pf_query error

2017-08-15 Thread Glenn Faustino
Hi,

I'm using pfstat to generate pf statistics for my home firewall. But after
upgrading to a -current snapshot this error started to appear. I did run
sysmerge and pkg_add -uv after the upgrade. Any ideas how to resolve this
issue? Thanks in advance.

[x220@OpenBSD.domain.local:~]$ doas pfstat -q -d /var/db/pfstat.db
doas (x220@OpenBSD.domain.local) password:
ioctl: DIOCGETSTATUS: Permission denied
pf_query: query_counters() failed
[x220@OpenBSD.domain.local:~]$


Here's the dmesg:

OpenBSD 6.1-current (GENERIC) #5: Tue Aug 15 19:29:42 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC


Regards,
Glenn


Re: Question about httpd tls config

2017-08-15 Thread Andreas Thulin
Ah. Thank you! :-)
Tue 15 Aug 2017 at 14:06, Ronan Viel wrote:

> Hi,
>
> SSL Labs don’t like 3DES whose key length is considered 112 bits and not
> 168 bits because it may be subject to meet-in-the-middle attack.
> Remove it by adding the line below to your server definition:
> tls cipher "HIGH:!aNULL:!3DES"
>
> Ronan
>
> > On 15 Aug 2017 at 09:54, Andreas Thulin wrote:
> >
> > Hi!
> >
> > I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> > with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> > results say that
> >
> > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> >
> > is considered weak. How should I interpret that information, as you see
> it?
> > And shouldn't default cipher strengths be >= 128? I have probably
> > misunderstood something, so any pointers in the right direction would be
> > lovely.
> >
> > Link to my test result:
> > https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se
> >
> > My httpd.conf (which I'd like to keep very simple):
> > # www.andreasthulin.se - HTTP
> > server "www.andreasthulin.se" {
> >     alias "esoteric.andreasthulin.se"
> >     hsts subdomains
> >     listen on * port 80
> >     listen on * tls port 443
> >     tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
> >     tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
> >     root "/htdocs/andreasthulin.se"
> >     location "*.php" {
> >         fastcgi socket "/run/php-fpm.sock"
> >     }
> >     location "/.well-known/acme-challenge/*" {
> >         root "/acme"
> >         root strip 2
> >     }
> >     directory { index "index.php" }
> > }
> >
> > BR, Andreas
>
>


Re: lock X on suspend

2017-08-15 Thread Grégoire Jadi
Jeremie Courreges-Anglas  writes:
Hello,

> On Tue, Aug 15 2017, Stuart Henderson  wrote:
>> On 2017-08-15, Jeremie Courreges-Anglas  wrote:
>>> On Tue, Aug 15 2017, tomr  wrote:
>>>
>>>> I've figured out an effective workaround I think, which is to SIGUSR1 my
>>>> running xidle(1) process, which works.
>>>
>>> That's probably less hackish and better on multi-user machines.
>>
>> fwiw, I sometimes had problems with characters from my password going to
>> xterms when I used xidle. I don't know if it was something odd about my
>> setup, but something to watch out for if anyone's changing config as a
>> result of this thread.

I'm stepping in just to mention that I've observed the same behaviour,
though I thought it was because of the locking program that I used
(slock), not xidle.

Since then, I've switched to i3lock and stopped using xidle (I'm locking
manually) and haven't observed this behaviour.

I'll give xidle a new try and report here if the problem occurs again.

Best.

> Duh, thanks for the heads-up.  This is a bit scary.
>
>> I like the hackish way :)
>
> ;)



Re: lock X on suspend

2017-08-15 Thread Jeremie Courreges-Anglas
On Tue, Aug 15 2017, Stuart Henderson  wrote:
> On 2017-08-15, Jeremie Courreges-Anglas  wrote:
>> On Tue, Aug 15 2017, tomr  wrote:
>>
>>> I've figured out an effective workaround I think, which is to SIGUSR1 my
>>> running xidle(1) process, which works.
>>
>> That's probably less hackish and better on multi-user machines.
>
> fwiw, I sometimes had problems with characters from my password going to
> xterms when I used xidle. I don't know if it was something odd about my
> setup, but something to watch out for if anyone's changing config as a
> result of this thread.

Duh, thanks for the heads-up.  This is a bit scary.

> I like the hackish way :)

;)

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: Mastering opensmtpd rules

2017-08-15 Thread Walter Alejandro Iglesias
On Tue, Aug 15, 2017 at 05:10:00PM +0200, Gilles Chehade wrote:
> On Tue, Aug 15, 2017 at 01:29:16PM +0200, Walter Alejandro Iglesias wrote:
> > > 
> > >   accept from any for any virtual  [...]
> > > 
> > 
> > Besides, after modifying that rule in the file I also had to change the
> > order.  Since rules below the "catch-all" one never get evaluated, it
> > has forcibly to be the last one:
> > 
> >[...]
> >accept from local for local alias  deliver to mbox
> >accept from local sender  for any relay
> >accept from any for any virtual  deliver to mbox
> ># End of file
> > 
> 
> Not a truth written in stone but, usually, having the "from any for any"
> rule in a config file is a sign that user failed to write ruleset and is
> using this as a fallback.

The word "mastering" I used in the subject may lead to confusion.  I
should've written "starting with" instead. :-)

My smtpd.conf is not a finished work.  Step by step.

> The earliest the rules match the envelope, the
> better, as it indicates that the rule was written to match precisely.
> 

My intention was to find the way to support the "postmaster" address,
that RFC requires to be supported even *with no domain specification.*
I wasn't able to figure out how to solve this while the "domain" table
was included in the rule.  Without that table now I can add to the
"valiases" file this:

postmaster  myuser
s...@site1.com  ...
s...@site2.com  ...

To make available any of these addresses:

postmaster@[IP_ADDRESS]
postmas...@site1.com
postmas...@site2.com

> Most rulesets should finish with a relay (via?) rule from local for any.

That's the way I had it, but I couldn't send mail when preceded by "from
any to any" rule.  I know my current solution is sloppy, I'll try to
study a bit more and improve my configuration.  Thank you for your help.

> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg



Re: lock X on suspend

2017-08-15 Thread Peter Hessler
I use this, with /etc/apm/hibernate as a symlink.

$ cat /etc/apm/suspend  
#!/bin/sh

pkill -USR1 -x xidle
#EOF

and my .Xdefaults have:

XIdle.timeout: 300
XLock.grabmouse: on
XLock.mode: blank
XLock.mousemotion: on
XLock.usefirst: yes
XLock.lockdelay: 10
XLock.nice: 19
#EOF


On 2017 Aug 15 (Tue) at 09:57:39 +1000 (+1000), tomr wrote:
:I've been struggling to get X to lock by calling xlock(1) from
:/etc/apm/{hibernate,resume,standby,suspend}
:
:Haven't seen a lot of useful debug output from xlock...
:
:# xlock -verbose ; echo $?
:1
:# xlock -verbose -display :0.0 ; echo $?
:No protocol specified
:1
:#
:
:I've figured out an effective workaround I think, which is to SIGUSR1 my
:running xidle(1) process, which works. I'm just wondering if there's a
:better way to get apmd, running /etc/apm/* as root, to do the same. I
:tried calling xlock both as root and as the current X user, no
:noticeable difference in results.
:

-- 
Academic politics is the most vicious and bitter form of politics,
because the stakes are so low.
-- Wallace Sayre



Re: Mastering opensmtpd rules

2017-08-15 Thread Gilles Chehade
On Tue, Aug 15, 2017 at 01:29:16PM +0200, Walter Alejandro Iglesias wrote:
> > 
> >   accept from any for any virtual  [...]
> > 
> 
> Besides, after modifying that rule in the file I also had to change the
> order.  Since rules below the "catch-all" one never get evaluated, it
> has forcibly to be the last one:
> 
>[...]
>accept from local for local alias  deliver to mbox
>accept from local sender  for any relay
>accept from any for any virtual  deliver to mbox
># End of file
> 

Not a truth written in stone but, usually, having the "from any for any"
rule in a config file is a sign that user failed to write ruleset and is
using this as a fallback. The earliest the rules match the envelope, the
better, as it indicates that the rule was written to match precisely.

Most rulesets should finish with a relay (via?) rule from local for any.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg



Re: doas /usr/bin/vi best practice

2017-08-15 Thread Alessandro DE LAURENZIS

Hello Nam,

On Sun 13/08/2017 18:09, Nam Nguyen wrote:

> If you are trying to avoid that message:
>
> /home/just22/.exrc: not sourced: not owned by you
>
>
> It could be that you are in that in your home directory and vi is trying
> to read the local .exrc script on startup.
>
> In vi(1):
>
> exrc, ex [off]
> Read the startup files in the local directory.
>
>
> To turn off this feature, put "set noexrc" into your ~/.exrc



I was discussing this point privately with Martijn (in CC) and I ended 
up with exactly this conclusion.


I'm trying to sort things out a bit and summarize what happens, in
the hope one of the developers has the chance to have a look:


- enable the exrc option ("set exrc") in ${HOME}/.exrc
- from $HOME run: "doas vi "
- the message "/home/just22/.exrc: not sourced: not owned by you" 
 appears;
- despite the error message, the settings in $HOME/.exrc are present in 
 the vi window, so it seems that it is sourced two times: in one case 
 all goes well, in the other there is a permission problem.


Something weird is happening, but I really don't know where...


> The key is to understand what configuration files vi looks for when
> starting up. This is mentioned toward the bottom of vi(1). It seems like
> the precedence goes (from least to most): /etc/vi.exrc, ~/.exrc,
> ./.exrc.
>
> (For clarity, I am not including ~/.nexrc and ./.nexrc.)
>
> I used to have "set exrc" and would get the behavior you are describing,
> specifically while in my home directory. Disabling that feature with
> "set noexrc" removes ./.exrc from what vi scans for at startup.
>
> This is the setup I currently have. I have /etc/vi.exrc as a system-wide
> default vi configuration.
>
> In $HOME/.exrc I have general vi macros, and in $HOME/.nexrc I have
> programming language specific macros.
>
> Normally, what I will do is update ~/.exrc if I want to add some new
> features, and copy that to /etc/vi.exrc to have it available
> system-wide.
>
> Another observation I made was that because doas' default behavior is to
> reset the environment except for HOME, among others, executing `doas vi`
> gives me access to macros defined in both ~/.exrc ~/.nexrc even though I
> am root. If I change to root with `su` and then open `vi`, I only get
> access to /etc/vi.exrc and lose access to macros defined in ~/.nexrc.
>
> I have been annoyed by this problem, too, because I had to keep pressing
> enter to clear that error message, instead of the file instantaneously
> opening. I could not be bothered to investigate further until you had
> mentioned it.



--
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis



mount_nfs(8) -b option

2017-08-15 Thread Alessandro DE LAURENZIS

Dear misc@ readers,


From mount_nfs(8):


-b  If an initial attempt to contact the server fails, fork off a
child to keep trying the mount in the background.  Useful for
fstab(5), where the file system mount is not critical to
multiuser operation.

My understanding is that, in case the server is not reachable when the 
command is run (specifically, at boot, if there is a proper entry in 
fstab(5)), it will be forked and keep trying the mount operation, till 
when the server is back.


I had a look at the code and, if I am not mistaken, the process sleeps 
for 60s, then retries and so on.


Now: this is my fstab:

# Blk dev             Mount point               FS type  Mnt opts                                    Dump freq  Pass no.
#/dev/sd0a
ff014e14e96d5c40.a    /                         ffs      rw,softdep,noatime                          2          1

#/dev/sd0b
ff014e14e96d5c40.b    none                      swap     sw

#/dev/sd0d
ff014e14e96d5c40.d    /tmp                      ffs      rw,softdep,noatime,nodev,nosuid             1          2

#/dev/sd0e
ff014e14e96d5c40.e    /var                      ffs      rw,softdep,noatime,nodev,nosuid             1          2

#/dev/sd0f
ff014e14e96d5c40.f    /usr                      ffs      rw,softdep,noatime,nodev                    1          2

#/dev/sd0g
ff014e14e96d5c40.g    /usr/local                ffs      rw,softdep,noatime,nodev,wxallowed          1          2

#/dev/sd0h
ff014e14e96d5c40.h    /builds                   ffs      rw,softdep,noatime,nodev,nosuid,wxallowed   1          2

#/dev/sd0i
ff014e14e96d5c40.i    /home                     ffs      rw,softdep,noatime,nodev,nosuid,wxallowed   1          2

# Network file sharing
egeo:/vol/datavol01   /nfs/egeo/vol/datavol01   nfs      net,rw,-i,-b                                0          0
egeo:/vol/sys_backup  /nfs/egeo/vol/sys_backup  nfs      net,rw,-i,-b                                0          0
egeo:/home/export     /nfs/egeo/home            nfs      net,rw,-i,-b                                0          0

I observe two unexpected behaviors:

1) when I switch on the machine in an environment without any network 
available, I see the messages "Cannot resolve egeo..." and the boot 
process goes on; but when the server comes back (I simply make a wifi 
network available and run "doas sh /etc/netstart" on the client), 
nothing happens (I was instead expecting that the shares were mounted 
after a minute or so);


2) when I boot without any network available and removing the "-b" 
option from the client's fstab, again I see the messages "Cannot resolve 
egeo...", and again the process continues without lagging...


I probably misunderstood the "-b" meaning. Could anyone give me some 
hints? My goal is to make the NFS shares available as soon as the server 
is reachable (without using amd(8) and possibly making the entire 
process as transparent for the user as possible).


All the best

--
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis



Re: Pinebook (if anyones up for it)

2017-08-15 Thread Patrick Wildt
On Mon, Aug 14, 2017 at 10:08:13PM +0300, valerij zaporogeci wrote:
> 2017-08-14 10:21 GMT+03:00, Alex Naumov :
> > Hello,
> >
> > there is one enthusiast, who wants to make it possible:
> > http://openbsd-archive.7691.n7.nabble.com/Working-on-support-for-Pinebook-td318562.html
> >
> > I don't know the current state, but I also have a Pinebook and would
> > like to run OpenBSD on it.
> >
> >
> > Some info you can find there: https://www.openbsd.org/arm64.html
> > ==
> > The Pine64 currently requires an image based on a non-redistributable
> > boot0 file from Allwinner to be installed on the system disk. This
> > will hopefully be resolved by a replacement in a future U-Boot
> > release. The install media does not include these boot images or a
> > Pine64 device tree. For similar reasons we do not provide install
> > media for the Firefly-RK3399 either.
> > ==

Correction: The problem of the boot0 file has been solved thanks to
changes in u-boot.  Work on install media for the Pine64 is now in
progress, without unredistributable blobs.

> >
> > So, it seems that it's impossible yet.
> >
> >
> > Cheers,
> > Alex
> >
> 
> this boot0 thing is a part of the firmware. Why should its
> redistributability state influence OS support? Are x86 BIOS parts all
> redistributable?
> 
> Is it obtainable? This is that "security world" thing and it will be
> anywhere where the Security Extension is implemented. I have a Pine64+
> board and am planning to do my project on it, which is a UEFI
> implementation. x^D Will OpenBSD be happy if there were UEFI on it as
> FW and that boot0 thing is a part of the UEFI installation?
> 



Re: Question about httpd tls config

2017-08-15 Thread Andreas Bartelt

On 08/15/17 09:54, Andreas Thulin wrote:

> Hi!
>
> I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> results say that
>
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>
> is considered weak. How should I interpret that information, as you see it?
> And shouldn't default cipher strengths be >= 128? I have probably
> misunderstood something, so any pointers in the right direction would be
> lovely.
>
> Link to my test result:
> https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se



at least httpd on current doesn't include any 3DES cipher suites by 
default. I am also not aware of any TLS clients which are TLS 1.2-only 
and would prefer any 3DES cipher suite at the same time. In case your 
server is not required to be interoperable with some very old TLS 
1.0-based legacy clients, you should simply exclude 3DES cipher suites.


From a security perspective, although probably still sufficient for the 
foreseeable future, the 112-bit security level of 3DES looks like the 
weakest link in your specific setup. However, the much bigger problem is 
3DES's 64-bit block length which is inherently prone to collisions 
(so-called SWEET32 attack). In order to mitigate this problem, the 
upcoming recommendation from NIST is to frequently change the key (every 
2^20 64-bit data blocks -- see 
http://csrc.nist.gov/publications/drafts/800-67r2/sp800-67r2-draft.pdf 
). In the context of libssl, BIO_set_ssl_renegotiate_bytes() (see 
BIO_f_ssl(3)) seems to be intended for this purpose. However, it doesn't 
seem to be called anywhere in OpenBSD's src repository. In case any 
developer is reading this -- does libssl/libtls/httpd somehow ensure 
that session keys will be refreshed after a cipher suite's maximum key 
lifetime (or, alternatively, the session gets terminated)? Although the 
recommended limit on the number of TLS records, which could be handled 
with the same session key, is much higher for AES-GCM (i.e., 2^32 
records), there still is a limit.


Best regards
Andreas
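An added example, not code from this thread or from httpd/libtls, that feeds Ronan's `tls cipher "HIGH:!aNULL:!3DES"` string through Python's ssl module and audits the expanded suite list for the two properties discussed above: 3DES's 112-bit strength and 64-bit block, and the per-key data limits Andreas quotes (2^20 blocks for 3DES, 2^32 records for AES-GCM). The helper names, the constructed suite list, and the 2^14-byte maximum record size used to convert records into bytes are my assumptions.

```python
import ssl

# Assumption: a TLS record carries at most 2^14 bytes of plaintext.
TLS_MAX_RECORD = 2 ** 14


def per_key_limit_bytes(name):
    """Bytes one session key may protect before it should be refreshed,
    using the figures quoted in the post: 2^20 64-bit blocks for 3DES
    (NIST SP 800-67r2 draft) and 2^32 records for AES-GCM.  Returns None
    for suites the post gives no figure for."""
    if "DES-CBC3" in name:
        return 2 ** 20 * 8                # 8 MiB, then renegotiate or terminate
    if "GCM" in name:
        return 2 ** 32 * TLS_MAX_RECORD   # 2^46 bytes (64 TiB)
    return None


def audit(suites):
    """suites: list of dicts shaped like ssl.SSLContext.get_ciphers() output
    (at least 'name' and 'strength_bits').  Returns (name, reason) pairs for
    suites that SSL Labs flags the way the thread describes."""
    findings = []
    for s in suites:
        name = s["name"]
        bits = s.get("strength_bits")
        if "DES-CBC3" in name:
            findings.append((name, "3DES: 112-bit effective key, 64-bit block "
                                   "(SWEET32); refresh key after %d bytes"
                                   % per_key_limit_bytes(name)))
        elif bits is not None and bits < 128:
            findings.append((name, "%d-bit strength below 128" % bits))
    return findings


def audit_cipher_string(spec):
    """Expand an OpenSSL-style cipher string, such as the one httpd's
    'tls cipher' directive takes, with the local libssl and audit it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return audit(ctx.get_ciphers())


if __name__ == "__main__":
    for spec in ("HIGH:!aNULL", "HIGH:!aNULL:!3DES"):
        print(spec, "->", audit_cipher_string(spec) or "no findings")
```

Whether "HIGH:!aNULL" alone still expands to a 3DES suite depends on the libssl you run this against; with "!3DES" appended no DES-CBC3 suite can remain.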



Re: Clarification on ksh(1) nohup mechanism

2017-08-15 Thread Alessandro DE LAURENZIS

Anyone?

On Sat 12/08/2017 18:36, Alessandro DE LAURENZIS wrote:

Dear misc@ readers,

I'm lost with the subject... From the man page I see that, differently 
from standard ksh, the OpenBSD implementation by default does *not* send 
SIGHUP signals to child processes when a SIGHUP is received by the 
parent shell and that this mechanism can be changed through:


set +o nohup

So far, so good; now:

[snip]

$ sleep 30 &
[1] 46318
$ pgrep -fl sleep
46318 sleep 30

$ pgrep -fl sleep
46318 sleep 30
[snip]

As expected, the sleep process is still there. But:

[snip]

set +o nohup
$ sleep 30 &
[1] 83071
$ pgrep -fl sleep
83071 sleep 30

$ pgrep -fl sleep
83071 sleep 30
[snip]

Even after having cleared the shell option, the process is not killed.

Just in case, I also tried with:

set -o nohup

observing the same behavior.

Could you please give me some hints?

All the best

-- Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis



--
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis



Re: lock X on suspend

2017-08-15 Thread Stuart Henderson
On 2017-08-15, Jeremie Courreges-Anglas  wrote:
> On Tue, Aug 15 2017, tomr  wrote:
>
>> I've figured out an effective workaround I think, which is to SIGUSR1 my
>> running xidle(1) process, which works.
>
> That's probably less hackish and better on multi-user machines.

fwiw, I sometimes had problems with characters from my password going to
xterms when I used xidle. I don't know if it was something odd about my
setup, but something to watch out for if anyone's changing config as a
result of this thread.

I like the hackish way :)



Re: x40 users?

2017-08-15 Thread Michael Plura
On Fri, 11 Aug 2017 19:50:05 -0400, "Ted Unangst" wrote:

> anyone using an x40? what have you set machdep.apmhalt to?

Hi Ted,
I have several old ThinkPads running OpenBSD here. The X40
has the default setting:

 root@x40:~# sysctl machdep.apmhalt
 machdep.apmhalt=0

You probably want to know, if "halt -p" is working. It works. Even

 root@x40:~# sysctl machdep.apmhalt=1
 machdep.apmhalt: 0 -> 1

works. APM power down code correction isn't necessary for my X40.

 Michael


root@x40:~# dmesg
OpenBSD 6.1-current (GENERIC) #50: Fri Aug 11 21:37:40 MDT 2017
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

Re: DNSSEC solution

2017-08-15 Thread Florian Obser
On Tue, Aug 15, 2017 at 09:03:26AM +0200, Thuban wrote:
> Hi
> since we have nsd and unbound included in base, I was wondering what
> tool you use to deal with DNSSEC and sign your zone ?
> I use zkt, but your advices would be nice.
> 
> Regards
> -- 
> thuban

I use powerdns from ports as a hidden signer.

This also seems relevant:

https://dnsreactions.tumblr.com/post/162546373232/adding-useless-cron-jobs-to-an-already-fine-signer

-- 
I'm not entirely sure you are real.



Re: DNSSEC solution

2017-08-15 Thread Alarig Le Lay
On Tue 15 Aug 09:03:26 2017, Thuban wrote:
> Hi
> since we have nsd and unbound included in base, I was wondering what
> tool you use to deal with DNSSEC and sign your zone ?
> I use zkt, but your advices would be nice.
> 
> Regards
> -- 
> thuban

Hi,

You could use OpenDNSSEC. It’s written by the same authors as nsd and
unbound.
I wrote an article about this (in French, sorry, but it seems that you
speak it):
https://www.swordarmor.fr/gestion-automatique-de-dnssec-avec-opendnssec-et-nsd.html

-- 
alarig




Re: Question about httpd tls config

2017-08-15 Thread Ronan Viel
Hi,

SSL Labs doesn't like 3DES, whose key length is considered 112 bits and not 168 
bits because it may be subject to a meet-in-the-middle attack.
Remove it by adding the line below to your server definition:
tls cipher "HIGH:!aNULL:!3DES"

Ronan 

> On 15 Aug 2017 at 09:54, Andreas Thulin wrote:
> 
> Hi!
> 
> I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> results say that
> 
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> 
> is considered weak. How should I interpret that information, as you see it?
> And shouldn't default cipher strengths be >= 128? I have probably
> misunderstood something, so any pointers in the right direction would be
> lovely.
> 
> Link to my test result:
> https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se
> 
> My httpd.conf (which I'd like to keep very simple):
> # www.andreasthulin.se - HTTP
> server "www.andreasthulin.se" {
>     alias "esoteric.andreasthulin.se"
>     hsts subdomains
>     listen on * port 80
>     listen on * tls port 443
>     tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
>     tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
>     root "/htdocs/andreasthulin.se"
>     location "*.php" {
>         fastcgi socket "/run/php-fpm.sock"
>     }
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         root strip 2
>     }
>     directory { index "index.php" }
> }
> 
> BR, Andreas



Re: Mastering opensmtpd rules

2017-08-15 Thread Walter Alejandro Iglesias
> 
>   accept from any for any virtual  [...]
> 

Besides, after modifying that rule in the file I also had to change the
order.  Since rules below the "catch-all" one never get evaluated, it
has forcibly to be the last one:

   [...]
   accept from local for local alias  deliver to mbox
   accept from local sender  for any relay
   accept from any for any virtual  deliver to mbox
   # End of file



Re: Mastering opensmtpd rules

2017-08-15 Thread Walter Alejandro Iglesias
Hi Gilles,

On Tue, Aug 15, 2017 at 11:15:32AM +0200, Gilles Chehade wrote:
> On Tue, Aug 15, 2017 at 09:22:41AM +0200, Walter Alejandro Iglesias wrote:
> > Hello everyone,
> > 
> > I'd appreciate experienced opensmtpd users tell me if I'm understanding
> > well the mechanism in the following rule.
> > 
> > Currently, in my smtpd.conf I have this line:
> > 
> >   accept from any for domain  virtual  deliver to mbox
> > 
> > But since all keys in my "valiases" table are full email addresses, in
> > the form:
> > 
> >   u...@example.org  user
> > 
> > I'm thinking the use of "vdomains" table is redundant.  I could safely
> > simplify the rule to:
> > 
> >   accept from any for any virtual  deliver to mbox
> > 
> > 
> > Am I wrong in this assumption?
> >
> 
> kind of, smtpd.conf being a first match ruleset it is impossible to make
> this kind of analysis without having your other rules too.

Sorry, I should've added it's the only "from any" rule I have:


# /etc/mail/smtpd.conf

egress_int="em0"
server="server.roquesor.com"

table aliases file:/etc/mail/aliases
table valiases file:/etc/mail/valiases
table vdomains file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/server.crt"
pki $server key "/etc/ssl/private/server.key"

listen on lo0
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth <users> \
    senders <addresses> masquerade

accept from local for local alias <aliases> deliver to mbox
accept from any for domain <vdomains> virtual <valiases> deliver to mbox
accept from local sender <addresses> for any relay

# End of file


> 
> in this case, this may or may not give the desired behavior depending on
> rules following it because envelope matching happens _before_ virtual is
> even evaluated.
> 
> with:
> 
> accept from any for domain <vdomains> [...]
> 
> you will only match envelopes for the domains in <vdomains>, it allows a
> different rule to match other domains:
> 
> accept from any for domain <vdomains> [...]
> accept from any for domain foobar.org [...]
> 
> with:
> 
> accept from any for any [...]
> 
> you will match all envelopes so you're essentially creating a catch-all.
> 
> 
> virtual happens AFTER a rule has been matched so if your recipient is not
> found the RCPT will be rejected, smtpd will not search for another rule.

If I'm understanding you well then it's what I want.

My question was if the "virtual" entry in the rule is enough to reject
not matching recipients.  For example, having this rule:

  accept from any for any virtual <valiases> [...]

and a "valiases" file containing only this line:

  l...@foobar.org   user

will messages sent to e.g. l...@foobar2.org or l...@foobar3.org be
rejected?



> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg



Re: Mastering opensmtpd rules

2017-08-15 Thread Gilles Chehade
On Tue, Aug 15, 2017 at 09:22:41AM +0200, Walter Alejandro Iglesias wrote:
> Hello everyone,
> 
> I'd appreciate experienced opensmtpd users tell me if I'm understanding
> well the mechanism in the following rule.
> 
> Currently, in my smtpd.conf I have this line:
> 
>   accept from any for domain <vdomains> virtual <valiases> deliver to mbox
> 
> But since all keys in my "valiases" table are full email addresses, in
> the form:
> 
>   u...@example.org  user
> 
> I'm thinking the use of "vdomains" table is redundant.  I could safely
> simplify the rule to:
> 
>   accept from any for any virtual <valiases> deliver to mbox
> 
> 
> Am I wrong in this assumption?
>

kind of, smtpd.conf being a first match ruleset it is impossible to make
this kind of analysis without having your other rules too.

in this case, this may or may not give the desired behavior depending on
rules following it because envelope matching happens _before_ virtual is
even evaluated.

with:

accept from any for domain <vdomains> [...]

you will only match envelopes for the domains in <vdomains>, it allows a
different rule to match other domains:

accept from any for domain <vdomains> [...]
accept from any for domain foobar.org [...]

with:

accept from any for any [...]

you will match all envelopes so you're essentially creating a catch-all.


virtual happens AFTER a rule has been matched so if your recipient is not
found the RCPT will be rejected, smtpd will not search for another rule.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

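Added illustration for the three messages above (Gilles's explanation of
first-match plus late "virtual" evaluation, Walter's question about
l...@foobar2.org, and his note that the catch-all had to move to the end).
This is not smtpd's code, just a toy model of the rule selection it
describes; the table contents are made up, and the only value taken from
the thread is the server name in the posted config.

```python
"""Toy model of how the old (pre-6.4) OpenSMTPD "accept" ruleset picks a
rule, as described by Gilles in this thread:

  1. rules are tried top to bottom; the first one whose "from"/"for"
     matches the envelope wins (first match),
  2. only then is the rule's "virtual" table consulted; a recipient that
     is not in it is rejected, smtpd does not fall through to later rules.

Added illustration, not smtpd's source.  Table contents below are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed tables (assumptions, not the poster's real files).
VDOMAINS = {"foobar.org"}
VALIASES = {"user@foobar.org": "user"}     # virtual recipient -> local user
LOCAL_DOMAINS = {"localhost", "server.roquesor.com"}  # what "for local" covers


@dataclass
class Rule:
    src: str                                    # "local" or "any"
    dst: str                                    # "local", "domain" or "any"
    domains: set = field(default_factory=set)   # only used for dst == "domain"
    virtual: Optional[dict] = None              # virtual table, if the rule has one
    action: str = "deliver to mbox"

    def matches_envelope(self, from_local: bool, rcpt_domain: str) -> bool:
        """Step 1: does the envelope match?  No table lookups here."""
        if self.src == "local" and not from_local:
            return False
        if self.dst == "local":
            return rcpt_domain in LOCAL_DOMAINS
        if self.dst == "domain":
            return rcpt_domain in self.domains
        return True                             # "for any"


def route(rules, rcpt, from_local):
    """Return (index of the matching rule, resulting action or rejection)."""
    rcpt = rcpt.lower()
    rcpt_domain = rcpt.rsplit("@", 1)[-1]
    for i, rule in enumerate(rules):
        if not rule.matches_envelope(from_local, rcpt_domain):
            continue                            # envelope mismatch: next rule
        # Step 2: the rule is already chosen; virtual is evaluated only now
        # and a miss is a rejection, never a fall-through.
        if rule.virtual is not None and rcpt not in rule.virtual:
            return i, "reject: no such virtual recipient"
        return i, rule.action
    return None, "reject: no matching rule"


# Ruleset as originally posted: domain-restricted virtual rule, relay last.
RULES_DOMAIN = [
    Rule("local", "local"),
    Rule("any", "domain", domains=VDOMAINS, virtual=VALIASES),
    Rule("local", "any", action="relay"),
]

# Same, but with the "for any virtual" catch-all in the middle.
RULES_CATCHALL_FIRST = [
    Rule("local", "local"),
    Rule("any", "any", virtual=VALIASES),
    Rule("local", "any", action="relay"),
]

# The reordered ruleset from the follow-up: the catch-all is last.
RULES_CATCHALL_LAST = [
    Rule("local", "local"),
    Rule("local", "any", action="relay"),
    Rule("any", "any", virtual=VALIASES),
]


if __name__ == "__main__":
    cases = [
        ("user@foobar.org", False),      # virtual recipient, remote sender
        ("user@foobar2.org", False),     # unknown domain, remote sender
        ("someone@example.com", True),   # outgoing mail from a local sender
    ]
    for name, rules in (("for domain <vdomains>", RULES_DOMAIN),
                        ("catch-all first", RULES_CATCHALL_FIRST),
                        ("catch-all last", RULES_CATCHALL_LAST)):
        print(name)
        for rcpt, local in cases:
            print("  %-22s from_local=%-5s -> rule %s: %s"
                  % ((rcpt, local) + route(rules, rcpt, local)))
```

The two rejections differ: with "for domain <vdomains>" an unknown domain
matches no rule at all, while with "for any virtual <valiases>" the rule
matches and the virtual miss rejects.  The second ruleset also shows why
the catch-all had to move: a local sender's outgoing mail hits the
catch-all, fails the virtual lookup and never reaches the relay rule.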


Question about httpd tls config

2017-08-15 Thread Andreas Thulin
Hi!

I run httpd on 6.1-stable (thanks to all of you who make that possible!),
with a pretty vanilla tls setup. When testing the server on ssllabs.com,
results say that

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

is considered weak. How should I interpret that information, as you see it?
And shouldn't default cipher strengths be >= 128? I have probably
misunderstood something, so any pointers in the right direction would be
lovely.

Link to my test result:
https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se

My httpd.conf (which I'd like to keep very simple):
# www.andreasthulin.se - HTTP
server "www.andreasthulin.se" {
    alias "esoteric.andreasthulin.se"
    hsts subdomains
    listen on * port 80
    listen on * tls port 443
    tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
    tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
    root "/htdocs/andreasthulin.se"
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
    directory { index "index.php" }
}

BR, Andreas
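
Added note, not part of the thread: the 3DES suite comes from httpd's
default cipher setting.  httpd.conf(5) documents the tls "ciphers" option
with a default of "compat"; libtls's compat list is HIGH:!aNULL, and the
LibreSSL in 6.1 still keeps DES-CBC3-SHA in HIGH, which is the
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA suite SSL Labs flags.  Setting ciphers
to "secure" selects libtls's default set (TLSv1.2 AEAD suites with ECDHE
or DHE key exchange), which has no 3DES.  The fragment below is the posted
config with only that change; it is an example, not something the poster
ran, and hostnames and paths are copied from the posted config.

```
# www.andreasthulin.se - HTTP
server "www.andreasthulin.se" {
    alias "esoteric.andreasthulin.se"
    hsts subdomains
    listen on * port 80
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
        key "/etc/ssl/private/esoteric.andreasthulin.se.key"
        # default is "compat" (HIGH:!aNULL, still contains DES-CBC3-SHA);
        # "secure" is the libtls default set, AEAD suites only
        ciphers "secure"
    }
    root "/htdocs/andreasthulin.se"
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
    directory { index "index.php" }
}
```

After "rcctl restart httpd", a handshake forced to the old suite with
"openssl s_client -connect esoteric.andreasthulin.se:443 -cipher
DES-CBC3-SHA" should fail, and the SSL Labs report should no longer list
it.  "secure" also drops the non-AEAD CBC suites, so very old clients
(the reason "compat" is the default) will no longer connect.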


Mastering opensmtpd rules

2017-08-15 Thread Walter Alejandro Iglesias
Hello everyone,

I'd appreciate experienced opensmtpd users tell me if I'm understanding
well the mechanism in the following rule.

Currently, in my smtpd.conf I have this line:

  accept from any for domain <vdomains> virtual <valiases> deliver to mbox

But since all keys in my "valiases" table are full email addresses, in
the form:

  u...@example.org  user

I'm thinking the use of "vdomains" table is redundant.  I could safely
simplify the rule to:

  accept from any for any virtual <valiases> deliver to mbox


Am I wrong in this assumption?



DNSSEC solution

2017-08-15 Thread Thuban
Hi
since we have nsd and unbound included in base, I was wondering what
tool you use to deal with DNSSEC and sign your zone ?
I use zkt, but your advices would be nice.

Regards
-- 
thuban

