Re: No coloring with colorls

2024-03-26 Thread Karel Lucas

It works correctly! My /etc/profile now looks like this:
export TERM=xterm-256color
export CLICOLOR=yes
export CLICOLOR_FORCE=yes
export LSCOLORS=exfxcxdxbxegedabagacad
And with colorls -Ghl I get the output in color. Thank you all very much!


On 25-03-2024 at 23:46, Benjamin Stürz wrote:
> On 25.03.24 23:40, Karel Lucas wrote:
>> Hi all,
>>
>> After installing colorls and making some adjustments to the system, I
>> still have no colored output from colorls. Below I have indicated the
>> settings that have been made or are present by default. I would like
>> to know what is wrong and what needs to be improved.
>>
>> Default environment:
>> TERM=vt220
>>
>> Added environment:
>> CLICOLOR=yes
>> CLICOLOR_FORCE=yes
>> LSCOLORS=exfxcxdxbxegedabagacad
>
> Try CLICOLOR=1 (and TERM=xterm-256color, if it doesn't help).





Re: sftp server empty password login

2024-03-26 Thread Darren Tucker
On Tue, 26 Mar 2024 at 23:49, Sylvain Saboua  wrote:
[...]
> /bin/true is not in the /etc/shells file on my system.
> Did you suggest I should add it ?

I did suggest that as a possible resolution to your problem.  Since
your problem is now resolved, I wouldn't change it.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Fastnetmon on openBSD Can't pass data to stdin of program /usr/local/bin/notify_about_attack.sh

2024-03-26 Thread Tom Smyth
Folks,

Just wondering if any of you are having issues with fastnetmon
notification scripts

In my /var/log/fastnetmon/fastnetmon.log I'm getting
 [ERROR] Can't pass data to stdin of program
/usr/local/bin/notify_about_attack.sh [IPAddress] incoming 122936 ban

Has anyone come across this issue?

I'm running OpenBSD 7.4 Stable on amd64

I have upgraded to OpenBSD 7.5 snapshot and updated the Fastnetmon package

Thanks

Tom Smyth



Re: rm: #08057459: Operation not permitted

2024-03-26 Thread Stuart Henderson
On 2024-03-26, deich...@placebonol.com  wrote:
>
> can you share what caused ls to coredump

corrupt timestamp.

https://marc.info/?t=17114738861=1=2 ->
https://marc.info/?l=openbsd-bugs=17114820954=2




Re: rm: #08057459: Operation not permitted

2024-03-26 Thread Florian Obser
newfs(8), and restore from backup. Your filesystem is fubar.

Or a hexeditor and a steady hand, but then you are very much on your own and 
we'll just watch in amazement.

On 26 March 2024 21:30:14 CET, Peter Fraser  wrote:
>The reason why ls -l faulted has been found and is being worked on.
>
>The next step is trying to delete the files.
>Running as root
>rm fails with Operation not permitted
>so does chmod and chown and chattr
>
>Any ideas on how to get rid of the files
>
>

-- 
Sent from a mobile device. Please excuse poor formatting.



Re: rm: #08057459: Operation not permitted

2024-03-26 Thread deich...@placebonol.com
can you share what caused ls to coredump 

On March 26, 2024 2:30:14 PM MDT, Peter Fraser  wrote:
>The reason why ls -l faulted has been found and is being worked on.
>
>The next step is trying to delete the files.
>Running as root
>rm fails with Operation not permitted
>so does chmod and chown and chattr
>
>Any ideas on how to get rid of the files
>
>


rm: #08057459: Operation not permitted

2024-03-26 Thread Peter Fraser
The reason why ls -l faulted has been found and is being worked on.

The next step is trying to delete the files.
Running as root
rm fails with Operation not permitted
so does chmod and chown and chattr

Any ideas on how to get rid of the files




Re: No coloring with colorls

2024-03-26 Thread h . kampmann
Hello,

I use in my user .profile

~/.profile
TERM=wsvt25
export PATH HOME TERM
export ENV=$HOME/.kshrc
export CLICOLOR=true
export LSCOLORS=ExGxcxdxCxegedabagacad

and in the .kshrc

~/.kshrc
alias ls=/usr/local/bin/colorls

For me it's ok on the console and on X.

For me it's a gimmick. Actually always try 
to stick to base with everything.

Hope it's on topic.
Wish you all the best,
Heinz
 
 

Sent: Tuesday, 26 March 2024 at 18:50
From: "Chris Bennett"
To: "Karel Lucas", misc@openbsd.org
Subject: Re: No coloring with colorls
On Mon, Mar 25, 2024 at 11:40:52PM +0100, Karel Lucas wrote:
> Hi all,
>
> LSCOLORS=exfxcxdxbxegedabagacad
>

I just use TERM=xterm
If you use a black background (or some other dark colors), you will want
to change LSCOLORS to not use a dark blue. I find that color combo
unreadable. I just use alias ls='colorls -Gla'. You can either have other
aliases or just type colorls with the same arguments as ls to get other
options.

--
Regards,
Chris Bennett

"Who controls the past controls the future.
Who controls the present controls the past."
George Orwell - 1984
 



Re: securelevel=2 and mount hardening

2024-03-26 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Stuart Henderson writes:

> I think you'd need to disable mount completely, otherwise you can mount
> a new writable filesystem (e.g. MFS) that doesn't have noexec.

Yeah, I completely missed that vector.  And really, that makes more
sense.  How often do you live mount filesystems on a firewall?

Anyway, I'm going to go ahead and code this up so I can try
it on a running production firewall.  I'll add in a sysctl
to control if securelevel=2 mounts are allowed at all.

--lyndon



Re: sftp server empty password login

2024-03-26 Thread Sylvain Saboua

Problem solved, thank you !
Just removing the password asterisk using vipw was enough :

$ grep media /etc/passwd
media::2000:2000::/home/media:/sbin/nologin

and I am now able to log in, from the local network
(still need to open my ISP's box port and confirm that it
works remotely)

On 2024-03-26 13:26, Darren Tucker wrote:
> You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p
> ", then connect with "sftp -oport="), but...
>
> On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua wrote:
> [...]
>> # useradd -g media -s /sbin/nologin -u 2000 -v media
>
> Unless /sbin/nologin is in /etc/shells (which it probably shouldn't
> be), that will probably prevent the login.  I'd suggest /bin/true for
> both the user and in /etc/shells.

/bin/true is not in the /etc/shells file on my system.
Did you suggest I should add it ?

>> `# passwd media') does not work either. What am I doing wrong ?
>
> What do you mean by "does not work"?  When I've done something similar
> in the past I've edited the passwd file with vipw and removed the
> hashed password value leaving nothing in the password field, ie
>
> someuser::1001:1001: [etc ...]

I meant that I could still not login sftp://media@lap after setting
a password using the passwd command.

--
Sylvain Saboua
www.saboua.xyz



Re: No coloring with colorls

2024-03-26 Thread Chris Bennett
On Mon, Mar 25, 2024 at 11:40:52PM +0100, Karel Lucas wrote:
> Hi all,
> 
> LSCOLORS=exfxcxdxbxegedabagacad
> 

I just use TERM=xterm
If you use a black background (or some other dark colors), you will want
to change LSCOLORS to not use a dark blue. I find that color combo
unreadable. I just use alias ls='colorls -Gla'. You can either have other
aliases or just type colorls with the same arguments as ls to get other
options.

-- 
Regards,
Chris Bennett

"Who controls the past controls the future.
Who controls the present controls the past."
 George Orwell - 1984



One more thought about security..

2024-03-26 Thread Dan
Hello,

Just adding a simple evidence: dark mode is difficult to print.

If you are dedicating time to web browser and email client development
in OpenBSD.. I suggest to point antennas on dark mode too..

-Dan



Re: configure rad for ULA addresses

2024-03-26 Thread Evan Sherwood
> To reach the internet from ULA addresses you'll need NAT.
> Alternatively use *both* global and ULA prefixes in rad.conf (or I
> think you can use auto prefix). But I don't think you've got that far
> yet.

I was planning on using the ULAs for internal addressing only, and doing
port-forwarding from pf for external services. I'd like all devices to
have both GUA and ULA addresses, but devices on the network would refer
to each other using ULA to safeguard against my ISP changing my prefix
delegation (which has already happened once in the past few days).

> Better to show what's actually configured (ifconfig -A, rad.conf,
> netstat -rnfinet6, etc).

For context, my OpenBSD router (cerberus) has four interfaces: igc0
(connected to ISP #1), igc1, igc2 (unused), & igc3. My test client is
another laptop running OpenBSD (vulpes) that has a hardwired connection
to the igc3 interface.

Public-facing IPs & ports have been redacted.

cerberus# cat /etc/hostname.igc0
inet autoconf
inet6 autoconf
inet6 alias fdd0:c720:85fa:100::1 64

cerberus# cat /etc/hostname.igc1
inet 192.168.1.1 255.255.255.0 NONE
inet6 autoconf

cerberus# cat /etc/hostname.igc2
inet autoconf
inet6 autoconf

cerberus# cat /etc/hostname.igc3
inet6 autoconf

cerberus# netstat -rnfinet6
Routing tables

Internet6:
Destination                          Gateway                         Flags  Refs    Use    Mtu Prio Iface
default                              fe80::ee7c:5cff:fe1c:3bce%igc0  UGS       1    724      -    8 igc0
::/96                                ::1                             UGRS      0      0  32768    8 lo0
::1                                  ::1                             UHhl     11     22  32768    1 lo0
:::0.0.0.0/96                        ::1                             UGRS      0      0  32768    8 lo0
gua1::601:15::c1f                    a8:b8:e0:01:d0:51               UHLl      0      3      -    1 igc0
gua1::454e:cf00::/56                 ::1                             UGR       0      2  32768   56 lo0
gua1::454e:cf00::/64                 gua1::454e:cf00::1              UCn       4      7      -    4 igc1
gua1::454e:cf00::1                   a8:b8:e0:01:d0:52               UHLl      0     38      -    1 igc1
gua1::454e:cf00:1155:d278:71b7:acf7  00:e0:4c:11:22:b5               UHLc      0    331      -    3 igc1
gua1::454e:cf00:265e:beff:fe68:5f61  24:5e:be:68:5f:61               UHLc      0    200      -    3 igc1
gua1::454e:cf00:28df:b561:3fea:f448  5c:1b:f4:7c:c0:6a               UHLc      1    284      -    3 igc1
gua1::454e:cf00:50af:f07a:55d9:61ff  5c:1b:f4:7c:c0:6a               UHLc      0     15      -    3 igc1
gua1::454e:cf02::/64                 gua1::454e:cf02::1              UCn       0      0      -    4 igc3
gua1::454e:cf02::1                   a8:b8:e0:01:d0:54               UHLl      0      0      -    1 igc3
2002::/24                            ::1                             UGRS      0      0  32768    8 lo0
2002:7f00::/24                       ::1                             UGRS      0      0  32768    8 lo0
2002:e000::/20                       ::1                             UGRS      0      0  32768    8 lo0
2002:ff00::/24                       ::1                             UGRS      0      0  32768    8 lo0
fdd0:c720:85fa:100::/64              fdd0:c720:85fa:100::1           UCn       0      0      -    4 igc0
fdd0:c720:85fa:100::1                a8:b8:e0:01:d0:51               UHLl      0   1063      -    1 igc0
fe80::/10                            ::1                             UGRS      0      4  32768    8 lo0
fec0::/10                            ::1                             UGRS      0      0  32768    8 lo0
fe80::%igc0/64                       fe80::aab8:e0ff:fe01:d051%igc0  UCn       1      1      -    4 igc0
fe80::aab8:e0ff:fe01:d051%igc0       a8:b8:e0:01:d0:51               UHLl      0     16      -    1 igc0
fe80::ee7c:5cff:fe1c:3bce%igc0       ec:7c:5c:1c:3b:ce               UHLch     1     50      -    3 igc0
fe80::%igc1/64                       fe80::aab8:e0ff:fe01:d052%igc1  UCn       3      6      -    4 igc1
fe80::2e:233a:e1fc:f8b0%igc1         5c:1b:f4:7c:c0:6a               UHLc      0     95      -    3 igc1
fe80::1836:c7a0:e2cb:777%igc1        00:e0:4c:11:22:b5               UHLc      0     60      -    3 igc1
fe80::265e:beff:fe68:5f61%igc1       24:5e:be:68:5f:61

Re: sftp server empty password login

2024-03-26 Thread Manuel Giraud
Sylvain Saboua  writes:

[...]

> $ more /etc/ssh/sshd_config # relevant extracts and changes :
> ...
> PermitRootLogin no
> ...
> # override default of no subsystems
> #Subsystem  sftp    /usr/libexec/sftp-server -d /home/media
> Subsystem   sftp internal-sftp # -d /home/media
>
> Match User media
> ForceCommand internal-sftp -d /home/media
> ChrootDirectory /home/media
> PasswordAuthentication yes
> AuthenticationMethods none
> PermitEmptyPasswords yes

Hi,

I have a setup that looks like this (except I'm using pubkey
authentication).  The only other difference I see is that I have not
specified the "-d" option for the internal-sftp command.

It is not clear to me (by manpages) if it should be the same as
ChrootDirectory or a path *under* ChrootDirectory.  Maybe you could try
to remove this "-d" option.
-- 
Manuel Giraud



Re: Does anyone know whether this hardware runs OpenBSD?

2024-03-26 Thread Anders Andersson
On Tue, Mar 26, 2024 at 1:07 AM Jose Maldonado  wrote:
>
> On Mon, 25 Mar 2024 04:39:15 -0400
> Steve Litt wrote:
> > Does anyone know whether this hardware runs OpenBSD?
> >
> > https://www.walmart.com/ip/MeLE-Quieter3Q-Fanless-Mini-PC-N5105-Windows-11-8GB-256GB-4K-UHD-Wifi-6-Mini-Desktop-Computer-New/2177929669
> >
> > Thanks,
> >
> > SteveT
> >
> > Steve Litt
> >
> > Autumn 2023 featured book: Rapid Learning for the 21st Century
> > http://www.troubleshooters.com/rl21
> >
>
> Hi! Why not this?
>
> https://www.pcliquidations.com/p150914-hp-elitedesk-705-g4
>
> Better hardware and OpenBSD support

Why not a full desktop PC? How are these even comparable? Your
suggestion is more than 5 times as large and heavy, and it even has a
fan.



Re: sftp server empty password login

2024-03-26 Thread Darren Tucker
You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p
", then connect with "sftp -oport="), but...

On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua  wrote:
[...]
> # useradd -g media -s /sbin/nologin -u 2000 -v media

Unless /sbin/nologin is in /etc/shells (which it probably shouldn't
be), that will probably prevent the login.  I'd suggest /bin/true for
both the user and in /etc/shells.

> `# passwd media') does not work either. What am I doing wrong ?

What do you mean by "does not work"?  When I've done something similar
in the past I've edited the passwd file with vipw and removed the
hashed password value leaving nothing in the password field, ie

someuser::1001:1001: [etc ...]

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: configure rad for ULA addresses

2024-03-26 Thread Stuart Henderson
On 2024-03-25, Evan Sherwood  wrote:
>>> interface igc1 {
>>>   prefix fdbf:e79a:8e3e::/48
>>  
>> lesser operating systems will refuse to form autoconf addresses if the
>> prefix length is not 64.
>
> Thanks, this was helpful. I got addresses allocated on client machines,
> but they don't seem routable.

> I can ping6 back to my router using the IPv6 address in the prefix
> delegation from my ISP, but I cannot seem to do the same for the
> addresses in my ULA prefix.

Did you configure an address in the ULA prefix on the gateway?
(hostname.if / ifconfig).

> I was following this guide:
> https://www.kuon.ch/post/2022-03-15-openbsd-dhcp-pd/
>
> I modified my /etc/dhcpcd_up.sh to read
>
> ```
> route sourceaddr -ifp igc0
> ```
>
> ... where igc0 is my ISP-facing interface. I assigned a static ULA to
> the same interface as an alias. Not sure if that's relevant, but it felt
> relevant to mention.
>
> On the router, netstat -rn shows a route to my client in the ISP prefix,
> but no route in my ULA prefix.
>
> Is there something additional I need to do to enable communication over
> addresses in my ULA prefix?
>

Better to show what's actually configured (ifconfig -A, rad.conf,
netstat -rnfinet6, etc).

To reach the internet from ULA addresses you'll need NAT. Alternatively
use *both* global and ULA prefixes in rad.conf (or I think you can
use auto prefix). But I don't think you've got that far yet.

-- 
Please keep replies on the mailing list.



Re: some ports give "Error while reading header" while fetching

2024-03-26 Thread void

On Tue, Mar 26, 2024 at 12:32:52PM +0100, Peter Hessler wrote:

> There was a mistake while signing these packages, you want the set
> signed 2024-03-22 or later.
>
> ftp.hostserver.de and the other 2nd level mirrors most certainly have
> those, and the other mirrors should get them over time.


thank you for the very quick and informative response! 


--



Re: some ports give "Error while reading header" while fetching

2024-03-26 Thread Peter Hessler
There was a mistake while signing these packages, you want the set
signed 2024-03-22 or later.

ftp.hostserver.de and the other 2nd level mirrors most certainly have
those, and the other mirrors should get them over time.


On 2024 Mar 26 (Tue) at 11:22:08 + (+), void wrote:
:Hello,
:
:Posting in misc@ because it's an issue not limited to any particular port.
:
:context is 7.5 GENERIC.MP#138 arm64 aarch64
:
:error:
:$ doas pkg_add -D snap mupdf
:quirks-7.14 signed on 2024-03-18T13:07:59Z
:Ambiguous: choose package for mupdf
:a 0: 
:  1: mupdf-1.23.11
:  2: mupdf-1.23.11-js
:Your choice: 1
:mupdf-1.23.11:gumbo-0.12.1: ok
:mupdf-1.23.11:jbig2dec-0.19: ok
:mupdf-1.23.11:lcms2-2.15: ok
:mupdf-1.23.11:openjp2-2.5.2: ok
:pkg_add: Ustar
:[http://www.mirrorservice.org/pub/OpenBSD/snapshots/packages/aarch64/xdg-utils-1.2.1.tgz][?]:
: Error while reading header
:
:I've also seen it happen with xz. It doesn't seem to matter what server the
:installurl (currently set to mirrorservice) is. Is it a problem with the
:port(s) or my connection (dual-stack)? thanks,
:-- 
:

-- 
Arithmetic is being able to count up to twenty without taking off your
shoes.
-- Mickey Mouse



Re: securelevel=2 and mount hardening

2024-03-26 Thread Dan


Thanks for the reply..

Good one, try to think I was sure it was meaning
many western right wingers (cats) vs 1 jelly fish (cattle).

Then, when I have time I explain what is coudardy..

-Dan

Mar 26, 2024 11:06:17 Alexis :

> Dan  writes:
> 
>> I'm curious John Doe.. you said cloud but not firewall, and cattle but
>> not pets, right?
> 
> As with a number of your posts, i'm not clear on what you're saying or 
> asking, but for those wondering, here's an explanation of "cattle vs pets" in 
> the context of computing infrastructure:
> 
> https://www.copado.com/resources/blog/pets-vs-cattle-more-than-an-analogy-for-modern-infrastructures
> 
> 
> Alexis.



some ports give "Error while reading header" while fetching

2024-03-26 Thread void

Hello,

Posting in misc@ because it's an issue not limited to any particular port.

context is 7.5 GENERIC.MP#138 arm64 aarch64

error:
$ doas pkg_add -D snap mupdf  
quirks-7.14 signed on 2024-03-18T13:07:59Z

Ambiguous: choose package for mupdf
a 0: 
  1: mupdf-1.23.11
  2: mupdf-1.23.11-js
Your choice: 1
mupdf-1.23.11:gumbo-0.12.1: ok
mupdf-1.23.11:jbig2dec-0.19: ok
mupdf-1.23.11:lcms2-2.15: ok
mupdf-1.23.11:openjp2-2.5.2: ok
pkg_add: Ustar 
[http://www.mirrorservice.org/pub/OpenBSD/snapshots/packages/aarch64/xdg-utils-1.2.1.tgz][?]:
 Error while reading header

I've also seen it happen with xz. It doesn't seem to matter what server the
installurl (currently set to mirrorservice) is. Is it a problem with the
port(s) or my connection (dual-stack)? thanks,
--



sftp server empty password login

2024-03-26 Thread Sylvain Saboua

I have been using the secure shell for remote maintenance
on my local machine for some time. I wish to go one step
further and implement a secure file transfer server, where
user(s) could download files from a read-only /home/media
directory as well as upload their own files to /home/media/pub

Ideally this would be done via passwordless/empty password login.
I have done some research (manpages) and configuration but still
fail to connect from another machine on the same local network.

obsd configuration :

# useradd -g media -s /sbin/nologin -u 2000 -v media
# usermod -G media sylvain

$ more /etc/ssh/sshd_config # relevant extracts and changes :
...
PermitRootLogin no
...
# override default of no subsystems
#Subsystem  sftp    /usr/libexec/sftp-server -d /home/media
Subsystem   sftp internal-sftp # -d /home/media

Match User media
ForceCommand internal-sftp -d /home/media
ChrootDirectory /home/media
PasswordAuthentication yes
AuthenticationMethods none
PermitEmptyPasswords yes

$ ll -d /home/media /home/media/pub
drwxr-xr-x  16 root   wheel  512 Mar 25 17:42 /home/media/
drwxr-xr-x   3 media  media  512 Mar 25 17:42 /home/media/pub/

failed connexion attempt from second local machine
(just pressing Enter at password prompt):

Last login: Tue Mar 26 09:46:37 on ttys001
sylvain@sylvainmac ~ % sftp media@10.0.0.11
media@10.0.0.11's password:
Permission denied, please try again.
media@10.0.0.11's password:
Permission denied, please try again.
media@10.0.0.11's password:
media@10.0.0.11: Permission denied ().
Connection closed
sylvain@sylvainmac ~ %

Attempting to login using a password (after definition using
`# passwd media') does not work either. What am I doing wrong ?
Thank you
--
Sylvain Saboua
www.saboua.xyz



Re: securelevel=2 and mount hardening

2024-03-26 Thread Alexis

Dan  writes:

> I'm curious John Doe.. you said cloud but not firewall, and cattle but
> not pets, right?


As with a number of your posts, i'm not clear on what you're 
saying or asking, but for those wondering, here's an explanation 
of "cattle vs pets" in the context of computing infrastructure:


https://www.copado.com/resources/blog/pets-vs-cattle-more-than-an-analogy-for-modern-infrastructures


Alexis.



Re: No coloring with colorls

2024-03-26 Thread Crystal Kolipe
On Mon, Mar 25, 2024 at 07:03:06PM -0400, Amelia A Lewis wrote:
> Note that you need a color-capable terminal to enable colorls.  This
> means you should set your TERM to "wsvt25" on the wscons(4) console

For several releases now, you should be able to set TERM to "xterm" even when
using wscons.

If there are any issues using TERM=xterm in place of vt220, feel free to let
me know.



Re: securelevel=2 and mount hardening

2024-03-26 Thread Stuart Henderson
On 2024-03-25, Lyndon Nerenberg (VE7TFX/VE6BBM)  wrote:
> I am curious to hear people's thoughts on adding some mount(2)
> hardening when the system is running at securelevel 2.  Specifically:
>
>   * do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID,
> or MT_RDONLY in conjunction with MNT_UPDATE
>
>   * do not allow MNT_WXALLOWED in conjunction with
> MNT_UPDATE
>
> Currently, if someone does manage to get a root toehold on a host,
> they can remove noexec from /tmp as a possible springboard to upload
> nasties, and then change /usr from read-only to read-write and
> scribble all over your binaries.

I think you'd need to disable mount completely, otherwise you can mount
a new writable filesystem (e.g. MFS) that doesn't have noexec.


-- 
Please keep replies on the mailing list.
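
An added example, not part of the thread: an sh/awk check that compares mount(8) output with a baseline of required flags per mount point, reporting both cases raised above, a protective flag missing from an existing mount and a mount point that is not in the baseline at all (such as a new MFS). The baseline file format, the device names and the sample mount output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. The baseline format
# ("mountpoint flag,flag,...") is an assumption of this example.

# check_mounts BASELINE MOUNT_OUTPUT: print one line per deviation.
check_mounts() {
    awk '
        NR == FNR {                          # first file: the baseline
            if ($0 !~ /^#/ && NF >= 1) want[$1] = $2
            next
        }
        $2 == "on" && $4 == "type" {         # "<dev> on <dir> type <fs> (<flags>)"
            mp = $3
            if (!(mp in want)) {             # e.g. a newly mounted MFS
                print mp ": not in baseline (type " $5 ")"
                next
            }
            flags = $0
            sub(/^[^(]*\(/, "", flags)       # keep what is inside the parentheses
            sub(/\).*$/, "", flags)
            gsub(/, */, ",", flags)
            n = split(want[mp], need, ",")
            for (i = 1; i <= n; i++)
                if (index("," flags ",", "," need[i] ",") == 0)
                    print mp ": missing " need[i]
        }
    ' "$1" "$2"
}

# Constructed sample data: /tmp has lost noexec, /usr is no longer read-only,
# and an MFS has been mounted on a directory the baseline does not know.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/baseline" <<'EOF'
# mountpoint  required flags
/
/tmp   nodev,nosuid,noexec
/usr   nodev,read-only
/home  nodev,nosuid
EOF
cat > "$tmp/mount.out" <<'EOF'
/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)
/dev/sd0k on /home type ffs (local, nodev, nosuid)
mfs:41873 on /var/scratch type mfs (asynchronous, local, size=262144 512-blocks)
EOF
check_mounts "$tmp/baseline" "$tmp/mount.out"
```

On a live system the second argument would be a file holding the saved output of `mount`.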



Re: No coloring with colorls

2024-03-26 Thread Stuart Henderson
On 2024-03-25, Karel Lucas  wrote:
> In which configuration file can I change this? Is 'wsvt25' universally 
> suitable for use?

For X, it's configured in your terminal emulator, e.g. for xterm you can
use one of these in .Xdefaults:

XTerm*termName: xterm-color
XTerm*termName: xterm-256color

For text console, /etc/ttys. For current OpenBSD versions (7.1 and on)
xterm-color should be a reasonable choice too (for older versions,
pccon).


-- 
Please keep replies on the mailing list.



Re: No coloring with colorls

2024-03-26 Thread Stuart Henderson
On 2024-03-25, Karel Lucas  wrote:
> Hi all,
>
> After installing colorls and making some adjustments to the system, I 
> still have no colored output from colorls. Below I have indicated the 
> settings that have been made or are present by default. I would like to 
> know what is wrong and what needs to be improved.
>
> Default environment:
> TERM=vt220

This is a monochrome terminal. Perhaps you want xterm-color.

> Added environment:
> CLICOLOR=yes
> CLICOLOR_FORCE=yes
> LSCOLORS=exfxcxdxbxegedabagacad
>
>


-- 
Please keep replies on the mailing list.



Re: securelevel=2 and mount hardening

2024-03-26 Thread Dan


I'm curious John Doe.. you said cloud but not firewall, and cattle but not 
pets, right?

You are a strange anglophon western toddler..

-Dan

Mar 25, 2024 23:41:44 jslee :

> On Tue, 26 Mar 2024, at 04:30, Dan wrote:
>> Eventually, having the kernel possibility to customize the config path
>> from /etc in eg /heroxyz
>> could be helpful for a firewall, what do you think?
> 
> Everything you do to complicate ongoing admin will hinder your maintenance and 
> IMO this will make your overall security posture worse, not better
> 
> Unless, perhaps, you have a system to rebuild the machine every time you want 
> to update software and/or config? Cattle, not pets? I do this in cloud 
> environments but it’s rather more effort elsewhere
> 
> John