Re: IPSec roadwarrior configuration?

2006-11-24 Thread Albert Chin
On Thu, Oct 12, 2006 at 10:07:27AM +0200, viq wrote:
 Say, VPN-A is the VPN box, VPN-B is the roadwarrior. On VPN-A you need
 to enable packet forwarding, and pf as you will need NAT:
 nat on $ext_if from !($ext_if) -> ($ext_if:0)
 This is because packets from VPN-B will leave VPN-A with VPN-B's
 source address, which most of the time no computer on VPN-A's network
 will know how to reach.
 I didn't play with certificates yet, I just copied the keys to
 appropriate UFQDN.
 Now VPN-A has this in ipsec.conf:
 ike passive esp from any to any srcid [EMAIL PROTECTED] dstid
 [EMAIL PROTECTED]
 
 And VPN-B's ipsec.conf:
 ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain srcid
 [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

So every roadwarrior has one key, [EMAIL PROTECTED]

-- 
albert chin ([EMAIL PROTECTED])



Re: Why Sendmail?

2006-11-24 Thread Conrad Winchester

Thanks, I get it now.

Have installed my favourite MTA (it was so much easier on OpenBSD
than other systems I have tried (Gentoo/Red Hat/NetBSD), which is
nice). I will set up all important root/postmaster mail accounts etc.
to make sure I get the system emails (they are a bonus too).


BTW the OpenBSD docs are brilliant.

Conrad


On 23 Nov 2006, at 13:45, Cristiano Deana wrote:


2006/11/23, Conrad Winchester [EMAIL PROTECTED]:

I do have one question though and I apologize if people always ask
this: At the end of the install I asked whether I want to run sshd and
ntpd by default - very nice BUT why am I not given the option to turn
off Sendmail at this point? I NEVER use sendmail and for an OS that
prides itself on being as minimal as possible I would have thought
giving you the option to not run sendmail would also be there right
from the start.


Any system needs an MTA running, at least to manage email from the
nightly/weekly/monthly checks.
So, the default MUST be an MTA running (you can choose to stop it).

Why sendmail? Why not?

p.s.
i usually use another MTA

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/




Re: demystify enc interface

2006-11-24 Thread Markus Friedl
On Thu, Nov 23, 2006 at 02:47:14PM +0100, Camiel Dobbelaar wrote:
 I think this tells me that I can see unencrypted/unencapsulated traffic on 
 enc0.

yes.

 However, with tcpdump I see this:
 
 14:09:27.894326 (authentic,confidential): SPI 0x728aafc9: 86.90.xx.xx >
 62.58.xx.xx: 192.168.2.3.1264 > 192.168.1.7.8194: . [tcp sum ok] ack 139
 win 64431 (DF) (ttl 128, id 45685, len 40) (ttl 118, id 45685, len 60)
 
 14:09:27.915205 (authentic,confidential): SPI 0x021e1fcd: 62.58.xx.xx >
 86.90.xx.xx: 192.168.1.131.3389 > 192.168.2.3.1182: . [tcp sum ok] ack
 177 win 65075 (ttl 127, id 59080, len 40) (ttl 64, id 46361, len 60, bad
 cksum 0!)
 
 The encapsulation is included... that's pretty cool and handy, but I'm not 
 sure if that's what the manpage says.

no, the encapsulation is not included, only the _information_
about the encapsulation is (it's special information in the pcap
header)

 So inbound traffic passes twice: first with encapsulation, and the second 
 time without.  However, outbound traffic only passes _once_, without the 
 encapsulation.

that's an artefact of openbsd's ipsec implementation.
de-encapsulation happens in two steps, where the first
step removes the esp-layer, while the 2nd step removes
the ip-in-ip encapsulation for tunnel mode.

 So I think the pf rules for filtering on enc0 should look like this:
 # pass encapsulated traffic
 pass in quick log on enc0 proto ipencap from $ext_peer_ip to $ext_if keep state (other.single 3600)
 # rules on decrypted traffic
 pass in quick on enc0 from 192.168.28.28 to 192.168.42.10 port 993 keep state
 block in quick on enc0

ipsec.conf(5) tells you how to filter on enc(4)

 All in all:
 - the bpf view is different from the pf view
 - the inbound pf view is different from outbound

not really. the only difference is that pf sees both
decapsulation steps.

 Should pf even see the inbound ipencap traffic?  Nothing much that can be 
 done with it, that cannot also be done on the physical interfaces...

it would require some special hacks and flags and heuristics
in the kernel. i don't know if this would justify the extra
code, but perhaps there's a simple solution.

 Shouldn't enc just carry the unencrypted/unencapsulated traffic like the 
 manpage says?  That would make it behave far more like a normal 
 interface.

it already does.  you could argue, that the encapsulation
information should only be printed on '-e', but that breaks
backward compatibility.

-m



ipsecctl setting up multiple SAs

2006-11-24 Thread Brian Candler
Hello,

I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box
and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP
over IPSEC tunnels].

Each SA is between the same two IP endpoints but specifies a different UDP
port pair.

I was able to get a single SA up using ipsecctl, after making this small fix:

--- sbin/ipsecctl/ike.c.origThu Nov 23 22:48:23 2006
+++ sbin/ipsecctl/ike.c Thu Nov 23 22:48:37 2006
@@ -526,7 +526,7 @@
fprintf(fd, SET [lid-%s]:Port=%d force\n, src-name,
ntohs(sport));
if (dport)
-   fprintf(fd, SET [rid-%s]:Port=%d force\n, src-name,
+   fprintf(fd, SET [rid-%s]:Port=%d force\n, dst-name,
ntohs(dport));
 }
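
Review bot: the fix is right: with src->name the remote port was written into a [rid-<src>] section that nothing references, so the [rid-<dst>] section named by Remote-ID carried no Port and the phase-2 ID went out without the port selector. Since the two fprintf calls differ only in the section prefix and the address name, consider folding them into one small helper taking (prefix, name, port), so this copy-and-paste slip cannot recur.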

However, what I'm trying to do now is set up multiple SAs. Here's my test
config with 4 SAs, /etc/ipsec.conf.4 (the OpenBSD box is 10.1.1.6 and the
Cisco is 10.1.1.1)

ike esp transport proto udp from 10.1.1.6 port 1 to 10.1.1.1 port 1701 \
main auth hmac-md5 enc 3des group modp1024 \
quick auth hmac-md5 enc 3des group none \
psk mypresharedkey
ike esp transport proto udp from 10.1.1.6 port 10001 to 10.1.1.1 port 1701 \
main auth hmac-md5 enc 3des group modp1024 \
quick auth hmac-md5 enc 3des group none \
psk mypresharedkey
ike esp transport proto udp from 10.1.1.6 port 10002 to 10.1.1.1 port 1701 \
main auth hmac-md5 enc 3des group modp1024 \
quick auth hmac-md5 enc 3des group none \
psk mypresharedkey
ike esp transport proto udp from 10.1.1.6 port 10003 to 10.1.1.1 port 1701 \
main auth hmac-md5 enc 3des group modp1024 \
quick auth hmac-md5 enc 3des group none \
psk mypresharedkey

Here's how I'm running isakmpd:

# isakmpd -K -4 -v -d -L

And here's how I trigger the process:

# ipsecctl -F; ipsecctl -vvf /etc/ipsec.conf.4
[output pasted below]

However, when I do this, only a single quick mode SA is set up. ipsecctl
shows this:

# ipsecctl -s all
FLOWS:
flow esp in proto udp from 10.1.1.1 port 1701 to 10.1.1.6 port 10003 peer 
10.1.1.1 srcid 10.1.1.6/32 dstid 10.1.1.1/32 type use
flow esp out proto udp from 10.1.1.6 port 10003 to 10.1.1.1 port 1701 peer 
10.1.1.1 srcid 10.1.1.6/32 dstid 10.1.1.1/32 type require

SAD:
esp transport from 10.1.1.6 to 10.1.1.1 spi 0x09b364d2 auth hmac-md5 enc 
3des-cbc \
authkey 0x... \
enckey 0x...
esp transport from 10.1.1.1 to 10.1.1.6 spi 0x0a6994af auth hmac-md5 enc 
3des-cbc \
authkey 0x... \
enckey 0x...
#

and the same SAs are shown on the Cisco side too. isakmpd says only:

093109.047718 Default isakmpd: phase 1 done: initiator id 0a010106: 10.1.1.6, 
responder id 0a010101: 10.1.1.1, src: 10.1.1.6 dst: 10.1.1.1
093109.056238 Default isakmpd: quick mode done: src: 10.1.1.6 dst: 10.1.1.1

'tcpdump -nxr /var/log/isakmpd.pcap' shows that only one quick mode exchange
took place; crypto debug output on the Cisco shows the same.

Looking at this, it seems that the last entry in /etc/ipsec.conf has taken
precedence over the others.

Is there a way to achieve what I'm trying to do, either using ipsecctl, or
manually configuring isakmpd?

Thanks,

Brian Candler.

P.S. I can paste the IOS config if you like, but I'm pretty sure it is
correct. I can set up multiple SAs from UDP port X to UDP port 1701 under
Linux using setkey and racoon from ipsec-tools, and run separate l2tpd
instances over them bound to separate ports.

Here is the output of ipsecctl:

# ipsecctl -F; ipsecctl -vvf /etc/ipsec.conf.4
@1 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=1 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@3 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set 

[EMAIL PROTECTED]:/cvs

2006-11-24 Thread Uwe Dippel
cvs -q -d [EMAIL PROTECTED]:/cvs up -r OPENBSD_4_0 -Pd
No space left on device

Can someone please clean up ? Thanks !

Uwe



Re: IPSec roadwarrior configuration?

2006-11-24 Thread viq

On 24/11/06, Albert Chin [EMAIL PROTECTED] wrote:

On Thu, Oct 12, 2006 at 10:07:27AM +0200, viq wrote:
 Say, VPN-A is the VPN box, VPN-B is the roadwarrior. On VPN-A you need
 to enable packet forwarding, and pf as you will need NAT:
 nat on $ext_if from !($ext_if) -> ($ext_if:0)
 This is because packets from VPN-B will leave VPN-A with VPN-B's
 source address, which most of the time no computer on VPN-A's network
 will know how to reach.
 I didn't play with certificates yet, I just copied the keys to
 appropriate UFQDN.
 Now VPN-A has this in ipsec.conf:
 ike passive esp from any to any srcid [EMAIL PROTECTED] dstid
 [EMAIL PROTECTED]

 And VPN-B's ipsec.conf:
 ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain srcid
 [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

So every roadwarrior has one key, [EMAIL PROTECTED]


That's the idea, if you want to have control over who is allowed to
connect and who's not. Besides, if you would want to have them all use
one key, you would have to replace the automatically generated private
key each box has.

I want to play with certificates, tinyCA makes that easier, but I
didn't get to that yet.


--
albert chin ([EMAIL PROTECTED])




--
viq



syslog.conf question: log into a separate file, but not into /var/log/messages

2006-11-24 Thread Alexander Farber

Hi,

I've read man syslog.conf several times, especially this passage:

!!prog causes the subsequent block to abort evaluation when a message
matches, ensuring that only a single set of actions is taken.  !* can be
used to ensure that any ensuing blocks are further evaluated (i.e.
cancelling the effect of a !prog or !!prog).

but don't understand it and how to adapt it for my purpose:

I have a program called pref which does following:

   openlog(__progname, LOG_CONS | LOG_PID, LOG_DAEMON);
...
   syslog(LOG_INFO, "%s", msg);
...
   syslog(LOG_WARNING, "%s", msg);
...
   syslog(LOG_ERR, "%s", msg);

I'd like all of those messages to go into separate file /var/log/pref
but not into the /var/log/messages. So first I've appended

   !pref
   *.*     /var/log/pref

to the /etc/syslog.conf, touched the /var/log/pref, adapted
newsyslog.conf and pkill -HUPped syslogd. This worked,
but the messages also were written into /var/log/messages.

Then I've added a second ! and moved those 2 lines to
the top of /etc/syslog.conf:

   !!pref
   *.*     /var/log/pref

Now no messages at all are written into /var/log/messages :-/

Can anyone please give me a hint?

Regards
Alex




--
http://preferans.de



Re: on the remote root login in OpenSSH

2006-11-24 Thread Igor Sobrado
In message [EMAIL PROTECTED], chefren writes:
 Hello Igor,

Hello Chefren.

 You missed the crux of quite a few important points that Nick tried to 
 explain to you.

Indeed, I have carefully read his post.  He certainly explains some
important points related with sshd.  He is certainly right.

  You evidently don't know me.  I am not a security expert, why should I be?
 
 Please understand that was just a joke.

Ok, please, accept my apologies.  I say the same to Nick, he was
certainly providing very good points on his post.

  believe was unsolvable.  I was one of the youngest speakers at a plenary
  session of the ACM SIGCOMM.
 
 That might be fully true but you still missed some important basics 
 from Nick.

Agreed, I missed some important comments from Nick.  It is just that
I do not like the way he answered my post and I stopped reading.  As I said,
I am not an expert on computer security at all, and I certainly do not
want to be one.  My research field is a different one.  I just observed
what seems to me a bad default setting in ssh.  Obviously, I was not aware
that most developers are against this change and missed the thread from
March 2005.  Nick is certainly right.

  Honestly, you have a wicked meaning for the word friendly.
 
 Nick is definitely very friendly. Please follow this list some time 
 and you will agree with me.

I certainly will do.  This mailing list is an excellent reference
for OpenBSD users.

By the way, on an unrelated matter... now that I write about good
references for OpenBSD users... when are the FAQs (in both text and
PDF) updated?  I see the FAQ for OpenBSD 4.0 available on-line,
but I would like to get the text version of the FAQ for 4.0... the
only one I found in the ~/pub/OpenBSD/doc directory of the anonymous
FTP server (or as a link from the on-line FAQ) is for 3.9.  Is there
an estimated time for the text and PDF versions to be upgraded?

I understand that both the OpenBSD and pf FAQs will probably have
some changes in the next months... I am just waiting for the
updates to be publicly available.

I really think that the text versions of these FAQs are very handy,

Igor.



Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Brian Candler
On Fri, Nov 24, 2006 at 09:45:45AM +, Brian Candler wrote:
 Looking at this, it seems that the last entry in /etc/ipsec.conf has taken
 precedence over the others.
 
 Is there a way to achieve what I'm trying to do, either using ipsecctl, or
 manually configuring isakmpd?

To answer my own question: inspired by the output of ipsecctl, I wrote a
perl program (attached) to generate a suitable isakmpd.conf (also attached),
and this appears to work just fine.

It would be nice if ipsecctl could do this too. It could easily generate the
lid-addr-port and rid-addr-port sections; the only slightly awkward part is
having to generate the Connections list, i.e.

[phase 2]
Connections=IPsec-addr-port-addr-port,IPsec-addr-port-addr-port,...

Regards,

Brian.

[demime 1.01d removed an attachment of type text/x-perl]
[Phase 1]
10.1.1.1=peer-10.1.1.1

[peer-10.1.1.1]
Phase=1
Address=10.1.1.1
Authentication=mypresharedkey
Configuration=mm-10.1.1.1

[mm-10.1.1.1]
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-MD5-GRP2

[qm-10.1.1.6-10.1.1.1]
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-TRP-3DES-MD5-SUITE

[Phase 2]
Connections=\
IPsec-10.1.1.6-1-10.1.1.1-1701,\
IPsec-10.1.1.6-10001-10.1.1.1-1701,\
IPsec-10.1.1.6-10002-10.1.1.1-1701,\
IPsec-10.1.1.6-10003-10.1.1.1-1701

[IPsec-10.1.1.6-1-10.1.1.1-1701]
Phase=2
ISAKMP-peer=peer-10.1.1.1
Configuration=qm-10.1.1.6-10.1.1.1
Local-ID=lid-10.1.1.6-1
Remote-ID=rid-10.1.1.1-1701

[IPsec-10.1.1.6-10001-10.1.1.1-1701]
Phase=2
ISAKMP-peer=peer-10.1.1.1
Configuration=qm-10.1.1.6-10.1.1.1
Local-ID=lid-10.1.1.6-10001
Remote-ID=rid-10.1.1.1-1701

[IPsec-10.1.1.6-10002-10.1.1.1-1701]
Phase=2
ISAKMP-peer=peer-10.1.1.1
Configuration=qm-10.1.1.6-10.1.1.1
Local-ID=lid-10.1.1.6-10002
Remote-ID=rid-10.1.1.1-1701

[IPsec-10.1.1.6-10003-10.1.1.1-1701]
Phase=2
ISAKMP-peer=peer-10.1.1.1
Configuration=qm-10.1.1.6-10.1.1.1
Local-ID=lid-10.1.1.6-10003
Remote-ID=rid-10.1.1.1-1701

[lid-10.1.1.6-1]
ID-type=IPV4_ADDR
Address=10.1.1.6
Protocol=17
Port=1

[lid-10.1.1.6-10001]
ID-type=IPV4_ADDR
Address=10.1.1.6
Protocol=17
Port=10001

[lid-10.1.1.6-10002]
ID-type=IPV4_ADDR
Address=10.1.1.6
Protocol=17
Port=10002

[lid-10.1.1.6-10003]
ID-type=IPV4_ADDR
Address=10.1.1.6
Protocol=17
Port=10003

[rid-10.1.1.1-1701]
ID-type=IPV4_ADDR
Address=10.1.1.1
Protocol=17
Port=1701
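
What Brian's (stripped) perl attachment did, written here as a POSIX sh function. This is an added example, not the script from the thread and not ipsecctl's own code: it emits an isakmpd.conf with one transport-mode phase-2 connection and one local ID per local UDP port, all sharing a single phase-1 peer, quick-mode suite and remote ID, which is exactly the layout of the file attached above. The addresses, port 1701, the PSK placeholder and the 3DES/MD5 transforms are taken from the thread; the function and its argument order are this example's own.

```shell
#!/bin/sh
# Added example: generate an isakmpd.conf with N per-port transport-mode
# connections to one peer (layout of the hand-written file in the thread).
# Not the perl script from the thread; the transforms and the PSK style are
# those of the original ipsec.conf.4.
#
# usage: gen_isakmpd_conf LOCAL_IP REMOTE_IP REMOTE_PORT PSK LOCAL_PORT...

gen_isakmpd_conf() {
    local_ip=$1 remote_ip=$2 rport=$3 psk=$4
    shift 4

    # isakmpd only negotiates sections listed in [Phase 2]:Connections, so
    # every per-port section has to be named here; this is the part that
    # ipsecctl could not produce at the time.
    conns=
    for lport in "$@"; do
        conns="${conns:+$conns,}IPsec-$local_ip-$lport-$remote_ip-$rport"
    done

    cat <<EOF
[Phase 1]
$remote_ip=peer-$remote_ip

[peer-$remote_ip]
Phase=1
Address=$remote_ip
Authentication=$psk
Configuration=mm-$remote_ip

[mm-$remote_ip]
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-MD5-GRP2

[qm-$local_ip-$remote_ip]
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-TRP-3DES-MD5-SUITE

[Phase 2]
Connections=$conns

EOF

    # One connection and one local ID per local port; all of them reuse the
    # same quick-mode suite and, since every SA targets port $rport, the
    # same remote ID.
    for lport in "$@"; do
        cat <<EOF
[IPsec-$local_ip-$lport-$remote_ip-$rport]
Phase=2
ISAKMP-peer=peer-$remote_ip
Configuration=qm-$local_ip-$remote_ip
Local-ID=lid-$local_ip-$lport
Remote-ID=rid-$remote_ip-$rport

[lid-$local_ip-$lport]
ID-type=IPV4_ADDR
Address=$local_ip
Protocol=17
Port=$lport

EOF
    done

    cat <<EOF
[rid-$remote_ip-$rport]
ID-type=IPV4_ADDR
Address=$remote_ip
Protocol=17
Port=$rport
EOF
}

# Quick self-check on a generated config: number of phase-2 connections.
count_phase2() {
    grep -c '^\[IPsec-'
}

# Constructed run with the four ports from the thread's ipsec.conf.4.
gen_isakmpd_conf 10.1.1.6 10.1.1.1 1701 mypresharedkey 1 10001 10002 10003
```

Redirect the output to /etc/isakmpd/isakmpd.conf (root-owned, mode 0600, since it holds the pre-shared key in clear), start isakmpd the way Brian did, and `ipsecctl -s all` should then list one in/out flow pair per local port instead of only the last one. The Connections list is emitted on a single line; isakmpd reads it the same as the backslash-continued form in the attached file.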



Re: on the remote root login in OpenSSH

2006-11-24 Thread Joachim Schipper
On Fri, Nov 24, 2006 at 07:06:17AM +0100, Bill Maas wrote:
 Hi,
 
 how about this one:
 
 PermitRootLogin 192.168.1
 
 Should any of the SSH maintainers be reading this: possible new SSH
 feature?

I believe you can actually do this with the Match directive, although
I'd need to spend more time looking at the man page than I currently
have to be sure.

Joachim



Problem with Routerboard 44 quad port ethernet card

2006-11-24 Thread Kriloff

Hi,

I'm building a firewall with 6 ethernet interfaces. It's a Tyan S2425
mobo with 2 onboard NICs and added quad port Routerboard 44 card on a
1U PCI riser card.
The problem is that vr0 does not work. It's detected with MAC address
ff:ff:ff:ff:ff:ff and the PHY for vr0 is not detected.
vr1, vr2, vr3, as well as onboard fxp0 and fxp1 work just fine.

Any ideas what could be wrong here?
Here's the dmesg:

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) III CPU - S 1266MHz (GenuineIntel
686-class) 1.27 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 535261184 (522716K)
avail mem = 480309248 (469052K)
using 4256 buffers containing 26865664 bytes (26236K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 05/01/03, BIOS32 rev. 0 @
0xfdb80, SMBIOS rev. 2.3 @ 0xf06 40 (131 entries)
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3b10/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801AA LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x1000 0xcd000/0x1800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82815 Hub rev 0x04
vga1 at pci0 dev 2 function 0 Intel 82815 Graphics rev 0x04:
aperture at 0xfc00, size 0x20 0
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x05
pci1 at ppb0 bus 1
ppb1 at pci1 dev 5 function 0 vendor Hint, unknown product 0x0021 rev 0x15
pci2 at ppb1 bus 2
vr0 at pci2 dev 8 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
address ff:ff:ff:ff:ff:ff
vr1 at pci2 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
address 00:0c:42:02:2b:43
ukphy0 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci2 dev 10 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
address 00:0c:42:02:2b:44
ukphy1 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr3 at pci2 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
address 00:0c:42:02:2b:45
ukphy2 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
fxp0 at pci1 dev 8 function 0 Intel 82562 rev 0x03, i82562: irq 11,
address 00:e0:81:29:da:16
inphy0 at fxp0 phy 1: i82562EM 10/100 PHY, rev. 0
fxp1 at pci1 dev 11 function 0 Intel 8255x rev 0x08, i82559: irq 5,
address 00:e0:81:29:da:17
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x05
pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x05: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
wd0 at pciide0 channel 1 drive 0: ST340016A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801BA SMBus rev 0x05: irq 10
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 10: GPIO VLM TMS
gpio0 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask f745 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Hans-Joerg Hoexer
Hi,

On Fri, Nov 24, 2006 at 09:45:45AM +, Brian Candler wrote:
 I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box
 and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP
 over IPSEC tunnels].
 
 Each SA is between the same two IP endpoints but specifies a different UDP
 port pair.
 
 I was able to get a single SA up using ipsecctl, after making this small fix:
 
 --- sbin/ipsecctl/ike.c.origThu Nov 23 22:48:23 2006
 +++ sbin/ipsecctl/ike.c Thu Nov 23 22:48:37 2006
 @@ -526,7 +526,7 @@
 fprintf(fd, SET [lid-%s]:Port=%d force\n, src-name,
 ntohs(sport));
 if (dport)
 -   fprintf(fd, SET [rid-%s]:Port=%d force\n, src-name,
 +   fprintf(fd, SET [rid-%s]:Port=%d force\n, dst-name,
 ntohs(dport));
  }

this has already been committed, thanks!

Could you please try the diff below?  It's just a quick hack but
might solve that problem.

HJ.

Index: ike.c
===
RCS file: /cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.54
diff -u -p -r1.54 ike.c
--- ike.c   24 Nov 2006 08:07:18 -  1.54
+++ ike.c   24 Nov 2006 10:28:33 -
@@ -38,12 +38,13 @@ static void ike_section_peer(struct ipse
 static voidike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
FILE *, u_int8_t);
 static int ike_get_id_type(char *);
-static voidike_section_ipsec(struct ipsec_addr_wrap *, struct
-   ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);
+static voidike_section_ipsec(struct ipsec_addr_wrap *, u_int16_t, struct
+   ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *,
+   char *, FILE *);
 static int ike_section_p1(struct ipsec_addr_wrap *, struct
ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t);
-static int ike_section_p2(struct ipsec_addr_wrap *, struct
-   ipsec_addr_wrap *, u_int8_t, u_int8_t, struct
+static int ike_section_p2(struct ipsec_addr_wrap *, u_int16_t, struct
+   ipsec_addr_wrap *, u_int16_t, u_int8_t, u_int8_t, struct
ipsec_transforms *, FILE *, u_int8_t);
 static voidike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *,
u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *);
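
Review bot: ike_section_ipsec and ike_section_p2 gain sport/dport here, but ike_connect, which writes the [Phase 2]:Connections entry, is not touched in this hunk and keeps its (satype, src, dst, FILE *) signature, so the Connections list would still name IPsec-<src>-<dst> while the sections being written are now keyed on address:port; isakmpd would then be told to bring up a section that is never defined. Thread the two u_int16_t ports through ike_connect as well, which is what the second diff further down in this thread does.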
@@ -174,33 +175,45 @@ ike_get_id_type(char *string)
 }
 
 static void
-ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
-struct ipsec_addr_wrap *peer, FILE *fd)
+ike_section_ipsec(struct ipsec_addr_wrap *src, u_int16_t sport,
+struct ipsec_addr_wrap *dst, u_int16_t dport, struct ipsec_addr_wrap *peer,
+char *tag, FILE *fd)
 {
-   fprintf(fd, SET [IPsec-%s-%s]:Phase=2 force\n, src-name, dst-name);
+   char*p;
+
+   if (asprintf(p, %s:%d-%s:%d, src-name, ntohs(sport), dst-name,
+   ntohs(dport)) == -1)
+   err(1, ike_section_ipsec);
+
+   fprintf(fd, SET [IPsec-%s]:Phase=2 force\n, p);
 
if (peer)
-   fprintf(fd, SET [IPsec-%s-%s]:ISAKMP-peer=peer-%s force\n,
-   src-name, dst-name, peer-name);
+   fprintf(fd, SET [IPsec-%s]:ISAKMP-peer=peer-%s force\n, p,
+   peer-name);
else
fprintf(fd, SET
-   [IPsec-%s-%s]:ISAKMP-peer=peer-default force\n,
-   src-name, dst-name);
+   [IPsec-%s]:ISAKMP-peer=peer-default force\n, p);
+
+   fprintf(fd, SET [IPsec-%s]:Configuration=qm-%s force\n, p, p);
+   fprintf(fd, SET [IPsec-%s]:Local-ID=lid-%s force\n, p, src-name);
+   fprintf(fd, SET [IPsec-%s]:Remote-ID=rid-%s force\n, p, dst-name);
 
-   fprintf(fd, SET [IPsec-%s-%s]:Configuration=qm-%s-%s force\n,
-   src-name, dst-name, src-name, dst-name);
-   fprintf(fd, SET [IPsec-%s-%s]:Local-ID=lid-%s force\n, src-name,
-   dst-name, src-name);
-   fprintf(fd, SET [IPsec-%s-%s]:Remote-ID=rid-%s force\n, src-name,
-   dst-name, dst-name);
+   if (tag)
+   fprintf(fd, SET [IPsec-%s]:PF-Tag=%s force\n, p, tag);
+
+   free(p);
 }
 
 static int
-ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
-u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd,
-u_int8_t ike_exch)
+ike_section_p2(struct ipsec_addr_wrap *src, u_int16_t sport,
+struct ipsec_addr_wrap *dst, u_int16_t dport, u_int8_t satype,
+u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, u_int8_t 
ike_exch)
 {
-   char *tag, *exchange_type, *sprefix;
+   char*p, *tag, *exchange_type, *sprefix;
+
+   if (asprintf(p, %s:%d-%s:%d, src-name, ntohs(sport), dst-name,
+   ntohs(dport)) == -1)
+   err(1, ike_section_p2);
 
switch (ike_exch) {
case IKE_QM:
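
Review bot: ike_section_ipsec now points every connection at Configuration=qm-<src:sport-dst:dport>, but within this hunk ike_section_p2 still names its sections from src->name and dst->name (the asprintf'd p is built and unused before the switch), so unless the truncated remainder renames the qm section in exactly the same way each connection will reference a qm section that does not exist. One qm section per peer pair is sufficient, as Brian's hand-written isakmpd.conf shows, so the smaller change is to keep Configuration=qm-<src>-<dst> and put the ports only in the IPsec and lid/rid names.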
@@ -213,10 +226,9 @@ ike_section_p2(struct 

Re: IPSec roadwarrior configuration?

2006-11-24 Thread Mathieu Sauve-Frankel
  Now VPN-A has this in ipsec.conf:
  ike passive esp from any to any srcid [EMAIL PROTECTED] dstid
  [EMAIL PROTECTED]

If you need to support more than one user in your roadwarrior setup,
then don't set dstid.

-- 
Mathieu Sauve-Frankel



Re: syslog.conf question: log into a separate file, but not into /var/log/messages

2006-11-24 Thread Stuart Henderson
On 2006/11/24 10:50, Alexander Farber wrote:
 I've read man syslog.conf several times, especially this passage:
...
 but don't understand it and how to adapt it for my purpose:

see the 'examples' section where this is demonstrated.



Re: pflogd: Failed to initialize: /dev/bpf0

2006-11-24 Thread Uwe Dippel
On Wed, 22 Nov 2006 22:19:37 +0200, Berk D. Demir wrote:

 This permission problem smells like a mixed kernel and userland match 
 or a version spaghetti to me.
 
 Please try a recent snapshot if possible. In case you want to run 
 -stable, make a _clean_ build.

Sounds reasonable. Only, I didn't do *any* install on it for the last 18
months; no build ever; it is a vanilla stable 3.7; waiting for the update.



Re: syslog.conf question: log into a separate file, but not into /var/log/messages

2006-11-24 Thread Marcus Popp
Hi Alexander,

On 2006-11-24T10:50, Alexander Farber wrote:
 Then I've added a second ! and moved those 2 lines to
 the top of /etc/syslog.conf:
 
!!pref
 *.*     /var/log/pref
 
 Now no messages at all are written into /var/log/messages :-/
 
 Can anyone please give me a hint?

read man syslog.conf

!!prog causes the subsequent block to abort evaluation when a message
matches, ensuring that only a single set of actions is taken.  !* can be
used to ensure that any ensuing blocks are further evaluated (i.e.
cancelling the effect of a !prog or !!prog).

hth,

Marcus.



Re: on the remote root login in OpenSSH

2006-11-24 Thread Stuart Henderson
On 2006/11/23 17:07, Igor Sobrado wrote:
...
 to set up a firewall with an ever-growing list of hostile machines.
...

I think you misunderstand me. I mean to restrict direct SSH access
to only those networks which need access, not to block attackers when
you see them. Authorized users would either connect from an approved
IP address, or by using authpf. (for this, I'm assuming use of a
separate firewall to protect a number of other machines, not 'self-
protecting').

There aren't a lot of cases where you need to leave SSH access
open to the world.



Re: syslog.conf question: log into a separate file, but not into /var/log/messages

2006-11-24 Thread Otto Moerbeek
On Fri, 24 Nov 2006, Alexander Farber wrote:

 Hi,
 
 I've read man syslog.conf several times, especially this passage:
 
 !!prog causes the subsequent block to abort evaluation when a message
 matches, ensuring that only a single set of actions is taken.  !* can be
 used to ensure that any ensuing blocks are further evaluated (i.e.
 cancelling the effect of a !prog or !!prog).
 
 but don't understand it and how to adapt it for my purpose:
 
 I have a program called pref which does following:
 
 openlog(__progname, LOG_CONS | LOG_PID, LOG_DAEMON);
 ...
 syslog(LOG_INFO, "%s", msg);
 ...
 syslog(LOG_WARNING, "%s", msg);
 ...
 syslog(LOG_ERR, "%s", msg);
 
 I'd like all of those messages to go into separate file /var/log/pref
 but not into the /var/log/messages. So first I've appended
 
!pref
 *.*     /var/log/pref
 
 to the /etc/syslog.conf, touched the /var/log/pref, adapted
 newsyslog.conf and pkill -HUPped syslogd. This worked,
 but the messages also were written into /var/log/messages.
 
 Then I've added a second ! and moved those 2 lines to
 the top of /etc/syslog.conf:
 
!!pref
 *.*     /var/log/pref
 
 Now no messages at all are written into /var/log/messages :-/
 

Add the end marker !* after the *.* line

-Otto
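
To see why Alexander's two attempts behaved as they did, and why the `!*` marker Otto suggests fixes it, here is a small POSIX sh/awk model of how syslogd walks the program blocks in syslog.conf. This is an added example, not OpenBSD's syslogd: it models only the `!prog`, `!!prog` and `!*` markers from syslog.conf(5) and treats every selector as if it were `*.*`, ignoring facility and level; the three configuration variants, the `pref` program and the `sshd` control message are constructed from the thread.

```shell
#!/bin/sh
# Added example: toy model of syslog.conf program blocks (!prog, !!prog, !*).
# Not OpenBSD's syslogd: facility/level selectors are ignored (every rule is
# treated like "*.*"); only the block rules from syslog.conf(5) are modelled:
#   !prog   following rules apply only to messages from prog
#   !!prog  same, and a message that matches a rule stops evaluation there
#   !*      following rules apply to all programs again
# In a real syslog.conf separate selector and action with a tab.
#
# route CONF PROG  -> prints the log file(s) a message from PROG reaches

route() {
    printf '%s\n' "$1" | awk -v prog="$2" '
        BEGIN { scope = "*"; quick = 0; stop = 0 }
        stop { next }                          # a !!prog rule already matched
        /^!!/  { scope = substr($0, 3); quick = 1; next }
        /^!\*/ { scope = "*"; quick = 0; next }
        /^!/   { scope = substr($0, 2); quick = 0; next }
        /^#/ || NF < 2 { next }                # comments and blank lines
        scope == "*" || scope == prog {
            print $2                           # rule matched: deliver
            if (quick) stop = 1                # !!prog: take no further action
        }'
}

MESSAGES='*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none   /var/log/messages'

# 1) !pref appended at the end: pref messages reach both files, because the
#    /var/log/messages rule was already evaluated before the block started.
CONF_APPENDED="$MESSAGES
!pref
*.*     /var/log/pref"

# 2) !!pref at the top but no !*: the block never ends, so every later rule
#    is scoped to pref and messages from any other program match nothing.
CONF_NO_RESET="!!pref
*.*     /var/log/pref
$MESSAGES"

# 3) Otto's fix: !* closes the block. pref is delivered once and evaluation
#    stops; everything else falls through to the normal rules.
CONF_FIXED="!!pref
*.*     /var/log/pref
!*
$MESSAGES"

# Constructed demo: where a pref message and an sshd message land under each.
for conf in CONF_APPENDED CONF_NO_RESET CONF_FIXED; do
    eval "c=\$$conf"
    printf '%-14s pref -> [%s]  sshd -> [%s]\n' "$conf" \
        "$(route "$c" pref | tr '\n' ' ')" "$(route "$c" sshd | tr '\n' ' ')"
done
```

The second variant is the one that emptied /var/log/messages: the `!!pref` block was never closed, so the `/var/log/messages` rule below it only applied to pref, and pref had already been consumed by the quick block. Placement matters as well: the `!!pref` block has to come before the `/var/log/messages` rule, since it can only abort evaluation of rules that follow it.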



Re: syslog.conf question: log into a separate file, but not into /var/log/messages

2006-11-24 Thread Alexander Farber

Hi Marcus,

On 11/24/06, Marcus Popp [EMAIL PROTECTED] wrote:

 Can anyone please give me a hint?

read man syslog.conf


read my original mail.

Can you imagine, that I've read the man page,
but it is just not good enough for me (or vice versa)?

Regards
Alex

--
http://preferans.de



Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Hans-Joerg Hoexer
more correct diff:

Index: ike.c
===
RCS file: /cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.54
diff -u -p -r1.54 ike.c
--- ike.c   24 Nov 2006 08:07:18 -  1.54
+++ ike.c   24 Nov 2006 10:46:19 -
@@ -38,17 +38,18 @@ static void ike_section_peer(struct ipse
 static voidike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
FILE *, u_int8_t);
 static int ike_get_id_type(char *);
-static voidike_section_ipsec(struct ipsec_addr_wrap *, struct
-   ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);
+static voidike_section_ipsec(struct ipsec_addr_wrap *, u_int16_t, struct
+   ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *,
+   char *, FILE *);
 static int ike_section_p1(struct ipsec_addr_wrap *, struct
ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t);
-static int ike_section_p2(struct ipsec_addr_wrap *, struct
-   ipsec_addr_wrap *, u_int8_t, u_int8_t, struct
+static int ike_section_p2(struct ipsec_addr_wrap *, u_int16_t, struct
+   ipsec_addr_wrap *, u_int16_t, u_int8_t, u_int8_t, struct
ipsec_transforms *, FILE *, u_int8_t);
 static voidike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *,
u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *);
-static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct
-   ipsec_addr_wrap *, FILE *);
+static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, u_int16_t,
+   struct ipsec_addr_wrap *, u_int16_t, FILE *);
 static int ike_gen_config(struct ipsec_rule *, FILE *);
 static int ike_delete_config(struct ipsec_rule *, FILE *);
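
Review bot: the new char * argument to ike_section_ipsec, which drives the PF-Tag line added in the next hunk, is unrelated to giving phase-2 sections per-port names; split it into its own diff so the port fix can be reviewed, committed and pulled up to -stable on its own.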
 
@@ -174,33 +175,45 @@ ike_get_id_type(char *string)
 }
 
 static void
-ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
-struct ipsec_addr_wrap *peer, FILE *fd)
+ike_section_ipsec(struct ipsec_addr_wrap *src, u_int16_t sport,
+struct ipsec_addr_wrap *dst, u_int16_t dport, struct ipsec_addr_wrap *peer,
+char *tag, FILE *fd)
 {
-   fprintf(fd, SET [IPsec-%s-%s]:Phase=2 force\n, src-name, dst-name);
+   char*p;
+
+   if (asprintf(p, %s:%d-%s:%d, src-name, ntohs(sport), dst-name,
+   ntohs(dport)) == -1)
+   err(1, ike_section_ipsec);
+
+   fprintf(fd, SET [IPsec-%s]:Phase=2 force\n, p);
 
if (peer)
-   fprintf(fd, SET [IPsec-%s-%s]:ISAKMP-peer=peer-%s force\n,
-   src-name, dst-name, peer-name);
+   fprintf(fd, SET [IPsec-%s]:ISAKMP-peer=peer-%s force\n, p,
+   peer-name);
else
fprintf(fd, SET
-   [IPsec-%s-%s]:ISAKMP-peer=peer-default force\n,
-   src-name, dst-name);
+   [IPsec-%s]:ISAKMP-peer=peer-default force\n, p);
 
-   fprintf(fd, SET [IPsec-%s-%s]:Configuration=qm-%s-%s force\n,
-   src-name, dst-name, src-name, dst-name);
-   fprintf(fd, SET [IPsec-%s-%s]:Local-ID=lid-%s force\n, src-name,
-   dst-name, src-name);
-   fprintf(fd, SET [IPsec-%s-%s]:Remote-ID=rid-%s force\n, src-name,
-   dst-name, dst-name);
+   fprintf(fd, SET [IPsec-%s]:Configuration=qm-%s force\n, p, p);
+   fprintf(fd, SET [IPsec-%s]:Local-ID=lid-%s force\n, p, src-name);
+   fprintf(fd, SET [IPsec-%s]:Remote-ID=rid-%s force\n, p, dst-name);
+
+   if (tag)
+   fprintf(fd, SET [IPsec-%s]:PF-Tag=%s force\n, p, tag);
+
+   free(p);
 }
 
 static int
-ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
-u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd,
-u_int8_t ike_exch)
-{
-   char *tag, *exchange_type, *sprefix;
+ike_section_p2(struct ipsec_addr_wrap *src, u_int16_t sport,
+struct ipsec_addr_wrap *dst, u_int16_t dport, u_int8_t satype,
+u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, u_int8_t 
ike_exch)
+{
+   char*p, *tag, *exchange_type, *sprefix;
+
+   if (asprintf(p, %s:%d-%s:%d, src-name, ntohs(sport), dst-name,
+   ntohs(dport)) == -1)
+   err(1, ike_section_p2);
 
switch (ike_exch) {
case IKE_QM:
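Review bot: in ike_section_p2 the asprintf'd name p is allocated before the switch (ike_exch), but the switch's error path returns -1 (the return (-1) that opens the next hunk) without freeing it, so an unknown exchange type leaks p; free p before that return and check that every later return in the function does the same. The asprintf(p, %s:%d-%s:%d, src-name, ntohs(sport), dst-name, ntohs(dport)) block is also repeated verbatim from ike_section_ipsec; a small helper that builds the name once (which could serve ike_connect too, whose prototype gained the same port arguments) would keep the three callers from drifting apart.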
@@ -213,10 +226,9 @@ ike_section_p2(struct ipsec_addr_wrap *s
return (-1);
}
 
-   fprintf(fd, SET [%s-%s-%s]:EXCHANGE_TYPE=%s force\n,
-   tag, src-name, dst-name, exchange_type);
-   fprintf(fd, SET [%s-%s-%s]:Suites=%s-, tag, src-name,
-   dst-name, sprefix);
+   fprintf(fd, SET [%s-%s]:EXCHANGE_TYPE=%s force\n, tag, p,
+   exchange_type);
+   fprintf(fd, SET [%s-%s]:Suites=%s-, tag, p, sprefix);
 
switch (satype) {
case IPSEC_ESP:
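Review bot: the local variable tag in ike_section_p2 (declared together with p, exchange_type and sprefix) now shares its name with the new tag parameter of ike_section_ipsec, where it means the PF-Tag value written to the config; here it is the section-name prefix chosen by the ike_exch switch, so the two are unrelated. Renaming one of them, for instance the prefix to section_prefix, avoids confusion when reading the [%s-%s] section names next to the PF-Tag line.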
@@ -339,6 +354,8 @@ ike_section_p2(struct ipsec_addr_wrap *s
fprintf(fd, -PFS);
  

Re: syslog.conf question: log into a separate file, but not into /var/log/messages

2006-11-24 Thread Alexander Farber

Thanks Otto, that was it

On 11/24/06, Otto Moerbeek [EMAIL PROTECTED] wrote:

!!pref
*.*     /var/log/pref

 Now no messages at all are written into /var/log/messages :-/


Add the end marker !* after the *.* line

-Otto




Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Brian Candler
On Fri, Nov 24, 2006 at 10:22:26AM +, Brian Candler wrote:
 To answer my own question: inspired by the output of ipsecctl, I wrote a
 perl program (attached) to generate a suitable isakmpd.conf (also attached),
 and this appears to work just fine.

And now I seem to have hit some sort of scalability problem.

Generating 1,000 transport mode SAs, and monitoring them with 
ipsecctl -s flow | grep wc -l

gives the following after isakmpd has been started:

Time(s)  Num flows
---  -
   10  606
   20  976
   30 1286
   40 1384
   50 1768
   60 1946
   70 1946 ..

And there it stops, never reaching 2000 (in+out).

But I find the following in /var/log/messages:

Nov 24 11:12:45 gw isakmpd[32720]: pf_key_v2_set_spi: UPDATE: No such process
Nov 24 11:12:45 gw last message repeated 26 times

1946 + 27*2 = 2000, so that's where the missing flows have gone. For some
reason some of them are not known; maybe some earlier messages to the kernel
were silently dropped?

A bit more background:

* The OpenBSD machine is a HP/Compaq desktop, single 2.8GHz processor,
  512MB, rl0 interface
* The Cisco is a 7301 with VAM2+ crypto accelerator. It barely breaks
  a sweat (peak CPU usage around 25% with all these SAs coming in)
* Connected via cheap 100M switch

I'm using isakmpd.conf as generated by the Perl script posted before,
setting up separate SAs for UDP ports 1 to 10999 inclusive. I've also
added

[General]
Exchange-max-time=180
Retransmits=10

at the top.

OK, so next I tried

# isakmpd -c /etc/isakmpd/isakmpd.conf.1000 -K -4 -v -d -D 5=99 > log.out 2>&1

but that actually made the problem go away - all 2000 flows were set up
correctly :-( I think that the extra work of writing debug info slowed it
down sufficiently that whatever was overflowing before is not overflowing
now. About 16MB of logs were generated.

Next I tried less debugging, with

# isakmpd -c /etc/isakmpd/isakmpd.conf.1000 -K -4 -v -d -D 5=50 > log.out3 2>&1

With this the number of flows maxed out at 1840. The logs include things
like:

...
113517.306433 Sdep 50 pf_key_v2_get_spi: spi:
113517.306449 Sdep 50 856af6c7
...
113630.081939 Sdep 40 pf_key_v2_convert_id: IPv4 address 10.1.1.6/32
113630.081951 Sdep 40 pf_key_v2_convert_id: IPv4 address 10.1.1.1/32
113630.081966 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.1.1.6 SPI 0x856af6c7
113630.082048 Default pf_key_v2_set_spi: UPDATE: No such process

I can upload this whole log file if anyone wants to see it (~1MB
uncompressed). But perhaps an IPSEC guru can suggest some better way to pin
this down.

Finally, I thought I'd give it a go with 10,000 SAs, which is the sort of
scale I wanted to test the Cisco with anyway.

# isakmpd -c /etc/isakmpd/isakmpd.conf.1 -K -4 -v -d -D 5=50 > log.out4 2>&1

It takes a few minutes for isakmpd to get going (although the OpenBSD box
remains responsive throughout). Its size grows to 133MB, after which it
starts to shrink, and then grow again.

The number of flows is low: after 5 minutes it shows

# ipsecctl -s flow | wc -l
 492
# grep "No such process" log.out4 | wc -l
  33

After 10 minutes:

# ipsecctl -s flow | wc -l
2568

After 20 minutes:

# ipsecctl -s flow | wc -l
2992

The machine isn't swapping, and remains responsive although isakmpd is using
100% CPU. But the rate of successful SA setups is much lower than it was
with 1,000.

Anyway, I think OpenBSD acquits itself pretty well, and I'm not too worried
about it being able to set up 10,000 SAs, but with 1,000 SAs I think it
would be worth trying to nail down the pf_key UPDATE problem.

Regards,

Brian Candler.



Re: syslog.conf question: log into a separate file, but not into /var/log/messages

2006-11-24 Thread Robert Urban

Alexander Farber wrote:

I've read man syslog.conf several times, especially this passage:

!!prog causes the subsequent block to abort evaluation when a message
matches, ensuring that only a single set of actions is taken.  !* can be
used to ensure that any ensuing blocks are further evaluated (i.e.
cancelling the effect of a !prog or !!prog).

you might consider simply replacing syslog with syslog-ng.

Rob Urban



Has anyone tried to install OpenBSD (PPC) on PS3?

2006-11-24 Thread John Blaze

Even though I know OpenBSD's main purpose isn't game related, it would be
interesting to see it running on a PS3, even for benchmark-only
purposes.
Did anyone already get one?



Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Brian Candler
Hans-Joerg Hoexer wrote:
 more correct diff:

Cool. It occurs to me that the protocol ought to be included as well though:
e.g.

[IPsec-10.1.1.6:1-10.1.1.1:1701-17]

That's because (in theory) you might have one SA for UDP and another SA for
TCP.

Other possibilities would be:

[IPsec-10.1.1.6-10.1.1.1-17] or
[IPsec-10.1.1.6:0-10.1.1.1:0-17]
# protocol specified but ports not specified

[IPsec-10.1.1.6-10.1.1.1] or
[IPsec-10.1.1.6:0-10.1.1.1:0-0]
# no protocol specified

Regards,

Brian.



Re: on the remote root login in OpenSSH

2006-11-24 Thread Christian Ruediger Bahls
[2006-11-24 11:26] Woodchuck [EMAIL PROTECTED] wrote:
 You know, I seem to recall that many versions ago (maybe even as far
 back as 2.xx) root login on ssh *was* disallowed by default.
 I recall being bitten by it, too, on remote (other-side-of-the-room)
 installations on headless machines.

just happened to me the day before yesterday
pkg_delete(d) bash (login shell of the only user in group wheel)
.. so i was indeed very happy to be able to do a ssh root:[EMAIL PROTECTED]

christian bahls
[1] i do not trust this workstation



X.org on Sun Ultra 10

2006-11-24 Thread Christian Ruediger Bahls
i post this to the list so it shows up in the web
should somebody have the same problem
(if you see any mistake please do not hesitate to contact me)

i had problems setting up X.org for an Ultra 10
(i normally use that machine remote so X is less important)

this machine has a Creator3D Framebuffer
as well as an ATI Mach64 GP Graphics Card

dmesg:
vgafb0 at pci1 dev 2 function 0 ATI Mach64 GP rev 0x5c
wsdisplay0 at vgafb0
wsdisplay0: screen 0 added (std, sun emulation)
creator0 at mainbus0 addr 0xfebee000: Creator3D, model SUNW,501-4788, dac 10
wsdisplay1 at creator0: console (std, sun emulation), using wskbd0

the Monitor is connected to the Creator3D

/usr/X11R6/README helped for the first steps
(with 4.0 stable the keyboard did not work)

somehow i wasn't able to make X.org use the creator3d as display device
.. so i disabled the vgafb in the kernel config

with the following xorg.conf at least the display works:
(!notice the FbBpp!)

Section ServerLayout
Identifier X.org Configured
Screen  0  Screen0 0 0
InputDeviceMouse0 CorePointer
InputDeviceKeyboard0 CoreKeyboard
EndSection

Section Files
RgbPath  /usr/X11R6/lib/X11/rgb
FontPath /usr/X11R6/lib/X11/fonts/misc/
FontPath /usr/X11R6/lib/X11/fonts/TTF/
FontPath /usr/X11R6/lib/X11/fonts/Type1/
FontPath /usr/X11R6/lib/X11/fonts/CID/
FontPath /usr/X11R6/lib/X11/fonts/75dpi/
FontPath /usr/X11R6/lib/X11/fonts/100dpi/
EndSection

Section Module
EndSection

Section InputDevice
Identifier  Keyboard0
Driver  kbd
Option Protocol wskbd
Option Device /dev/wskbd0
EndSection

Section InputDevice
Identifier  Mouse0
Driver  mouse
OptionProtocol SunMouse
OptionDevice /dev/tty00
OptionBaudRate 1200
EndSection

Section Monitor
Identifier   Monitor
VendorName   Unknown
ModelNameUnknown
# Adjust those to your monitor before using another device than wsfb
# or you can destroy it !!
HorizSync31.5-60
VertRefresh  50-70
EndSection

# All framebuffers
Section Device
Identifier  Wsdisplay0
Driver  wsfb
Option  device /dev/ttyC0
EndSection

# All framebuffers
Section Screen
Identifier Screen0
Device Wsdisplay0
MonitorMonitor
DefaultDepth 24
SubSection Display
Depth 24
FbBpp   32
Weight  8 8 8
EndSubSection
EndSection
#

yours
  christian bahls

-- 
personal reaches me at gmx.de
[EMAIL PROTECTED]



Re: IPSec roadwarrior configuration?

2006-11-24 Thread Albert Chin
On Fri, Nov 24, 2006 at 07:35:10PM +0900, Mathieu Sauve-Frankel wrote:
   Now VPN-A has this in ipsec.conf:
   ike passive esp from any to any srcid [EMAIL PROTECTED] dstid
   [EMAIL PROTECTED]
 
 If you need to support more than one user in your roadwarrior setup,
 then don't set dstid.

But, according to ipsec.conf:
   dstid is similar to srcid, but instead specifies the ID to be used
   by the remote peer.

So, if I want multiple roadwarriors to connect, with X.509
certificates, and I leave srcid blank, won't the authentication occur
with the client IP, for which I certainly won't have a CERTIP
certificate because the IP is undetermined?

-- 
albert chin ([EMAIL PROTECTED])



Re: raidctl: ioctl (RAIDFRAME_CONFIGURE) failed on 4.0 amd64 for RAID 1 (mirroring)

2006-11-24 Thread Vijay Sankar
I am not sure whether this is relevant or not, but in my conf 
pseudo-device raid 4 is defined before option RAID_AUTOCONFIG.

Vijay

On Fri, 2006-24-11 at 11:17 +0530, Siju George wrote:
 On 11/24/06, Joachim Schipper [EMAIL PROTECTED] wrote:
  On Wed, Nov 22, 2006 at 10:35:52PM +0530, Siju George wrote:
   On 11/22/06, Joachim Schipper [EMAIL PROTECTED] wrote:
   On Tue, Nov 21, 2006 at 08:22:20PM -0600, Vijay Sankar wrote:
Good day,
   
I am pretty sure I was
booting from /dev/raid0a on the old server but couldn't repeat that 
with
this desktop. Here is my df -h
   
   raidctl -A root raid0?
  
   Nope it didn't work for me :-(
  
   relevant part from my mail earlier
  
   ===
   # raidctl -A root raid0
   raid0: Autoconfigure: Yes
   raid0: Root: Yes
   #
   #reboot
 
  Did you check that you have `option RAID_AUTOCONFIG' enabled? Even a
  typo will result in interesting behaviour (as I just found out an hour
  ago, bsd.rd is useful...)
 
 Joachim
 
 
 
 # cat /usr/src/sys/arch/amd64/conf/GENERIC.RAID
 include arch/amd64/conf/GENERIC
 
 option RAID_AUTOCONFIG
 pseudo-device raid 4
 #
 
 
 Yes I had this config file :-)
 
 kind Regards
 
 Siju
 
-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: 204 885 9535, E-Mail: [EMAIL PROTECTED]



Re: SFTP only access to sshd

2006-11-24 Thread Ingo Schwarze
Damien Miller wrote on Fri, Nov 24, 2006 at 12:04:15PM +1100:
 On Thu, 23 Nov 2006, Ingo Schwarze wrote:
 
 From time to time, people come here to ask:
 How can i set up an account for SFTP only, forbidding shell access?
 
 One common answer is scponly, http://sublimation.org/scponly/wiki/
 This looks quite powerful, in particular if you intend to chroot.
 
 I just had to implement SFTP only access myself.  Reading the scponly
 sources, i realized that the task is nearly trivial as long as you
 only want SFTP, no other protocols, and need no chroot.  So i thought
 i might as well share with the list.  In case i overlooked anything
 serious, chances are i shall be beaten...  ;-)
 
 In OpenSSH-4.5:
 
 Match user djm
   X11Forwarding no
   AllowTCPForwarding no
   ForceCommand /usr/libexec/sftp-server

Oops, advertising hacks is certainly a bad idea when standard
solutions are already implemented...  Sorry for the noise...

What happened is this:  I first tried the ForceCommand solution
(which i do like for commands either redirecting stdio from /dev/null
or expecting ASCII input), but didn't much like the fact that users
erroneously using ssh(1) instead of sftp(1) will get no error
message, but a chance to type into a binary SFTP connection.
Doing harm by some ill chance appears improbable as the SSH_FXP_*
packet type codes are all below 32, so they do not correspond
to printable ASCII characters.  All the same, i feared such users
might get rather confused.
While searching for alternative solutions, i completely forgot
about ForceCommand.

In some situations, just executing /bin/sh -c ForceCommand,
regardless of the command supplied to the sshd(8), certainly is
the best thing to do.  In this special case, returning an error
message in case of a command mismatch might even be nicer.
But that probably won't warrant adding yet another option to
sshd_config(5).
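As an added example (not Ingo's, Damien's or OpenSSH's own code), here is the kind of ForceCommand wrapper the last paragraph describes: it hands an sftp subsystem request to sftp-server and returns a readable error to anyone who opens an interactive ssh(1) session or sends some other command instead. It assumes sshd(8) exports the client's original request in SSH_ORIGINAL_COMMAND, that an sftp subsystem request shows up there as the sftp-server path from the Subsystem line (or internal-sftp), and the script path /usr/local/sbin/sftp-only is a placeholder.

```shell
#!/bin/sh
# sftp-only: ForceCommand wrapper for sshd_config, used like
#   Match user djm
#     X11Forwarding no
#     AllowTCPForwarding no
#     ForceCommand /usr/local/sbin/sftp-only   # placeholder path
#
# Assumption: sshd(8) places the client's original request in
# SSH_ORIGINAL_COMMAND; an "sftp" subsystem request arrives as the
# sftp-server path configured on the Subsystem line (or internal-sftp).

SFTP_SERVER=/usr/libexec/sftp-server

# sftp_only_decide REQUEST
# Prints "exec" and returns 0 when REQUEST is an sftp subsystem request,
# prints "reject" and returns 1 otherwise.  Kept apart from the dispatch
# code so it can be exercised without an SSH session.
sftp_only_decide() {
    req=$1
    case "$req" in
        "$SFTP_SERVER"|"$SFTP_SERVER "*|internal-sftp|"internal-sftp "*)
            echo exec
            return 0 ;;
        "")
            # No command at all: the user ran ssh(1) and asked for a shell.
            echo reject
            return 1 ;;
        *)
            # Any other command (scp, a shell one-liner, ...).
            echo reject
            return 1 ;;
    esac
}

# sftp_only_message REQUEST
# Human-readable explanation for a rejected request.
sftp_only_message() {
    if [ -z "$1" ]; then
        echo "This account is restricted to SFTP; use sftp(1), not ssh(1)."
    else
        echo "Command rejected ($1): this account is restricted to SFTP."
    fi
}

sftp_only_main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if sftp_only_decide "$req" >/dev/null; then
        # Ignore any client-supplied arguments; run the server as configured.
        exec "$SFTP_SERVER"
    fi
    sftp_only_message "$req" >&2
    exit 1
}

# Dispatch only when run as the forced command, not when sourced for tests.
case "$0" in
    *sftp-only) sftp_only_main ;;
esac
```

The account still needs a valid login shell, because sshd runs the ForceCommand through it.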



Re: crash on 4.0 (but no ddb)

2006-11-24 Thread Stephen Takacs
This machine has been locking up randomly once or twice a day on
average, but always when X is running.  So I've been leaving it in
console mode at night, hoping it crashes into ddb...

Last night it crashed, but unfortunately, it didn't go into ddb on its
own, and the ddb.console Ctl-Alt-Esc key sequence didn't work either.
Once again, the keyboard was completely dead (CapsLock key doesn't even
toggle the LED).  Actually that's not entirely true, I had left the LCD
backlight turned off, and hitting a random key turned it back on.  But
that's the extent of the keyboard functionality.

It looks like there was no activity when the machine crashed.  I don't
have cron jobs that run at night, other than fetchmail (0,30 * * * *)
and it crashed sometime between 02:03:30 and 02:23:29:

Nov 24 01:03:29 icicle -- MARK --
Nov 24 01:23:29 icicle -- MARK --
Nov 24 01:43:30 icicle -- MARK --
Nov 24 02:03:30 icicle -- MARK --
Nov 24 08:59:58 icicle syslogd: restart
Nov 24 08:59:58 icicle /bsd: OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
Nov 24 08:59:58 icicle /bsd: [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

I'm not sure what to do at this point.  I'll run memtest86 tonight, but
I'm very skeptical that it will reveal any hardware problems.  This
machine started acting strange the next day after I upgraded it to 4.0,
and I can't recall a single crash during the 3.7 - 3.9 releases.



Mail to 'misc' being forwarded to 'ports'?

2006-11-24 Thread Brian Candler
I'm getting the following when posting to 'misc'. Is this known and/or
intentional?

I'm not bcc'ing to 'ports' - honest!

Regards,

Brian.
Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Fri, 24 Nov 2006 14:50:00 +
Received: from [127.0.0.1] (helo=mappit.linnet.org)
by localhost with esmtp (Exim 4.60) (envelope-from [EMAIL PROTECTED]) 
id 1GncNM-0004P6-1m
for [EMAIL PROTECTED]; Fri, 24 Nov 2006 14:50:00 +
Received: from pop3.linnet.org
by mappit.linnet.org with POP3 (fetchmail-6.3.2)
for [EMAIL PROTECTED] (single-drop); Fri, 24 Nov 2006 14:50:00 + 
(GMT)
Received: from [208.210.124.73] (helo=gold.pobox.com)
by mk-mx-1.b2b.uk.tiscali.com with esmtp (Exim 4.24) id 1GnbXf-000OfK-2r
for [EMAIL PROTECTED]; Fri, 24 Nov 2006 13:56:35 +
Received: from localhost.localdomain (localhost [127.0.0.1])
by gold.pobox.com (Postfix) with ESMTP id 0BDB2D0592
for [EMAIL PROTECTED]; Fri, 24 Nov 2006 08:56:57 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163])
by gold.pobox.com (Postfix) with ESMTP id A7234D4AFE
for [EMAIL PROTECTED]; Fri, 24 Nov 2006 08:45:01 -0500 (EST)
Received: from openbsd.org (localhost.ucar.edu [127.0.0.1])
by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAODAjW7022092
for [EMAIL PROTECTED]; Fri, 24 Nov 2006 06:10:45 -0700 (MST)
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
Date: Fri, 24 Nov 2006 06:10:45 -0700
From: [EMAIL PROTECTED]
To: Brian Candler [EMAIL PROTECTED]
Subject: Message rejected
X-Security: message sanitized on shear.ucar.edu See 
http://www.impsec.org/email-tools/sanitizer-intro.html for details. $Revision: 
1.147 $Date: 2004-10-02 11:16:26-07 
Content-Type: text/plain; charset=us-ascii
Message-ID: [EMAIL PROTECTED]
X-Converted-To-Plain-Text: from multipart/mixed by demime 1.01d
X-Converted-To-Plain-Text: Alternative section used was text/plain

Your message to ports@openbsd.org was rejected because it 
was not explicitly addressed to the ports mailing list.

If you intended to send a blind carbon copy, you must include a
valid Bcc: header.
X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on shear.ucar.edu
X-Spam-Level: 
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO  
autolearn=unavailable version=3.1.4
Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.235])
by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAODAZrY018222
for ports@openbsd.org; Fri, 24 Nov 2006 06:10:36 -0700 (MST)
Received: by wx-out-0506.google.com with SMTP id t4so779681wxc
for ports@openbsd.org; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
Received: by 10.90.105.20 with SMTP id d20mr7297753agc.1164373835788; Fri, 24 
Nov 2006 05:10:35 -0800 (PST)
X-Forwarded-To: ports@openbsd.org, [EMAIL PROTECTED], misc@openbsd.org
X-Forwarded-For: [EMAIL PROTECTED] ports@openbsd.org, [EMAIL PROTECTED], 
misc@openbsd.org
X-Gmail-Received: a3fb48cf952e9fe93945d81618c431fb9d58bb76
Delivered-To: [EMAIL PROTECTED]
Received: by 10.90.104.12 with SMTP id b12cs26662agc; Fri, 24 Nov 2006 05:10:35 
-0800 (PST)
Received: by 10.70.33.7 with SMTP id g7mr10044496wxg.1164373835522; Fri, 24 Nov 
2006 05:10:35 -0800 (PST)
Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163])
by mx.google.com with ESMTP id i12si12406432wxd.2006.11.24.05.10.33; 
Fri, 24 Nov 2006 05:10:35 -0800 (PST)
Received-SPF: neutral (google.com: 192.43.244.163 is neither permitted nor 
denied by domain of [EMAIL PROTECTED])
Received: from openbsd.org (localhost.ucar.edu [127.0.0.1])
by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCjfa9014739; Fri, 24 
Nov 2006 05:45:41 -0700 (MST)
Received: from rune.pobox.com (rune.pobox.com [208.210.124.79])
by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCgCOY015553
for misc@openbsd.org; Fri, 24 Nov 2006 05:42:12 -0700 (MST)
Received: from rune (localhost [127.0.0.1])
by rune.pobox.com (Postfix) with ESMTP id 92A15964BF
for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST)
Received: from mappit.linnet.org (212-74-113-67.static.dsl.as9105.com 
[212.74.113.67]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client 
certificate requested)
by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 5007A95325
for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST)
Received: from brian
by mappit.linnet.org with local (Exim 4.60) (envelope-from [EMAIL 
PROTECTED]) id 1GnaOj-0002nE-FV
for misc@openbsd.org; Fri, 24 Nov 2006 12:43:17 +
Date: Fri, 24 Nov 2006 12:43:17 +
From: Brian Candler [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: ipsecctl setting up multiple SAs
Message-ID: [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: [EMAIL 

SCSI and several adapters on the same bus

2006-11-24 Thread Michael Schmidt

Hello,

does OpenBSD handle several adapters on the same SCSI bus?

Clarifying: Several adapters of course with different SCSI ids,
but connected via one cable on the same SCSI bus.
It may happen that I have a need for this, so would be fine to read
which experiences [EMAIL PROTECTED] have.

Have a nice day
Michael

--
Michael Schmidt MIRRORS:
DJGPP   ftp://ftp.fh-koblenz.de/pub/CompilerTools/DJGPP/
Watcom  ftp://ftp.fh-koblenz.de/pub/CompilerTools/Watcom/
OpenOffice  ftp://ftp.fh-koblenz.de/pub/OpenOffice/



Re: Mail to 'misc' being forwarded to 'ports'?

2006-11-24 Thread Nick Holland
Brian Candler wrote:
 I'm getting the following when posting to 'misc'. Is this known and/or
 intentional?
 
 I'm not bcc'ing to 'ports' - honest!
 
 Regards,
 
 Brian.
...
Yeah, someone did something annoying with their mail account.

The right people to fix it are trying to be contacted...in the mean
time, don't worry about it...

Nick.



Re: IPSec roadwarrior configuration?

2006-11-24 Thread Albert Chin
On Fri, Nov 24, 2006 at 07:54:49AM -0600, Albert Chin wrote:
 On Fri, Nov 24, 2006 at 07:35:10PM +0900, Mathieu Sauve-Frankel wrote:
Now VPN-A has this in ipsec.conf:
ike passive esp from any to any srcid [EMAIL PROTECTED] dstid
[EMAIL PROTECTED]
  
  If you need to support more than one user in your roadwarrior setup,
  then don't set dstid.
 
 But, according to ipsec.conf:
dstid is similar to srcid, but instead specifies the ID to be used
by the remote peer.
 
 So, if I want multiple roadwarriors to connect, with X.509
 certificates, and I leave srcid blank, won't the authentication occur
 with the client IP, for which I certainly won't have a CERTIP
 certificate because the IP is undetermined?

Ok, if I specify srcid but no dstid, then multiple clients can
connect. Maybe I missed something but it wasn't obvious that this
would work, reading ipsec.conf(5) and isakmpd(8).

-- 
albert chin ([EMAIL PROTECTED])



Re: Mail to 'misc' being forwarded to 'ports'?

2006-11-24 Thread Darrin Chandler
On Fri, Nov 24, 2006 at 02:52:23PM +, Brian Candler wrote:
 I'm getting the following when posting to 'misc'. Is this known and/or
 intentional?
 
 I'm not bcc'ing to 'ports' - honest!

Something weird is going on, and various things are ending up in ports@
that don't belong there. Someone has already noted this on ports@, and
I assume someone is looking into it.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: on the remote root login in OpenSSH

2006-11-24 Thread Paul de Weerd
Hi Dave,

On Fri, Nov 24, 2006 at 01:50:52AM -0500, Woodchuck wrote:
| At worst you have a small window during installation in which root
| logins are allowed, before you shut them off by chroot'ing as Paul
| outlined in his post.

I'm not sure I understand, what window is this ? Before (and after)
chroot'ing into your system, sshd is not running so root logins are
not allowed. At most, they're configured to be allowed when sshd
starts up (this is exactly what everybody is free to change after
install, in the chroot (or without chrooting using ed(1))).

| btw, that chroot to /mnt may not be obvious to some, and a little
| advisory (or even a menu choice) at the end of the install script
| might be a good use of a 100 bytes or so.
|
| Halt now (H), Chroot to installed system (C) or shell (S)? [S]

It's in the FAQ, these days. See section 4.5.7.

Cheers,

Paul 'WEiRD' de Weerd

--
 http://www.weirdnet.nl/




Re: X.org on Sun Ultra 10

2006-11-24 Thread Nick Holland
Christian Ruediger Bahls wrote:
 i post this to the list so it shows up in the web
 should somebody have the same problem
 (if you see any mistake please do not hesitate to contact me)
 
 i had problems setting up X.org for an Ultra 10
 (i normally use that machine remote so X is less important)
 
 this machine has a Creator3D Framebuffer
 as well as an ATI Mach64 GP Graphics Card
 
 dmesg:
 vgafb0 at pci1 dev 2 function 0 ATI Mach64 GP rev 0x5c
 wsdisplay0 at vgafb0
 wsdisplay0: screen 0 added (std, sun emulation)
 creator0 at mainbus0 addr 0xfebee000: Creator3D, model SUNW,501-4788, dac 10
 wsdisplay1 at creator0: console (std, sun emulation), using wskbd0
  ^^
   |

 the Monitor is connected to the Creator3D
 
 /usr/X11R6/README helped for the first steps
 (with 4.0 stable the keyboard did not work)
 
 somehow i wasn't able to make X.org use the creator3d as display device
 .. so i disabled the vgafb in the kernel config

There's a better way... :)
...
 # All framebuffers
 Section Device
 Identifier  Wsdisplay0
   ^^
|
 Driver  wsfb
 Option  device /dev/ttyC0
^^
make that   /dev/ttyD0

 EndSection

i.e., set up X to drive the second device, not the first device.

See the section in /usr/X11R6/README about ..systems with both UPA and
VGA framebuffers ...

What you did works, but in general, mod'ding the kernel (even with
config(8)) is less desirable than running completely stock, 'specially
when it comes to upgrades/updates.

Nick.



Re: Mail to 'misc' being forwarded to 'ports'?

2006-11-24 Thread Alden Pierre
This happens to me as well and unfortunately I don't know how to remedy 
this problem.


Regards,
Alden

Brian Candler wrote:

I'm getting the following when posting to 'misc'. Is this known and/or
intentional?

I'm not bcc'ing to 'ports' - honest!

Regards,

Brian.

Re: Why Sendmail?

2006-11-24 Thread Paolo Maero

Martin,

Why being so nice?

Fear of widening openbsd customer base?

/Paolo


On Nov 23, 2006, at 2:44 PM, Martin Schrvder wrote:


Search the archives, you troll




Re: crash on 4.0 (but no ddb)

2006-11-24 Thread Christopher D. Palmer

From: Stephen Takacs [EMAIL PROTECTED]
Sent: Friday, November 24, 2006 9:35 AM

---snip---

I'm not sure what to do at this point.  I'll run memtest86 tonight, but
I'm very skeptical that it will reveal any hardware problems.  This
machine started acting strange the next day after I upgraded it to 4.0,
and I can't recall a single crash during the 3.7 - 3.9 releases.


If you haven't done it already, check your motherboard hardware for signs of
heat creep. A system I recently troubleshot had an unsecured DIMM memory
ejector clip and the memory module was slightly lifted up on one side, causing
random system lockups.



Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Håkan Olsson

On 24 nov 2006, at 13.12, Brian Candler wrote:
...

Time(s)  Num flows
---  -
   10  606
   20  976
   30 1286
   40 1384
   50 1768
   60 1946
   70 1946 ..

And there it stops, never reaching 2000 (in+out).

But I find the following in /var/log/messages:

Nov 24 11:12:45 gw isakmpd[32720]: pf_key_v2_set_spi: UPDATE: No such process
Nov 24 11:12:45 gw last message repeated 26 times

1946 + 27*2 = 2000, so that's where the missing flows have gone. For some
reason some of them are not known; maybe some earlier messages to the kernel
were silently dropped?


This particular part of the IKE implementation works something like the
following:

1. start a negotiation (here: start 1000 negotiations simultaneously)
2. each negotiation starts by reserving a SPI value (for every proposal) in
   the kernel; the SPI is a 32-bit number but has to be unique. If you do
   debug logging, you'll see a number of GETSPI calls here.
3. isakmpd starts to send out IKE packets to the other host(s)
4. the other side responds, and assuming everything is ok one proposal (per
   negotiation) is selected
5. the selected SPI (or larval SA state) on the local system is updated with
   the keying material, timeouts etc., i.e. the real SA is finalized

This continues until all negotiations are complete -- however there is a
limit on how long this larval SA lives in the kernel... as you may guess it's
60 seconds. (The idea being if a negotiation has not completed in 60 seconds
something has probably failed.)

Since the hosts seem to be a bit slow in running IKE negotiations, you hit the
60 second limit before all negotiations are complete, all remaining larval SAs
are dropped and when isakmpd tries to update them into real SAs this of course
fails. ("No such process" approx. means "no SA found" here.)


/H

PS
When I tried between two ~700 MHz P-III machines a while back, setting up 4096
(or was it 8k) SAs was no problem. Another developer had a scenario setting up
40960 SAs over loopback on his laptop -- mainly a test of kernel memory usage,
but he did not hit the 60s larval-SA time limit there either.




powerpc package updates

2006-11-24 Thread Ben Calvert
I notice that while some platforms ( i386, amd64, sparc64 ) get their
current packages rebuilt somewhat frequently, the powerpc platform is
over 30 days old.

Is this due to a hardware shortage?  Would getting someone to donate an
Xserve help?

-
   Hobbes : Well, you still have afternoons and weekends 
   Calvin : That's when I watch TV.



Re: Mail to 'misc' being forwarded to 'ports'?

2006-11-24 Thread Brian Candler
On Fri, Nov 24, 2006 at 08:20:02AM -0700, Darrin Chandler wrote:
 On Fri, Nov 24, 2006 at 02:52:23PM +, Brian Candler wrote:
  I'm getting the following when posting to 'misc'. Is this known and/or
  intentional?
  
  I'm not bcc'ing to 'ports' - honest!
 
 Something weird is going on, and various things are ending up in ports@
 that don't belong there. Someone has already noted this on ports@, and
 I assume someone is looking into it.

FWIW, when I sent a mail to 'bugs' I got two similar bounces back; one said
I was trying to bcc 'ports' and the other said I was trying to bcc 'misc'

Regards,

Brian.



Re: crash on 4.0 (but no ddb)

2006-11-24 Thread Stuart Henderson
 I'm not sure what to do at this point.  I'll run memtest86 tonight, but
 I'm very skeptical that it will reveal any hardware problems.  This
 machine started acting strange the next day after I upgraded it to 4.0,
 and I can't recall a single crash during the 3.7 - 3.9 releases.

I've had faulty hardware that was somewhat stable with earlier releases
but crashed more often with code from sometime in april; the key point is
that the hardware _was_ faulty. memtest86 did not find any RAM errors.
'make build' whilst running stress (from ports) did crash (quickly in
the case of the newer OS; after running for a while in the case of
the older OS). This was resolved by replacing the CPU with a good one.

I guess some people would prefer things to keep running even with
faulty hardware. This may be more common amongst people who think that
computers crash for no good reason from time to time, though hopefully
they are running some other OS...



Unlock your ePassporte Online Account

2006-11-24 Thread [EMAIL PROTECTED]
WARNING! We've noticed that you experienced trouble logging into ePassporte
Online Account. After three unsuccessful attempts to access your account, your
ePassporte Online Profile has been locked. This has been done to secure your
accounts and to protect your private information. ePassporte is committed to
making sure that your online transactions are secure.

To unlock your account, and verify your identity please follow this link and
sign in:
SERVICE: ePassporte Online Secure
EXPIRATION: Nov - 24 - 2006
Sign in Now your ePassporte Online Secure.

Sincerely,
ePassporte Online Customer Service. Please do not reply to this message. For
any inquiries, contact Customer Service. Document Reference: (87051203).
Copyright 1996 - 2006 ePassporte, N.A. Internet Service.



New Article

2006-11-24 Thread Brian O'Sullivan
Has anyone seen 
http://uncyclopedia.org/wiki/OpenBSD ?

Quite informative.

_
The new Windows Live Toolbar helps you guard against viruses 
http://toolbar.live.com/?mkt=en-gb




Re: Is RAIDframe good for production?

2006-11-24 Thread L. V. Lammert
On Fri, 24 Nov 2006, Igor Goldenberg wrote:

 So, what's better - to have base system partially on RAID or only for
 custom data or not to use RAID at all?

We use RAIDFrame all the time, but *ONLY* on production servers with
totally reliable power. We used to use it for customer machines, but
without at least triple power redundancy the rebuild time is way too long.

For customers, we have moved them to a 15 minute rsync.

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




Re: wirless LAN - DWL-G120 on OPENBSD 4.0

2006-11-24 Thread Damien Bergamini
It is based on the Conexant Prism54 USB2.0 chipset which
is not currently supported in OpenBSD.
If you send it to me I may consider writing a driver for
it on a rainy day ;-)

Damien


| Is any one working on this driver?
| I have D-LINK DWL-G120 USB wireless.
| dmesg shows some thing like this
| -
| ugen0 at uhub2 port 1
| ugen0: D-Link product 0x3701, rev 2.00/2.03, addr 2
| 
| -
| I run ifconfig -a  but cannot show it at all?
| 
| DO you have  any ideas to make this card work?
| do I have to compile the kernel?
| if yes , what to change?
| 
| Thanks
| Minh



Re: on the remote root login in OpenSSH

2006-11-24 Thread Woodchuck
On Fri, 24 Nov 2006, Paul de Weerd wrote:

 Hi Dave,
 
 On Fri, Nov 24, 2006 at 01:50:52AM -0500, Woodchuck wrote:
 | At worst you have a small window during installation in which root
 | logins are allowed, before you shut them off by chroot'ing as Paul
 | outlined in his post.
 
 I'm not sure I understand, what window is this ? Before (and after)

Apparently no window at all, perhaps the one painted on my wall
by some of the refreshments yesterday.  I was ignoring changing
it after installation and before first boot.  The window would
have been between first boot and hupping sshd with the no root
option.

Dave
-- 
  Confound these wretched rodents! For every one I fling away,
   a dozen more vex me! -- Doctor Doom



Re: Mail to 'misc' being forwarded to 'ports'?

2006-11-24 Thread Brian Candler
On Fri, Nov 24, 2006 at 10:33:35AM -0500, Alden Pierre wrote:
 This happens to me as well and unfortunately I don't know how to remedy 
 this problem.

OK, I actually read those headers this time, and I think I have a clue now.
Look:

 Received: from wx-out-0506.google.com (wx-out-0506.google.com 
 [66.249.82.235])
  by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAODAZrY018222
  for ports@openbsd.org; Fri, 24 Nov 2006 06:10:36 -0700 (MST)
 Received: by wx-out-0506.google.com with SMTP id t4so779681wxc
  for ports@openbsd.org; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
 Received: by 10.90.105.20 with SMTP id d20mr7297753agc.1164373835788; Fri, 
 24 Nov 2006 05:10:35 -0800 (PST)
 X-Forwarded-To: ports@openbsd.org, [EMAIL PROTECTED], misc@openbsd.org
 X-Forwarded-For: [EMAIL PROTECTED] ports@openbsd.org, [EMAIL PROTECTED], 
 misc@openbsd.org
 X-Gmail-Received: a3fb48cf952e9fe93945d81618c431fb9d58bb76
 Delivered-To: [EMAIL PROTECTED]
 Received: by 10.90.104.12 with SMTP id b12cs26662agc; Fri, 24 Nov 2006 
 05:10:35 -0800 (PST)
 Received: by 10.70.33.7 with SMTP id g7mr10044496wxg.1164373835522; Fri, 
 24 Nov 2006 05:10:35 -0800 (PST)
 Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163])
  by mx.google.com with ESMTP id i12si12406432wxd.2006.11.24.05.10.33; 
  Fri, 24 Nov 2006 05:10:35 -0800 (PST)
 Received-SPF: neutral (google.com: 192.43.244.163 is neither permitted nor 
 denied by domain of [EMAIL PROTECTED])
 Received: from openbsd.org (localhost.ucar.edu [127.0.0.1])
  by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCjfa9014739; Fri, 
  24 Nov 2006 05:45:41 -0700 (MST)
 Received: from rune.pobox.com (rune.pobox.com [208.210.124.79])
  by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCgCOY015553
  for misc@openbsd.org; Fri, 24 Nov 2006 05:42:12 -0700 (MST)
 Received: from rune (localhost [127.0.0.1])
  by rune.pobox.com (Postfix) with ESMTP id 92A15964BF
  for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST)
 Received: from mappit.linnet.org (212-74-113-67.static.dsl.as9105.com 
 [212.74.113.67]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No 
 client certificate requested)
  by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 5007A95325
  for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST)
 Received: from brian
  by mappit.linnet.org with local (Exim 4.60) (envelope-from 
  [EMAIL PROTECTED]) id 1GnaOj-0002nE-FV
  for misc@openbsd.org; Fri, 24 Nov 2006 12:43:17 +

It got delivered to [EMAIL PROTECTED]. It then got delivered to
[EMAIL PROTECTED], who is presumably a subscriber to misc. It then seems to
have been forwarded from there to ports@openbsd.org, [EMAIL PROTECTED],
misc@openbsd.org [and presumably misc detects the loop].

So it appears the solution is to unsubscribe [EMAIL PROTECTED] from all
openbsd mailing lists (since he/she seems to be doing the same for 'bugs'
too)

Regards,

Brian.
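The loop Brian reads out of the headers above, as an added example that is not part of his post: a small parser that unfolds the headers, walks the Received chain oldest-first and reports when the list server accepted the same message for a list twice, together with the subscriber mailbox and X-Forwarded-To list sitting between the two passes. The headers are constructed (example.org/example.com names, TEST-NET addresses), modelled on the ones quoted in the thread.

```python
import re

# Constructed sample, modelled on the headers quoted in the post but with
# example.org/example.com names and TEST-NET addresses; newest header first.
SAMPLE_HEADERS = """\
Received: from relay-out.example.com (relay-out.example.com [192.0.2.10])
    by listserver.example.org (8.13.8/8.13.6) with ESMTP id AAA000001
    for ports@example.org; Fri, 24 Nov 2006 06:10:36 -0700 (MST)
Received: by relay-out.example.com with SMTP id bbb000002
    for ports@example.org; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
X-Forwarded-To: ports@example.org, other@example.net, misc@example.org
Delivered-To: subscriber@example.com
Received: from listserver.example.org (listserver.example.org [192.0.2.1])
    by mx.example.com with ESMTP id ccc000003;
    Fri, 24 Nov 2006 05:10:35 -0800 (PST)
Received: from example.org (localhost [127.0.0.1])
    by listserver.example.org (8.13.8/8.13.6) with ESMTP id AAA000004;
    Fri, 24 Nov 2006 05:45:41 -0700 (MST)
Received: from sender-mx.example.net (sender-mx.example.net [192.0.2.20])
    by listserver.example.org (8.13.8/8.13.6) with ESMTP id AAA000005
    for misc@example.org; Fri, 24 Nov 2006 05:42:12 -0700 (MST)
"""

# "from X ... by Y ... for Z"; "from" is absent on some hops (a mailer
# handing the message to its own MTA), so it is optional, and so is "for".
HOP_RE = re.compile(
    r"(?:from\s+(?P<frm>\S+))?.*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bfor\s+(?P<rcpt>[^;\s]+))?"
)


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out


def header_values(headers, name):
    """All values of header `name`, in the order they appear (newest first)."""
    want = name.lower()
    return [v.strip() for n, _, v in (h.partition(":") for h in headers)
            if n.strip().lower() == want]


def received_hops(headers):
    """Received hops as (from, by, for) tuples, oldest hop first."""
    hops = []
    for value in header_values(headers, "Received"):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group("frm"), m.group("by"), m.group("rcpt")))
    hops.reverse()  # each MTA prepends its line, so the last one is the oldest
    return hops


def find_list_loop(raw, list_host):
    """Report when `list_host` accepted the same message for a list twice.

    Returns None if the list server handled it once, otherwise a dict with the
    list recipient on each pass, the hosts in between (the subscriber's MX and
    the forwarder), the mailbox it was delivered to, and any X-Forwarded-To list.
    """
    headers = unfold(raw)
    hops = received_hops(headers)
    passes = [i for i, (_, by, rcpt) in enumerate(hops)
              if by == list_host and rcpt is not None]
    if len(passes) < 2:
        return None
    first, last = passes[0], passes[-1]
    delivered = header_values(headers, "Delivered-To")
    fwd = header_values(headers, "X-Forwarded-To")
    return {
        "first_for": hops[first][2],
        "second_for": hops[last][2],
        "via": [by for _, by, _ in hops[first + 1:last] if by != list_host],
        "subscriber": delivered[0] if delivered else None,
        "forwarded_to": [a.strip() for a in fwd[0].split(",")] if fwd else [],
    }


if __name__ == "__main__":
    print(find_list_loop(SAMPLE_HEADERS, "listserver.example.org"))
```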



Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Brian Candler
On Fri, Nov 24, 2006 at 05:22:05PM +0100, Håkan Olsson wrote:
 5. the selected SPI (or larval SA state) on the local system is updated
 with the keying material, timeouts etc., i.e. the real SA is finalized
 
 This continues until all negotiations are complete -- however there is a
 limit on how long this larval SA lives in the kernel... as you may guess
 it's 60 seconds. (The idea being if a negotiation has not completed in 60
 seconds something has probably failed.)
 
 Since the hosts seem to be a bit slow in running IKE negotiations, you hit
 the 60 second limit before all negotiations are complete, all remaining
 larval SAs are dropped and when isakmpd tries to update them into real SAs
 this of course fails. ("No such process" approx. means "no SA found" here.)

Thank you for that very clear description.

Is this 60 second timeout a tunable? Or can you point me to where it's
defined in the kernel? I'd like to try increasing it.

However, at this stage I don't really understand why setting -D 5=99, which
generates copious logs, makes it work. In fact I can get to 3,000 tunnels
(6,000 flows) within a couple of minutes with this flag set. Perhaps this
extra logging delays the starts of some of the negotiations, somehow
spreading the workload.

(Maybe having a workload spreading option, so that no more than N
outstanding exchanges are present at once, would be a useful control anyway)

 PS
 When I tried between two ~700Mhz P-III machines a while back, setting  
 up 4096 (or was it 8k) SAs was no problem. Another developer had a  
 scenario setting up 40960 SAs over loopback on his laptop -- mainly a  
 test of kernel memory usage, but he did not hit the 60s larval-SA  
 time limit there either.

I can think of several possibilities as to why some negotiations are taking
more than 60 seconds. For instance:

(1) The Cisco 7301 may be slow to respond. It does have a VAM2+ crypto
accelerator installed, but I don't know if it's used for isakmp exchanges,
or just for symmetric encryption/decryption. (However, 'show proc cpu
history' suggests CPU load is no more than about 25%)

(2) There may be packet loss and retransmissions, maybe due to some network
buffer overflowing, either on OpenBSD or Cisco.

The OpenBSD box is using a nasty rl0 card, because that's the only spare
interface I had available to go into the test LAN. Having said that,
watching with 'top' I don't see the interrupt load go above 10%.

I'm not sure how to probe deeper to get a handle on what's actually
happening though. Perhaps isakmpd -L logging might shed some light, although
I don't fancy decoding QM exchanges by hand :-(

Regards,

Brian.
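A small model of the sequence Håkan describes (GETSPI reserving a larval SA with a 60 s lifetime, UPDATE finalising it) and of the workload-spreading idea in Brian's reply. This is an added example written for this page, not isakmpd or kernel code: the Sadb class and run() are constructed, the 60 s limit and the 1000-negotiation / 1946-of-2000-flows figures come from the thread, and the 61.63 ms per-negotiation service time is an assumption chosen so the default run reproduces those figures.

```python
import errno
import os
import secrets

LARVAL_SA_LIFETIME = 60.0  # seconds: the larval-SA limit quoted in the thread


class Sadb:
    """Constructed stand-in for the kernel SA database, just enough to show
    the GETSPI / UPDATE sequence from the thread."""

    def __init__(self):
        self.larval = {}    # spi -> time at which the kernel drops it
        self.mature = set()
        self.reaped = 0

    def getspi(self, now):
        """Reserve a unique 32-bit SPI; the entry starts larval with a timeout."""
        while True:
            spi = secrets.randbits(32)
            # 0..255 are reserved SPI values, and a SPI must be unique
            if spi > 255 and spi not in self.larval and spi not in self.mature:
                break
        self.larval[spi] = now + LARVAL_SA_LIFETIME
        return spi

    def expire(self, now):
        """Kernel timer: a negotiation that took longer than the limit has
        probably failed, so its larval SA is dropped."""
        dead = [spi for spi, deadline in self.larval.items() if deadline <= now]
        for spi in dead:
            del self.larval[spi]
        self.reaped += len(dead)

    def update(self, spi, now):
        """SADB_UPDATE: fill the larval entry with keys, lifetimes etc.  If the
        kernel already reaped it there is nothing to update, and the errno it
        answers with is what isakmpd prints as 'UPDATE: No such process'."""
        self.expire(now)
        if spi not in self.larval:
            raise OSError(errno.ESRCH, os.strerror(errno.ESRCH))
        del self.larval[spi]
        self.mature.add(spi)


def run(n_negotiations, service_time, max_outstanding=None):
    """Drive n negotiations through the Sadb; return (flows, update_failures).

    Negotiations finish one after another, `service_time` seconds apart (a
    constructed stand-in for a slow peer or a loaded isakmpd).  With
    max_outstanding=None every GETSPI happens at t=0, as in the thread; with a
    window, a negotiation (and so its larval timer) starts only once one of
    the earlier ones has finished.
    """
    sadb = Sadb()
    window = n_negotiations if max_outstanding is None else max_outstanding
    finished = []
    failures = 0
    for i in range(n_negotiations):
        started = 0.0 if i < window else finished[i - window]
        spi = sadb.getspi(started)                       # step 2
        previous = finished[-1] if finished else 0.0
        done = max(previous, started) + service_time     # steps 3 and 4
        finished.append(done)
        try:
            sadb.update(spi, done)                       # step 5
        except OSError as e:
            if e.errno != errno.ESRCH:
                raise
            failures += 1
    # one inbound and one outbound flow per finalised SA
    return 2 * len(sadb.mature), failures


def expired_update_errno(delay):
    """Reserve one SPI and finalise it `delay` seconds later; 0 on success."""
    sadb = Sadb()
    spi = sadb.getspi(0.0)
    try:
        sadb.update(spi, delay)
    except OSError as e:
        return e.errno
    return 0


if __name__ == "__main__":
    # 1000 tunnels, ~61.6 ms each: the last 27 overrun the 60 s limit,
    # leaving 1946 of 2000 flows, as in the thread.
    print(run(1000, 0.06163))
    # Same throughput, but never more than 500 negotiations in flight.
    print(run(1000, 0.06163, max_outstanding=500))
```

With the window, each larval SA only has to survive the 500 negotiations ahead of it (about 31 s here), so none is reaped even though the whole batch still takes the same time.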



Re: New Article

2006-11-24 Thread Chris
Brian O'Sullivan wrote:
 Has anyone seen
 http://uncyclopedia.org/wiki/OpenBSD ?
 Quite informative.
 

This site is a riot! It makes fun of all the OS's


-- 
Best regards,
Chris

Never eat at a place called moms, never play cards with a
man named doc, and never lie down with a woman who has
got more troubles than you.



Re: Java firefox plugin

2006-11-24 Thread Greg Thomas

On 11/24/06, ICMan [EMAIL PROTECTED] wrote:

Hello,

When I compiled the JDK 1.5 in ports, it did not create a plugin for
Firefox, or if it did, I can't find it.  Can anyone help?  I would like
to install the plugin for my Firefox implementation


pkg_info -M jdk



Also, is there any information about other plugins for Firefox which
have been ported to OpenBSD?  in particular, I would like to find
Macromedia Flash and Shockwave plugins if they are available.



http://www.openbsd.org/faq/faq13.html#flashplugin

Also check the mailing list archives.  I thought someone mentioned an
open source Flash plugin, possibly Gnash, a couple of months ago but I
may have hallucinated it.

Greg



pciutils - writing with setpci doesn't work on an Apple Mac mini (Intel)

2006-11-24 Thread Tasmanian Devil

Hello! :-)

I try to set a register using the package pciutils-2.2.1.tgz to switch
"server mode" on (automatic reboot after power failure) on an Apple
Mac mini (Intel), though it doesn't work so far.

Basically I use -current with a GENERIC.MP kernel, but with ACPI enabled:

# cat /usr/src/sys/arch/i386/conf/GENERIC.ACPI
#   $OpenBSD$
#
#   GENERIC.ACPI - sample ACPI kernel
#

include arch/i386/conf/GENERIC

option  MULTIPROCESSOR  # Multiple processor support
option  MPVERBOSE

cpu*at mainbus?
ioapic* at mainbus?

option  ACPIVERBOSE
option  ACPI_ENABLE

acpi0   at mainbus?
acpitimer*  at acpi?
acpihpet*   at acpi?
acpiac* at acpi?
acpibat*at acpi?
acpibtn*at acpi?
acpicpu*at acpi?
acpiec* at acpi?
acpitz* at acpi?
acpimadt*   at acpi?
acpiprt*at acpi?

I tried it also with a -release installation with GENERIC kernel and a
-current installation with GENERIC kernel, both with the same results.
machdep.allowaperture is set to 2 in /etc/sysctl.conf as it should be.

lspci works fine:

# lspci
00:00.0 Host bridge: Intel Corporation Mobile 945GM/PM/GMS/940GML and
945GT Express Memory Controller Hub (rev 03)
00:02.0 VGA compatible controller: Intel Corporation Mobile
945GM/GMS/940GML Express Integrated Graphics Controller (rev 03)
00:07.0 Performance counters: Intel Corporation Unknown device 27a3 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High
Definition Audio Controller (rev 02)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express
Port 1 (rev 02)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express
Port 2 (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB
UHCI #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB
UHCI #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB
UHCI #3 (rev 02)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB
UHCI #4 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2
EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e2)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface
Bridge (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801G (ICH7 Family) IDE
Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family)
Serial ATA Storage Controller IDE (rev 02)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 02)
01:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8053
PCI-E Gigabit Ethernet Controller (rev 22)
02:00.0 Ethernet controller: Atheros Communications, Inc. Unknown
device 001c (rev 01)
03:03.0 FireWire (IEEE 1394): Agere Systems FW323 (rev 61)

Reading the register works also fine:

# setpci -v -s 0:1f.0 a4
00:1f.0:a4 = 01

But if I try to write to the register, I get this error:

# setpci -v -s 0:1f.0 a4=0
setpci: obsd_write: ioctl(PCIOCWRITE) failed

I also compiled the pciutils-2.2.4 from the ports tree using this
patch: http://marc.theaimsgroup.com/?l=openbsd-portsm=116423351620351w=2

# setpci --version
setpci version 2.2.4

Again, same results. Reading works fine, writing doesn't work. What
did I miss? Does anybody of you use the pciutils and know this
error? What could I try to make writing to the register work?

Thank you in advance for your help!

Tas.


My DMESG (with ACPI enabled):

OpenBSD 4.0-current (GENERIC.ACPI) #0: Fri Nov 24 22:24:04 CET 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.ACPI
cpu0: Genuine Intel(R) CPU 1400 @ 1.83GHz (GenuineIntel 686-class) 1.84 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2
real mem  = 2114367488 (2064812K)
avail mem = 1920389120 (1875380K)
using 4256 buffers containing 105840640 bytes (103360K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 07/29/05, SMBIOS rev. 2.4 @
0xe73f0 (39 entries)
bios0: Apple Computer, Inc. Macmini1,1
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xe600!
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpi device at acpi0 from table DSDT not configured
acpi device at acpi0 from table FACP not configured
acpihpet0 at acpi0 table HPET: 14318179 Hz
acpimadt0 at acpi0 table APIC addr 0xfee0: PC-AT compat
LAPIC: acpi_proc_id 0, apic_id 0, flags 0x1
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: calibrating local timer
cpu0: apic clock running at 166 MHz
cpu0: kstack at 0xeb62c000 for 8192 bytes
cpu0: idle pcb at 0xeb62c000, idle sp at 0xeb62df98
LAPIC: acpi_proc_id 1, apic_id 1, flags 0x1
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Genuine Intel(R) CPU 1400 @ 1.83GHz (GenuineIntel 686-class) 1.84 GHz
cpu1: 

Re: New Article

2006-11-24 Thread Sylwester S. Biernacki
On Friday, November 24, 2006, at 22:43:18, Chris wrote:

 This site is a riot! it makes fun of all the OS's

i.e. NetBSD:
http://uncyclopedia.org/wiki/NetBSD
NetBSD (interNET Bourne Sexual Disease) is a computer virus :-P

Anyway, I think "real men write their own device drivers" should be the
motto of the next -stable release of OpenBSD :)

-- 
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/



Software License

2006-11-24 Thread Gustavo Rios

Dear list members,

I am planning to write a software system and would like to release it
for the community. But, I would like to promote, somehow, people's
usage of the OpenBSD operating system, no one else.

My idea is to elaborate a license that allows only OpenBSD
installations to have my sources installed. Any other operating system
would need (must) download only the *.o object code and glue them
together.

Is there the possibility that such would be seen as a bad idea by
the openbsd community (I don't care for now on concerns about other
OSes)?

thanks in advance.

best regards.



dns working but problem w etherape

2006-11-24 Thread steve szmidt
I thought I'd check to see if anyone here has been here...

OK, having gotten X up, etherape installed, I'm getting a complaint that "No
nameservers defined". I've tested the local dns every way but Sunday, and it
all seems to work just fine.

I got a local LAN under RFC1918. I can do both forward and reverse lookups on
local and external addresses. Both named-checkconf and named-checkzone pass
fine.

I got caching on and master of my third level subdomain (to separate from the
ISP hosted 2nd level domain).

Obviously etherape is trying to do some lookup and fails, but I've got no idea
where... If I start etherape without name resolution it works, so it seems
to be a dns problem. :(

Running on a LAN machine it works fine, the problem is only when run on the 
dns server.

(Running OBSD 3.9)

-- 

Steve Szmidt

To enjoy the right of political self-government, men must be 
capable of personal self-government - the virtue of self-control. 
A people without decency cannot be secure in its liberty.
From the Declaration Principles



Re: Software License

2006-11-24 Thread Reyk Floeter
this sounds like a really bad joke to me...

On Fri, Nov 24, 2006 at 08:49:43PM -0200, Gustavo Rios wrote:
 Dear list members,
 
 I am planning to write a software system and would like to release it
 for the community. But, I would like to promote, somehow, people's
 usage of the OpenBSD operating system, no one else.
 
 My idea is to elaborate a license that allows only OpenBSD
 installations to have my sources installed. Any other operating system
 would need (must) download only the *.o object code and glue them
 together.
 
 Is there the possibility that such would be seen as a bad idea by
 the openbsd community (I don't care for now on concerns about other
 OSes)?
 
 thanks in advance.
 
 best regards.
 

http://www.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD



Re: Software License

2006-11-24 Thread Darrin Chandler
On Fri, Nov 24, 2006 at 08:49:43PM -0200, Gustavo Rios wrote:
 Dear list members,
 
 I am planning to write a software system and would like to release it
 for the community. But, I would like to promote, somehow, people's
 usage of the OpenBSD operating system, no one else.
 
 My idea is to elaborate a license that allows only OpenBSD
 installations to have my sources installed. Any other operating system
 would need (must) download only the *.o object code and glue them
 together.
 
 Is there the possibility that such would be seen as a bad idea by
 the openbsd community (I don't care for now on concerns about other
 OSes)?

You are free to do whatever you want with your code. I won't use it if
it has such a restrictive license.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



RFC on XMLSysInfo, and Thanks for the joyride!

2006-11-24 Thread Moritz Grimm

Hi,


many moons ago, I mentioned the system monitor I wrote in some thread 
here on misc@, as it was possibly useful for someone then. I continued 
working on it, and it has come a long way since. Initially written on 
and for OpenBSD, it now also runs on FreeBSD, NetBSD, Linux, Solaris, 
and a bit of Mac OSX, too, and also has a whole bunch of new features. 
Here is XMLSysInfo (aka XSI), including lots of additional information 
on it: http://xsi.kolabore.ath.cx/ (There's also an OpenBSD port there.)


I am now at the point where I would change its alpha status to beta. 
However, that would also mean no new features and only important bug 
fixes for the XML Schema allowed. Because of this, I am making this 
request for comments and feedback. If you're interested in a system 
monitor like XSI, please check it out and let me know if there's some 
feature that you'd need, and whether you can find inconsistencies or 
something that seems illogical in the output or the schema.


Your help (and, of course, any other kind of feedback as well) is very, 
very much appreciated. Please be so kind to not bother this mailing list 
with replies to the off-topic parts of the mail.



Now ...

So I wrote a system monitor, and ported it to a bunch of operating 
systems. This means, I got to learn and deal with a lot of 
kernel-userland APIs.


Almost every OS had a few or more parts that were fun to implement. In 
that regard, OpenBSD clearly stands out as the pure-fun operating 
system, with no nasty surprises whatsoever. After years of using 
OpenBSD, I became spoiled by how everything Just Works, and started to 
take all the goodness for granted. My recent programming, however, 
reminded me of why I actually like OpenBSD -- the consistency, excellent 
documentation, and ease-of-use is everywhere[1], including API-land. 
There was no half-baked crap to be found, and what I wrote was 
immediately architecture-independent. Thanks for the joyride!


[1]: For various meanings of "everywhere". As in "most" and "all 
important" areas. A year ago, I stumbled a bit through PPP-related code 
in both kernel- and userland ... that was irritating.


Or, in retrospect, looking at my OpenBSD-specific code, it's boring: 
sysctl(3) in most places, no kludges ... all the interesting information 
is readily available. Luckily, it was the first thing I wrote, so it was 
still very interesting at the time. :-)


About the others ... well, here's the list of ports I wrote, ordered by 
my personal sanity level, from high to (very) low, while writing them 
(might apply to API quality as well ;-)):


  OpenBSD
  FreeBSD (*)
  Solaris
  NetBSD (*)
  Linux

(*) means that I was surprised by the result.

Enough praise for OpenBSD ... there's nits to pick! Boohoo, I need to 
try and look at an arbitrary number of sysctls to get all sensors (I went 
with 256 like sensorsd(8).) On the other hand, I'm pretty sure that 
doing it like this simplifies a lot of other code, so all is well. 
Still, a HW_SENSORS_NUM sysctl would be nice to get the number of 
sensors that I should try to read. That, and ... hm, nothing. The code 
to get the default routes looks scary, but that's scary everywhere all 
the same.


FreeBSD surprised me a bit, as I expected it to be quite different. 
Turns out it actually is different, but most things (at least those it 
actually supports) were pretty easy to do. Only mild inconsistencies wrt 
reading the CPU frequency, and, like on OpenBSD, I can get all that 
stuff while being confined in a chroot with minimal privileges.


Solaris doesn't have sysctl(3), but a comprehensive sysinfo() that 
helps. The ioctl(2) stuff about networking stats is crazy and 
complicated. Fortunately, talking to the kernel directly isn't needed in 
most other cases, as there are some libraries for this kind of stuff 
that have well thought-out and properly documented APIs. On the other 
hand, what these libraries actually return seems to be neither 
standardized nor documented anywhere. There's some guesstimating going 
on, so I'll have to see how that port fares over time ... On Solaris, it 
is impossible to be chroot()'ed as a system monitor like XSI. Oh, and 
heed the warning about evolving APIs. They like to make really 
pointless changes to them between releases.


NetBSD was rather disappointing, from my point of view. Thanks to the 
common heritage with OpenBSD, some copy+paste was possible. Where they 
diverged over the years, things get interesting. Being able to get the 
CPU frequency depends both on the architecture and whether one or 
another LKM is loaded. Then, there's that weird security feature that 
the kernel seems to actively hide insensitive information about 
filesystems mounted outside the chroot. That's nonsense, and means that 
I can't chroot() here, either. Enter the big, non-backwards compatible 
API changes between releases wrt disk I/O. This shall be forgiven, 
however, since the old structure and sysctl names would have made 

tampering with suspect's cars

2006-11-24 Thread james dandey
In the San Francisco bay area the F--B-I tamper with suspects' cars. They put an 
oily substance in my windshield washer, loosened suspension components, 
removed wheel weights, put nails in tires, etc.
 
 Has any of this happened in Huntsville, Alabama? I have often warned the corrupt 
tails that tampering with my car is going to lead to the injury/death of 
non-involved people.
 
 
 The F-B-I poison the pets owned by suspects.
  The F-B-I steal from suspects.
  The F-Bi use gang members to harass suspects.
 

-
Everyone is raving about the all-new Yahoo! Mail beta.



Re: Java firefox plugin

2006-11-24 Thread Marc Ravensbergen
On Fri, 2006-24-11 at 14:29 -0800, Greg Thomas wrote:
 On 11/24/06, ICMan [EMAIL PROTECTED] wrote:
  Hello,
 
  When I compiled the JDK 1.5 in ports, it did not create a plugin for
  Firefox, or if it did, I can't find it.  Can anyone help?  I would like
  to install the plugin for my Firefox implementation
 
 pkg_info -M jdk
 
 
  Also, is there any information about other plugins for Firefox which
  have been ported to OpenBSD?  in particular, I would like to find
  Macromedia Flash and Shockwave plugins if they are available.
 
 
 http://www.openbsd.org/faq/faq13.html#flashplugin
 
 Also check the mailing list archives.  I thought someone mentioned an
 open source Flash plugin, possibly Gnash, a couple of months ago but I
 may have hallucinated it.
 
 Greg
 


You have to create a link: 

source: /usr/local/jdk1.5/jre/plugin/i386/ns7/libjavaplugin_oji.so
dest: /home/.../.mozilla/plugins/libjavaplugin_oji.so


Marc



SiS 964 ethernet with sis(4)?

2006-11-24 Thread Soner Tari
I'm planning to purchase a motherboard with SiS 661FX/964 chipset. Can I
assume sis(4) driver on OpenBSD 4.0 amd64 supports the ethernet on SiS
964? (In other words, sis(4) mentions SiS 900, does it mean 9xx?)

Thanks,



Re: SiS 964 ethernet with sis(4)?

2006-11-24 Thread Stuart Henderson
On 2006/11/25 03:55, Soner Tari wrote:
 I'm planning to purchase a motherboard with SiS 661FX/964 chipset. Can I
 assume sis(4) driver on OpenBSD 4.0 amd64 supports the ethernet on SiS
 964?

Looks like it probably does.
http://archives.neohapsis.com/archives/openbsd/2006-06/1627.html

Don't know about anything else though. Generally, you get to try it out,
and work out what to do if something doesn't work satisfactorily (disks,
usb, blah blah...). If you mention the motherboard model, you might be
lucky and find someone else who already has one who could let you
know more...or then again, you might not.



Re: Can OpenBSD rfmon WLans

2006-11-24 Thread pedro la peu
 i actually never tested it with openbsd (why? i can use tcpdump and
 hostapd(8) for wireless monitoring).

Really?



Re: Software License

2006-11-24 Thread Ray Percival

On Nov 24, 2006, at 6:28 PM, Joel Goguen wrote:


It seems to me that such a license would be too restrictive for many.
The goal of OpenBSD (AFAIK) is not to force or coerce lock-in to a
single OS - that's Microsoft's turf :)


Theo said it best.
"But software which OpenBSD uses and redistributes must be free to all (be
they people or companies), for any purpose they wish to use it, including
modification, use, peeing on, or even integration into baby mulching machines
or atomic bombs to be dropped on Australia."


[EMAIL PROTECTED] mailing list, May 29, 2001

snip

They do not preach that their God will rouse them a little before the nuts
work loose.




japanese input method uim anth

2006-11-24 Thread LinuxUser
Hi, all.

I express hearty thanks to the man who added uim-anthy to ports
http://ports.openbsd.nu/manageaccount.php?item=3083 .
I now input Japanese on Konqueror.

I simply write down what I did.


/etc/rc.local
---
echo -n 'starting local daemons:'
echo '.'
/usr/local/sbin/cupsd




.xinitrc
--
export LANG=ja_JP.eucJP
export LC_ALL=ja_JP.eucJP
export LC_CTYPE=ja_JP.eucJP
uim-xim &
startkde



# pkg_info
uim-1.2.1p1 multilingual input method library
anthy-7900p1 japanese input method


The example is in the last part of http://nakajin.dyndns.org/40.html .
Again I express thanks to OpenBSD.
--
takesima



Re: pciutils - writing with setpci doesn't work on an Apple Mac mini (Intel)

2006-11-24 Thread Tasmanian Devil

Sorry to answer myself, but I've found a solution already, thanks to
the really perfect OpenBSD documentation (and I'm still quite a
beginner). Here's the solution for all who read this list and who want
to switch on what the Apple documentation calls "server mode", which
is getting a Mac mini (Intel Core Duo) to power on automatically after
a power cut. Can be very useful if the Mac mini is far away in a data
center!

The setpci command from the pciutils package didn't work for me, but
I've found out that the pcitweak command does exactly what I need. You
can switch the server mode on with:

# pcitweak -w 00:1f:0 -b 0xa4 0x00

and you can check if it's on with:

# pcitweak -r 0:1f:0 -b 0xa4
0x00 (would be 0x01 if it's still off)


From an info page: "However, note that in either case the setting is
not preserved across boots. Mac OS X handles this by saving the
power-management settings on disk and automatically restoring them at
boot; OpenBSD (or Linux) doesn't do that for you, so you will need to
arrange to run the appropriate command on boot. Obviously it is
important to do this as early in the boot process as possible, so that
if the machine hangs or crashes while booting, you can still reboot
it."

I hope this helps somebody as the Mac mini with its Intel Core Duo
makes an excellent server, faster than you'd expect, especially with
OpenBSD! :-)

Tas.
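Added example, not part of Tas's post: an idempotent wrapper around the two pcitweak invocations above, meant to be sourced from /etc/rc.local so the setting survives the reboot the info page warns about. It reads the register first, writes only when server mode is off, and re-reads to confirm the write took, so a log line tells you whether the box will actually come back after a power cut. The /usr/X11R6/bin/pcitweak path, the use of 0:1f:0 for both read and write (the post spells the write target 00:1f:0), and the meaning of 0x00 (on) versus 0x01 (off) are assumptions taken from the post, not verified by me on other hardware.

```sh
#!/bin/sh
# Added example (not from the post): idempotent "server mode" check for
# /etc/rc.local, built around the two pcitweak(1) commands quoted above.
# ASSUMPTIONS: pcitweak lives at /usr/X11R6/bin/pcitweak (override with
# $PCITWEAK), and bus:dev:fn 0:1f:0 byte 0xa4 is the register the post
# names, where 0x00 means server mode on and 0x01 means off.

PCITWEAK=${PCITWEAK:-/usr/X11R6/bin/pcitweak}
PCI_DEV="0:1f:0"     # device the post writes to
PCI_OFF="0xa4"       # config-space byte offset from the post
MODE_ON="0x00"       # value meaning "power on after power loss"

# server_mode_is_on VALUE: succeed when the byte pcitweak printed means "on".
# Accepts the 0x00 / 0x0 spellings; anything else (including garbage) is "off".
server_mode_is_on() {
    case "$1" in
        0x00|0x0|0X00|0X0) return 0 ;;
        *) return 1 ;;
    esac
}

# read_server_mode: print the current register byte, fail if pcitweak fails.
read_server_mode() {
    "$PCITWEAK" -r "$PCI_DEV" -b "$PCI_OFF"
}

# ensure_server_mode: read first, write only when needed, then re-read to
# confirm the write took.  Return codes: 0 ok, 2 tool failure, 3 write ignored.
ensure_server_mode() {
    cur=$(read_server_mode) || { echo "pcitweak read failed" >&2; return 2; }
    if server_mode_is_on "$cur"; then
        echo "server mode already on ($cur)"
        return 0
    fi
    echo "server mode off ($cur), enabling"
    "$PCITWEAK" -w "$PCI_DEV" -b "$PCI_OFF" "$MODE_ON" \
        || { echo "pcitweak write failed" >&2; return 2; }
    new=$(read_server_mode) || { echo "pcitweak re-read failed" >&2; return 2; }
    if server_mode_is_on "$new"; then
        echo "server mode now on ($new)"
        return 0
    fi
    echo "register still reads $new after write" >&2
    return 3
}

# In rc.local, call it as:  sh /etc/rc.servermode run
# (the guard keeps the script side-effect free when merely sourced).
if [ "${1:-}" = "run" ]; then
    ensure_server_mode
fi
```

The re-read matters more than it looks: if the write is silently ignored (wrong device, chipset revision that ignores the bit) you want rc.local to complain rather than leave you believing the machine will recover on its own.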



Re: powerpc package updates

2006-11-24 Thread Peter Valchev
I replied to Ben privately already, but the lack of powerpc package
snapshots is due to a short term problem with the machine that should
get resolved soon... in case others wonder.



Problems using a Powerware 5110 (with nut 2.0.3)

2006-11-24 Thread Guido Tschakert
Hello,

I'm trying to connect to my Eaton Powerware 5110 with USB.

I have installed OpenBSD 4.0 and nut-2.0.3.

The dmesg part for the UPS reads:

ugen0 at uhub0 port 2
ugen0: Powerware Powerware UPS, rev 0.20/0.50, addr 6

I tried to configure /etc/nut/ups.conf

[UPS]
driver = bcmxcp_usb
port = /dev/ugen0.00
desc = Eaton PW 5110

like it is described on the nut homepage.
Then I recognized that there is no bcmxcp_usb driver in my system ;-(

So I want to ask if (why?) the USB device of such a UPS isn't
supported yet, or if I can use the bcmxcp driver instead (which I tried,
but I was out of luck)?

Another question came to me while looking through the ugen manual:
/dev/ugenN.EE Endpoint EE of device N
What is the endpoint EE compared to my dmesg? Port 2 or addr 6 or
something else?

thanks for your time

guido



Java firefox plugin

2006-11-24 Thread ICMan

Hello,

When I compiled the JDK 1.5 in ports, it did not create a plugin for
Firefox, or if it did, I can't find it.  Can anyone help?  I would like
to install the plugin for my Firefox installation.


Also, is there any information about other plugins for Firefox which
have been ported to OpenBSD?  In particular, I would like to find
Macromedia Flash and Shockwave plugins if they are available.


Thank you.



Why does Anthy depend on emacs? (was Re: japanese input method uim anth )

2006-11-24 Thread Ben Calvert
Your timing is excellent - I was literally just starting to look into
setting up Japanese input on OpenBSD when this message came through.

However, I have a question for the maintainer ( ports@ ? )

Why does anthy depend on emacs?  On FreeBSD & Linux it certainly
doesn't, and I have no interest in compiling emacs for the next week
just to get anthy running ( yes, my machine is slow.  I spilled
beer in the other one )

Thanks,

Ben


On Sat, 25 Nov 2006 12:57:00 +0900
LinuxUser [EMAIL PROTECTED] wrote:

 Hi , all .
 
 I express hearty thanks to the man who added uim anthy to ports
 http://ports.openbsd.nu/manageaccount.php?item=3083 .
 I now input Japanese in Konqueror.
 
 I simply write down what I did.
 
 
 /etc/rc.local
 ---
 echo -n 'starting local daemons:'
 echo '.'
 /usr/local/sbin/cupsd
 
 
 
 
 .xinitrc
 --
 export LANG=ja_JP.eucJP
 export LC_ALL=ja_JP.eucJP
 export LC_CTYPE=ja_JP.eucJP
 uim-xim &
 startkde
 
 
 
 # pkg_info
 uim-1.2.1p1 multilingual input method library
 anthy-7900p1 japanese input method
 
 
 The example is in the last part of http://nakajin.dyndns.org/40.html .
 Again I express thanks to OpenBSD.
 --
 takesima
 


-
   Calvin: Sometimes when I'm talking, my words can't keep up with my
thoughts. I wonder why we think faster than we speak.  Hobbes: Probably
so we can think twice.



Re: Why does Anthy depend on emacs? (was Re: japanese input method uim anth )

2006-11-24 Thread Ben Calvert
On Sat, 25 Nov 2006 14:20:12 +0900
[EMAIL PROTECTED] (Mathieu Sauve-Frankel) wrote:


 You will notice that emacs is only a BUILD_DEPENDS. It is needed to
 build the anthy module for emacs. The ports tree is intended for 
 BUILDING PACKAGES. If you are not interested to install what is
 required in order to build the packages, then by all means install
 the binary package, it does not depend on emacs. 

I can't, as the machine used to build powerpc packages is currently
off-line, so there is no package for my arch.

Instead, as I perceive an obvious need to separate anthy out from
anthy-emacs, I'll work on hacking the port so emacs isn't a build dependency.

Unless someone else gets there first ( my previous message was a
poorly-managed attempt to determine if someone was already doing this )

 
 -- 
 Mathieu Sauve-Frankel

Ben