Re: Relayd and SSL - signed certificate problems

2009-02-13 Thread Claus Larsen
Thank you for your input, it is working now.

I forgot that I had also received the BundledRootCA.crt file.

The following did the job:
cat yourcert.crt > combinedcert.crt
cat BundledRootCA.crt >> combinedcert.crt
mv combinedcert.crt /etc/ssl/xxx.xxx.xxx.xxx.crt

regards,
Claus


On Thu, Feb 12, 2009 at 3:39 PM, Johan Ström jo...@stromnet.se wrote:

 On Feb 12, 2009, at 15:29 , Claus Larsen wrote:

  I am having some problems with a SSL proxy like the one described on
 https://calomel.org/relayd.html

 No problems getting it up and running, but the browser cannot verify the
 signed certificates.

 Internet Explorer says:
 The security certificate presented by this website was not issued by a
 trusted certificate authority.

 Safari says:
 www.x.com
 Issued by: Comodo Class 3 Security Services CA
 Expires: .
 This certificate was signed by an unknown authority

 My certificates work fine when running on apache.

 Research tells me that I need a chain/intermediate certificate to get
 things
 working.

 But I have not been able to find any info about this with relayd.

 I have received the following files with my certificate:
 AddTrustExternalCARoot.crt
 UTNAddTrustServerCA.crt


 cat yourcert.crt > combinedcert.crt
 cat UTNAddTrustServerCA.crt >> combinedcert.crt
 cat AddTrustExternalCARoot.crt >> combinedcert.crt

 not sure about the order though.. But I'm quite sure your own cert goes
 first, and then the others should go with the master last. I think. :)

 Make sure there is a newline at the end of each file first, or at least
 that the resulting file has a newline between each cert (not a blank line,
 but just so they don't get mixed up on the same lines)

 When all are added, use combinedcert.crt in /etc/ssl for your IP.

 Good luck :)
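
The concatenation advice in this message (server certificate first, CA certificates after it, a newline between each) as an added example that is not part of the original thread. The function names `build_chain` and `check_chain` and the script name `mkchain.sh` are hypothetical, and the file names are the placeholders used above; the check is structural only and does not validate signatures.

```shell
#!/bin/sh
# Added example, not from the thread. File names are placeholders.

# build_chain OUT LEAF [INTERMEDIATE ...] [ROOT]
# Writes the given PEM files to OUT in argument order (server certificate
# first, root last), one clean line per PEM line.
build_chain() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "build_chain: no PEM certificate in $f" >&2
            rm -f "$tmp"
            return 1
        fi
        # Drop CRs and blank lines; awk terminates every line it prints,
        # so a file lacking a final newline cannot fuse with the next one.
        tr -d '\r' < "$f" | awk 'NF' >> "$tmp"
    done
    mv "$tmp" "$out"
}

# check_chain FILE
# Prints the number of certificates if every BEGIN/END marker stands alone
# on its line and the blocks are properly paired; returns 1 otherwise.
check_chain() {
    awk '
        /-----BEGIN CERTIFICATE-----/ {
            if ($0 != "-----BEGIN CERTIFICATE-----" || inblk) bad = 1
            inblk = 1; n++; next
        }
        /-----END CERTIFICATE-----/ {
            if ($0 != "-----END CERTIFICATE-----" || !inblk) bad = 1
            inblk = 0; next
        }
        END { if (bad || inblk || n == 0) exit 1; print n }
    ' "$1"
}

# Usage: sh mkchain.sh combinedcert.crt yourcert.crt BundledRootCA.crt
if [ "$#" -ge 2 ]; then
    build_chain "$@" && check_chain "$1"
fi
```

A plain `cat` of a file without a final newline produces a fused `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` line, which `check_chain` rejects.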



Re: dmesg reporting wrong CPU

2009-02-13 Thread Jasper Bal

Daniel Bolgheroni wrote:

Hi,

my dmesg is reporting a wrong CPU.

OpenBSD 4.5-beta (GENERIC) #1676: Tue Feb 10 07:49:40 MST 2009
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 128KB L2 cache) 769 
MHz


(...)

Actually it's a Celeron. Is this expected?
  
Actually, a Celeron is a Pentium on which the cache didn't work all that 
well after baking the chip. Intel then shut down most of the cache and 
packaged it as a Celeron. So maybe it's in the chip, not the driver? 
Can't imagine it would give you any problems.


Jasper



Re: Nvidia bug

2009-02-13 Thread Ioan Nemes
nVidia hardware goes to /dev/null, i.e. recycle bin!  I am closely
watching all our suppliers for ANY new hardware with built in nVidia
components (including Sun hardware with built in nVidia NICs).  They
will not pass the tendering stage.  User base around 1500 heads.
Number of servers around 50 (including DR), half Micro$haft half
*NIX.  We soon will be nVidia free!

Ioan



 Christiano Farina Haesbaert christiano...@gmail.com 13/02/2009 01:16

Can anyone tell me if that bug in the nv driver is applicable to every
nvidia card ?
I had a FX7500LE on my desktop and openbsd was quite
slow, I remembered I have an old geforce 32mb, would it work ? or I
would probably have the same results.

Best regards.
--
Christiano Farina Haesbaert







Re: OT: Free, online backup service provider compatible with BSD

2009-02-13 Thread jmc
--- Dieter [Thu, Feb 12, 2009 at 02:43:24PM +]: --- 
  :Amen to backups, but why trust some company far away to handle things?
  :How do you know your data is in good hands, and that they won't slip up
  :let others see it?  I won't mention the concept of the place going under,
  :financially.
  :
  
  at one job we rented a PO Box, and drove the tapes there on our way home
  from work.  Since stealing from the Post Office was a Federal Offense,
  it was somewhat safe.
 
 Interesting use for a PO box.  You can also rent a safety deposit box,
 and there are companies that store media for off site backups.
 These are off site, but not very far off site.  Think Katrina scale
 disaster.  Several hundred miles away would be better.  Which involves
 either shipping media or having a T1 line.  And you'd want this to
 have serious encryption in any case.

i also think it's a good idea to make sure the truck/van they use to
come fetch your offsites shouldn't advertise (for stealing) who they are
or what they do. i'm thinking of the big trucks i've seen that have to
do with a big mountain and a ferromagnetic element.

i just recently hired one of these companies for $work, and wasn't too
comfortable with the mobile advertisements.



Re: SOCKS proxy

2009-02-13 Thread Tony Berth
On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com wrote:

 On Wed, 11 Feb 2009, Tony Berth wrote:

  Hi Diana,

 this is a 'dumb' proxy and allows http/https traffic only. So ports 80 and
 443!

 What I'm after is the ssh command I have to issue in order to open a
 connection from 'a1' to 'a3'! If I read correctly, in case I would have
 used
 putty on 'a1' I should do the following:


 http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls

 I was wondering if ssh flag '-L' is doing the same job.

 By 'httptunnel' you mean the following:

 http://www.jumperz.net/index.php?i=2a=0b=0

 Thanks

 Tony


 httptunnel now refers to more than one software project to tunnel tcp
 traffic via an http proxy.

 take a look at SSH(1) -C
 and   SSH_CONFIG(5)   LocalCommand


if I'm reading correctly, ssh -C requests compression of the data and
ssh_config LocalCommand specifies a command AFTER I was able to make the
connection!

Sorry, but I don't understand how these 2 things are related to my problem!

The proxy is blocking me before any connection can be established. I want to
include the data of that proxy in my ssh command in order to make the
connection but how can I achieve that?

Thanks for your help

Tony



Re: SOCKS proxy

2009-02-13 Thread Pete Vickers

Hi,


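If you're just trying to do an SSH connect via a http proxy, then I do
something like this:


[p...@air] ~ cat  ~/.ssh/pconn.sh
#!/bin/bash
# pconn.sh

# $'\015' is a carriage return, so the request line ends in CRLF
LF=$'\015'

CMD="CONNECT $1:$2 HTTP/1.0"
echo "yyy${CMD}yyy" >&2

# send the request and a blank line, then relay stdin (the ssh client)
(echo "$CMD$LF"
echo
cat ) |
nc proxy_server_ip_address 8080 | (
# log the proxy's response headers to stderr, then relay the rest to ssh
while read L && [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done
cat )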



[p...@air] ~ cat  ~/.ssh/config
#
#
Host my-server-via-proxy
Hostname my-server.com
ProxyCommand ~/.ssh/pconn.sh %h %p
TCPKeepAlive yes
ServerAliveInterval 30
#
#



and then just
[p...@air] ~ ssh my-server-via-proxy
to connect


but be aware it only works if the proxy admin has not restricted the  
proxy to prevent CONNECT method to ports other than 443.


/Pete




On 13 Feb 2009, at 12:34, Tony Berth wrote:

On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com  
wrote:



On Wed, 11 Feb 2009, Tony Berth wrote:

Hi Diana,


this is a 'dumb' proxy and allows http/https traffic only. So  
ports 80 and

443!

What I'm after is the ssh command I have to issue in order to open a
connection from 'a1' to 'a3'! If I read correctly, in case I would  
have

used
putty on 'a1' I should do the following:


http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls

I was wondering if ssh flag '-L' is doing the same job.

By 'httptunnel' you mean the following:

http://www.jumperz.net/index.php?i=2a=0b=0

Thanks

Tony



httptunnel now refers to more than one software project to tunnel  
tcp

traffic via an http proxy.

take a look at SSH(1) -C
and   SSH_CONFIG(5)   LocalCommand



if I'm reading correctly, ssh -C requests compression of the data and
ssh_config LocalCommand specifies a command AFTER I was able to make  
the

connection!

Sorry, but I don't understand how these 2 things are related to my  
problem!


The proxy is blocking me before any connection can be established. I  
want to

include the data of that proxy in my ssh command in order to make the
connection but how can I achieve that?

Thanks for your help

Tony




Re: hoststated status ?

2009-02-13 Thread Xavier Beaudouin

Hello :)

Just to say thank you about all replies I got :p

Relayd is marvelous :)

/Xavier
On 9 Feb 09 at 00:26, Xavier Beaudouin wrote:


Hello,

Just a quick question, what is the status of hoststated ?

I ran into http://www.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/
 and I found that a quite exciting project.

Unfortunately it doesn't seem to be in 4.4 or even in snapshots...

Are there any replacements ? drawbacks or anything that explain it is
not yet supported by stable releases?

Thanks;
/Xavier




Re: SOCKS proxy

2009-02-13 Thread Tony Berth
Hi Pete,

by http proxy you mean your proxy sitting in your machine where you do the
ssh to?

In my case I want to include the proxy which allows Internet access sitting
on the client's terminal and not in the remote machine.

Thanks

Tony

On Fri, Feb 13, 2009 at 1:31 PM, Pete Vickers p...@systemnet.no wrote:

 Hi,


 If you're just trying to do an SSH connect via a http proxy, then I do
 something like this:

 [p...@air] ~ cat  ~/.ssh/pconn.sh
 #!/bin/bash
 # pconn.sh

 LF=$'\015'

 CMD="CONNECT $1:$2 HTTP/1.0"
 echo "yyy${CMD}yyy" >&2

 (echo "$CMD$LF"
 echo
 cat ) |
 nc proxy_server_ip_address 8080 | (
 while read L && [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done
 cat )



 [p...@air] ~ cat  ~/.ssh/config
 #
 #
 Host my-server-via-proxy
 Hostname my-server.com
 ProxyCommand ~/.ssh/pconn.sh %h %p
 TCPKeepAlive yes
 ServerAliveInterval 30
 #
 #



 and then just
 [p...@air] ~ ssh my-server-via-proxy
 to connect


 but be aware it only works if the proxy admin has not restricted the proxy
 to prevent CONNECT method to ports other than 443.

 /Pete





 On 13 Feb 2009, at 12:34, Tony Berth wrote:

  On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com
 wrote:

  On Wed, 11 Feb 2009, Tony Berth wrote:

 Hi Diana,


 this is a 'dumb' proxy and allows http/https traffic only. So ports 80
 and
 443!

 What I'm after is the ssh command I have to issue in order to open a
 connection from 'a1' to 'a3'! If I read correctly, in case I would have
 used
 putty on 'a1' I should do the following:



 http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls

 I was wondering if ssh flag '-L' is doing the same job.

 By 'httptunnel' you mean the following:

 http://www.jumperz.net/index.php?i=2a=0b=0

 Thanks

 Tony


 httptunnel now refers to more than one software project to tunnel tcp
 traffic via an http proxy.

 take a look at SSH(1) -C
 and   SSH_CONFIG(5)   LocalCommand


  if I'm reading correctly, ssh -C requests compression of the data and
 ssh_config LocalCommand specifies a command AFTER I was able to make the
 connection!

 Sorry, but I don't understand how these 2 things are related to my problem!

 The proxy is blocking me before any connection can be established. I want
 to
 include the data of that proxy in my ssh command in order to make the
 connection but how can I achieve that?

 Thanks for your help

 Tony



Re: SOCKS proxy

2009-02-13 Thread Pete Vickers
Hmm, I can't grok your problem description, since it's ambiguous.


there are several devices here:

A. ssh client
B. ssh server
C. http(s) proxy server
D. http(s) proxy client (web browser)


I thought you mean A+D were one device, C was an interim device, and B  
was the remote device.

Do you instead mean A+C are the same device ? or that B+C are the same  
device ?

B+C on the same device seems to make the most sense, I guess. - eg.  
you want to tunnel your http sessions over your ssh sessions, and use  
a proxy server (e.g. squid) on your ssh server device. in which case a  
line like this in the relevant line in your client's ~/.ssh/config  
would do it:

LocalForward 8080 127.0.0.1:8080

and then set your web browser to use a proxy at 127.0.0.1:8080



/Pete




On 13 Feb 2009, at 13:45, Tony Berth wrote:

 Hi Pete,

 by http proxy you mean your proxy sitting in your machine where  
 you do the ssh to?

 In my case I want to include the proxy which allows Internet access  
 sitting on the client's terminal and not in the remote machine.

 Thanks

 Tony

 On Fri, Feb 13, 2009 at 1:31 PM, Pete Vickers p...@systemnet.no  
 wrote:
 Hi,


 If you're just trying to do an SSH connect via a http proxy, then I do
 something like this:

 [p...@air] ~ cat  ~/.ssh/pconn.sh
 #!/bin/bash
 # pconn.sh

 LF=$'\015'

 CMD="CONNECT $1:$2 HTTP/1.0"
 echo "yyy${CMD}yyy" >&2

 (echo "$CMD$LF"
 echo
 cat ) |
 nc proxy_server_ip_address 8080 | (
 while read L && [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done
 cat )



 [p...@air] ~ cat  ~/.ssh/config
 #
 #
 Host my-server-via-proxy
 Hostname my-server.com
 ProxyCommand ~/.ssh/pconn.sh %h %p
 TCPKeepAlive yes
 ServerAliveInterval 30
 #
 #



 and then just
 [p...@air] ~ ssh my-server-via-proxy
 to connect


 but be aware it only works if the proxy admin has not restricted the  
 proxy to prevent CONNECT method to ports other than 443.

 /Pete





 On 13 Feb 2009, at 12:34, Tony Berth wrote:

 On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com  
 wrote:

 On Wed, 11 Feb 2009, Tony Berth wrote:

 Hi Diana,

 this is a 'dumb' proxy and allows http/https traffic only. So ports  
 80 and
 443!

 What I'm after is the ssh command I have to issue in order to open a
 connection from 'a1' to 'a3'! If I read correctly, in case I would  
 have
 used
 putty on 'a1' I should do the following:


 http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls

 I was wondering if ssh flag '-L' is doing the same job.

 By 'httptunnel' you mean the following:

 http://www.jumperz.net/index.php?i=2a=0b=0

 Thanks

 Tony


 httptunnel now refers to more than one software project to tunnel tcp
 traffic via an http proxy.

 take a look at SSH(1) -C
 and   SSH_CONFIG(5)   LocalCommand


 if I'm reading correctly, ssh -C requests compression of the data and
 ssh_config LocalCommand specifies a command AFTER I was able to make  
 the
 connection!

 Sorry, but I don't understand how these 2 things are related to my  
 problem!

 The proxy is blocking me before any connection can be established. I  
 want to
 include the data of that proxy in my ssh command in order to make the
 connection but how can I achieve that?

 Thanks for your help

 Tony



Re: SSH cipher preference change (was: Re: CVS: cvs.openbsd.org: src)

2009-02-13 Thread Theo de Raadt
 Damien Miller d...@cvs.openbsd.org wrote:
 
  Modified files:
  usr.bin/ssh: myproposal.h 
  
  Log message:
  prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC
  modes; ok markus@
 
 This means that ssh's default cipher will no longer profit from
 hifn(4) or glxsb(4) acceleration.

Or via C3 crypto.  Their chip has a broken CTR mode.

I think it actually now means that no hardware will be used for ssh.

But oh well, that's life.



Re: SOCKS proxy

2009-02-13 Thread Diana Eichert

On Fri, 13 Feb 2009, Tony Berth wrote:


if I'm reading correctly, ssh -C requests compression of the data and
ssh_config LocalCommand specifies a command AFTER I was able to make the
connection!

Sorry, but I don't understand how these 2 things are related to my problem!

The proxy is blocking me before any connection can be established. I want to
include the data of that proxy in my ssh command in order to make the
connection but how can I achieve that?

Thanks for your help

Tony


Sorry, my bad, meant to type ~C , not -C , quite a bit of difference
when you're trying to setup the use of a local command.

diana



Re: SOCKS proxy

2009-02-13 Thread Stuart Henderson
On 2009-02-13, Pete Vickers p...@systemnet.no wrote:
 If you're just trying to do an SSH connect via a http proxy, then I do
 something like this:

 [p...@air] ~ cat  ~/.ssh/pconn.sh
 #!/bin/bash
 # pconn.sh

 LF=$'\015'

 CMD="CONNECT $1:$2 HTTP/1.0"
 echo "yyy${CMD}yyy" >&2

 (echo "$CMD$LF"
 echo
 cat ) |
 nc proxy_server_ip_address 8080 | (
 while read L && [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done
 cat )

Related; people behind MS proxies that need auth might want to look
at ports/www/ntlmaps.

 but be aware it only works if the proxy admin has not restricted the  
 proxy to prevent CONNECT method to ports other than 443.

Unless the SSH server is running on an acceptable port, of course...
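
The proxy-side view of the CONNECT port restriction discussed in this thread, as an added example that is not part of the original messages: it lists CONNECT requests to ports other than 443 from a proxy access log. It assumes Squid's native access.log field layout; the function names `sample_log` and `flag_connect` are hypothetical and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: list CONNECT requests to ports other
# than 443 in a Squid native-format access.log (assumed proxy and format).

# Constructed sample log (documentation addresses, made-up host names).
sample_log() {
    cat <<'EOF'
1234530000.101    212 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/198.51.100.5 text/html
1234530060.417  61022 192.0.2.10 TCP_MISS/200 48211 CONNECT mail.example.com:443 - DIRECT/198.51.100.6 -
1234530120.250 903114 192.0.2.23 TCP_MISS/200 771204 CONNECT my-server.example:22 - DIRECT/198.51.100.7 -
1234530180.009      3 192.0.2.23 TCP_DENIED/403 1450 CONNECT my-server.example:22 - NONE/- text/html
EOF
}

# flag_connect: read the log on stdin and print, for every CONNECT whose
# target port is not 443: client, target, HTTP status, verdict.
# Fields used: $3 client, $4 action/status, $6 method, $7 host:port.
flag_connect() {
    awk '
    $6 == "CONNECT" {
        n = split($7, parts, ":")
        port = parts[n]                      # text after the last colon
        if (n < 2 || port !~ /^[0-9]+$/) port = "?"
        if (port == "443") next              # expected HTTPS tunnel
        split($4, st, "/")
        verdict = (st[2] ~ /^2/) ? "tunnel-opened" : "refused"
        printf "%s %s %s %s\n", $3, $7, st[2], verdict
    }'
}

# Stand-alone run over the constructed sample.
sample_log | flag_connect
```

A tunnel to an SSH server listening on 443 is not visible to this port check. Squid's stock configuration expresses the restriction itself as `acl SSL_ports port 443` with `http_access deny CONNECT !SSL_ports`.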



scp bandwidth DEFAULT limit

2009-02-13 Thread Paolo Di Francesco
Hi all,

I was wondering if there is a default limit value for the scp file
transfer. I am doing some speed test over the internet so I was
wondering if the limit is the bandwidth or there is default value.

Thank you in advance.


-- 

Ciao Ciao

_
  -B-   All Recycled Bytes Message ...
~



Re: wpa2 and osx

2009-02-13 Thread Tim Saueressig, thepixelz.com

damien.bergam...@free.fr wrote:

| hi list,
| i have a problem with wpa2 and osx. i could connect to the ap
| if i force it to use wpa1 only. all other wpaprotos gives a :
| WPA2(PSK,unknown/TKIP,AES/TKIP)
| while scanning with airport and the association failed. the test
| cases and dmesg could be found here:
| http://sumi.thepixelz.com/obsd/wpa-openbsd.txt

The unknown comes from the PSK-SHA-256 authentication protocol
supported by OpenBSD (this is a protocol defined in Draft 802.11w
that has a stronger key derivation function than the legacy
PSK-SHA1).  Unfortunately, some broken (non standard compliant)
supplicants are confused by unknown authentication protocols
and try to associate using 802.1X in this case.
I've seen this with Intel PRO/Set on XP too.
  

thx, this explains the behaviour

I'm not quite sure what to do since it's not OpenBSD's fault at
all.  The current approach is that if a user specifies psk
with the wpaakms ifconfig command, both PSK-SHA1 and PSK-SHA-256
are advertised by the AP.  Maybe I should add psk-sha256 to the
list of supported values for wpaakms so that people who have
interoperability problems can disable PSK-SHA-256 with
wpaakms psk.  The default setting would be psk,psk-sha256.
  
that would be great but i should hammer on apple to get psk-sha-256 
working ;)

Because we are approaching release, I will probably stop
advertising PSK-SHA-256 by default for 4.5 (AFAIK, only OpenBSD
clients are currently capable of selecting this authentication
protocol, although some very recent versions of wpa_supplicant
may support it too.)
  

as for 4.5, imho just leave it as is. no one has cared so far.
maybe some sort of documentation/caveat in man ifconfig would help other 
users.

Damien

  

thx again
tim


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: wpa2 and osx

2009-02-13 Thread Stefan Sperling
On Fri, Feb 13, 2009 at 05:12:06PM +0100, Tim Saueressig, thepixelz.com wrote:
 damien.bergam...@free.fr wrote:
 Because we are approaching release, I will probably stop
 advertising PSK-SHA-256 by default for 4.5 (AFAIK, only OpenBSD
 clients are currently capable of selecting this authentication
 protocol, although some very recent versions of wpa_supplicant
 may support it too.)
   
 as for 4.5, imho just leave it as is. no one has cared so far.
 maybe some sort of documentation/caveat in man ifconfig would help other  
 users.

I had to 'ifconfig ral0 wpaakms psk' to remove 802.1x from the
akm list, so a MacBook could manage to associate with my network.

The MacBook would always try to use WPA Enterprise no matter what.
There was no apparent way (at least in the GUI) to convince the
thing to just do WPA PSK instead.

Once I had made the change on my router, it automatically
went for WPA PSK and things just worked.

We might also want to document that somewhere?
I don't know where an appropriate place would be though.
Man page? FAQ? Just leave it here in the list archive?

Or maybe make even default to 'wpaakms psk' if PSK is configured,
until OpenBSD supports 802.1x properly?

Stefan



Re: boot halts halfway after fresh install, bsd.rd boots fine...

2009-02-13 Thread Owain Ainsworth
On Thu, Feb 12, 2009 at 08:56:15PM +0100, Jasper Bal wrote:
 As I was able to pull the dmesg with a serial console and found a floppy  
 after turning upside down the entire office, I now give you, as  
 promised, the dmesg in question. First one is regular boot. It halts at  
 agp0 at vga1:. I found an old 4x/2x AGP videocard and switched it with  
 the one present. Same difference. I also immediately installed a second  
 copy of 4.4 on the second disk. Again, same difference. bsd.rd boots  
 fine. dmesg included.

 Any ideas? Don't know where to start.

boot -c
disable agp

Alternatively, could you try and boot -current on that machine? Quite
some things have changed in that area.

Cheers,

-0-
-- 
Since we have to speak well of the dead, let's knock them while they're
alive.
-- John Sloan



Re: wpa2 and osx

2009-02-13 Thread Tim Saueressig, thepixelz.com

Stefan Sperling wrote:

On Fri, Feb 13, 2009 at 05:12:06PM +0100, Tim Saueressig, thepixelz.com wrote:
  

damien.bergam...@free.fr wrote:


Because we are approaching release, I will probably stop
advertising PSK-SHA-256 by default for 4.5 (AFAIK, only OpenBSD
clients are currently capable of selecting this authentication
protocol, although some very recent versions of wpa_supplicant
may support it too.)
  
  

as for 4.5, imho just leave it as is. no one has cared so far.
maybe some sort of documentation/caveat in man ifconfig would help other  
users.



I had to 'ifconfig ral0 wpaakms psk' to remove 802.1x from the
akm list, so a MacBook could manage to associate with my network.
  

this did not do the trick for me, even if i force it with the airport util[1].
i have a black macbook3,1 with broadcom airport-extreme, and a newer 
macbook pro.

both behave in the same way...

The MacBook would always try to use WPA Enterprise no matter what.
There was no apparent way (at least in the GUI) to convince the
thing to just do WPA PSK instead.
  
ot: there is a way, go to the top airport icon, at the pulldown select 
join other network
even when your network shows up in the list,  type your nwid and select 
your wpa or

wpa2 personal from the security dropdown.

regards
tim

[1] 
http://osxdaily.com/2007/01/18/airport-the-little-known-command-line-wireless-utility/





Re: kernel freeze randomly

2009-02-13 Thread Dan Harnett
On Wed, Feb 11, 2009 at 08:09:16PM +0100, Markus Bergkvist wrote:
 I get kernel freeze randomly on Compaq 6710b with -CURRENT synced today.  
 It is best reproduced by keeping the system busy, such as building  
 userland, but there are no guarantees.

 I've been running memtester and also memory and hd test in bios, no  
 errors were found.

 I get no ddb or any other output on terminal, it just freezes up. What  
 can I do to retrieve information so I can file a proper bug report?  
 There is no DE-9 contact but the serial port is enabled in BIOS and I do  
 have a uftdi-device, if that might be useful. Any help is appreciated.

I'm seeing the same issue on any amd64 machine I've tried.  The i386
snapshot from the same date works fine on the same machines.  I'm not
even able to invoke ddb from the console.  I've been able to trigger it
with a lot of disk activity (dd, scp or rsync of large files, etc).
Sometimes they lock up immediately, sometimes it takes a few minutes,
but that always seems to trigger it for me.



Re: wpa2 and osx

2009-02-13 Thread Stefan Sperling
On Fri, Feb 13, 2009 at 05:39:24PM +0100, Tim Saueressig, thepixelz.com wrote:
 Stefan Sperling wrote:
 The MacBook would always try to use WPA Enterprise no matter what.
 There was no apparent way (at least in the GUI) to convince the
 thing to just do WPA PSK instead.
   
 ot: there is a way, go to the top airport icon, at the pulldown select  
 join other network
 even when your network shows up in the list,  type your nwid and select  
 your wpa or
 wpa2 personal from the security dropdown.

Right. We never tried to join an other network because we wanted
to join the network it was already showing us.
Not a very intuitive UI.

Anyway, Damien just committed a change to CVS so that just 'psk'
will be the wpaakms default in 4.5. Since we don't yet support
anything else anyway that makes sense.

Stefan



Re: kernel freeze randomly

2009-02-13 Thread Marco Peereboom
I think we have narrowed this down to acpicpu + apmd.  Do you run both
as well?

On Fri, Feb 13, 2009 at 11:42:34AM -0500, Dan Harnett wrote:
 On Wed, Feb 11, 2009 at 08:09:16PM +0100, Markus Bergkvist wrote:
  I get kernel freeze randomly on Compaq 6710b with -CURRENT synced today.  
  It is best reproduced by keeping the system busy, such as building  
  userland, but there are no guarantees.
 
  I've been running memtester and also memory and hd test in bios, no  
  errors were found.
 
  I get no ddb or any other output on terminal, it just freezes up. What  
  can I do to retrieve information so I can file a proper bug report?  
  There is no DE-9 contact but the serial port is enabled in BIOS and I do  
  have a uftdi-device, if that might be useful. Any help is appreciated.
 
 I'm seeing the same issue on any amd64 machine I've tried.  The i386
 snapshot from the same date works fine on the same machines.  I'm not
 even able to invoke ddb from the console.  I've been able to trigger it
 with a lot of disk activity (dd, scp or rsync of large files, etc).
 Sometimes they lock up immediately, sometimes it takes a few minutes,
 but that always seems to trigger it for me.



Re: kernel freeze randomly

2009-02-13 Thread Dan Harnett
On Fri, Feb 13, 2009 at 11:46:37AM -0600, Marco Peereboom wrote:
 I think we have narrowed this down to acpicpu + apmd.  Do you run both
 as well?

Yes, I do.

 On Fri, Feb 13, 2009 at 11:42:34AM -0500, Dan Harnett wrote:
  On Wed, Feb 11, 2009 at 08:09:16PM +0100, Markus Bergkvist wrote:
   I get kernel freeze randomly on Compaq 6710b with -CURRENT synced today.  
   It is best reproduced by keeping the system busy, such as building  
   userland, but there are no guarantees.
  
   I've been running memtester and also memory and hd test in bios, no  
   errors were found.
  
   I get no ddb or any other output on terminal, it just freezes up. What  
   can I do to retrieve information so I can file a proper bug report?  
   There is no DE-9 contact but the serial port is enabled in BIOS and I do  
   have a uftdi-device, if that might be useful. Any help is appreciated.
  
  I'm seeing the same issue on any amd64 machine I've tried.  The i386
  snapshot from the same date works fine on the same machines.  I'm not
  even able to invoke ddb from the console.  I've been able to trigger it
  with a lot of disk activity (dd, scp or rsync of large files, etc).
  Sometimes they lock up immediately, sometimes it takes a few minutes,
  but that always seems to trigger it for me.



NFS or SAMBA ?

2009-02-13 Thread Jean-François
Hi All,

I am mounting network drives. Would you recommend the use of NFS or
SAMBA for home use ?
For both performance and security, please advise your recommendations.

Thank you.
Regards,
J-F



Re: OT: NFS or SAMBA ?

2009-02-13 Thread johan beisser

On Feb 13, 2009, at 11:41 AM, Jean-François wrote:

I am mounting network drives. Would you recommend the use of NFS or
SAMBA for home use ?


What would you be serving to? PC Boxen? MacOS X? Linux? Another
OpenBSD box?

Both protocols are appropriate for similar - but not entirely the same
- setups.


For both performance and security, please advise your recommendations.


NFS is horribly insecure. By default it's just bad with little to no
authentication for the user outside of standard UNIX permissions. It's
fairly fast though, limited more by the capability of your network
than by the protocol itself.

Samba, while somewhat more secure than NFS, is very slow. While I
don't like it, I do use it very heavily since it's supported by all
OSs and all systems I have to interact with on the IT side of things.



Re: NFS or SAMBA ?

2009-02-13 Thread Guillermo Bernaldo de Quiros Maraver
if you have a shared network between WINDOWS and OpenBSD i recommend
Samba if not, NFS 

NFS = Insecure 
SAMBA = Has problems, but, it's more secure.

2009/2/13, Jean-François jfsimon1...@gmail.com:
 Hi All,

 I am mounting network drives. Would you recommend the use of NFS or
 SAMBA for home use ?
 For both performance and security, please advise your recommendations.

 Thank you.
 Regards,
 J-F



Expresscard re(4) cards

2009-02-13 Thread Theo de Raadt
It would be nice if either Mark Kettenis or I could get an Expresscard
re(4) card (for testing).  Thanks.



Re: NFS or SAMBA ?

2009-02-13 Thread Jean-François
Hi,

It's for sharing btw Linux / OpenBSD. Last one is server. Probably other
than Linux client one day. However for Windows there are ways to install
NFS client.
I'm not speaking about network bandwidth limitations but about the
efficiency of the protocol which sometimes might be preventing from
going fast on fast networks.
About security this is an internal network for the moment but it might
also be accessible from the net later on.

Thanks for your advice ...

J-F


On Friday 13 February 2009 at 11:59 -0800, johan beisser wrote:
 On Feb 13, 2009, at 11:41 AM, Jean-François wrote:
  I am mounting network drives. Would you recommend the use of NFS or
  SAMBA for home use ?
 
 What would you be serving to? PC Boxen? MacOS X? Linux? Another  
 OpenBSD box?
 
 Both protocols are appropriate for similar - but not entirely the same  
 - setups.
 
  For both performance and security, please advise your recommendations.
 
 NFS is horribly insecure. By default it's just bad with little to no  
 authentication for the user outside of standard UNIX permissions. It's  
 fairly fast though, limited more by the capability of your network  
 than by the protocol itself.
 
 Samba, while somewhat more secure than NFS, is very slow. While I  
 don't like it, I do use it very heavily since it's supported by all  
 OSs and all systems I have to interact with on the IT side of things.



dmesglog

2009-02-13 Thread Theo de Raadt
I want to remind everyone of two things

First, it is nice if you mail a dmesglog entry once in a while.

   (dmesg; sysctl hw.sensors) | mail -s "type of machine" dm...@openbsd.org

Secondly, if you send the message as a MIME attachment, sorry, but it gets
deleted.  We do not read the MIME attachment messages.  We despam, and then
developers (and developers only) get to read it in a flat file.

Thanks.



umsm: Option GlobeTrotter HSDPA ICON225 not working (was: usb hsdpa modem not working)

2009-02-13 Thread demonsonly
Same situation here. This seems not to work, at least not
with this version of the modem (see below, I tried it on
several 4.4 release boxes).

Exactly the same behaviour as described by the OP.

The third serial port is just missing so I could not set
up ppp (see man 4 umsm for details on 3rd serial port).

BTW, the name of the supported device given in man 4 umsm
(Device: Option GlobeTrotter HSDPA ICON225 Bus: USB)
might be wrong.

I could not verify that Option use names like GlobeTrotter
or GlobeSurfer for this item themselves.

Option seem to call this device just iCON 225.

GlobeTrotter and GlobeSurfer might be names of different
products (while used for iCON 225 by some resellers).

In Germany, this item seems to be available branded as
web'n'walk Stick from T-Mobile.

I think this is the same as the iCON 225 (see text taken
from bottom label below - and it looks the same).

You might want to make sure it actually works with your setup
before purchasing it.

Text from bottom sticker:
FCC ID NCMOGI0225
Model GI0225
QUALCOMM 3G CDMA
Designed in E. U. by Option

A few tags for those trying to find information on
this item:
openbsd misc
umsm Qualcomm MSM modem device
umsm0 umsm1 umsm2
ucom ucom0 ucom1 ucom2
/dev/cuaU0 /dev/cuaU1 /dev/cuaU2
GI0225-11095 (found on the net, manufacturer ref.
according to AMZN or AMZN reseller)
USB UMTS EDGE GPRS HSDPA wireless
ppp pppd /etc/ppp/ppp.conf



 Hi!
 
 I'm having the same problem, no reply from the ucom0 or ucom1.
 Did you have any luck getting it to work?
 (same HW btw)
 
 Regs, Daniel.
 
 
  -Original Message-
  From: bdz [mailto:b...@fokazsir.hu]
  Sent: Thursday, November 13, 2008 12:44 PM
  To: misc@openbsd.org
  Subject: usb hsdpa modem not working
 
  hi list,
 
  i have a t-mobile usb web'n'walk stuff for testing. i attached it to a
  4.4 GENERIC and
  realized that first it attaches umsm0 and then immediately detaches
  it. then umsm0
  and umsm1 attached along with ucom0 and ucom1. i can open the
  /dev/ttyU[01] but
  they don't respond to any AT commands.
 
  from umsm(4) man page:
  The Option GlobeTrotter HSDPA modem has three serial ports,
  but only the last port can be used to make PPP connections.
 
  i guess i am missing the third serial port (maybe related to the first
  attach/detach?)
  to be able to open the ppp connection.
 
  any idea?
 
  bdz
 
  usbdevs -v:
  addr 1: high speed, self powered, config 1, EHCI root hub(0x),
  Intel(0x8086), rev 1.00
   port 1 powered
   port 2 powered
   port 3 powered
   port 4 powered
   port 5 powered
   port 6 powered
  Controller /dev/usb2:
  addr 1: full speed, self powered, config 1, UHCI root hub(0x),
  Intel(0x8086), rev 1.00
   port 1 powered
   port 2 addr 2: full speed, power 100 mA, config 1, Fingerprint
  Sensor(0x2016), TouchStrip(0x147e), rev 0.01
  Controller /dev/usb3:
  addr 1: full speed, self powered, config 1, UHCI root hub(0x),
  Intel(0x8086), rev 1.00
   port 1 addr 2: low speed, power 100 mA, config 1, Optical USB
  Mouse(0xc016), Logitech(0x046d), rev 3.40
   port 2 powered
  Controller /dev/usb4:
  addr 1: full speed, self powered, config 1, UHCI root hub(0x),
  Intel(0x8086), rev 1.00
   port 1 addr 2: low speed, power 100 mA, config 1, Type 6
  Keyboard(0x0005), Sun Microsystems(0x0430), rev 1.02
   port 2 addr 3: full speed, power 500 mA, config 1, Globetrotter HSDPA
  Modem(0x6971), Option N.V.(0x0af0), rev 0.00, iSerialNumber
  Serial Number
  Controller /dev/usb5:
  addr 1: full speed, self powered, config 1, UHCI root hub(0x),
  Intel(0x8086), rev 1.00
   port 1 powered
   port 2 powered
 
 
  dmesg:
  real mem  = 2145669120 (2046MB)
  avail mem = 2066345984 (1970MB)
  mainbus0 at root
  bios0 at mainbus0: AT/286+ BIOS, date 08/22/07, BIOS32 rev. 0
  @ 0xfdc70,
  SMBIOS rev. 2.4 @ 0xe0010 (71 entries)
  bios0: vendor LENOVO version 7KET71WW (1.21 ) date 08/22/2007
  bios0: LENOVO 8918B8G
  acpi0 at bios0: rev 2
  acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET SLIC BOOT SSDT
  SSDT SSDT SSDT
  acpi0: wakeup devices LID_(S3) SLPB(S3) LURT(S3) DURT(S3) IGBE(S4)
  EXP0(S4) EXP1(S4) EXP2(S4) EXP3(S4) EXP4(S4) PCI1(S4)
  USB0(S3) USB1(S3)
  USB2(S3) USB3(S3) USB4(S3) EHC0(S3) EHC1(S3) HDEF(S4)
  acpitimer0 at acpi0: 3579545 Hz, 24 bits
  acpihpet0 at acpi0: 14318179 Hz
  acpiprt0 at acpi0: bus 0 (PCI0)
  acpiprt1 at acpi0: bus 1 (AGP_)
  acpiprt2 at acpi0: bus 2 (EXP0)
  acpiprt3 at acpi0: bus 3 (EXP1)
  acpiprt4 at acpi0: bus 4 (EXP2)
  acpiprt5 at acpi0: bus 5 (EXP3)
  acpiprt6 at acpi0: bus 13 (EXP4)
  acpiprt7 at acpi0: bus 21 (PCI1)
  acpiec0 at acpi0
  acpicpu0 at acpi0: C3, C2
  acpitz0 at acpi0: critical temperature 127 degC
  acpitz1 at acpi0: critical temperature 100 degC
  acpibtn0 at acpi0: LID_
  acpibtn1 at acpi0: SLPB
  acpibat0 at acpi0: BAT0 model 42T4513 serial  5561 type
  LION oem SANYO
  acpibat1 at acpi0: BAT1 not present
  acpiac0 at acpi0: AC unit online
  acpithinkpad0 at acpi0
  acpidock at acpi0 not configured

Re: dmesglog

2009-02-13 Thread Hannah Schroeter
Hi!

On Sat, Feb 14, 2009 at 09:47:38AM +0900, Jordi Beltran Creix wrote:
[...]

Hello,

Forgive me, but wouldn't
(echo Subject: type of machine ; dmesg ; sysctl hw.sensors) |
sendmail -f$YOUR_EMAIL dm...@openbsd.org
be better?
Else, if the hostname is not a valid domain, the mail does not get through.

Your gripe is valid a bit.  Your command doesn't work either, though.

1. it misses a blank line after the subject header.
2. it doesn't set the envelope from if your user isn't in the trusted
   users list.

Better once and for all set up your mail system to send out mail with a
valid email address and host name (or use a smarthost to circumvent
the latter).  See masquerading for sendmail.

Kind regards,

Hannah.
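
Added example, not part of the original thread: a small shell sketch of the two format requirements raised in the dmesglog messages above, namely the blank line that must separate headers from the body and the request for flat text rather than MIME attachments. The helper names `compose_report` and `check_report` and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# compose_report SUBJECT FROM TO   (hypothetical helper; body is read from stdin)
# Emits the headers, then the empty line that ends the header block, then the body.
compose_report() {
    printf 'From: %s\nTo: %s\nSubject: %s\n\n' "$2" "$3" "$1"
    cat
}

# check_report (hypothetical helper) reads a message on stdin, prints "ok" or the
# first problem found, and returns non-zero when the message is malformed.
check_report() {
    awk '
        BEGIN { inhdr = 1; subject = 0; bad = 0 }
        inhdr && $0 == "" { inhdr = 0; next }      # blank line ends the headers
        inhdr && /^[ \t]/ { next }                 # folded continuation line
        inhdr && /^[A-Za-z0-9-]+:/ {               # looks like "Name: value"
            h = tolower($0)
            if (h ~ /^subject:/) subject = 1
            if (h ~ /^content-type:[ \t]*multipart\//) {
                print "MIME multipart"; bad = 1; exit
            }
            next
        }
        # Any other line while still in the header block means the body
        # started without the separating blank line.
        inhdr { print "no blank line after headers"; bad = 1; exit }
        END {
            if (bad) exit 1
            if (inhdr) { print "no blank line after headers"; exit 1 }
            if (!subject) { print "no Subject header"; exit 1 }
            print "ok"
        }
    '
}

# Constructed sample run (addresses are placeholders):
#   (dmesg; sysctl hw.sensors) |
#       compose_report "type of machine" "me@example.org" "list@example.org" |
#       check_report
```

Once `check_report` prints `ok`, the composed message can be handed to `sendmail -t`, which takes the recipients from the To header.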



Re: dmesglog

2009-02-13 Thread Brian Keefer

On Feb 13, 2009, at 4:47 PM, Jordi Beltran Creix wrote:


Hello,

Forgive me, but wouldn't
   (echo Subject: type of machine ; dmesg ; sysctl hw.sensors) |
sendmail -f$YOUR_EMAIL dm...@openbsd.org
be better?
Else, if the hostname is not a valid domain, the mail does not get  
through.


Regards,


I did get a bounce because my internal hostnames are not in external  
DNS.  I guess I have to cut and paste :(



--
bk



Getting dmesg out [was: dmesglog]

2009-02-13 Thread Darrin Chandler
For those of you who:
  * have a machine not set up for mail
  * have ssh to a machine that CAN send mail

Here's an easy way to get your dmesg without copying files around or
whatever...

$ dmesg | ssh myhost.com 'mail -s "type of machine" dm...@openbsd.org'

--
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
dwchand...@stilyagin.com   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG
Federation




Re: OT: Free, online backup service provider compatible with BSD

2009-02-13 Thread Travers Buda
* jmc j...@cosmicnetworks.net [2009-02-13 06:08:41]:

 --- Dieter [Thu, Feb 12, 2009 at 02:43:24PM +]: --- 
   :Amen to backups, but why trust some company far away to handle things?
   :How do you know your data is in good hands, and that they won't slip up
   :let others see it?  I won't mention the concept of the place going under,
   :financially.
   :
   
   at one job we rented a PO Box, and drove the tapes there on our way home
   from work.  Since stealing from the Post Office was a Federal Offense,
   it was somewhat safe.
  
  Interesting use for a PO box.  You can also rent a safety deposit box,
  and there are companies that store media for off site backups.
  These are off site, but not very far off site.  Think Katrina scale
  disaster.  Several hundred miles away would be better.  Which involves
  either shipping media or having a T1 line.  And you'd want this to
  have serious encryption in any case.
 
 i also think it's a good idea to make sure the truck/van they use to
 come fetch your offsites shouldn't advertise (for stealing) who they are
 or what they do. i'm thinking of the big trucks i've seen that have to
 do with a big mountain and a ferromagnetic element.
 
 i just recently hired one of these companies for $work, and wasn't too
 comfortable with the mobile advertisements.
 
 

Use some simple crypto on your backups?

-- 
Travers Buda



Re: Nvidia bug

2009-02-13 Thread Travers Buda
* Marco Peereboom sl...@peereboom.us [2009-02-12 20:39:37]:

 Trash it and buy something that doesn't suck.
 
 On Fri, Feb 13, 2009 at 12:16:50AM -0200, Christiano Farina Haesbaert wrote:
  Can anyone tell me if that bug in the nv driver is applicable to every
  nvidia card ? 
  I had a FX7500LE on my desktop and openbsd was quite
  slow, I remembered I have an old geforce 32mb, would it work ? or I
  would probably have the same results.
  
  Best regards.
  -- 
  Christiano Farina Haesbaert
 
 

I've got several matrox G450's that broke with libpciaccess in X.
I could (if the antispam were not so aggressive) send in a bug
report or I could just get some new hardware.  What's the consensus
here?  

-- 
Travers Buda