Re: Random PID implementation and security
On 05/27/15 10:18, Simon wrote: On 2015-05-26 16:25, Theo de Raadt wrote: On 2015-05-26 00:10, Miod Vallat wrote: It is not the responsibility of the operating system to protect its users against software which assumes using the pid as a random source is a bright and wise idea. Isn't this the whole goal of random PIDs, to put a defense at OS level protecting software against themselves when they make wrong assumption regarding the PID and use it for wrong purposes? A 16 bit PID is supposed to provide true safety? Please. The problem is people who believe that shoving a 16 bit value into a deterministic function gets them somewhere. So do you confirm that random PID is actually not a security measure? It is often presented as is, but it would not be the first time that some wrong rumors get widespread enough to become accepted as a truth by most people. I could also easily imagine that PID have been randomized just because it was allowed to do so and that it was interesting from the coding perspective as showing up software bugs that sequential PID would hardly uncover (I'm mainly referring here to Ted Unangst's talk: http://www.openbsd.org/papers/dev-sw-hostile-env.html, see randomization section, backed by the philosophy section: The sooner we can break it, the sooner we can fix it). Having PID's that are not easily predictable helps to reduce the attack surface. IMO that is a security measure, but YMMV. Fred
Re: simple maiserver fail (postfix dovecot)
it is hard to understand even for me only to follow thread . so i write down at http://openbsd-akita.blogspot.jp/2015/05/wifi-router-run0-192.html if there are mistakes , please point them . --- regards
Re: Random PID implementation and security
On 2015-05-26 16:25, Theo de Raadt wrote: On 2015-05-26 00:10, Miod Vallat wrote: It is not the responsibility of the operating system to protect its users against software which assumes using the pid as a random source is a bright and wise idea. Isn't this the whole goal of random PIDs, to put a defense at OS level protecting software against themselves when they make wrong assumption regarding the PID and use it for wrong purposes? A 16 bit PID is supposed to provide true safety? Please. The problem is people who believe that shoving a 16 bit value into a deterministic function gets them somewhere. So do you confirm that random PID is actually not a security measure? It is often presented as is, but it would not be the first time that some wrong rumors get widespread enough to become accepted as a truth by most people. I could also easily imagine that PID have been randomized just because it was allowed to do so and that it was interesting from the coding perspective as showing up software bugs that sequential PID would hardly uncover (I'm mainly referring here to Ted Unangst's talk: http://www.openbsd.org/papers/dev-sw-hostile-env.html, see randomization section, backed by the philosophy section: The sooner we can break it, the sooner we can fix it).
Re: Dual-NSD setup management
On 2015-05-26, Felipe Scarel fbsca...@gmail.com wrote: after reading some documentation on the NSD manpage and online, it seems there's no support for views as offered with BIND. I've gathered that the general suggestion is to run two separate instances (running on 127.0.0.1, for example), and divert traffic from pf depending on the connecting source-address. What are you using views *for*? If it's to present some internal-only hosts to a trusted network that is also using you as a resolver, just use local-data entries in unbound for internal use, and run NSD facing external hosts. Simple setup and fairly easy to use. If it's something more complex (i.e. where you have other resolvers querying you and need to present different views to these based on IP address etc) then yes you will need two separate authoritative servers (or you could keep using BIND for this job of course).
Re: Random PID implementation and security
On Tue, May 26, 2015 at 9:50 PM, Simon openbsd.li...@whitewinterwolf.com wrote: [...] Unless specific cases, I do not think that programmers assume that PID are especially sequential or not, but merely rely on the hypothesis that: - PID are unguessable, - PID will not be reused quickly. And yes, it seems possible to fulfill these two properties by providing unguessable and not quickly reusable PID instead of pure random PID. But not in 16 bits. To a patient remote attacker, the difference between 2 minutes and 2 days is not significant. 64 bit PIDs anyone? High 16 and low sixteen randomized and the middle 32 backwards sequential, just to really throw the unwary attacker off the trail? ;-/ -- Joel Rees Be careful when you look at conspiracy. Look first in your own heart, and ask yourself if you are not your own worst enemy. Arm yourself with knowledge of yourself, as well.
Re: Random PID implementation and security
A 16 bit PID is supposed to provide true safety? Please. Having PID's that are not easily predictable helps to reduce the attack surface. IMO that is a security measure, but YMMV. Random PIDs is that plastic part, not the padlock. -- May the most significant bit of your life be positive.
Re: cvs fingerprint for anonvs.jp.openbsd.org
On Wed, 27 May 2015, Joel Rees wrote: Currently, when I connect to the server via the usual cvs command, it responds with an ssh256 fingerprint. For some reason, my brain is not helping me find a way to ask the server to give me md5 fingerprints. Is there a way? From what I've tried, the variable CVS_RSH won't pass options on to ssh. But you can force MD5 hashes in ssh_config using FingerprintHash for that particular host for all occasions including cvs use. regards, /Lars
installing stable failed
Hi folks,

stable built fine, but make install failed with :

cc -Werror -Wall -Wimplicit-function-declaration -Wno-main -Wno-uninitialized -Wframe-larger-than=2047 -mcmodel=kernel -mno-red-zone -mno-sse2 -mno-sse -mno-3dnow -mno-mmx -msoft-float -fno-omit-frame-pointer -fno-builtin-printf -fno-builtin-snprintf -fno-builtin-vsnprintf -fno-builtin-log -fno-builtin-log2 -fno-builtin-malloc -fno-pie -O2 -pipe -nostdinc -I../../../.. -I. -I../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DTMPFS -DFUSE -DSOCKET_SPLICE -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DINET -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DPIPEX -DMROUTING -DMPLS -DBOOT_CONFIG -DUSER_PCICONF -DAPERTURE -DMTRR -DNTFS -DHIBERNATE -DPCIVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS=6 -DWSDISPLAY_COMPAT_PCVT -DX86EMU -DONEWIREVERBOSE -DMAXUSERS=80 -D_KERNEL -MD -MP -c vers.c
ld -T ../../../../arch/amd64/conf/ld.script -X --warn-common -nopie -S -x -o bsd ${SYSTEM_HEAD} vers.o ${OBJS}
text data bss dec hex
8836020 248296 598016 9682332 93bd9c
cmp -s bsd /bsd || ln -f /bsd /obsd
ln: /bsd: No such file or directory
*** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC (Makefile:904 'install-kernel-gate5c.example.com.')

I have rebuilt it *because* /bsd was deleted by accident. A little bit more clever code here would be highly appreciated.

Thanx in advance
Harri
Re: Random PID implementation and security
On Wed, May 27, 2015 at 5:18 AM, Simon openbsd.li...@whitewinterwolf.com wrote: So do you confirm that random PID is actually not a security measure? It is often presented as is, but it would not be the first time that some wrong rumors get widespread enough to become accepted as a truth by most people. language isn't an exact thing. words can mean different things to different people, or different things to the same people in different contexts. I would consider PID randomization to be a security measure, although I would not consider it a solution or fix to the problem it addresses. rather, it is a mitigation that reduces the severity of a problem without actually fixing it. whether you think of it as a security measure depends on whether you define a measure as a fix, or a mitigation, or as either/both. where we get into trouble is when people mistake it for a fix and believe that they no longer need to worry about this problem. that is false. -ken
Re: Random PID implementation and security
On 2015-05-27 11:53, Fred wrote: On 05/27/15 10:18, Simon wrote: On 2015-05-26 16:25, Theo de Raadt wrote: A 16 bit PID is supposed to provide true safety? Please. The problem is people who believe that shoving a 16 bit value into a deterministic function gets them somewhere. So do you confirm that random PID is actually not a security measure? It is often presented as is, but it would not be the first time that some wrong rumors get widespread enough to become accepted as a truth by most people. I could also easily imagine that PID have been randomized just because it was allowed to do so and that it was interesting from the coding perspective as showing up software bugs that sequential PID would hardly uncover (I'm mainly referring here to Ted Unangst's talk: http://www.openbsd.org/papers/dev-sw-hostile-env.html, see randomization section, backed by the philosophy section: The sooner we can break it, the sooner we can fix it). Having PID's that are not easily predictable helps to reduce the attack surface. IMO that is a security measure, but YMMV. Fred There is a difference between having random PIDs and having PIDs which are not easily predictable. For instance, dividing the 16 bits of the PID to make the 8 lower bits as a counter and 8 higher bits as a random value would provide both not easily predictable and not quickly reused PIDs. However, minor the 100 items array, OpenBSD uses random PIDs. While it indeed reduces the attack surface against PID predictions (mostly local exploits) it facilitates attacks relying on PID reuse (includes remote exploits, so attacks with higher risk than local exploits). So all in all I'm not convinced at all that using random PIDs reduces the attack surface, I was actually worrying if it may not be actually counter productive in terms of security.
Re: Random PID implementation and security
On 2015-05-27 14:01, Janne Johansson wrote: A 16 bit PID is supposed to provide true safety? Please. Having PID's that are not easily predictable helps to reduce the attack surface. IMO that is a security measure, but YMMV. Random PIDs is that plastic part, not the padlock. You mean it's just decorative ;) ?
Re: Random PID implementation and security
On 2015-05-27 14:29, Kenneth Gober wrote: On Wed, May 27, 2015 at 5:18 AM, Simon openbsd.li...@whitewinterwolf.com wrote: So do you confirm that random PID is actually not a security measure? It is often presented as is, but it would not be the first time that some wrong rumors get widespread enough to become accepted as a truth by most people. language isn't an exact thing. words can mean different things to different people, or different things to the same people in different contexts. I would consider PID randomization to be a security measure, although I would not consider it a solution or fix to the problem it addresses. rather, it is a mitigation that reduces the severity of a problem without actually fixing it. whether you think of it as a security measure depends on whether you define a measure as a fix, or a mitigation, or as either/both. where we get into trouble is when people mistake it for a fix and believe that they no longer need to worry about this problem. that is false. -ken I agree with you Ken. I see PID randomization like stack protection for instance: in the best world a software should have no bug and should not be vulnerable to any buffer overflow, however in a real world there are still vulnerable software around and here such protection may help. The same principle also applies for PID generation method: normally it should not even matter if PID were sequential, fully random or pseudo-random, but the reality is that there are still bugs around and still vulnerable software around, and that the OS may implement systems mitigating such risks.
cvs fingerprint for anonvs.jp.openbsd.org
The fingerprints shown for anoncvs.jp.openbsd.org at http://www.openbsd.org/anoncvs.html are md5. Currently, when I connect to the server via the usual cvs command, it responds with an ssh256 fingerprint. For some reason, my brain is not helping me find a way to ask the server to give me md5 fingerprints. Is there a way? I sent an inquiry to professor Suzuki about the fingerprints, but have received no response yet. -- Joel Rees
Re: installing stable failed
On Wed, May 27, 2015 at 03:08:53PM +0200, Harald Dunkel wrote:

cmp -s bsd /bsd || ln -f /bsd /obsd
ln: /bsd: No such file or directory
*** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC (Makefile:904 'install-kernel-gate5c.example.com.')

I have rebuilt it *because* /bsd was deleted by accident. A little bit more clever code here would be highly appreciated.

You can see what `make install' would have done by using the `-n' switch for make:

$ make -n install
cmp -s bsd /bsd || ln -f /bsd /obsd
cp bsd /nbsd
mv /nbsd /bsd
$

To fix your machine, either use the cp and mv commands as above or simply issuing

# cp bsd /bsd

would be enough since `/bsd' isn't in the way.
Re: installing stable failed
Just to be sure, do you have /bsd directory created? Since the error is:

ln: /bsd: No such file or directory

Since your report is only the make install error and the error is that the directory does not exist maybe you should start there before making other assumptions about cleverness. Or maybe start by saying if the directory already exists or not.

On Wed, May 27, 2015 at 2:08 PM, Harald Dunkel harald.dun...@aixigo.de wrote:

Hi folks,

stable built fine, but make install failed with :

cc -Werror -Wall -Wimplicit-function-declaration -Wno-main -Wno-uninitialized -Wframe-larger-than=2047 -mcmodel=kernel -mno-red-zone -mno-sse2 -mno-sse -mno-3dnow -mno-mmx -msoft-float -fno-omit-frame-pointer -fno-builtin-printf -fno-builtin-snprintf -fno-builtin-vsnprintf -fno-builtin-log -fno-builtin-log2 -fno-builtin-malloc -fno-pie -O2 -pipe -nostdinc -I../../../.. -I. -I../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DTMPFS -DFUSE -DSOCKET_SPLICE -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DINET -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DPIPEX -DMROUTING -DMPLS -DBOOT_CONFIG -DUSER_PCICONF -DAPERTURE -DMTRR -DNTFS -DHIBERNATE -DPCIVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS=6 -DWSDISPLAY_COMPAT_PCVT -DX86EMU -DONEWIREVERBOSE -DMAXUSERS=80 -D_KERNEL -MD -MP -c vers.c
ld -T ../../../../arch/amd64/conf/ld.script -X --warn-common -nopie -S -x -o bsd ${SYSTEM_HEAD} vers.o ${OBJS}
text data bss dec hex
8836020 248296 598016 9682332 93bd9c
cmp -s bsd /bsd || ln -f /bsd /obsd
ln: /bsd: No such file or directory
*** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC (Makefile:904 'install-kernel-gate5c.example.com.')

I have rebuilt it *because* /bsd was deleted by accident. A little bit more clever code here would be highly appreciated.

Thanx in advance
Harri
Re: Dual-NSD setup management
Additionally to all this good advice, you can create multiple loopback interfaces if you did want to use divert-to. 'ifconfig create lo1' then you don't need to use weird ports to accomplish things. On Wed, May 27, 2015 at 4:06 AM, Stuart Henderson s...@spacehopper.org wrote: On 2015-05-26, Felipe Scarel fbsca...@gmail.com wrote: after reading some documentation on the NSD manpage and online, it seems there's no support for views as offered with BIND. I've gathered that the general suggestion is to run two separate instances (running on 127.0.0.1, for example), and divert traffic from pf depending on the connecting source-address. What are you using views *for*? If it's to present some internal-only hosts to a trusted network that is also using you as a resolver, just use local-data entries in unbound for internal use, and run NSD facing external hosts. Simple setup and fairly easy to use. If it's something more complex (i.e. where you have other resolvers querying you and need to present different views to these based on IP address etc) then yes you will need two separate authoritative servers (or you could keep using BIND for this job of course).
Re: Dual-NSD setup management
Thanks for the input Stuart and Bryan, I think the dual-authoritative setup might indeed be overkill. I'll look into unbound local-data options, hadn't considered that. On Wed, May 27, 2015 at 3:10 PM, Bryan Irvine sparcta...@gmail.com wrote: Additionally to all this good advice, you can create multiple loopback interfaces if you did want to use divert-to. 'ifconfig create lo1' then you don't need to use weird ports to accomplish things. On Wed, May 27, 2015 at 4:06 AM, Stuart Henderson s...@spacehopper.org wrote: On 2015-05-26, Felipe Scarel fbsca...@gmail.com wrote: after reading some documentation on the NSD manpage and online, it seems there's no support for views as offered with BIND. I've gathered that the general suggestion is to run two separate instances (running on 127.0.0.1, for example), and divert traffic from pf depending on the connecting source-address. What are you using views *for*? If it's to present some internal-only hosts to a trusted network that is also using you as a resolver, just use local-data entries in unbound for internal use, and run NSD facing external hosts. Simple setup and fairly easy to use. If it's something more complex (i.e. where you have other resolvers querying you and need to present different views to these based on IP address etc) then yes you will need two separate authoritative servers (or you could keep using BIND for this job of course).
Re: Logjam Attack: is OpenIKED and OpenSMTPD vulnerable?
On 25 May 2015 at 14:33, Pablo Méndez Hernández pabl...@gmail.com wrote: Hi, Any statement for iked? iked implements IKEv2 which doesn't use SSL/TLS. So this attack doesn't directly apply to IKEv2. However we would accept MODP 1024 and better by default. Perhaps we should bump it to 2048 minimum.
Re: Openbsd 5.7 and sendmail
Thanks I managed to miss noting that I should look at /usr/local/share/doc/pkg-readmes/sendmail-* -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of John Merriam Sent: Tuesday, May 26, 2015 12:20 PM To: Peter Fraser Cc: 'misc@openbsd.org' Subject: Re: Openbsd 5.7 and sendmail On Tue, 26 May 2015, Peter Fraser wrote: I put OpenBSD 5.7 up, but because we make use of the SpamHaus I didn't want to move to smtpd. It was easy enough to put sendmail in but I found I could not rebuild my /etc/mail/access.db makemap did not like the To: prefix in the /etc/mail/access file. being somewhat slow to took me a couple of days to realize that there are now 2 makemap's /usr/libexec/smtpd/makemap and /usr/local/libexec/sendmail/makemap using the right one for sendmail fixed my problem. You may need to edit your /etc/mailer.conf file. See the mailer.conf(5) man page and /usr/local/share/doc/pkg-readmes/sendmail-* -- John Merriam
Re: Random PID implementation and security
On Wed, May 27, 2015 at 02:34:43PM +0200, Simon wrote: On 2015-05-27 11:53, Fred wrote: On 05/27/15 10:18, Simon wrote: On 2015-05-26 16:25, Theo de Raadt wrote: A 16 bit PID is supposed to provide true safety? Please. The problem is people who believe that shoving a 16 bit value into a deterministic function gets them somewhere. So do you confirm that random PID is actually not a security measure? It is often presented as is, but it would not be the first time that some wrong rumors get widespread enough to become accepted as a truth by most people. I could also easily imagine that PID have been randomized just because it was allowed to do so and that it was interesting from the coding perspective as showing up software bugs that sequential PID would hardly uncover (I'm mainly referring here to Ted Unangst's talk: http://www.openbsd.org/papers/dev-sw-hostile-env.html, see randomization section, backed by the philosophy section: The sooner we can break it, the sooner we can fix it). Having PID's that are not easily predictable helps to reduce the attack surface. IMO that is a security measure, but YMMV. Fred There is a difference between having random PIDs and having PIDs which are not easily predictable. For instance, dividing the 16 bits of the PID to make the 8 lower bits as a counter and 8 higher bits as a random value would provide both not easily predictable and not quickly reused PIDs. However, minor the 100 items array, OpenBSD uses random PIDs. While it indeed reduces the attack surface against PID predictions (mostly local exploits) it facilitates attacks relying on PID reuse (includes remote exploits, so attacks with higher risk than local exploits). So all in all I'm not convinced at all that using random PIDs reduces the attack surface, I was actually worrying if it may not be actually counter productive in terms of security. Please go troll somewhere else.
Software that breaks if a PID is reused too soon is inherently broken and the operating system should not try to protect these broken programs. Please put your effort into fixing those broken programs instead of spreading FUD here. -- :wq Claudio
Re: Random PID implementation and security
Sorry for interruption. I have sent the message by mistake, please ignore it. On Wed, May 27, 2015 at 23:17, yjh0...@gmail.com wrote: hi
Re: Random PID implementation and security
2015-05-27 15:42 GMT+02:00 Joel Rees joel.r...@gmail.com: On Tue, May 26, 2015 at 9:50 PM, Simon openbsd.li...@whitewinterwolf.com wrote: [...] Unless specific cases, I do not think that programmers assume that PID are especially sequential or not, but merely rely on the hypothesis that: - PID are unguessable, - PID will not be reused quickly. And yes, it seems possible to fulfill these two properties by providing unguessable and not quickly reusable PID instead of pure random PID. But not in 16 bits. To a patient remote attacker, the difference between 2 minutes and 2 days is not significant. 64 bit PIDs anyone? High 16 and low sixteen randomized and the middle 32 backwards sequential, just to really throw the unwary attacker off the trail? ;-/ Having a part of the PID being sequential and a part being random is non-sense. The more bit you throw in the random part, the less chance you have to have collision. The more bit you throw in the sequential part, the more time you have before you start to have a chance to have a collision. Problem is, those bit turn into power of two. So going from 16bit to 8bit is the same as going from 65,536 to 256. OpenBSD found a way out of this problem. All the bits used in a PID are random and you have to wait for an arbitrary 100 PID before you start to have a chance to get duplicate. But like Theo said, the problem is that PID shouldn't have been used in the first place.
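The trade-off argued in this thread, as an added example that is not part of any post and is not OpenBSD's allocator: a C model comparing fully random 16-bit PIDs that avoid the last 100 allocations with the proposed split of an 8-bit counter plus 8 random bits. The 16-bit space, the xorshift generator and all function names are assumptions made for the model.

```c
/* Added illustration: a model of two PID allocation policies from the thread.
 * Not OpenBSD kernel code; names and the 16-bit space are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PID_SPACE 65536u /* "16 bit PID", as the thread assumes */
#define RECENT    100u   /* the "100 items array" of recently used PIDs */

struct pid_stats {
    uint32_t min_reuse_gap;      /* fewest allocations between two uses of one PID */
    uint32_t reuse_under_256;    /* reuses after fewer than 256 allocations */
    uint32_t low_byte_predicted; /* times low byte == previous low byte + 1 */
};

static uint32_t rng_state;
static uint32_t last_seen[PID_SPACE]; /* allocation index + 1; 0 = never used */

/* xorshift32: deterministic stand-in for a kernel random source so that runs
 * are reproducible. Not suitable for real PID generation. */
static uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

static struct pid_stats reset(uint32_t seed)
{
    struct pid_stats s = { UINT32_MAX, 0, 0 };
    memset(last_seen, 0, sizeof last_seen);
    rng_state = seed ? seed : 1; /* xorshift must not start at 0 */
    return s;
}

static void record(struct pid_stats *s, uint32_t i, uint16_t pid, uint16_t prev)
{
    if (last_seen[pid] != 0) {
        uint32_t gap = i + 1 - last_seen[pid];
        if (gap < s->min_reuse_gap)
            s->min_reuse_gap = gap;
        if (gap < 256)
            s->reuse_under_256++;
    }
    last_seen[pid] = i + 1;
    if (i > 0 && (uint8_t)pid == (uint8_t)(prev + 1))
        s->low_byte_predicted++;
}

/* Policy A: every bit random, redraw while the PID is among the last RECENT. */
struct pid_stats simulate_random_recent(uint32_t n, uint32_t seed)
{
    struct pid_stats s = reset(seed);
    uint16_t recent[RECENT], pid = 0, prev = 0;
    uint32_t filled = 0, i, k;
    int clash;

    for (i = 0; i < n; i++) {
        do {
            pid = (uint16_t)(rng_next() >> 8);
            clash = 0;
            for (k = 0; k < filled; k++)
                if (recent[k] == pid)
                    clash = 1;
        } while (clash);
        recent[i % RECENT] = pid; /* ring buffer: overwrite the oldest entry */
        if (filled < RECENT)
            filled++;
        record(&s, i, pid, prev);
        prev = pid;
    }
    return s;
}

/* Policy B: high 8 bits random, low 8 bits a wrapping counter. */
struct pid_stats simulate_split(uint32_t n, uint32_t seed)
{
    struct pid_stats s = reset(seed);
    uint16_t pid, prev = 0;
    uint8_t counter = 0;
    uint32_t i;

    for (i = 0; i < n; i++) {
        pid = (uint16_t)((((rng_next() >> 8) & 0xffu) << 8) | counter++);
        record(&s, i, pid, prev);
        prev = pid;
    }
    return s;
}

int main(void)
{
    struct pid_stats a = simulate_random_recent(200000, 2015);
    struct pid_stats b = simulate_split(200000, 2015);
    printf("random+recent: min gap %u, reuse<256 %u, low byte predicted %u\n",
        (unsigned)a.min_reuse_gap, (unsigned)a.reuse_under_256, (unsigned)a.low_byte_predicted);
    printf("counter+random: min gap %u, reuse<256 %u, low byte predicted %u\n",
        (unsigned)b.min_reuse_gap, (unsigned)b.reuse_under_256, (unsigned)b.low_byte_predicted);
    return 0;
}
```

In this model the split policy never reuses a PID within 256 allocations but gives away the low byte of every next PID, while the random policy hides all 16 bits and can reuse a PID as soon as it has left the 100-entry list.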
Re: Random PID implementation and security
hi
Re: HP LaserJet 1100 lpr printing?
On 2015-05-22 Fri 17:11 PM |, Antoine Jacoutot wrote: On Fri, May 22, 2015 at 04:08:20PM +0100, Craig Skinner wrote: On 2015-05-22 Fri 17:01 PM |, Antoine Jacoutot wrote: What is the version of the cups package you are running? $ pkg_info -I cups cups-filters foomatic-db-engine hplip-common dbus cups-1.7.4p0Common Unix Printing System Yeah that's probably the reason, you are not running the latest stable cups package. You need at least p1. Thanks Antoine for the updated packages from mTier: $ uname -msrv OpenBSD 5.6 GENERIC.MP#299 i386 $ pkg_info -I cups cups-filters cups-libs hpcups \ foomatic-db foomatic-db-engine \ hplip hplip-common hpijs hpaio dbus cups-1.7.4p3Common Unix Printing System cups-filters-1.0.54p3 OpenPrinting CUPS filters cups-libs-1.7.4 CUPS libraries and headers hpcups-3.14.6 HP native CUPS driver foomatic-db-4.0.20131218 Foomatic PPD data foomatic-db-engine-4.0.11 Foomatic PPD generator hplip-3.14.6HP Linux Imaging and Printing hplip-common-3.14.6 HPLIP applications common files hpijs-3.14.6HP ghostscript driver (spooler independent) hpaio-3.14.6HP sane(7) scanner backend dbus-1.8.8v0message bus system $ dmesg | egrep 'lpt|ugen' ugen0 at uhub1 port 2 Pr?lific Technology Inc. IEEE-1284 Controller rev 1.00/2.00 addr 3 $ usbdevs -f /dev/usb1 addr 1: UHCI root hub, Intel addr 2: Usb Mouse, SIGMACHIP addr 3: Parallel printer, Prolific Technology $ usbdevs -d -v -f /dev/usb1 Controller /dev/usb1: addr 1: full speed, self powered, config 1, UHCI root hub(0x), Intel(0x8086), rev 1.00 uhub1 port 1 addr 2: low speed, power 98 mA, config 1, Usb Mouse(0x0034), SIGMACHIP(0x1c4f), rev 1.10 uhidev0 port 2 addr 3: full speed, power 100 mA, config 1, Parallel printer(0x2305), Prolific Technology(0x067b), rev 2.00 ugen0 $ fgrep 1100 /etc/cups/ppd/LJ1100.ppd * PPD file for HP LaserJet 1100 with CUPS. 
*PCFileName: hp-laserjet_1100.ppd *Product: (HP LaserJet 1100 Printer) *Product: (HP LaserJet 1100se Printer) *Product: (HP LaserJet 1100xi Printer) *ModelName: HP LaserJet 1100 *ShortNickName: HP LaserJet 1100 *NickName: HP LaserJet 1100, hpcups 3.14.6 *1284DeviceID: MFG:HP;MDL:hp laserjet 1100;DES:hp laserjet 1100; *% End of hp-laserjet_1100.ppd, 15203 bytes. DeviceURI's tried in printers.conf: usb:/dev/usb1 usb://HP/LaserJet%201100 usb://HP%20LaserJet%201100 usb://HP/hp%20laserjet%201100 usb://HP/hp laserjet 1100 usb://Parallel%20printer,%20Prolific%20Technology usb://Parallel printer, Prolific Technology usb://Parallel printer file:///dev/usb1 file:/dev/usb1 $ lpc status LJ1100: printer is on device 'usb' speed -1 queuing is enabled printing is disabled 1 entries daemon present $ lpq -a RankOwner Job File(s) Total Size 1st root4 Test Page 1024 bytes When setting the DeviceURI to file:/dev/usb1, the CUPS web admin print test page thinks the page gets printed, but no printer lights/paper movement: https://bbs.archlinux.org/viewtopic.php?id=79352 $ sudo diff cups-files.conf.0 cups-files.conf 27c27 #FileDevice No --- FileDevice Yes $ sudo cupsctl FileDevice=yes I've tried these 3 drivers, with various DeviceURI's: Description:Ye olde Lazar Jet Location: Front room Driver: HP LaserJet 1100, hpcups 3.14.6 (color, 2-sided printing) Connection: usb:/dev/usb1 Defaults: job-sheets=none, none media=iso_a4_210x297mm sides=one-sided Waiting for printer to become available. Description:Ye olde Lazar Jet - Foomatic-lj4dith Location: Front room Driver: HP LaserJet 1100 Foomatic/lj4dith (grayscale, 2-sided printing) Connection: usb:/dev/usb1 Defaults: job-sheets=none, none media=iso_a4_210x297mm sides=one-sided Waiting for printer to become available. 
Description:Ye olde Lazar Jet - HPIJS Location: Front room Driver: HP LaserJet 1100 hpijs, 3.14.6 (color, 2-sided printing) Connection: usb:/dev/usb1 Defaults: job-sheets=none, none media=iso_a4_210x297mm sides=one-sided Waiting for printer to become available. Suggestions welcome. -- Never underestimate the bandwidth of a station wagon full of tapes. -- Dr. Warren Jackson, Director, UTCS
NATing out enc0 traffic
Greetings everyone

I am playing with amazon virtual private clouds (VPC). I have set a few up. I have no issues connecting ipsec from openbsd - amazon VPC. All of these VPCs so far have their own internet connection going out from amazon that works fine.

[OpenBSD]ipsec-[VPC]-Internet

Next I am setting up a VPC that has no internet gateway. Instead the default gateway is the vpn and all traffic is sent back through the ipsec tunnel and then out the local network gateway.

[Internet]
    ^
    |
    |
    |
[OpenBSD]---ipsec--[VPC]

I added these relevant lines to pf.conf

match out on $ext_if from !($ext_if:network) nat-to ($ext_if)
pass quick on enc0 keep state (if-bound)

With tcpdump and pfctl I can tell that traffic from the vpc (10.0.0.0/8) comes across the tunnel and gets NATed out. I can see that traffic leave the external interface and I can see the reply come back to the external interface. The reply never hits enc0 though and never makes it back to the client.

Is there another piece to the setup I am missing? I assume what I am trying to do is possible. I would appreciate any insight or advice anyone may have in regards to this type of setup.

J
Re: booting OpenBSD with grub
You can also use kopenbsd to load an OpenBSD kernel directly in grub, I did just this to install OpenBSD from a previous Debian install (just downloaded bsd.rd, rebooted, used grub to boot bsd.rd) --- “Lanie, I’m going to print more printers. Lots more printers. One for everyone. That’s worth going to jail for. That’s worth anything.” - Printcrime by Cory Doctorow Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html On Thu, May 28, 2015 at 1:44 AM, Josh Grosse j...@jggimi.homeip.net wrote: On Wed, May 27, 2015 at 07:48:49AM -0400, cobalt wrote: any idea on the proper way to get grub to boot openbsd: set root=(hd1,4) is what i have, but i am missing something and i do not know what. any thoughts would help. regards. gilles I have an old netbook with sysutils/grub installed. That's v1, and I provision the chainloader. Here's my menu.lst: default 0 timeout 5 title OpenBSD root (hd0,3) chainloader +1 title WinXP root (hd0,0) chainloader +1 WXP is retained for a few select applications: firmware installation on peripherals, WebRTC applications ... and that's it.
Re: httpd authenticate option usage
How does the httpd authenticate option work? from httpd.conf(5):

[no] authenticate [realm] with htpasswd
Authenticate a remote user for realm by checking the credentials against the user authentication file htpasswd. The file name is relative to the chroot and must be readable by the www user. Use the no authenticate directive to disable authentication in a location.

what's realm? It shows up twice in the man page, both times in that paragraph. Googling was not overly productive due to that other web server that also uses the file name httpd.conf and htpasswd. :-/

Check RFC 2617: http://tools.ietf.org/html/rfc2617#page-3

Or just Google it via http realm query and check Stack Overflow: http://stackoverflow.com/questions/12701085/what-is-the-realm-in-basic-authentication

What I'm trying to do is have one user/pw protected directory on a web server. Most of the server is open to all (and of interest to very few), but this one directory should be letting basically no one in without authentication.

No prob, just follow the instructions. I've just tested them on OpenBSD 5.7 release.

1. Put something like this in your /etc/httpd.conf:

    server default {
        listen on egress port 80
        location /priv* {
            authenticate with /htpasswd
        }
    }

2. Now use htpasswd to create a htpasswd file. Swap example with your user name:

    $ sudo htpasswd /var/www/htpasswd example
    Password:
    Retype Password:
    $

3. Now make it readable for user www group daemon by issuing this command:

    $ sudo chown www:daemon /var/www/htpasswd

4. Enjoy.

P.S: I believe httpd should say something explicitly if it fails to load htpasswd file. Currently it just silently fails. Should be at least a warning.
Lenovo T450s status
Hello Misc I'm looking at purchasing a Lenovo T450s as my main laptop, but I wanted to find out if anyone has hit any major roadblocks using obsd 5.7 with this model. I know this is a fairly new machine and support is always hit and miss, but any guidance on this machine would help. Biggest concerns are battery life and fan noise. Thanks. -- Shaun Ars longa, vita brevis, occasio praeceps, experimentum periculosum, iudicium difficile - Hippocrates (c. 400BC)
Re: installing stable failed
Hi Theo, On 05/27/15 15:37, Theo Buehler wrote: To fix your machine, either use the cp and mv commands as above or simply issuing # cp bsd /bsd would be enough since `/bsd' isn't in the way. The point is that make install didn't, because it expected a previous /bsd in the destination directory. Should be easy to fix. The workaround is obvious, but thanx anyway Regards Harri
Re: Lenovo T450s status
Hi Shaun,

On 05/28/15 01:48, Shaun Reiger wrote:
> Hello Misc
>
> I'm looking at purchasing a Lenovo T450s as my main laptop, but I wanted to find out if anyone has hit any major roadblocks using obsd 5.7 with this model. I know this is a fairly new machine and support is always hit and miss, but any guidance on this machine would help. Biggest concerns are battery life and fan noise.

I have a T440s. Battery life and fan noise are excellent (using Linux, though). A major issue with this device is: It's highly painful to open the case for a hard disk replacement or to extend RAM. You have to be extremely careful to not break a latch. According to its Hardware Maintenance Manual

http://download.lenovo.com/pccbbs/mobiles_pdf/t450s_hmm_en_sp40g54937.pdf

(page 62) the T450s has the same design problem.

Hope this helps
Harri
Re: booting OpenBSD with grub
On Wed, May 27, 2015 at 07:48:49AM -0400, cobalt wrote:
> any idea on the proper way to get grub to boot openbsd:
>
>     set root=(hd1,4)
>
> is what i have, but i am missing something and i do not know what. any thoughts would help.
>
> regards.
> gilles

I have an old netbook with sysutils/grub installed. That's v1, and I provision the chainloader. Here's my menu.lst:

    default 0
    timeout 5

    title OpenBSD
    root (hd0,3)
    chainloader +1

    title WinXP
    root (hd0,0)
    chainloader +1

WXP is retained for a few select applications: firmware installation on peripherals, WebRTC applications ... and that's it.
httpd authenticate option usage
ok, I'm probably being overly dense here, but ...

How does the httpd authenticate option work?

from httpd.conf(5):

    [no] authenticate [realm] with htpasswd
        Authenticate a remote user for realm by checking the credentials against the user authentication file htpasswd. The file name is relative to the chroot and must be readable by the www user. Use the no authenticate directive to disable authentication in a location.

what's realm? It shows up twice in the man page, both times in that paragraph. Googling was not overly productive due to that other web server that also uses the file name httpd.conf and htpasswd. :-/

What I'm trying to do is have one user/pw protected directory on a web server. Most of the server is open to all (and of interest to very few), but this one directory should be letting basically no one in without authentication.

Adding

    authenticate with /htpasswd

to the server section works to protect the entire page (expected that -- though the error handling here isn't my favorite -- produces syntax error when /htpasswd exists but is not readable by web server user).

Adding it to a location section like this:

    server njh.example.com {
        listen on $ext_addr port 80
        root /njh.example.com
        location /* {
            directory auto index
            log style combined
        }
        location /priv/* {
            authenticate with /htpasswd
        }
    }

seems to be a no op -- never seems to prompt for the uid/pw.

I'm sure whatever I'm missing is stupidly simple, but not sure what it is ...

Nick.
Re: httpd authenticate option usage
On 05/27/15 22:42, Yegor Timoschenko wrote:
> > How does the httpd authenticate option work?
> >
> > from httpd.conf(5):
> >
> >     [no] authenticate [realm] with htpasswd
> >         Authenticate a remote user for realm by checking the credentials against the user authentication file htpasswd. The file name is relative to the chroot and must be readable by the www user. Use the no authenticate directive to disable authentication in a location.
> >
> > what's realm? It shows up twice in the man page, both times in that paragraph. Googling was not overly productive due to that other web server that also uses the file name httpd.conf and htpasswd. :-/
>
> Check RFC 2617: http://tools.ietf.org/html/rfc2617#page-3
>
> Or just Google it via http realm query and check Stack Overflow: http://stackoverflow.com/questions/12701085/what-is-the-realm-in-basic-authentication

oh standard term, eh? whooda thunk? Well, obviously you, obviously not me. :-/

> > What I'm trying to do is have one user/pw protected directory on a web server. Most of the server is open to all (and of interest to very few), but this one directory should be letting basically no one in without authentication.
>
> No prob, just follow the instructions. I've just tested them on OpenBSD 5.7 release.

gah. Knew it would be easy.

Your sample works, mine had the 'location /*' before the 'location /priv/*', and apparently it's first match, not last match (or most specific or ...). Swapping the order of my location statements (or as you did, just leaving the root one out) solved my problem.

(and for a few other related reasons, my example config was pretty dumb, so thanks for deleting my example!).

> P.S: I believe httpd should say something explicitly if it fails to load htpasswd file. Currently it just silently fails. Should be at least a warning.

send diff. :D

But yeah, I found lots of ways to make errors and get unexpected results from those errors. On the other hand, the apache config file and I never were best of buddies, either.

Thanks!

Nick.
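The location ordering problem resolved in the message above, as an added example that is not part of the original thread and is not httpd's own code: a small check that reports `authenticate` locations that can never take effect because an earlier, broader location matches first. It assumes first-match selection as observed in the thread, uses Python's fnmatchcase as a stand-in for httpd's glob matching, and all function names are hypothetical; the two configurations are constructed from the one quoted in the thread.

```python
import re
from fnmatch import fnmatchcase

# Constructed from the config quoted in the thread (listen, root, log lines omitted).
AS_POSTED = """server njh.example.com {
    location /* {
        directory auto index
    }
    location /priv/* {
        authenticate with /htpasswd
    }
}"""
# Same blocks, specific location first (the reordering that fixed it in the thread).
REORDERED = """server njh.example.com {
    location /priv/* {
        authenticate with /htpasswd
    }
    location /* {
        directory auto index
    }
}"""

LOCATION_RE = re.compile(r'location\s+"?([^\s"{]+)"?\s*\{([^{}]*)\}')
AUTH_RE = re.compile(r'^\s*authenticate\b', re.M)  # skips "no authenticate"

def parse_locations(conf):
    """Return [(pattern, body)] for each location block, in file order."""
    return [(m.group(1), m.group(2)) for m in LOCATION_RE.finditer(conf)]

def effective_location(locations, path):
    """First matching location wins, as observed in the thread (assumption)."""
    for pattern, body in locations:
        if fnmatchcase(path, pattern):
            return pattern, body
    return None

def requires_auth(locations, path):
    hit = effective_location(locations, path)
    return bool(hit and AUTH_RE.search(hit[1]))

def shadowed_auth_locations(locations):
    """Report (auth_pattern, winning_pattern) where an earlier block takes the request."""
    findings = []
    for pattern, body in locations:
        probe = pattern.replace("*", "x").replace("?", "x")  # one sample path
        hit = effective_location(locations, probe)
        if AUTH_RE.search(body) and hit and hit[0] != pattern:
            findings.append((pattern, hit[0]))
    return findings
```

The probe is a single sample path per pattern, so this is a heuristic lint for the ordering mistake, not a full glob-containment check.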
booting OpenBSD with grub
any idea on the proper way to get grub to boot openbsd:

    set root=(hd1,4)

is what i have, but i am missing something and i do not know what. any thoughts would help.

regards.
gilles
Re: building mp userland?
> I built the userland with a GENERIC kernel. Then I looked at the dmesg and realized I had wanted the GENERIC.MP kernel. I'm going to re-build userland anyway, but how different is the resulting userland?

Not a single bit different.
building mp userland?
I built the userland with a GENERIC kernel. Then I looked at the dmesg and realized I had wanted the GENERIC.MP kernel. I'm going to re-build userland anyway, but how different is the resulting userland? Joel Rees Computer memory is just fancy paper, CPUs just fancy pens. All is a stream of text flowing from the past into the future.