Oddness with pkg_add
OpenBSD Community,

I upgraded my OpenBSD router from 5.9 to 6.0 by clean install and copied a number of my old configs to the new install. I have almost everything in a working state except one program, pkg_add. I have tried to sort this out, done another clean install, reviewed all my configs, and reached the end of my understanding. Below are tests I have performed and their output and configs I think may be relevant.

# pkg_add nano
Error from http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
ftp: ftp.openbsd.org: no address associated with name
http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/ is empty
Error from http://openbsd.cs.toronto.edu/pub/OpenBSD/6.0/packages/amd64/
ftp: openbsd.cs.toronto.edu: no address associated with name
http://openbsd.cs.toronto.edu/pub/OpenBSD/6.0/packages/amd64/ is empty
Error from http://athena.caslab.queensu.ca/pub/OpenBSD/6.0/packages/amd64/
ftp: athena.caslab.queensu.ca: no address associated with name
http://athena.caslab.queensu.ca/pub/OpenBSD/6.0/packages/amd64/ is empty
Can't find nano

$ uname -a
OpenBSD xyz.abc.def 6.0 GENERIC.MP#2319 amd64

$ host ftp.openbsd.org
ftp.openbsd.org is an alias for openbsd.sunsite.ualberta.ca.
openbsd.sunsite.ualberta.ca has address 129.128.5.191

$ dig ftp.openbsd.com
[…]
;; ANSWER SECTION:
ftp.openbsd.com. 21599 IN CNAME openbsd.sunsite.ualberta.ca.
openbsd.sunsite.ualberta.ca. 21599 IN A 129.128.5.191
;; Query time: 789 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
[…]

$ ping -c 1 google.com
PING google.com (172.217.0.174): 56 data bytes
64 bytes from 172.217.0.174: icmp_seq=0 ttl=59 time=5.488 ms
--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.488/5.488/5.488/0.000 ms

$ cat /etc/resolv.conf
search abc.def ghi.jkl mno.pqr
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
lookup bind file

$ cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev em1 authproto pap \
authname 'thisIsNotMyAuthName' authkey 'thisIsNotMyAuthKey' up
dest 0.0.0.1
group egress
!/sbin/route add default -ifp pppoe0 0.0.0.1

$ cat /etc/hostname.em1
group egress up

$ ftp -o /tmp/test.html http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
Trying 129.128.5.191...
Requesting http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
100% |**| 1171 KB 00:02
1199135 bytes received in 2.65 seconds (441.42 KB/s)

Would anyone have insight as to why everything works except pkg_add? Any help would be appreciated.

Regards,
Chris
Building electron on OpenBSD
In talking to some folks at SpiderOak a few months ago, their technical co-founder said that the ability to get Go 1.6+ and Electron working on OpenBSD are the major technical hurdles to getting Semaphor (which is a privacy-friendly, security-minded collaborative platform one might compare to Slack or HipChat) running on our favorite operating system.

https://spideroak.com/solutions/semaphor/
https://spideroak.com/solutions/semaphor/source/

I'm running current, and I see we have Go 1.7 in ports, and in binary packages for some platforms. Electron's a different story. It's built on nodejs and requires python 2.7 (both of which I've also already installed) but it looks like the build scripts don't even take *BSD into consideration and I'm at a dead end.

Electron: https://github.com/electron/electron/
"Build Instructions": https://github.com/electron/electron/blob/master/docs/development/build-instructions-linux.md

I am not a developer. At best, I'm an excited end-user that's got a lot of sysadmin experience. I can apply patches to programs, compile basic stuff if the Makefiles aren't totally hosed, and maybe sometimes tweak code a bit, but this stuff really isn't my strong suit at all. I can sometimes get things to work. This isn't one of them.

Anyone have some pointers for me? Would ports@ be a better place for this?
Re: Serverkeybits, protocol 2
On Thu, Nov 3, 2016 at 8:14 AM, Jonathan Paquet wrote:
> Ok, so for protocol 2, what is used by default?

There is no exact equivalent of ServerKeyBits in ssh Protocol 2. In Protocol 1 the server generates an ephemeral RSA key that is ServerKeyBits in size when it starts up, and regenerates it every ~1h if it has been used. That key is used to encrypt the SSH session key sent to the client. In Protocol 2 the session key is derived from a Diffie-Hellman[1] exchange at the beginning of each connection, which produces a shared secret that both sides contribute to but neither controls.

> > The minimum key encryption that we want to allow is 1024, and the version
> > of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.

Short answer: OpenSSH's Protocol 2 doesn't support anything weaker than 1024 bits.

Long answer: The absolute minimum strength key exchange in the SSHv2 spec is diffie-hellman-group1-sha1, which is specified as 1024 bits. It is considered weak and has been disabled by default since OpenSSH 7.0. There is another set of Diffie-Hellman algorithms where the server picks the group (diffie-hellman-group-exchange-sha{1,256}) and in OpenSSH those are picked from the moduli file. OpenSSH hasn't ever shipped a moduli file with groups <1k bits, 1k bit groups were removed around 7.0 as well, then 1.5kbit groups some time later.

[1] Actually there are several supported key exchange algorithms (see KexAlgorithms in sshd_config(8)), and exactly which one gets used will depend on what the client and server support and/or have enabled. They all have the same security properties, though.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
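The checks this reply implies for a security template, as an added example that is not part of the original post or of OpenSSH: flag ServerKeyBits as a Protocol-1-only keyword, flag diffie-hellman-group1-sha1 in KexAlgorithms, and list moduli groups below a chosen size. The function names, the 2048-bit default threshold and the sample data are assumptions; the size column in OpenSSH's shipped moduli files is one less than the nominal bit length (1023 for a 1024-bit group).

```python
# Added example. All sample data is constructed; modulus values are placeholders.
WEAK_KEX = {"diffie-hellman-group1-sha1"}  # fixed 1024-bit group named in the reply
V1_ONLY = {"serverkeybits"}                # applies to Protocol 1 only, per the thread

SAMPLE_CONFIG = """\
Protocol 2
ServerKeyBits 1024
KexAlgorithms +diffie-hellman-group1-sha1
"""

SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20160101000000 2 6 100 1023 2 C0FFEE01
20160101000001 2 6 100 1535 2 C0FFEE02
20160101000002 2 6 100 2047 5 C0FFEE03
"""


def audit_sshd_config(text):
    """Return findings for Protocol-1-only keywords and weak key exchange."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()                # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in V1_ONLY:
            findings.append(f"{parts[0]}: Protocol 1 only, no effect on Protocol 2")
        elif key == "kexalgorithms" and not value.startswith("-"):
            # A leading '+' appends to the defaults; a leading '-' removes, so skip it.
            enabled = set(value.lstrip("+^").split(","))
            findings += [f"weak key exchange enabled: {a}" for a in sorted(enabled & WEAK_KEX)]
    return findings


def small_moduli(text, min_bits=2048):
    """Return nominal sizes in bits of moduli entries smaller than min_bits."""
    sizes = set()
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue
        bits = int(fields[4]) + 1  # size column holds nominal bits minus one
        if bits < min_bits:
            sizes.add(bits)
    return sorted(sizes)
```

Against a real host, pass the contents of the sshd_config and moduli files in place of the constructed samples.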
Re: Serverkeybits, protocol 2
Ok, so for protocol 2, what is used by default?

On Nov 2, 2016 3:29 PM, "Raf Czlonka" wrote:
> On Wed, Nov 02, 2016 at 06:39:59PM GMT, Jonathan Paquet wrote:
> > Hi,
> > I am working as VMware SME, and I need to update the security template
> > that we are using.
> >
> > One of the settings that we have is the Serverkeybits. By default this
> > setting is not present on the sshd config file.
> >
> > The protocol is set to 2 by default.
> >
> > I am a little confused, because some website on the net say that
> > serverkeybits only apply when using protocol 1, and other say that it apply
> > no matter what.
> >
> > Basically, I would need to know if I need to integrate this setting if we
> > use protocol 2 or if this is not needed?
>
> Hi Jonathan,
>
> No, this setting only applies to protocol version 1.
>
> Regards,
>
> Raf
>
> > The minimum key encryption that we want to allow is 1024, and the version
> > of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.
> >
> > Thanks
> >
> > Jonathan
Re: permanent ARP being overwritten by ISP
> My question is, why?

Since that is a machine controlled by your ISP, they can do whatever they want or do not want. Do not believe all ISPs are respecting Internet standards. Are there standards? Maybe it is a mistake in configuration. If I remember correctly from some time ago when I read TCP/IP Illustrated but not, some kind of ARP server can be set up, maybe bridge related, but I'm not totally sure. So, try to bug your ISP with that ARP overwrite.
Re: Serverkeybits, protocol 2
On Wed, Nov 02, 2016 at 06:39:59PM GMT, Jonathan Paquet wrote:
> Hi,
> I am working as VMware SME, and I need to update the security template
> that we are using.
>
> One of the settings that we have is the Serverkeybits. By default this
> setting is not present on the sshd config file.
>
> The protocol is set to 2 by default.
>
> I am a little confused, because some website on the net say that
> serverkeybits only apply when using protocol 1, and other say that it apply
> no matter what.
>
> Basically, I would need to know if I need to integrate this setting if we
> use protocol 2 or if this is not needed?

Hi Jonathan,

No, this setting only applies to protocol version 1.

Regards,

Raf

> The minimum key encryption that we want to allow is 1024, and the version
> of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.
>
> Thanks
>
> Jonathan
Serverkeybits, protocol 2
Hi,

I am working as VMware SME, and I need to update the security template that we are using.

One of the settings that we have is the Serverkeybits. By default this setting is not present on the sshd config file.

The protocol is set to 2 by default.

I am a little confused, because some website on the net say that serverkeybits only apply when using protocol 1, and other say that it apply no matter what.

Basically, I would need to know if I need to integrate this setting if we use protocol 2 or if this is not needed?

The minimum key encryption that we want to allow is 1024, and the version of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.

Thanks

Jonathan