Secure storage of config files (was Re: Bootable installation partition on a hard drive?)

2020-09-07 Thread Paul Suh
On Sep 7, 2020, at 5:48 AM, Stuart Henderson wrote: > > My suggestions would be to keep the config files in a management system > of some sort. Whether that's a full-blown config management system like > ansible/salt, one of the simpler tools like rset, judo, rdist, or even > just committing confi

Re: Select ssh key from ssh-agent?

2020-05-23 Thread Paul Suh
> On May 22, 2020, at 11:45 AM, Stuart Henderson wrote: > > Ahh I just realised that you might be wanting to use agent-forwarded > keys to connect to bitbucket. What I described should work if you have > local keys on the server where you run the git commands but it's not > using them because i

Re: Select ssh key from ssh-agent?

2020-05-23 Thread Paul Suh
On May 22, 2020, at 10:08 PM, David A. Pocock wrote: > > Consider: > > workstation$ eval $(ssh-agent) > workstation$ ssh-add ~/.ssh/my_primary_key > workstation$ ssh-add ~/.ssh/my_secondary_key > workstation$ ssh-add -l > hash /home/user/.ssh/my_primary_key > hash /home/use

Re: Select ssh key from ssh-agent?

2020-05-22 Thread Paul Suh
> On May 22, 2020, at 3:35 AM, Stuart Henderson wrote: > > On 2020-05-21, Paul Suh wrote: >> However, if you are loading multiple keys into ssh-agent and forwarding keys >> to other hosts, there doesn’t seem to be a way to select which key will be >> presented to

Select ssh key from ssh-agent?

2020-05-21 Thread Paul Suh
Folks, I’m not sure this is the right place to ask, but I hope someone can point me in the right direction. When using ssh with keys that are in files on the local host, you can specify which key is used for the connection by using the -i option and giving the path to the key file. However

Re: Automated OS builds?

2020-01-05 Thread Paul Suh
On Jan 5, 2020, at 12:43 PM, Morten Gade Liebach wrote: > > Read release(8), then write a script that runs through the described process. I can do that, and will if I have to, but if someone has already done it or has a base to start from that would be better. (I’ve been building OpenBSD releases t

Automated OS builds?

2020-01-05 Thread Paul Suh
Folks, My DuckDuckGo-fu seems to be weak right now. Is there a set of automated scripts somewhere that: 1) Checks anoncvs*.*.openbsd.org:/cvs for updates to the patch branch source tree 2) Checks them out 3) Builds them 4) Builds a release Then notifies me when this has happened? I’m looki

Re: 6.5 PowerPC Packages

2019-05-09 Thread Paul Suh
On May 9, 2019, at 11:41 AM, danieljb...@icloud.com wrote: > > On Thu, May 09, 2019 at 08:55:40AM -0600, Theo de Raadt wrote: >> The real reason is because we're low on current for the flux capacitor, >> after shifting time for the early 6.5 release. Not all the machines >> were able to fit into

Linux equivalent of ifstated?

2019-04-18 Thread Paul Suh
Folks, Sorry to pollute with non-OpenBSD but it's sorta related. I need to work on a Linux system and I need the functionality of ifstated(8), in particular with respect to arbitrary tests as well as interface state. The ifupdown scripts are not sufficient. Can anyone tell me the equivale

Re: serial console images for installing on vmd based guests

2019-03-13 Thread Paul Suh
> On Mar 13, 2019, at 6:30 PM, Chris Cappuccio wrote: > > I think I'm just too stupid to use Linux. I know grub-based boot loaders give > you that option, but then I went to try Alpine Linux, and from what I'm > finding, I have to setup a config file put it back into the ISO. Chris, I've bee

Re: Are there open source firewall distributions which are built on top of OpenBSD?

2019-03-13 Thread Paul Suh
> On Mar 13, 2019, at 6:05 AM, Stuart Henderson wrote: > > On 2019-03-13, Mehma Sarja wrote: >> My current setup is basic firewall with DHCP, NAT and routing. But there is >> power in the simplicity. When something goes wrong -and it has happened >> twice due to power failures, there is so muc

Re: Cheaper alternatives for APC UPS

2018-12-28 Thread Paul Suh
On Dec 23, 2018, at 7:13 AM, Stuart Henderson wrote: > > I have had APCs that required a crowbar to remove the batteries before ;) > Whatever brand, it's probably a good idea to schedule a battery inspection > from time to time. I would second this and go further. I spent four years working in t

Mac laptop to iked errors

2018-12-06 Thread Paul Suh
Folks, Fiddling with a basic iked configuration: ikev2 roadwarrior \ from any to 172.31.0.0/20 \ local 172.31.15.102 peer any \ config address 172.31.0.224/28 \ config protected-subnet 172.31.0.0/20 \ tag "IKED" I created a ca and certs using ikectl using hostnames. When I

Re: TLS suddenly not working over IKED site-to-site

2018-12-03 Thread Paul Suh
> On Dec 3, 2018, at 12:18 PM, Rachel Roch wrote: > > I hope someone here can shed light on an infuriating problem I’ve spent a > week trying to resolve without luck. > > The problem concerns an IKED site-to-site VPN on OpenBSD 6.3 (both endpoints > fully syspatched). > > The VPN worked abs

Pass through a single external IP address and NAT others

2018-10-24 Thread Paul Suh
Folks, I'm about to make a change in my external networking setup. I have 5 public IPs from Verizon FIOS and all 5 are coming into an OpenBSD 6.3 (shortly to be 6.4) box using pf and NAT. I would like to have four of the IPs continue to come into the OpenBSD box but pass through the fifth IP to

IPSec Flow and SA to unexpected subnet

2017-11-26 Thread Paul Suh
Folks, I set up a router using 6.2-stable, and created IKEv1 tunnels using isakmpd, something I've done many times before. The other end is a Sonicwall NSA 4500, which I've used as an endpoint before as well. My ipsec.conf file is: > ike active esp \ > from 192.168.144.0/24 \ >

DNS hijacking (was Re: Is this an intrusion?)

2017-06-17 Thread Paul Suh
On Jun 16, 2017, at 9:32 PM, Joe Holden wrote: > > It is done by the VM dns servers, if you visit a domain that doesn't > exist you should be directed to the advanced search page, there *should* > be a link to disable it there, but if not login to your account and > disable it, can't remember wha

Re: OT: Recommendations for a CMS?

2017-05-12 Thread Paul Suh
> On May 12, 2017, at 11:34 AM, Michael Hekeler wrote: > > Am Wed, 10 May 2017 15:58:18 -0400 > schrieb Paul Suh : > >> (...) >>> https://redaxo.org >> >> I guess it's ok, but the site is entirely in German, und mein Deutsch >> ist nicht gu

Re: OT: Recommendations for a CMS?

2017-05-10 Thread Paul Suh
Thanks to everyone for suggestions and ideas. My comments on some of the suggestions, in more or less chronological order: > I would recommend something like Magento Magento is total overkill -- this is not an e-commerce site and the additional exposed attack surface is horrendous. > https:

Re: IPsec and certificates

2017-05-07 Thread Paul Suh
> On May 7, 2017, at 2:10 PM, Steve Shockley wrote: > > I'm trying to get IPsec set up in transport mode using isakmpd, between > OpenBSD 6.0, Windows 2008R2+, and i5/OS 7.1. I've already gotten everything > working using PSK, but I'd like to use certificates. > > I've created a certifica

OT: Recommendations for a CMS?

2017-05-07 Thread Paul Suh
Folks, Completely off topic, but I'd value input from this community in particular. I need to recommend a (replacement) CMS for the public-facing web site for my day job. My wants: 1) NOT WordPress -- I don't need the security headaches. 2) Allows updates by users who don't know HTML and for

Re: Hardware recommendations for compact 1U firewall

2017-01-09 Thread Paul Suh
> On Dec 16, 2016, at 8:32 PM, Predrag Punosevac wrote: > > This is my favorite eBay seller and they have lots of nice network > equipment for home, small, and large business. > > http://stores.ebay.com/MITXPC/ +1 for MITXPC. I've purchased several systems from them over the years and they've alw

Re: OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801 [solved, but ...]

2016-10-02 Thread Paul Suh
> On Oct 2, 2016, at 3:06 PM, Peer Janssen wrote: > > Now I reinstalled on another CF-Disk (4GB Transcend) with another method > (miniboot.fs), this went through and first-rebooted just fine. > > But now halting the machine produces a panic: Peer, I suspect that part of the problem with your 480

Re: Looking for a way to deal with unwanted HTTP requests using mod_perl

2016-09-29 Thread Paul Suh
On Sep 28, 2016, at 10:04 PM, Chris Bennett wrote: > > I don't think bruteforce will be helpful in my case. I do occasionally > get bruteforce attacks, but not very often. > What I usually get are identical attacks of a certain set of variations > of URLs from one IP address. A little later the sa

Re: Long life on SSD in a firewall environment

2016-06-19 Thread Paul Suh
> On Jun 19, 2016, at 5:56 AM, Sjöholm Per-Olov wrote: > > Hi > > Does anyone know if there exists any list of recommendations about how to make > an SSD disk live as long as possible when using it for firewall purposes on > OpenBSD? It seems that OpenBSD lacks some features related to SSDs like

Re: I am thankful for OpenBSD quality docs

2016-05-17 Thread Paul Suh
> On May 17, 2016, at 11:17 AM, Donald Allen wrote: > > My point is that good documentation is not > easy to do, something I think many of us tend to forget. It's also > less fun than writing code. Things like K&R that explain their subject > so concisely and yet completely take tremendous skill.

I am thankful for OpenBSD quality docs

2016-05-17 Thread Paul Suh
Folks, I've been playing over at Alpine Linux, to get support for a WiFi card that is not supported under OpenBSD. Their installation instructions and general documentation are horribly confused and outdated. Makes me long for our goodness here. --Paul

Re: your mail

2016-05-17 Thread Paul Suh
Bah, humbug! TECO Rulez! > On May 17, 2016, at 5:47 AM, Roderick wrote: > > On Mon, 16 May 2016, 1 9 wrote: > >> What editor? vim or emacs? what is the reason?

Support for Realtek wifi card?

2016-05-08 Thread Paul Suh
Folks, Can someone give me a read on support for Realtek WiFi cards -- specifically the support for the 8723BE? I'm thinking it's along the lines of "ba-ha-ha-ha-ha you're joking right?". It's not critical for me -- I got the little box because it has 4 GigE ports and an Atom D525, the WiFi would j

Re: Syntax error in pf rules

2016-03-31 Thread Paul Suh
> On Mar 30, 2016, at 10:58 PM, Adam Smith wrote: > > Are you the owner of misc@openbsd.org? > >> --- dera...@cvs.openbsd.org wrote: >> >> From: Theo de Raadt >> To: ken...@dcemail.com >> >>> I know. Do you have proof that I hadn't put in my minimum effort >>> before jumping to conclusions?

Re: 5.8 IKEv2 with OSX 10.11.3

2016-01-31 Thread Paul Suh
DY - First things first. Can you please post a printout of the certificate in text and PEM format? Clearly the OS X machine doesn't like the subjectAltName, but there may be other issues as well. --Paul > On Jan 31, 2016, at 1:16 AM, Dot Yet wrote: > > Forgot to mention that I know the probl

Re: random.seed question

2015-11-26 Thread Paul Suh
> On Thu, Nov 26, 2015 at 01:30:51PM +0100, Marko Cupać wrote: > > | The reason why I am asking is the fact that I am preparing pcengines > | apu box which needs to be read-only because of reduced sdcard wear but > | also because it is going to be placed in remote environment with > | frequent pow

Re: Update OpenBSD Remotely

2015-05-17 Thread Paul Suh
On May 17, 2015, at 10:08 AM, Peter Leber wrote: > > I want to build a test system based on OpenBSD 5.7 which updates > in an automated fashion. > The goal is to have a remotely located machine which runs OpenBSD 5.7 > and is constantly updated. While restarting the machine remotely via SSH > is p

Re: Creating and protecting flash installed OpenBSD image

2015-04-04 Thread Paul Suh
> On Apr 3, 2015, at 5:30 AM, Denis Lapshin wrote: > > Interesting, does anybody have experience of creating a flash memory image with an OpenBSD system running. > I see this like extracting all of the soldered FLASH memory contents into RAM and running from there. > > Flash memory image protection from re

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 2:34 AM, Martin Schröder wrote: > 2011/8/30 Paul Suh : >> I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would > > Not a board, but full computers: > http://www.lannerinc.com/Embedded_Computing/All-Purpose_Box_Com

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 9:47 AM, Stuart Henderson wrote: > On 2011-08-29, Paul Suh wrote: >> I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would >> like to fit two of them into a 1U, dual mini-ITX case to have a CARP/SASYNC >> pair with connect

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 2:03 AM, Johan Linner wrote: > We're running OpenBSD 4.9 on: > http://www.mini-itx.com/store/?c=47#jnc92-330 > > with Jetway 3x Gigabit LAN Motherboard Modules: > http://www.mini-itx.com/store/?c=34#modules > > Works great. Johan, Thanks for the info! --Paul

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 3:18 AM, Paul de Weerd wrote: > Are you putting two boards in one case for redundancy / high > availability ? So that, when one fails the other can ... be taken > down too to fix the first one ? Paul, As far as I can tell, the two sides are fully independent of each other. A

Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-31 Thread Paul Suh
On Aug 30, 2011, at 3:08 AM, Henrique António Evaristo wrote: > Humm, nice ... I was interested in knowing the power consumption of that setup. > Do you have any possibility to provide that ? > Thanks. > > Best regards, > Henrique Henrique, I will be in a position to post on power consumption of

Quad-Gigabit 1U mini-itx board recommendations?

2011-08-29 Thread Paul Suh
Folks, I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports. I would like to fit two of them into a 1U, dual mini-ITX case to have a CARP/SASYNC pair with connections to external, internal, and DMZ zones. Using Google I've f

Re: Jail-System for OpenBSD

2011-07-21 Thread Paul Suh
Folks, I would add that sysjail (not the FreeBSD implementation but the implementation based on systrace(4)) has known holes that make it unsuitable as a security tool; please don't use it. I had the privilege of speaking with Robert Watson directly at a conference a few y

Re: Bug Tracking system does not work

2011-07-19 Thread Paul Suh
On Jul 18, 2011, at 6:24 PM, Ted Unangst wrote: > On Mon, Jul 18, 2011, Sergey Bronnikov wrote: >> may be proper link is http://www.openbsd.org/query-pr.html > > The bug tracker is down and will stay that way for some time. Ted, Is there something that we can do to help? --Paul > >> >>

Re: ISAKMPD

2011-07-14 Thread Paul Suh
Folks, Hmm -- it's not showing on the 4.9 or 4.8 Errata pages: http://www.openbsd.org/errata49.html http://www.openbsd.org/errata48.html If it's easy to pull the diff it shouldn't be hard to post it, and it would be a nice thing to do for folks who have scripts that notify them on changes of the err

Re: apache ssl behind nat problems

2011-07-12 Thread Paul Suh
On Jul 12, 2011, at 9:35 PM, Jacob L. Leifman wrote: >> FWIW, I'm guessing that the problem is at the router. The packet trace is >> showing a TCP SYN coming from the client, followed correctly by a SYN-ACK >> going back from the server. The client should send an ACK packet back, but >> instead it

Re: How does OpenBSD compare to Ubuntu Server?

2011-07-12 Thread Paul Suh
brraaiiinsss. B-) On Jul 12, 2011, at 7:25 PM, Zeb Packard wrote: > I think it worked. > > Sent from my iclone. > > On Tue, Jul 12, 2011 at 4:23 PM, Marco Peereboom wrote: >> shoot it again son. >> >> On Tue, Jul 12, 2011 at 03:59:31PM -0700, Zeb Packard wrote: >>> Help, i shot it three tim

Re: apache ssl behind nat problems

2011-07-11 Thread Paul Suh
On Jul 11, 2011, at 5:57 PM, Jacob L. Leifman wrote: > Environment: > - OpenBSD 4.9, stock (base) apache with self-signed certificate > - behind a SOHO NAT router (with relevant in-bound redirects) > > Problem: non-local SSL connections never complete the handshake > (verified while monitoring the

Re: isakmpd and INVALID_COOKIE

2011-07-09 Thread Paul Suh
Hmm.. sounds like this might be a candidate for -STABLE? --Paul On Jul 8, 2011, at 10:09 AM, Stuart Henderson wrote: > On 2011-07-08, Tony Sarendal wrote: If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certain

Re: How does OpenBSD compare to Ubuntu Server?

2011-07-09 Thread Paul Suh
On Jul 9, 2011, at 11:34 AM, Nico Kadel-Garcia wrote: > On Thu, Jul 7, 2011 at 1:45 PM, Alexander Schrijver > wrote: >>> For starters, there is 100% consensus among developers that we'll never >>> use newfangled overengineered stuff like System V init. >>> >> >> You mean Upstart! >> >> or wait

Re: Anyone know of an smtp-proxy (or other mechanism) for routing mail to different IMAP servers depending recipient address?

2011-07-07 Thread Paul Suh
sking on a Postfix-oriented mailing list. Hope this helps. --Paul Paul Suh http://www.ps-enable.com/ paul@ps-enable.com (240) 672-4212

Re: Is your switch a single point of failure?

2011-07-06 Thread Paul Suh
Sam, On Jul 6, 2011, at 3:31 AM, Sam Vaughan wrote: > I should be able to avoid the need for a switch on the upstream side by > getting the ISP to provide me with two links from the rack router, one for > each firewall board. These links would be CARP'd to share one external static > IP. I'd be

Re: Can one interface have an IP address and bridge as well?

2011-06-22 Thread Paul Suh
ver on? > > It might be possible to do bridging and nat on the same interface > (possibly using bridge rules and PF tags) but at best you're setting > yourself up for a complicated and fragile ruleset. > > On 2011-06-22, Shane Lazarus wrote: >> Heya >> >> On

Can one interface have an IP address and bridge as well?

2011-06-21 Thread Paul Suh
Folks, Is this possible and/or a good idea? I have a router with three interfaces: sis0: external interface, IPv4 address 1.2.3.4/24 sis1: internal interface, IPv4 address 192.168.1.1/24 sis2: DMZ interface, IPv4 address 192.168.2.1/24 NAT rules pass all traffic from the internal and DMZ zones t

Re: website down from here

2011-06-20 Thread Paul Suh
On Jun 21, 2011, at 12:37 AM, Samuel Baldwin wrote: > 2011/6/21 patric conant : >> $ ping www.openbsd.org >> PING www.openbsd.org (142.244.12.42): 56 data bytes >> --- www.openbsd.org ping statistics --- >> 7 packets transmitted, 0 packets received, 100.0% packet loss >> also cannot connect via br

Re: Hardware recommendation?

2011-06-20 Thread Paul Suh
Nick, I'm getting about 40 Mbit/sec throughput with a Soekris Net4801, so the 5501 or 2d13 are both more than enough box for basic filtering. A lot depends on how much content filtering you want to do. Some simple QoS and squid rules won't place any serious load on it, but if you want to use somet

Re: Flag to move isakmpd default keys dir?

2011-06-14 Thread Paul Suh
On Jun 7, 2011, at 11:29 AM, Rodolfo Gouveia wrote: > On 06/05/2011 02:37 AM, Paul Suh wrote: >> Folks, >> >> I've been working with the flashrd system for booting from compact flash >> media, and ran across a case where I'd like to make some changes to isakmp

Re: Flag to move isakmpd default keys dir?

2011-06-14 Thread Paul Suh
On Jun 5, 2011, at 2:42 PM, Stuart Henderson wrote: > On 2011/06/05 13:09, Paul Suh wrote: >> Stuart, >> >> I tried using a symlink, but isakmpd didn't seem to like it. > > For the file or the whole directory? > It seems to work with /etc/isakmpd -> /som

Re: Flag to move isakmpd default keys dir?

2011-06-05 Thread Paul Suh
Stuart, I tried using a symlink, but isakmpd didn't seem to like it. --Paul On Jun 5, 2011, at 7:00 AM, Stuart Henderson wrote: > Can't you just use symlinks? > > On 2011-06-05, Paul Suh wrote: >> Folks, >> >> I've been working with the flashrd syst

Flag to move isakmpd default keys dir?

2011-06-04 Thread Paul Suh
Folks, I've been working with the flashrd system for booting from compact flash media, and ran across a case where I'd like to make some changes to isakmpd, but before I do so I'm not sure that it's a good idea. The location for certificates, CA's, private keys, etc. is hard-coded in /usr/src/sbi

Asymmetric load balancing?

2011-04-09 Thread Paul Suh
ps through the FIOS link, then send any overflow to the ADSL line, or (B) set the pf load balancing so that it favors the FIOS link over the ADSL link by a 10:3 ratio. Is there a pf config that does this, or do I need to get hacking? --Paul Paul Suh htt

Re: ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Paul Suh
That seems to have fixed it, thanks! --Paul On Feb 2, 2011, at 5:12 AM, Otto Moerbeek wrote: > On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote: > >> Folks, >> >> I'm running 4.8-stable on one end and 4.5-stable at the other of a >> site-to-site IP

ipsec packets don't show up at destination enc0 interface

2011-02-02 Thread Paul Suh
Folks, I'm running 4.8-stable on one end and 4.5-stable at the other of a site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are working before upgrading the 4.5-stable end.) The tunnel is configured using ipsec.conf and ipsecctl, and the relevant portions of the configs are: 4.8