(vm_map_t, paddr_t, paddr_t, int); +pt_entry_t * vmx_pmap_find_pte_ept(pmap_t, paddr_t); void vmm_init_pvclock(struct vcpu *, paddr_t); int vmm_update_pvclock(struct vcpu *); @@ -225,6 +228,9 @@ void vmm_decode_efer_value(uint64_t); void vmm_decode_rflags(uint64_t); void vmm_decode_misc_enable_value(uint64_t); const char *vmm_decode_cpu_mode(struct vcpu *); +void dump_requested_vmx_mprotect_ept(int prot); +void vmx_dump_pte_prot(pt_entry_t *pte); +void vmx_dump_pte_after(pt_entry_t *pte); extern int mtrr2mrt(int); @@ -494,6 +500,9 @@ vmmioctl(dev_t dev, u_long cmd, caddr_t case VMM_IOC_WRITEREGS: ret = vm_rwregs((struct vm_rwregs_params *)data, 1); break; + case VMM_IOC_MPROTECT_EPT: + ret = vm_mprotect_ept((struct vm_mprotect_ept_params *)data); + break; case VMM_IOC_READVMPARAMS: ret = vm_rwvmparams((struct vm_rwvmparams_params *)data, 0); break; @@ -532,6 +541,7 @@ pledge_ioctl_vmm(struct proc *p, long co case VMM_IOC_INTR: case VMM_IOC_READREGS: case VMM_IOC_WRITEREGS: + case VMM_IOC_MPROTECT_EPT: case VMM_IOC_READVMPARAMS: case VMM_IOC_WRITEVMPARAMS: return (0); 
@@ -807,6 +817,261 @@ vm_rwregs(struct vm_rwregs_params *vrwp, } /* + * vm_mprotect_ept + * + * IOCTL handler to sets the access protections of the ept + * + * Parameters: + * vmep: decribes the memory for which the protect will be applied.. + * + * Return values: + * 0: if successful + * ENOENT: if the VM defined by 'vmep' cannot be found + * EINVAL: if the sgpa or size is not page aligned, the prot is WX or RWX, + * size is too large (512GB), there is wraparound + * (like start = 512GB-1 and end = 512GB-2), + * the address specified is not within the vm's mem range + * or the address lies inside reserved (MMIO) memory + */ +int +vm_mprotect_ept(struct vm_mprotect_ept_params *vmep) +{ + struct vm *vm; + struct vcpu *vcpu; + struct vm_mem_range *vmr; + vaddr_t sgpa; + size_t size; + vm_prot_t prot; + int i, ret, mem_type; + + /* Find the desired VM */ + rw_enter_read(_softc->vm_lock); + ret = vm_find(vmep->vmep_vm_id, ); + rw_exit_read(_softc->vm_lock); + + /* Not found? exit. */ + if (ret != 0) { + DPRINTF("%s: vm id %u not found\n", __func__, +
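Review bot: the first vmm.c hunk replaces `/* #define VMM_DEBUG */` with `#define VMM_DEBUG`, which turns on every DPRINTF in the file for all builds; that reads as leftover WIP instrumentation and should be reverted before the diff is proposed for commit, keeping the debug output local to your tree.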
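Review bot: the pledge_ioctl_vmm() hunk adds `case VMM_IOC_MPROTECT_EPT:` to the ioctls a pledged process may issue, so the checks promised in the vm_mprotect_ept() header comment (page-aligned sgpa and size, no WX or RWX, 512GB bound, no wraparound, address inside the VM's ranges and outside MMIO) become the only thing between a pledged vmd and arbitrary EPT permission changes; the hunk itself is fine, but those checks need to be reviewed in full before this line goes in.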
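Review bot: the `@@ -225,6 +228,9 @@` hunk declares the dump helpers with named parameters (`int prot`, `pt_entry_t *pte`) while the surrounding prototypes are unnamed; match the file style, and since these only exist to print PTE state, consider guarding their declarations with the VMM_DEBUG define the first hunk touches so a non-debug build does not carry dead declarations.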
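Review bot: the vm_mprotect_ept() hunk is cut off right after the vm lookup, so the EINVAL conditions its header comment lists (alignment, WX/RWX, size, wraparound, range, MMIO) cannot be checked from what is posted; please resend the whole function. The comment itself wants tidying ("IOCTL handler to sets" -> "that sets", "decribes", the trailing ".."), and the `vmep` description should say that sgpa is a guest physical address, since the variable is declared as a `vaddr_t` and that is easy to misread.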
Fix parsing of '\' in hostname.if
Backslash characters inside hostname.if cause it to differ from
parameters provided to ifconfig. Adding '-r' to eliminate the need to
escape '\' inside hostname.if (ssid/wpa key material). If this has
unintended consequences, I can provide a hostname.if man patch
(currently an un-documented "feature").

diff --git etc/netstart etc/netstart index 8cfa7bbf9b9..4168d3634d1 100644 --- etc/netstart +++ etc/netstart @@ -134,7 +134,7 @@ ifstart() { # Parse the hostname.if(5) file and fill _cmds array with interface # configuration commands. set -o noglob - while IFS= read -- _line; do + while IFS= read -r -- _line; do parse_hn_line $_line done <$_hn
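Review bot: switching the loop to `read -r -- _line` also disables backslash-newline continuation, so an existing hostname.if that ends a line with `\` to continue it onto the next will now be parsed as two lines; since the mail already offers a hostname.if(5) update, that page should document both the new literal treatment of backslashes and this consequence for anyone relying on the old behaviour.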
Re: EFI frame buffer > 4GB
On Sun, Sep 22, 2019 at 04:18:08PM +0900, YASUOKA Masahiko wrote:
> Hi,
>
> I'm sorry for delay.
>
> On Fri, 20 Sep 2019 22:08:52 -0700
> Mike Larkin wrote:
> > On Fri, Sep 20, 2019 at 03:35:00PM +0200, Mark Kettenis wrote:
> > > > Date: Fri, 20 Sep 2019 06:06:40 -0700
> > > > From: Mike Larkin
> > > >
> > > > On Fri, Sep 20, 2019 at 02:22:13PM +0200, Mark Kettenis wrote:
> > > > > > Date: Fri, 20 Sep 2019 02:55:27 -0700
> > > > > > From: Mike Larkin
> > > > > >
> > > > > > On Fri, Sep 20, 2019 at 01:09:56AM +0900, YASUOKA Masahiko wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > I recently got a VAIO Pro PK. The diff below is required to boot.
> > > > > > > Without the diff, it freezes during boot.
> > > > > > >
> > > > > > > Its EFI framebuffer is located 0x40 (9 zeros). This is > 4GB
> > > > > > > and higher than highest available memory of the machine. These
> > > > > > > configurations seem to cause the problem.
> > > > > > >
> > > > > > > * * *
> > > > > > >
> > > > > > > Call cninit() after pmap_bootstrap() is called. Since the EFI
> > > > > > > framebuffer may be located > 4GB which is not initialized by
> > > > > > > locore, but by pmap_bootstrap(). Also make the address parameter
> > > > > > > passed to pmap_bootstrap() cover the framebuffer. Actually VAIO
> > > > > > > pro PK's framebuffer is located higher than the highest available
> > > > > > > memory region.
> > > > > > >
> > > > > > > ok? comments?
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I have a few questions...
> > > > > >
> > > > > > 1. There seems to be no limit on the max PA that we extend to here.
> > > > > >    This means, for example, if EFI places the framebuffer past 2TB
> > > > > >    PA, we won't have enough direct map to cover the mapping. Plus
> > > > > >    I think this will end up extending the direct map to cover any
> > > > > >    hole between "end of phys mem" and "efi fb addr". At a minimum,
> > > > > >    I think we need some sort of max PA clamp here. I don't know
> > > > > >    what Sony's placement algorithm is, but 0x40 is 256GB PA.
> > > > >
> > > > > A dmesg and pcidump output would be useful.
>
> Attached them at the bottom.
>
> > > > > I suspect that this is a discrete graphics card where the EFI frame
> > > > > buffer resides in VRAM. Using the direct map in this case is probably
> > > > > not the right thing to do.
> > > > >
> > > > > > 2. What does delaying cninit do for machines that have errors or
> > > > > >    printfs before this? Would those even print anymore? This would
> > > > > >    affect all machines, even those without efifb, correct?
> > > > >
> > > > > Yes and no. It doesn't affect the classic VGA glass console, but it
> > > > > does mean serial output might disappear. That isn't acceptable I'd
> > > > > say.
> > > > >
> > > > > > 3. I am not a big fan of placing device-specific quirks in
> > > > > >    init_x86_64. Could this not be done in the efifb specific console
> > > > > >    init code? You could pmap_enter whatever you wanted there, based
> > > > > >    on the PA EFI sent you. Or does efifb go through the direct map
> > > > > >    for all video output? If so, we may be stuck creating that big
> > > > > >    direct map range. If that's the case though, we should probably
> > > > > >    try to restrict the permissions in the unused holes.
> > > > >
> > > > > The direct map is only used early on in the boot process. The frame
> > > > > buffer is remapped in mainbus_attach() such that we can use
> > > > > write-combining. But that is done after we print copyright. I think
> > > > > the remapping could be done a bit earlier, but not before uvm gets
> > > > > initialized, which happens after we print the copyright message.
> > > > >
> > > > > We don't have to use the direct map during early boot. If you gave us
> > > > > some other way to map the framebuffer before pmap_bootstrap() has been
> > > > > called we could stick that into efifb_cnattach_common(). We'd need
> > > > > your help with that though. Note that the framebuffer can be fairly
> > > > > large though (but we can probably come up with a reasonable upper
> > > > > limit).
> > > >
> > > > What sort of function do you need? Map this PA range at X, but before
> > > > pmap_bootstrap?
> > >
> > > Map this PA range and hand me back the VA where you mapped it, indeed
> > > before pmap_bootstrap().
> > >
> > > I reckon you'd need to reserve slots in the early page tables for
> > > this. The mapping needs to be uncached (UC or WC). I suspect we'll
> > > continue to remap the frame buffer later, UC is fine as we're not
> > > going to produce massive amounts of output to the console before doing
> > > so.
> >
> > Likely doable, but it will be some time before I can get to it.
>
> Thanks,
>
> * * *
> Domain /dev/pci0:
>  0:0:0: Intel Core 8G Host
> 	0x0000: Vendor ID: 8086, Product ID: 3e34
> 	0x0004: Command: 0006, Status: 2090
> 	0x0008: Class: 06 Bridge,
Re: Scrolling in top(1)
5 January 2020 22:37:05 GMT+02:00, Ted Unangst wrote:
> Vadim Zhukov wrote:
> > Today I got really upset and angry due to a limitation of top(1): it shows
> > only hrrm, top processes (thank you, Chromium). Now here is a diff that
> > allows you to scroll the process list by line or by half a screen.
> >
> > I've used the '0' and '9' keys to scroll down and up, respectively.
> > Unfortunately, 'k' is already taken, so vi-like binding to 'j'/'k' keys
> > is not possible. And emacs-style 'v'-for-all looks too complex.
> > Anyone who wants to use up/down and page up/page down keys, be my guest
> > for converting command_chars in top.c to using multi-byte sequences,
> > or whatever is needed for proper handling of those keys.
> >
> > Ideas, comments and (may I hope?) okays are welcome. :)
>
> One of each? It would be nice to extend this with some indication of
> where we are in the display (a first line that says skipping 19). I would
> have used ,.<> as navigation keys, but no matter. And it seems to work
> great, so ok.

Yes, indication would be good and I thought about it, too. But implementing
it in the current top(1) code is not that straightforward, unfortunately, so
I planned to do this separately, avoiding complication of the current diff.

Thanks!

--
With best regards,
Vadim Zhukov
Re: Scrolling in top(1)
Vadim Zhukov wrote:
> Today I got really upset and angry due to a limitation of top(1): it shows
> only hrrm, top processes (thank you, Chromium). Now here is a diff that
> allows you to scroll the process list by line or by half a screen.
>
> I've used the '0' and '9' keys to scroll down and up, respectively.
> Unfortunately, 'k' is already taken, so vi-like binding to 'j'/'k' keys
> is not possible. And emacs-style 'v'-for-all looks too complex.
> Anyone who wants to use up/down and page up/page down keys, be my guest
> for converting command_chars in top.c to using multi-byte sequences,
> or whatever is needed for proper handling of those keys.
>
> Ideas, comments and (may I hope?) okays are welcome. :)

One of each? It would be nice to extend this with some indication of where
we are in the display (a first line that says skipping 19). I would have
used ,.<> as navigation keys, but no matter. And it seems to work great,
so ok.
ldomctl: Fail on duplicate vcpu and memory parameters
Domains get to define their cores and memory only once unlike the other
parameters of which it makes sense to have more than one.

	$ cat dup.conf
	domain primary {
		vcpu 2
		vcpu 2
	}
	$ ldomctl init-system -n dup.conf ; echo $?
	0
	$ ./obj/ldomctl init-system -n dup.conf
	dup.conf:3 duplicate vcpu option

OK?

Index: parse.y === RCS file: /cvs/src/usr.sbin/ldomctl/parse.y,v retrieving revision 1.13 diff -u -p -r1.13 parse.y --- parse.y 28 Nov 2019 18:40:42 - 1.13 +++ parse.y 5 Jan 2020 18:03:54 - @@ -138,10 +155,18 @@ domainoptsl : domainopts nl ; domainopts : VCPU vcpu { + if (domain->vcpu) { + yyerror("duplicate vcpu option"); + YYERROR; + } domain->vcpu = $2.count; domain->vcpu_stride = $2.stride; } | MEMORY memory { + if (domain->memory) { + yyerror("duplicate memory option"); + YYERROR; + } domain->memory = $2; } | VDISK STRING {
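Review bot: the hunk header `@@ -138,10 +155,18 @@` implies 17 lines added before this point that are not in the posted diff (the hunk itself only adds 8), so the patch looks taken from a tree with other local changes; please regenerate it against the checked-in 1.13 so it applies cleanly. The duplicate checks test `if (domain->vcpu)` and `if (domain->memory)`, i.e. non-zero, so a first `vcpu 0` or `memory 0` line would not make a later repeat an error; that is acceptable only if a zero count is already rejected elsewhere in the grammar.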
Re: netcat unix getnameinfo
On Sun, Jan 05, 2020 at 06:41:08PM +0100, Alexander Bluhm wrote:
> When using netcat with the options -Uuvs I get:
> netcat-regress: getnameinfo: Invalid argument

Correction, -U -u -n -v -l triggers the bug.

-U -u -v -l gives:
netcat-regress: getnameinfo: ai_family not supported

My diff fixes both.

> Index: usr.bin/nc/netcat.c > === > RCS file: /data/mirror/openbsd/cvs/src/usr.bin/nc/netcat.c,v > retrieving revision 1.212 > diff -u -p -r1.212 netcat.c > --- usr.bin/nc/netcat.c 17 Nov 2019 17:38:33 - 1.212 > +++ usr.bin/nc/netcat.c 5 Jan 2020 17:26:07 - > @@ -597,7 +597,8 @@ main(int argc, char *argv[]) > > if (vflag) > report_sock("Connection received", > - (struct sockaddr *), len, NULL); > + (struct sockaddr *), len, > + family == AF_UNIX ? host : NULL); > > readwrite(s, NULL); > } else { > @@ -1784,11 +1785,14 @@ report_sock(const char *msg, const struc > if (nflag) > flags |= NI_NUMERICHOST; > > - if ((herr = getnameinfo(sa, salen, host, sizeof(host), > - port, sizeof(port), flags)) != 0) { > - if (herr == EAI_SYSTEM) > + herr = getnameinfo(sa, salen, host, sizeof(host), port, sizeof(port), > + flags); > + switch (herr) { > + case 0: > + break; > + case EAI_SYSTEM: > err(1, "getnameinfo"); > - else > + default: > errx(1, "getnameinfo: %s", gai_strerror(herr)); > } >
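Review bot: the correction shows that the same report_sock() hunk is reached through two different failure paths (the `EAI_SYSTEM` case with "Invalid argument" under -n, and the `default:` case with "ai_family not supported" without it); both option sets, `-U -u -n -v -l` and `-U -u -v -l`, are worth adding as netcat-regress cases so the fix in the first hunk is exercised on each path and cannot silently regress.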
netcat unix getnameinfo
Hi,

When using netcat with the options -Uuvs I get:
netcat-regress: getnameinfo: Invalid argument

Using the same check when calling report_sock() as a few lines below
fixes it. While there use the same error check for both calls to
getnameinfo(3).

ok?

bluhm

Index: usr.bin/nc/netcat.c === RCS file: /data/mirror/openbsd/cvs/src/usr.bin/nc/netcat.c,v retrieving revision 1.212 diff -u -p -r1.212 netcat.c --- usr.bin/nc/netcat.c 17 Nov 2019 17:38:33 - 1.212 +++ usr.bin/nc/netcat.c 5 Jan 2020 17:26:07 - @@ -597,7 +597,8 @@ main(int argc, char *argv[]) if (vflag) report_sock("Connection received", - (struct sockaddr *), len, NULL); + (struct sockaddr *), len, + family == AF_UNIX ? host : NULL); readwrite(s, NULL); } else { @@ -1784,11 +1785,14 @@ report_sock(const char *msg, const struc if (nflag) flags |= NI_NUMERICHOST; - if ((herr = getnameinfo(sa, salen, host, sizeof(host), - port, sizeof(port), flags)) != 0) { - if (herr == EAI_SYSTEM) + herr = getnameinfo(sa, salen, host, sizeof(host), port, sizeof(port), + flags); + switch (herr) { + case 0: + break; + case EAI_SYSTEM: err(1, "getnameinfo"); - else + default: errx(1, "getnameinfo: %s", gai_strerror(herr)); }
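Review bot: the first hunk passes `family == AF_UNIX ? host : NULL` at the accept path, and the mail says the same expression already exists at another report_sock() call a few lines below; with the special case now duplicated at two call sites, consider moving it into report_sock() itself (it already receives `sa` and can test `sa->sa_family`), so that a third caller cannot forget it and hit the same fatal getnameinfo(3) exit.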
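Review bot: the switch in the second hunk only changes how a getnameinfo(3) failure is reported; every non-zero result still terminates netcat, so an AF_UNIX sockaddr that reaches report_sock() without the caller's name argument still kills the process under -v. Since `err(1, "getnameinfo");` does not return, a `/* NOTREACHED */` comment before `default:` would make it explicit that the EAI_SYSTEM case is not meant to fall through.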
Scrolling in top(1)
Hi all.

Today I got really upset and angry due to a limitation of top(1): it shows
only hrrm, top processes (thank you, Chromium). Now here is a diff that
allows you to scroll the process list by line or by half a screen.

I've used the '0' and '9' keys to scroll down and up, respectively.
Unfortunately, 'k' is already taken, so vi-like binding to 'j'/'k' keys
is not possible. And emacs-style 'v'-for-all looks too complex.
Anyone who wants to use up/down and page up/page down keys, be my guest
for converting command_chars in top.c to using multi-byte sequences,
or whatever is needed for proper handling of those keys.

Ideas, comments and (may I hope?) okays are welcome. :)

--
WBR,
Vadim Zhukov

Index: machine.c === RCS file: /cvs/src/usr.bin/top/machine.c,v retrieving revision 1.101 diff -u -p -r1.101 machine.c --- machine.c 16 Dec 2019 19:21:17 - 1.101 +++ machine.c 5 Jan 2020 14:10:44 - @@ -546,6 +546,14 @@ format_comm(struct kinfo_proc *kp) return (buf); } +void +skip_next_process(struct handle *hndl) +{ + /* find and remember the next proc structure */ + hndl->next_proc++; + hndl->remaining--; +} + char * format_next_process(struct handle *hndl, const char *(*get_userid)(uid_t, int), pid_t *pid) Index: machine.h === RCS file: /cvs/src/usr.bin/top/machine.h,v retrieving revision 1.27 diff -u -p -r1.27 machine.h --- machine.h 8 Oct 2019 20:51:03 - 1.27 +++ machine.h 5 Jan 2020 14:10:44 - @@ -90,6 +90,7 @@ extern void get_system_info(struct s extern struct handle *get_process_info(struct system_info *, struct process_select *, int (*) (const void *, const void *)); +extern void skip_next_process(struct handle *); extern char*format_next_process(struct handle *, const char *(*)(uid_t, int), pid_t *); extern uid_tproc_owner(pid_t); Index: top.1 === RCS file: /cvs/src/usr.bin/top/top.1,v retrieving revision 1.71 diff -u -p -r1.71 top.1 --- top.1 28 Nov 2018 22:00:30 - 1.71 +++ top.1 5 Jan 2020 14:10:44 - 
@@ -291,6 +291,10 @@ or any process highlighting put in place interactive command. .It 1 Toggle the display of per CPU or combined CPU statistics. +.It 9 | 0 +Scroll up/down the process list by one line. +.It \&( | \&) +Scroll up/down the process list by screen half. .It C Toggle the display of process command line arguments. .It d Ar count Index: top.c === RCS file: /cvs/src/usr.bin/top/top.c,v retrieving revision 1.101 diff -u -p -r1.101 top.c --- top.c 8 Oct 2019 20:51:03 - 1.101 +++ top.c 5 Jan 2020 14:10:44 - @@ -68,6 +68,7 @@ static void reset_display(void); intrundisplay(void); static int max_topn; /* maximum displayable processes */ +static int skip; /* how many processes to skip (scroll) */ extern int ncpu; extern int ncpuonline; @@ -126,6 +127,10 @@ struct statics statics; #define CMD_add21 #define CMD_hl 22 #define CMD_cpus 23 +#define CMD_down 24 +#define CMD_up 25 +#define CMD_pagedown 26 +#define CMD_pageup 27 static void usage(void) @@ -557,6 +562,15 @@ restart: active_procs = topn; if (active_procs > max_topn) active_procs = max_topn; + /* determine how many process to skip, if asked to */ + /* +* this number is tweaked by user, but gets shrinked +* when number of active processes lowers too much +*/ + if (skip + active_procs > system_info.p_active) + skip = system_info.p_active - active_procs; + for (i = skip; i > 0; i--) + skip_next_process(processes); /* now show the top "n" processes. */ for (i = 0; i < active_procs; i++) { pid_t pid; @@ -618,7 +632,7 @@ rundisplay(void) char ch, *iptr; int change, i; struct pollfd pfd[1]; - static char command_chars[] = "\f qh?en#sdkriIuSopCHg+P1"; + static char command_chars[] = "\f qh?en#sdkriIuSopCHg+P109)("; /* * assume valid command unless told @@ -966,6 +980,21 @@ rundisplay(void) combine_cpus = !combine_cpus; max_topn = display_resize(); reset_display(); + break; + case CMD_down: + skip++; + break; + case CMD_up:
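Review bot: in the machine.c hunk, skip_next_process() decrements `hndl->remaining` without checking it is positive; the top.c caller clamps `skip` first, but a guard such as `if (hndl->remaining > 0)` would keep the helper safe for any future caller, and the comment "find and remember the next proc structure" describes format_next_process(), not this function, which only advances past one entry.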
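Review bot: in the top.c restart hunk, `skip = system_info.p_active - active_procs;` goes negative when fewer processes are active than fit on the screen; the following `for (i = skip; i > 0; i--)` then does nothing, but `skip` stays negative, so the next CMD_down makes it `-N+1` instead of `1` and several key presses are needed before anything scrolls. Clamp to zero after the subtraction. The comment also needs "how many processes to skip" and "shrunk" in place of "shrinked".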
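Review bot: the command_chars hunk appends `09)(` so that '0' and ')' scroll down and '9' and '(' scroll up, which agrees with the top.1 hunk; the string position has to stay in step with the new `CMD_down`..`CMD_pageup` values 24..27, which is easy to break on the next addition, so a comment next to the string tying the two together would help.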
Re: openiked.org down?
who can bring openiked.org back to life?

> Sent: Tuesday, December 31, 2019 at 4:14 PM
> From: "Umgeher Torgersen"
> To: m...@openbsd.org
> Subject: Re: openiked.org down?
>
> yeah, it's down...
>
> ; <<>> DiG 9.4.2-P2 <<>> openiked.org
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58691
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;openiked.org. IN A
>
> ;; AUTHORITY SECTION:
> openiked.org. 2496 IN SOA a.ns.bsws.de. noc.bsws.de. 1577745128 1 3600 604800 86400
>
> ;; Query time: 0 msec
> ;; SERVER: 10.0.5.5#53(10.0.5.5)
> ;; WHEN: Tue Dec 31 15:14:22 2019
> ;; MSG SIZE rcvd: 82
>
> On Tue, Dec 31, 2019 at 03:08:47PM +0100, lu hu wrote:
> > Hello,
> >
> > did anyone notice that the https://openiked.org/ is down?
> >
> > NO "A" record is associated with the domain?
> >
> > Thanks for any infos.
Fw: Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?
Hello,

any thoughts anyone?

> Sent: Sunday, December 29, 2019 at 6:07 PM
> From: "lu hu"
> To: m...@openbsd.org
> Subject: Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?
>
> Hello:
>
> 66# grep -i challenge /etc/ssh/sshd_config
> #ChallengeResponseAuthentication yes
> 66# sshd -T|grep -i challenge
> challengeresponseauthentication yes
> 66#
>
> it doesn't count if it is commented out, since it is by default YES as I
> started the thread with:
>
> > > # what am I talking about?
> > >
> > > https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication
> > >
> > > ChallengeResponseAuthentication
> > > Specifies whether challenge-response authentication is allowed. All
> > > authentication styles from login.conf(5) are supported. The default is
> > > yes.
>
> anyone in this world that understands what I am trying to point out? :)
>
> with all the infos so far I have, the "ChallengeResponseAuthentication"
> should be by default NO. but it isn't currently.
>
> maybe someone from the devs? or sorry, am I posting to the wrong list?
>
> Really Many Thanks.
>
> Happy New Year!
>
> > Sent: Monday, December 23, 2019 at 1:58 PM
> > From: "Jan Betlach"
> > To: "lu hu"
> > Cc: m...@openbsd.org
> > Subject: Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?
> >
> > Isn’t it commented out by default?
> >
> > Jan
> >
> > > Hello,
> > >
> > > nobody about the $subject? :)
> > >
> > > Why isn't ChallengeResponseAuthentication NO in sshd_config by
> > > default?
> > >
> > > It would be more secure, afaik.
> > >
> > > Many thanks.
> > >
> > >> Sent: Thursday, December 19, 2019 at 7:58 PM
> > >> From: "lu hu"
> > >> To: m...@openbsd.org
> > >> Subject: Re: Why isn't ChallengeResponseAuthentication NO in
> > >> sshd_config?
> > >>
> > >>> Sent: Wednesday, December 18, 2019 at 9:49 PM
> > >>> From: "Bodie"
> > >>> To: m...@openbsd.org, owner-m...@openbsd.org
> > >>> Subject: Re: Why isn't ChallengeResponseAuthentication NO in
> > >>> sshd_config?
> > >>>
> > >>> On 18.12.2019 18:48, lu hu wrote:
> > Hello,
> >
> > # what am I talking about?
> >
> > https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication
> >
> > ChallengeResponseAuthentication
> > Specifies whether challenge-response authentication is allowed. All
> > authentication styles from login.conf(5) are supported. The default is
> > yes.
> >
> > # what do linux distros use:
> >
> > If I ex.: read:
> >
> > https://access.redhat.com/solutions/336773
> >
> > then I can see ChallengeResponseAuthentication is NO for security
> > reasons. Ubuntu too.
> >
> > # what else says ChallengeResponseAuthentication should be NO?
> >
> > https://www.openwall.com/lists/oss-security/2019/12/04/5
> > ->
> > >>>
> > >>> These issues were quickly fixed in OpenBSD as you can see in
> > >>> Security
> > >>>
> > >>
> > >> This isn't related to the subject.
> > >>
> > >>>
> > 1. CVE-2019-19521: Authentication bypass
> >
> > this attack should be more mitigated if
> > ChallengeResponseAuthentication would be by default set to NO.
> >
> > # FIX:
> >
> > from this:
> > cat /etc/ssh/sshd_config
> > ...
> > # Change to no to disable s/key passwords
> > #ChallengeResponseAuthentication yes
> > ...
> >
> > to this:
> > vi /etc/ssh/sshd_config
> > cat /etc/ssh/sshd_config
> > ...
> > # Change to no to disable s/key passwords
> > ChallengeResponseAuthentication no
> > ...
> >
> > But of course by default, without fixing sshd_config it should be
> > NO.
> >
> > Who the hell uses s/key with sshd nowadays?
> >
> > >>>
> > >>> And you are aware that this option is not there just for S/Key,
> > >>> right?
> > >>> It's for example PAM Google authenticator too on Linux and
> > >>> others
> > >>>
> > >>> I think you missed a couple of points. Eg.:
> > >>>
> > >>> https://www.openbsd.org/faq/faq10.html#SKey
> > >>>
> > >>> and the fact that login.conf(5) on OpenBSD by default enables S/Key.
> > >>>
> > >>
> > >> I checked the https://www.openbsd.org/faq/faq10.html#SKey
> > >>
> > >> first step is to have a /etc/skey dir. So checked it:
> > >>
> > >> 66# ls /etc/skey
> > >> ls: /etc/skey: No such file or directory
> > >> 66#
> > >>
> > >> There is no /etc/skey by default. So you have to do the "skeyinit -E"
> > >> as root, etc. Same for Google authenticator, etc. So
> > >> ChallengeResponseAuthentication should be only enabled then.. when
> > >> you set up extra auth methods.
> > >>
>
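As an added example (mine, neither from the thread nor OpenSSH code), the following sh script does what the thread does by hand with `sshd -T | grep -i challenge`, but for a small baseline of keywords at once, and reports each effective value that differs. The `sshd -T` output is a constructed sample so the script runs offline; the keyword names are real sshd_config(5) keywords, while the baseline values are this example's own policy choices, not something the thread settles.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSH code): audit the
# effective sshd settings, as printed by "sshd -T", against a baseline.
# A commented-out line in sshd_config changes nothing, which is why the
# thread checks "sshd -T" rather than grepping the file.

# Constructed stand-in for "sshd -T" output so the script runs offline.
# On a real host use:  sshd -T | audit_sshd_config
SAMPLE_SSHD_T='port 22
addressfamily any
challengeresponseauthentication yes
passwordauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes'

# Baseline of "keyword expected-value" pairs. The keywords are real
# sshd_config(5) keywords; the expected values are this example's policy.
BASELINE='challengeresponseauthentication no
passwordauthentication no
permitrootlogin no'

# lookup_effective KEYWORD: print the effective value of KEYWORD from the
# "sshd -T" text on stdin. sshd -T prints keywords in lower case, but the
# comparison is case-insensitive so hand-written config lines work too.
lookup_effective() {
	awk -v kw="$1" 'tolower($1) == kw { print $2; exit }'
}

# audit_sshd_config: read "sshd -T" output on stdin and print one line per
# baseline keyword whose effective value differs:
#     keyword effective-value expected-value
# Exit status 0 when everything matches, 1 when at least one differs.
audit_sshd_config() {
	_effective=$(cat)
	_mismatches=$(printf '%s\n' "$BASELINE" | while read -r _kw _want; do
		_have=$(printf '%s\n' "$_effective" | lookup_effective "$_kw")
		[ "$_have" = "$_want" ] ||
			printf '%s %s %s\n' "$_kw" "${_have:-unset}" "$_want"
	done)
	if [ -n "$_mismatches" ]; then
		printf '%s\n' "$_mismatches"
		return 1
	fi
	return 0
}

# Demonstration on the constructed sample: every baseline keyword differs.
if printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_config; then
	echo "sample matches baseline"
else
	echo "sample deviates from baseline (see lines above)"
fi
```

Because it reads the daemon's own view of the effective configuration, the check is unaffected by comments, by `Match` blocks that do not apply, or by the built-in default the thread is arguing about; whatever `sshd -T` prints is what a login attempt will be evaluated against.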
MAKE: fix -q flag
-q is just plain broken in compat mode, it's easy to fix though.

The second issue is that, if a Makefile has an .END target, that one will
always be run, even in query mode, contrary to .BEGIN. So let's fix that
as well.

Fairly obvious patch

Index: compat.c === RCS file: /cvs/src/usr.bin/make/compat.c,v retrieving revision 1.88 diff -u -p -r1.88 compat.c --- compat.c21 Dec 2019 15:29:25 - 1.88 +++ compat.c5 Jan 2020 13:43:32 - @@ -266,11 +266,12 @@ CompatMake(void *gnp, /* The node to mak } } -void +bool Compat_Run(Lst targs) /* List of target nodes to re-create */ { GNode *gn = NULL; /* Current root target */ int errors; /* Number of targets not built due to errors */ + boolout_of_date = false; /* For each entry in the list of targets to create, call CompatMake on * it to create the thing. CompatMake will leave the 'built_status' @@ -291,11 +292,15 @@ Compat_Run(Lst targs) /* List of target else if (gn->built_status == ABORTED) { printf("`%s' not remade because of errors.\n", gn->name); + out_of_date = true; errors++; + } else { + out_of_date = true; } } /* If the user has defined a .END target, run its commands. */ - if (errors == 0) + if (errors == 0 && !queryFlag) run_gnode(end_node); + return out_of_date; } Index: compat.h === RCS file: /cvs/src/usr.bin/make/compat.h,v retrieving revision 1.3 diff -u -p -r1.3 compat.h --- compat.h19 Jul 2010 19:46:43 - 1.3 +++ compat.h5 Jan 2020 13:43:32 - @@ -35,8 +35,9 @@ * - friendly variable substitution. */ -/* Compat_Run(to_create); - * Run the actual make engine, to create targets that need to. */ -extern void Compat_Run(Lst); +/* out_of_date = Compat_Run(to_create); + * Run the actual make engine, to create targets that need to, + * return true if any target is out of date. */ +extern bool Compat_Run(Lst); #endif Index: main.c === RCS file: /cvs/src/usr.bin/make/main.c,v retrieving revision 1.123 diff -u -p -r1.123 main.c --- main.c 22 Apr 2019 18:32:09 - 1.123 +++ main.c 5 Jan 2020 13:43:32 - 
@@ -804,7 +804,7 @@ main(int argc, char **argv) if (compatMake) /* Compat_Init will take care of creating all the * targets as well as initializing the module. */ - Compat_Run(); + outOfDate = Compat_Run(); else { /* Traverse the graph, checking on all the targets. */ outOfDate = Make_Run(); Index: make.c === RCS file: /cvs/src/usr.bin/make/make.c,v retrieving revision 1.76 diff -u -p -r1.76 make.c --- make.c 21 Dec 2019 15:31:54 - 1.76 +++ make.c 5 Jan 2020 13:43:32 - @@ -572,7 +572,8 @@ Make_Run(Lst targs) /* the initial list (void)MakeStartJobs(); } - problem = Job_Finish(); + if (!queryFlag) + problem = Job_Finish(); /* * Print the final status of each target. E.g. if it wasn't made
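Review bot: in the second compat.c hunk the new `else { out_of_date = true; }` marks every target that is neither up to date nor ABORTED as out of date, which is the answer -q needs; with `errors == 0 && !queryFlag` now guarding run_gnode(end_node), query mode skips .END as it already skipped .BEGIN, so a sentence in the make(1) description of -q stating that neither .BEGIN nor .END is run would save the next reader a trip into compat.c.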
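Review bot: the compat.h hunk changes the prototype from `void` to `bool`; make sure the project's bool type is visible in compat.h on its own (the hunk shows no new include), since a header that only compiles when included after another is a trap for the next user of it.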
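Review bot: in the make.c hunk, `problem` is now assigned only when `!queryFlag`; check that it is initialised before this point, otherwise the status printing that follows reads an uninitialised value under -q and the exit code becomes unpredictable, which is the one thing -q exists to report.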
Re: sparc64: autoconf: Ignore reboot-memory device
> Date: Sun, 5 Jan 2020 00:45:12 +0100
> From: Klemens Nanni
>
> On Thu, Dec 26, 2019 at 10:02:42PM +0100, Klemens Nanni wrote:
> > Solaris supports booting fallback images from "retained memory" which
> > is a relatively new feature introduced, it requires recent versions of
> > Solaris as well as recent hardware support; T2+ machines do not show
> > this pseudo-device with latest firmware, T4 machines however do:
> >
> > {0} ok show-devs
> > ...
> > /reboot-memory@0
> > ...
> >
> > "reboot-memory" at mainbus0 not configured
> >
> >
> > Neither NetBSD nor FreeBSD support such machines in the first place, so
> > they do not exclude anything newer than we do; our list comes from
> > NetBSD where it stays the same since import in 1998.
> >
> > OK to ignore this firmware specific and Solaris only pseudo-device?
> >
> > NB: I see "pci-performance-counters" as well but am not certain whether
> > this could in fact be used at some point from OpenBSD, so I'm not this
> > pseudo-device now.
> Ping.

I don't see a fundamental reason why we couldn't make use of this in
OpenBSD. So I'd rather keep it as a reminder our sparc64 support isn't
complete ;).

> Index: arch/sparc64/sparc64/autoconf.c > === > RCS file: /cvs/src/sys/arch/sparc64/sparc64/autoconf.c,v > retrieving revision 1.134 > diff -u -p -r1.134 autoconf.c > --- arch/sparc64/sparc64/autoconf.c 4 Jan 2020 23:43:54 - 1.134 > +++ arch/sparc64/sparc64/autoconf.c 4 Jan 2020 23:44:59 - > @@ -920,6 +920,7 @@ extern bus_space_tag_t mainbus_space_tag >* These are _root_ devices to ignore. Others must be handled >* elsewhere. >*/ > + "reboot-memory", > "virtual-memory", > "aliases", > "memory", > >
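Review bot: the added `"reboot-memory",` entry in the root-device ignore list carries no hint of why it is skipped, and the surrounding entries are generic names anyone recognises; a short comment that it is the Solaris retained-memory pseudo-device exposed by newer firmware (as the mail explains) would spare the next reader a search through the archives before deciding whether it can be dropped or supported.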