Oddness with pkg_add

2016-11-02 Thread Chris Huxtable
OpenBSD Community,

I upgraded my OpenBSD router from 5.9 to 6.0 by clean install and copied a
number of my old configs to the new install. I have almost everything in a
working state except one program, pkg_add. I have tried to sort this out, done
another clean install, reviewed all my configs, and reached the end of my
understanding. Below are tests I have performed and their output, and configs I
think may be relevant.

# pkg_add nano
Error from http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
ftp: ftp.openbsd.org: no address associated with name
http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/ is empty
Error from http://openbsd.cs.toronto.edu/pub/OpenBSD/6.0/packages/amd64/
ftp: openbsd.cs.toronto.edu: no address associated with name
http://openbsd.cs.toronto.edu/pub/OpenBSD/6.0/packages/amd64/ is empty
Error from http://athena.caslab.queensu.ca/pub/OpenBSD/6.0/packages/amd64/
ftp: athena.caslab.queensu.ca: no address associated with name
http://athena.caslab.queensu.ca/pub/OpenBSD/6.0/packages/amd64/ is empty
Can't find nano

$ uname -a
OpenBSD xyz.abc.def 6.0 GENERIC.MP#2319 amd64

$ host ftp.openbsd.org
ftp.openbsd.org is an alias for openbsd.sunsite.ualberta.ca.
openbsd.sunsite.ualberta.ca has address 129.128.5.191

$ dig ftp.openbsd.com
[…]
;; ANSWER SECTION:
ftp.openbsd.com.              21599   IN  CNAME   openbsd.sunsite.ualberta.ca.
openbsd.sunsite.ualberta.ca.  21599   IN  A       129.128.5.191

;; Query time: 789 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
[…]

$ ping -c 1 google.com
PING google.com (172.217.0.174): 56 data bytes
64 bytes from 172.217.0.174: icmp_seq=0 ttl=59 time=5.488 ms
--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.488/5.488/5.488/0.000 ms

$ cat /etc/resolv.conf
search abc.def ghi.jkl mno.pqr
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
lookup bind file

$ cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev em1 authproto pap \
authname 'thisIsNotMyAuthName' authkey 'thisIsNotMyAuthKey' up
dest 0.0.0.1

group egress

!/sbin/route add default -ifp pppoe0 0.0.0.1

$ cat /etc/hostname.em1
group egress

up

$ ftp -o /tmp/test.html http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
Trying 129.128.5.191...
Requesting http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
100% |**************************|  1171 KB    00:02
1199135 bytes received in 2.65 seconds (441.42 KB/s)


Would anyone have insight as to why everything works except pkg_add? Any help
would be appreciated.

Regards,

Chris



Building electron on OpenBSD

2016-11-02 Thread Ax0n
In talking to some folks at SpiderOak a few months ago, their technical
co-founder said that the ability to get Go 1.6+ and Electron working on
OpenBSD are the major technical hurdles to getting Semaphor (which is a
privacy-friendly, security-minded collaborative platform one might compare
to Slack or HipChat) running on our favorite operating system.

https://spideroak.com/solutions/semaphor/
https://spideroak.com/solutions/semaphor/source/

I'm running current, and I see we have Go 1.7 in ports, and in binary
packages for some platforms. Electron's a different story. It's built on
nodejs and requires python 2.7 (both of which I've also already installed)
but it looks like the build scripts don't even take *BSD into consideration
and I'm at a dead end.

Electron:
https://github.com/electron/electron/

"Build Instructions":
https://github.com/electron/electron/blob/master/docs/development/build-instructions-linux.md

I am not a developer. At best, I'm an excited end-user that's got a lot of
sysadmin experience. I can apply patches to programs, compile basic stuff
if the Makefiles aren't totally hosed, and maybe sometimes tweak code a
bit, but this stuff really isn't my strong suit at all. I can sometimes get
things to work. This isn't one of them. Anyone have some pointers for me?
Would ports@ be a better place for this?



Re: Serverkeybits, protocol 2

2016-11-02 Thread Darren Tucker
On Thu, Nov 3, 2016 at 8:14 AM, Jonathan Paquet wrote:

> Ok, so for protocol 2, what is used by default?


There is no exact equivalent of ServerKeyBits in ssh Protocol 2.

In Protocol 1 the server generates an ephemeral RSA key that is
ServerKeyBits in size when it starts up, and regenerates it every ~1h if it
has been used.  That key is used to encrypt the SSH session key sent to the
client.

In Protocol 2 the session key is derived from a Diffie-Hellman[1] exchange
at the beginning of each connection, which produces a shared secret that
both sides contribute to but neither controls.

> > The minimum key encryption that we want to allow is 1024, and the version
> > of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.

Short answer: OpenSSH's Protocol 2 doesn't support anything weaker than
1024 bits.

Long answer:

The absolute minimum strength key exchange in the SSHv2 spec is
diffie-hellman-group1-sha1, which is specified as 1024 bits.  It is
considered weak and has been disabled by default since OpenSSH 7.0.  There
is another set of Diffie-Hellman algorithms where the server picks the
group (diffie-hellman-group-exchange-sha{1,256}) and in OpenSSH those are
picked from the moduli file.  OpenSSH hasn't ever shipped a moduli file
with groups <1k bits, 1k bit groups were removed around 7.0 as well, then
1.5kbit groups some time later.

[1] Actually there are several supported key exchange algorithms (see
KexAlgorithms in sshd_config(8)), and exactly which one gets used will
depend on what the client and server support and/or have enabled.  They all
have the same security properties, though.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
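The two points in Darren's reply, as an added example that is not code from this thread or from OpenSSH: a Protocol 2 style Diffie-Hellman exchange in which both sides contribute to the shared secret and neither picks it, run over the 1024-bit group1 prime (RFC 2409 Oakley group 2, reused by RFC 4253 as diffie-hellman-group1-sha1), and an audit of the group sizes in a moduli(5) file of the kind diffie-hellman-group-exchange-* draws from. The moduli lines below are constructed for the example and are not primes; the size column is taken to be one less than the modulus bit length, which is the convention shipped moduli files follow, and the parser cross-checks it against the modulus rather than trusting it.

```python
"""Audit SSH Diffie-Hellman group sizes.

Added example, not code from this thread or from OpenSSH.  It shows a
Protocol 2 key exchange where both sides contribute to the secret, and a
check of the group sizes in a moduli(5) file of the kind
diffie-hellman-group-exchange-* draws from.
"""
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), which SSH reuses as
# diffie-hellman-group1-sha1 (RFC 4253).  Generator is 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2


def dh_exchange(p=GROUP1_P, g=GROUP1_G, x=None, y=None):
    """One Diffie-Hellman exchange as in SSH KEXDH: client sends e = g^x,
    server replies f = g^y, both derive K.  Neither side picks K alone.
    Returns (e, f, k_client, k_server); the last two must be equal."""
    x = x if x is not None else secrets.randbelow(p - 2) + 1  # client private
    y = y if y is not None else secrets.randbelow(p - 2) + 1  # server private
    e = pow(g, x, p)          # SSH_MSG_KEXDH_INIT  (client -> server)
    f = pow(g, y, p)          # SSH_MSG_KEXDH_REPLY (server -> client)
    return e, f, pow(f, x, p), pow(e, y, p)


def parse_moduli(text):
    """Parse moduli(5) lines: time type tests tries size generator modulus.
    Bit length is computed from the modulus itself; the size column is kept
    so it can be cross-checked (shipped files write bits - 1 there)."""
    groups = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(fields)}")
        modulus = int(fields[6], 16)
        groups.append({
            "line": n,
            "size": int(fields[4]),
            "generator": int(fields[5]),
            "bits": modulus.bit_length(),
            "raw": line,
        })
    return groups


def audit_moduli(text, min_bits=2048):
    """Report groups below min_bits and lines whose size column does not
    match the modulus; 'kept' is what a pruned file would contain."""
    groups = parse_moduli(text)
    weak = [g for g in groups if g["bits"] < min_bits]
    mismatch = [g for g in groups if g["bits"] != g["size"] + 1]
    kept = [g["raw"] for g in groups
            if g["bits"] >= min_bits and g["bits"] == g["size"] + 1]
    return {"total": len(groups), "weak": weak,
            "mismatch": mismatch, "kept": kept}


def _fake_modulus(bits, seed):
    """Constructed odd number of exactly `bits` bits.  NOT a prime; only the
    file structure and sizes are under test here."""
    filler = (seed * 0x9E3779B97F4A7C15) & ((1 << (bits - 1)) - 1)
    return (1 << (bits - 1)) | filler | 1


# Constructed sample file: two group sizes OpenSSH no longer ships (1024,
# 1536), two current sizes, and one line whose size column is wrong.
SAMPLE_MODULI = "\n".join([
    "# constructed sample, moduli are not prime",
    f"20161102000000 2 6 100 1023 2 {_fake_modulus(1024, 1):X}",
    f"20161102000000 2 6 100 1535 5 {_fake_modulus(1536, 2):X}",
    f"20161102000000 2 6 100 2047 2 {_fake_modulus(2048, 3):X}",
    f"20161102000000 2 6 100 4095 2 {_fake_modulus(4096, 4):X}",
    f"20161102000000 2 6 100 4095 2 {_fake_modulus(4000, 5):X}",
])

if __name__ == "__main__":
    e, f, kc, ks = dh_exchange()
    print(f"group1 is {GROUP1_P.bit_length()} bits; secrets agree: {kc == ks}")
    report = audit_moduli(SAMPLE_MODULI)
    for g in report["weak"]:
        print(f"line {g['line']}: {g['bits']}-bit group is below 2048")
    for g in report["mismatch"]:
        print(f"line {g['line']}: size {g['size']} does not match "
              f"{g['bits']}-bit modulus")
    print(f"{len(report['kept'])} of {report['total']} groups would be kept")
```

Run against a real file with `audit_moduli(open("/etc/ssh/moduli").read())`; the "kept" list is the same set the usual `awk '$5 >= 2047' /etc/ssh/moduli` prune leaves behind, with the added check that the size column and the modulus agree. The fixed-group methods (group1, group14) never consult the moduli file, so pruning it only affects the group-exchange methods Darren mentions; the fixed groups are controlled through KexAlgorithms.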



Re: Serverkeybits, protocol 2

2016-11-02 Thread Jonathan Paquet
Ok, so for protocol 2, what is used by default?

On Nov 2, 2016 3:29 PM, "Raf Czlonka" wrote:

> On Wed, Nov 02, 2016 at 06:39:59PM GMT, Jonathan Paquet wrote:
> > Hi,
> > I am working as a VMware SME, and I need to update the security template
> > that we are using.
> >
> > One of the settings that we have is the Serverkeybits. By default this
> > setting is not present in the sshd config file.
> >
> > The protocol is set to 2 by default.
> >
> > I am a little confused, because some websites on the net say that
> > serverkeybits only applies when using protocol 1, and others say that it
> > applies no matter what.
> >
> > Basically, I would need to know if I need to integrate this setting if we
> > use protocol 2 or if this is not needed?
>
> Hi Jonathan,
>
> No, this setting only applies to protocol version 1.
>
> Regards,
>
> Raf
>
> > The minimum key encryption that we want to allow is 1024, and the version
> > of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.
> >
> > Thanks
> >
> > Jonathan



Re: permanent ARP being overwritten by ISP

2016-11-02 Thread Mihai Popescu
> My question is, why?

Since that is a machine controlled by your ISP, they can do whatever
they want or do not want. Do not believe all ISPs are respecting
Internet standards. Are there standards? Maybe it is a mistake in
configuration. If I remember correctly from some time ago when I read
TCP/IP Illustrated, but I'm not sure, some kind of ARP server can be set up,
maybe bridge related, but I'm not totally sure.

So, try to bug your ISP with that ARP overwrite.



Re: Serverkeybits, protocol 2

2016-11-02 Thread Raf Czlonka
On Wed, Nov 02, 2016 at 06:39:59PM GMT, Jonathan Paquet wrote:
> Hi,
> I am working as a VMware SME, and I need to update the security template
> that we are using.
> 
> One of the settings that we have is the Serverkeybits. By default this
> setting is not present in the sshd config file.
> 
> The protocol is set to 2 by default.
> 
> I am a little confused, because some websites on the net say that
> serverkeybits only applies when using protocol 1, and others say that it
> applies no matter what.
> 
> Basically, I would need to know if I need to integrate this setting if we
> use protocol 2 or if this is not needed?

Hi Jonathan,

No, this setting only applies to protocol version 1.

Regards,

Raf

> The minimum key encryption that we want to allow is 1024, and the version
> of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.
> 
> Thanks
> 
> Jonathan



Serverkeybits, protocol 2

2016-11-02 Thread Jonathan Paquet
Hi,
I am working as a VMware SME, and I need to update the security template
that we are using.

One of the settings that we have is the Serverkeybits. By default this
setting is not present in the sshd config file.

The protocol is set to 2 by default.

I am a little confused, because some websites on the net say that
serverkeybits only applies when using protocol 1, and others say that it
applies no matter what.

Basically, I would need to know if I need to integrate this setting if we
use protocol 2 or if this is not needed?

The minimum key encryption that we want to allow is 1024, and the version
of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.

Thanks

Jonathan