Re: Guidance for booting NanoPi R6S?
On Tue, 16 Apr 2024, Stephan Somogyi wrote: > Given that it appears that R6S > > https://www.mail-archive.com/ports@openbsd.org/msg123717.html > > and R6C support > > https://www.mail-archive.com/ports@openbsd.org/msg124138.html > > are in the ports version of uboot, I was interested in trying to make it > work. Unfortunately, I'm not having any luck via the trial and error method, > so was hoping someone could provide pointers. The R6S commit suggests > erasing eMMC, but I haven't yet worked out how to do that. I don't have a R6P but I am interested in how to get ARM devices that need u-boot going. It looks like a few devices have explicit support in sysutils/uboot but there's a bit of documentation gap on how to actually use this to get a system booting. This probably also applies to RISC-V boards, though they are less common. -d
Re: ssh: probable bug in ssh -current
On Fri, 31 Jan 2020, Aham Brahmasmi wrote: > Bug: > When the client connects to the server, they use the ed25519-cert to > establish the connection. After the ssh session is established, the > server sends the "hostkeys...@openssh.com" message with the server's > ed25519 host public key. > > This results in the client looping over the keys in known hosts file, > and deciding that the @cert-authority host certificate authority public > key is "deprecated", because it was not sent by the server [1]. The > client then informs the user: > " > The server has updated its host keys. > These changes were verified by the server's existing trusted key. > Deprecating obsolete hostkey: ED25519 SHA256: > Accept updated hostkeys? (yes/no): > " Could you plesse try this patch? Index: clientloop.c === RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v retrieving revision 1.338 diff -u -p -r1.338 clientloop.c --- clientloop.c30 Jan 2020 07:20:57 - 1.338 +++ clientloop.c3 Feb 2020 02:27:18 - @@ -1856,13 +1859,25 @@ hostkeys_find(struct hostkey_foreach_lin /* Mark off keys we've already seen for this host */ for (i = 0; i < ctx->nkeys; i++) { - if (sshkey_equal(l->key, ctx->keys[i])) { + if ((l->marker & MRK_CA) != 0) { + if (!sshkey_is_cert(ctx->keys[i])) + continue; + if (!sshkey_equal(ctx->keys[i]->cert->signature_key, + l->key)) + continue; + debug3("%s: found %s CA key at %s:%ld", __func__, + sshkey_ssh_name(ctx->keys[i]), l->path, l->linenum); + ctx->keys_seen[i] = 1; + return 0; + } else if (sshkey_equal(l->key, ctx->keys[i])) { debug3("%s: found %s key at %s:%ld", __func__, sshkey_ssh_name(ctx->keys[i]), l->path, l->linenum); ctx->keys_seen[i] = 1; return 0; } } + if ((l->marker & MRK_REVOKE) != 0) + return 0; /* This line contained a key that not offered by the server */ debug3("%s: deprecated %s key at %s:%ld", __func__, sshkey_ssh_name(l->key), l->path, l->linenum); @@ -1961,10 +1976,11 @@ update_known_hosts(struct hostkeys_updat if (stat(options.user_hostfiles[i], ) != 0) { if (errno == ENOENT) { debug("%s: known hosts file %s does not exist", - __func__, strerror(errno)); + __func__, options.user_hostfiles[i]); } else { - error("%s: known hosts file %s inaccessible", - __func__, strerror(errno)); + error("%s: known hosts file %s inaccessible: " + "%s", __func__, options.user_hostfiles[i], + strerror(errno)); } continue; }
Re: [SUSPECTED SPAM] SSH disconnects right after accepting
On Fri, 8 Feb 2019, Lars Bonnesen wrote: > OpenBSD 6.4 > > Putty just reports "Authenticating with public key "XXX" from agent" and > then I am disconnected. If I run sshd with -ddd, I get the following > output. I can't seem to get any error, and therefor I can't tell what is > wrong. Anyone has any idea? Thanks Darren has been unable to replicate this problem using PuTTY as a client. Could you please try to see whether sshd is dumping core? You can follow the instructions at the end of "man sysctl" - search for "nosuidcoredump" to enable coredumps for the sshd process. Once that is done, you can try to reproduce your problem and then check the /var/crash/sshd directory. -d
pf: matching untagged traffic
Hi, Is it possible for pf to match traffic that has not been tagged? It seems possible to match a tag, or traffic that lacks a particular tag but I can't see any way to match traffic that has no tag at all? Any clues? Context: I'd like to tag at input particular traffic for specific outbound processing but have a catch-all for everything else. -d
Re: OpenSSH 7.7 default ciphers
Thanks - I just committed a fix (having missed that Otto already included a patch beyond the bottom of my xterm -- sorry) On Thu, 5 Apr 2018, Otto Moerbeek wrote: > On Thu, Apr 05, 2018 at 01:51:51PM +0200, Renaud Allard wrote: > > > Hello, > > > > The man page for openssh 7.7 for Ciphers specifications mentions: > > > > The default is: > > chacha20-poly1...@openssh.com, > > aes128-ctr,aes192-ctr,aes256-ctr, > > aes128-...@openssh.com,aes256-...@openssh.com, > > aes128-cbc,aes192-cbc,aes256-cbc > > > > > > However, ssh doesn't use the last line in that list: > > $ ssh -G 127.0.0.1 |grep ciphers > > ciphers > > chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com > > > > The changelog doesn't mention any change in the ciphers either. > > > > > > > > Regards > > > > The man ssh_config page is wrong (sshd_config is right). > > -Otto > > Index: ssh_config.5 > === > RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v > retrieving revision 1.268 > diff -u -p -r1.268 ssh_config.5 > --- ssh_config.5 23 Feb 2018 07:38:09 - 1.268 > +++ ssh_config.5 5 Apr 2018 12:08:36 - > @@ -425,8 +425,7 @@ The default is: > .Bd -literal -offset indent > chacha20-poly1...@openssh.com, > aes128-ctr,aes192-ctr,aes256-ctr, > -aes128-...@openssh.com,aes256-...@openssh.com, > -aes128-cbc,aes192-cbc,aes256-cbc > +aes128-...@openssh.com,aes256-...@openssh.com > .Ed > .Pp > The list of available ciphers may also be obtained using >
Re: openssh
On Tue, 1 Jul 2014, Gregory Edigarov wrote: Hello, Just out for curiosity. what is the fastest and lightest in cpu terms algorithm in ssh? In recent OpenSSH, chacha20-poly1...@openssh.com is what you want. -d
Re: ED25519 SSHFP in OpenSSH IETF
On Wed, 9 Apr 2014, Loganaden Velvindron wrote: Maybe the OpenSSH community needs to get involved, so that we can get work done :-) ? I think getting involved will be a matter of us acting unilaterally and just committing support for the new SSHFP code point. -d
Re: snapshot ssh: ChrootDirectory sftp Connection closed
On Wed, 17 Apr 2013, Darren Tucker wrote: On Tue, Apr 16, 2013 at 12:25:54PM +0800, f5b wrote: the user share can not sftp to the server, but same config in Mar 1 snapshot, sftp is ok. it's caused by this change (feed it to patch -R to revert it), and it's because the uid has already been set at this point. I haven't figured out the right way to fix it, though. For now, I think we should revert this. djm? ok -d
Re: vmmap: bad software everywhere
On Wed, 1 Jun 2011, Ariane van der Steldt wrote: The recent trend of forking another process for a tab instead of a monolithic single process for the whole browser is a way of extending the time required to clean up this mess? Or there is no relation between them? I cannot look into the heads of the chrome devs. There's no technical reason why the tabs can't run in the same process. No technical reason if you exclude isolating mutually-distrusting data origins from each other. It is similar to the privilege separation we do in most OpenBSD network-facing daemons - it is pretty much the only way to do sandboxing on Unix. -d
Re: Should the ecdsa fingerprint always and only be offered?
On Tue, 17 May 2011, Kevin Chadwick wrote: If the client has no known_hosts files and only an RSA key. Only the ecdsa fingerprint is given to be confirmed before connection. Should administrators make sure the ecdsa fingerprint is always given out or posted even to already issued RSA key users or should the RSA fingerprint or the fingerprint matching the key to be used be shown in the ssh dialog? If you are using recent OpenSSH (5.7+) then ssh will automatically prefer known host keys when connecting, so you should never be asked to learn a new hostkey type unless the old ones are no longer offered. If you prefer to use ECDSA keys, then you may like to copy them manually from the server or use ssh-keyscan (and check the fingerprints). -d
Re: Linux-2.6.36-libre: turning Linux's Free Bait into Free Software
obvious troll is obvious. On Tue, 9 Nov 2010, Gjones wrote: Linux-2.6.36-libre: turning Linux's Free Bait into Free Software http://www.fsfla.org/svnwiki/anuncio/2010-11-Linux-2.6.36-libre-debait.en
OpenBSD-capable, fanless, diskful computer with ECC RAM
Hi, Can anyone recommend a small, fanless computer that will accept a HD (perhaps a 2.5 drive) that uses ECC RAM? Needless to say, it must run OpenBSD. Being 64 bit, having accellerated crypto and/or supporting multiple drives would be bonus points, but are not required. -d
Re: undeadly article
On Mon, 16 Aug 2010, Mihai Popescu B.S. wrote: Hello, I have read the undeadly.org article about how to play with airport security. I don't know who is the guy acting like this on an airport, but my brain triggered something I read in the past, about a well known guy from open source who was throw out from an airplane by the security team. Just my thought, maybe not related to misc ... but I think this story is not in the line of good old undeadly. What? I think you are blaming the victim here. The perpetrators are the pinheads who think laptops are dangerous goods and people who carry more than one are probable terrorists. -d
Re: Same shit all over again
On Sun, 15 Aug 2010, David Hill wrote: Well, tinyurl redirects to my box which redirects to trollaxer. Here is the culprit log for falling for such a silly trick. You should have finished the job by redirecting to the goatse.cx guy :)
Re: PTY allocation error
On Sun, 11 Jul 2010, Peter Bako wrote: I'm setting up (well, trying to I guess :-) ) a read-only OpenBSD system to run off a small CF card. Never having done this before, I found an excellent article written by Daniele Mazzocchio (http://www.kernel-panic.it/openbsd/embedded/) to use as my guide. I had a few minor issues crop up, but have been able to work my way through them. However I finally got to one that I am stumped with. Basically once I boot of my new image, I am able to log into it on the serial console and things look ok. I can also ping the IP address of the unit, but when I try to SSH into it I get the following message: Server refused to allocate pty I've checked over my setup and all seems fine as per the instructions. I have all the pty* devices from /dev (which is RO) linked to /var/run/dev (which is in memory), so the problem cannot be that these devices are not writeable. (Actually /var is linked to /tmp/var, where the /tmp directory is in memory and populated by the image from a directory called /template.) Unfortunately this goes a bit beyond my current skill set, so if anyone has any suggestions I really would appreciate the help. Since you are have broken your system by running something very non standard you get the pleasure of keeping both broken pieces :) That being said, you should start your debugging with sshd. Follow the trail from src/usr.bin/ssh/session.c:session_pty_req(). Running sshd in debug mode (sshd -ddd), ktrace and adding a few debug(XXX) logs in there can be enormously illuminating. -d
Re: tcpdump no output on stdout
On Thu, 8 Jul 2010, Marian Hettwer wrote: Hi all, I'm experiencing a rather strang behaviour with tcpdump on OpenBSD 4.7 i386 running on a vmware esx vsphere 4. My tcpdump gives no output at all on stdout, but if I use the very same command with -w foobar it actually does dump packages. I know that esx server are probably not supported, however, does anybody know a work around this behavior? Or out of curiosity, where is this behaviour coming from? See below: [r...@openlb38-1] ~ # tcpdump tcpdump: listening on em0, link-type EN10MB ^C 198 packets received by filter 0 packets dropped by kernel aah, 198 packets I couldn't see... hm hm... Could be blocked on looking up hostnames. Try tcpdump -n
Re: Why I left OpenBSD
On Thu, 10 Jun 2010, Samuel Baldwin wrote: Those who taste the de Raadt wrath, however, always run in the end. A friend of mine once incurred his ire by asking the wrong question at the wrong time, and Theo de Raadt hacked his router and remotely remapped his keyboard! hahahahahaha, slander? Hilarious either way. Please, someone do an image macro. I'm in ur router, remappin' yar keyz
Re: Chromium port [?]
On Wed, 9 Dec 2009, Andrej Elizarov wrote: Just wonder, does anyone know about Chromium browser port for openbsd? I had tried it on Windows box and seems it's much faster than FF (in fact, not Chromium - Chrome based on sources' one). And google sad that it's ported on freebsd and there floating around patches specially for openbsd ( like this http://osdir.com/ml/chromium-reviews/2009-11/msg06625.html). If Chromium performance on obsd will be good, it can be alternative to lazy firefox. If you look carefully at that patch, you will notice that the author is an OpenBSD developer (pvalchev). I'm sure he will announce something when he is ready. -d
Re: apachectl and/or /etc/rc
why not just fix mod_php? (or avoid it altogether) On Sat, 26 Sep 2009, frantisek holop wrote: hi there, given that apache is often re-started using apachectl and that apache/mod_php leaks environment variables and that mostly sudo is used in this process as well, i thought it would make good security sense to start httpd with env -i so that the admin's environment doing the restart is not exposed for all the world to see... i am not going to restart my production machine for this to make sure, but i guess root's environment is also leaked when starting at bootup from /etc/rc. --- /usr/sbin/apachectl Sat Sep 26 21:04:28 2009 +++ apachectl Sat Sep 26 21:06:57 2009 @@ -25,7 +25,7 @@ PIDFILE=/var/www/logs/httpd.pid # # the path to your httpd binary, including options if necessary -HTTPD=/usr/sbin/httpd +HTTPD=/usr/bin/env -i /usr/sbin/httpd # # a command that outputs a formatted text version of the HTML at the # url given on the command line. Designed for lynx, however other arguably, there could be some important env variables used for modifying apache/php's behaviour but probably the admin is aware of these and handles them accordingly, but i think the default should be more conservative. -f -- i promise not to let it happen again - until next time.
Re: encryption
On Wed, 26 Aug 2009, My List Mail wrote: Been waiting for a while to see some current encryption added to openbsd. [...] I realise that I'm probably replying to a troll, but on the small chance that you are actually serious: please spend some of the effort you put in to ranting into reading the release notes and/or manual pages. You might find yourself pleasantly surprised. -d
Re: tmux vs screen questions
On Mon, 13 Jul 2009, Nicholas Marriott wrote: What does echo $TERM show before you attach tmux? again, this seems to be a putty specific issue. no problems whatsoever on local terminal. TERM is set to xterm before i run tmux, then it changes to screen. The xterm terminal description does not support colour so tmux does not attempt to use it, use a terminal description that does have it such as xterm-color or xterm-xfree86. This causes problems fora lot of people, I don't think there are any bw xterms out there and recent ncurses does have setaf/setab in its xterm description... so I don't see a reason we shouldn't just have a quirk to override it. Could you try this please? Shouldn't we consider updating our terminfo/termcap too? -d
Re: man softraid improvement
On Tue, 28 Apr 2009, Sebastian Rother wrote: it is not a blanket thing - not all archs use it. the disklabel stuff well, we expect people to know how to use disklabel anyway. if they don;t, they can read the man page. The method I descriped is NOT mentioned anywhere. People have to assume that softraid just works with WHOLE disks. People who _don't understand disklabel_ assume that softraid just works with whole disks. It is quite clear what is going on if you get disklabel. -d
Re: Padlock accelerated SHA on Via C7
On Tue, 14 Apr 2009, Theo de Raadt wrote: Has anybody been able to get Padlock accelerated SHA1 working on a C7 or is this not currently possible? It isn't worth using it. The overhead is too high. Specifically: Via botched the implementation - their instruction set does not allow the data to be hashed to be fed in multiple chunks, which is how most applications work. There are ways around this but they are too ugly to mention. -d
Re: European orders
On Thu, 9 Apr 2009, ropers wrote: [citation needed] http://bit.ly/3dMFBs
Re: OpenSSH release CDS
On Wed, 11 Mar 2009, patric conant wrote: I've repeatedly been in a position where we weren't making direct use of OpenBSD, but were using OpenSSH, and if there were a recurring cost associated with it (like purchasing a semi-annual CD) it would have been relatively painless to get a rubber stamp approval of such a cost, whereas purchasing an OS we weren't using would've been a much more difficult sell. Since there is already regular ssh art, (that could be used for the next several releases), how much further effort/money would it take to release OpenSSH on CD? Also of the people on misc@ how many would think they'd have an easier time convincing bosses/clients/others to buy a single CD for say $25 then they would getting an OS purchased. Just a thought, for these trying economic times and whatnot. Thanks for the voice of support, but I think that most people get OpenSSH from their OS vendor. Furthermore, for a CD to be worthwhile, we would need to provide binary releases for a number of operating systems. The infrastructure and effort required to build and verify binary releases across even a few of the popular platforms (also: how do we choose? whatever we do, we would offend someone) would make a slightly onerous release process a complete impossibility given our current pool of active developers -- like building OpenBSD release CDs, it isn't something that can be outsourced to the community. The best way to support OpenSSH is through donations to OpenBSD. For those who are concerned about the money so donated not actually benfitting OpenSSH, I offer the number of commits to OpenSSH made at the last two OpenBSD hackathons (n2k8 and c2k8) as proof that such donations do improve OpenSSH. -d
Re: openssl freezes ssh and entire inet service
On Sun, 1 Mar 2009, Vivek Ayer wrote: Hi, I'm not sure why it happens, but I tried running: openssl genrsa -out /etc/ssl/private/server.key 1024 over an ssh connection to a web server that I wanted to setup as https. Believe it or not, it froze while it was running openssl. Now I can't ping it or do anything. Could this be because http was already running on the machine? Do I have to disable http before I setup SSL. I still can't understand why it would kill the entire inet service. I'm not near the machine right now, but if there's a way to reboot the machine, how would I go about it considering ssh is completely dead. Is openssl not supposed to be run over ssh? You machine probably crashed while you were running openssl. In all likelihood, this has zero to do with you running it over ssh. When you go to reboot it, see if it has paniced and capture the panic, trace and ps output via a serial console, or a digital camera if you don't have serial hooked up. -d
Re: openssl freezes ssh and entire inet service
On Sun, 1 Mar 2009, Vivek Ayer wrote: why would this occur? Without you looking at the console, who knows? I thought openssl was stable. It is. It almost certainly isn't OpenSSL that has crashed, but rather your host. Does it have to do with the key length? No. -d
Re: ssh VisualHostKey
On Wed, 4 Feb 2009, Chris wrote: I've recently enabled VisualHostKey yes in my .ssh/config file. I would like to hear from people who are using it and how they are finding it useful. the undead orc hits, you die.
Re: Python in base?
On Sat, 27 Dec 2008, Jordi Espasa Clofent wrote: Hi misc@, ?Are there some plans to include python in base system (as Perl is at present)? No. We only need one such language in base and perl got there first. -d
Re: package integrity, security and checks. .... where are they ?
On Sun, 14 Dec 2008, spamtester spamtester wrote: It does not matter what faith one places in the pki or webs of trust (gpg/pgp style). Most linux distributions have had their packages signed for years (for example at ruxcon - an australian security conference a large number of participants had openbsd t-shirts stickers etc - if one had a sig / link to a chain it could have been spread / if it was on a cd -- key could be compared to what others had) . Why not openbsd ? Because nobody has implemented it yet. This seems trivial to me. Excellent! We look forward to your patches. -d
Re: offtopic - postfix book/doc recommendation
On Sat, 6 Dec 2008, Gilles Chehade wrote: On Sun, Dec 07, 2008 at 12:30:32AM +0100, Jesus Sanchez wrote: I want to start learning about postfix running on OpenBSD for a serious pourpose than home services. Think I'm not familiar with the mail servers concepts and I'm starting from cero knowledge about the issue. wich book or documentation do you recommend me? Actually, postfix's configuration file are pretty well-documented and do not require a long learning curve. You can basically start from the ones provided and build your custom configuration by reading the comments on top of each directive. I'd agree with this, having set up some fairly complex Postfix configurations and needing anything more than the Postfix website and Google. -d
Re: Ellipitc Curves: off-topic
On Thu, 27 Nov 2008, John Nietzsche wrote: Does anybody know a tutorial on implementing such curves in ANSI C? src/sbin/isakmpd/math_ec2n.{c,h}
Re: Multiple ssl servers on one external IP by using internal addresses?
On Sat, 8 Nov 2008, Jeff Ross wrote: My ssl hosts work.openvistas.net and cvs.work.openvistas.net resolve to the same IP address as everything else from the internet, but to different internal IP addresses beginning at 10.30.50.1 with a split horizon DNS setup. These two use two different self-signed certs, each with the correct server name in the cert. You can't do this reliably without TLS SNI (Server Name Identification): http://en.wikipedia.org/wiki/Server_Name_Indication Basically, without SNI the TLS connection is established and the server certificate is sent before the client sends the hostname. The server therefore has no way of knowing which certificate to send to the client. SNI allows the client to request a specific host as part of the TLS handshake, so the server can select a certificate to send. Source code to implement SNI is present in OpenBSD -current's OpenSSL but is disabled. I'll look at turning it on when OpenSSL makes a stable release with it enabled. SNI in OpenSSL is only one prerequisite though, it also need to be supported by Apache or whatever HTTP server you are using. The in-tree Apache doesn't support SNI, but perhaps apache2 in ports does. Another problem is that only relatively new browsers support SNI. Firefox 3 does, but I'm not sure about IE. Non-webkit mobile browsers are not likely to support it at all. If you care about supporting a diverse range of clients then SNI may not help you. -d
Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?
no On Sat, 25 Oct 2008, Neko wrote: so there can be an end to this retard cant write on the file system bs http://www.ntfs-3g.org/ so will it be merged in the next obsd release ? this is the future. people use multiple os on their machine, not just vm , they will local install too, so action should be taken to have a filesystem stream that can be viewed by anyone, neko
Re: eSATA support?
On Sun, 21 Sep 2008, Brian wrote: I'm thinking about picking up an eSATA pci card and backing up my data to an external hd over eSATA using rsync. Is this supported? eSATA is a conector, cable and electrical specification and otherwise is identical to regular SATA. If the particular adapter's chipset you have chosen is supported for SATA then it will work for eSATA. -d
Re: Patching a SSH 'Weakness'
On Thu, 11 Sep 2008, [EMAIL PROTECTED] wrote: Just off the top of my head (I have to check the SSH protocol yet): Why not encipher all accumulated keystrokes up to the Enter key as a block send them instead of sending each keystroke as it is typed? This shrouds the typist's characteristics. Then we wouldn't be able to play nethack over ssh. In addition, if the cipher is a block cipher, padding is added to make the number of bits a multiple of the block size. Mandatory padding with a nonce may help to shroud the number of keystrokes. We already pad, and add extra random padding when echo is off - which is when a user is most likely to be typing in a password. The drawback is that the padding part could mean that we are no longer compatible with the SSH protocol. Actually we are. -d
Re: Patching a SSH 'Weakness'
On Fri, 12 Sep 2008, johan beisser wrote: On Sep 12, 2008, at 3:12 PM, Philip Guenther wrote: On Fri, Sep 12, 2008 at 2:05 PM, johan beisser [EMAIL PROTECTED] wrote: This about security. Being realistic means *not* being optimistic that extracting data will be too hard, too unlikely, only applicable to a subset of people [and certainly not me], etc. Have you not read enough papers that start with something like It was previously thought that attack [foo] was impractical for the following reasons: [blah blah blah]. This paper demonstrates practical circumstances under which those reasons fail or don't apply and the attack succeeds? Sure, against SSH1. http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis/ The ACM paper was also published in 2001, same time frame. There's more padding (see the TCPDump output I provided) in SSH2. Also, take a look at what Damien Miller responded with: OpenSSH is applying extra padding. SSH2 is the default these days. I won't say it's impossible to do keystroke analysis, it's just going to be difficult to know if what two letters were typed and when. Frankly, I've given you ssh2 packet dump (i'll happily provide raw tcpdump output, if you want it). There is no reason to believe that keystroke timing attacks will be impossible against protocol 2 where they work against protocol 1. They might just be a little more tricky. Pointing at the paper and discounting it because it is ssh1 only is sticking your head in the sand. It is usually easier to research attacks on simpler protocols and work up to more complicated ones later. -d
Re: Patching a SSH 'Weakness'
On Wed, 10 Sep 2008, STeve Andre' wrote: On Wednesday 10 September 2008 15:58:03 Kevin Neff wrote: Hi, Some secure protocols like SSH send encrypted keystrokes as they're typed. By doing timing analysis you can figure out which keys the user probably typed (keys that are physically close together on a keyboard can be typed faster). A careful analysis can reveal the length of passwords and probably some of password itself. This is nearly complete bullshit. For any individual, learning their characteristics could give rise to being able to know a great deal about what they are doing, but hardly for the general case. These two sentences contradict one another.
Re: Patching a SSH 'Weakness'
On Wed, 10 Sep 2008, Kevin Neff wrote: Hi, Some secure protocols like SSH send encrypted keystrokes as they're typed. By doing timing analysis you can figure out which keys the user probably typed (keys that are physically close together on a keyboard can be typed faster). A careful analysis can reveal the length of passwords and probably some of password itself. The paper: http://portal.acm.org/citation.cfm? id=1267612.1267637coll=Portaldl=GUIDECFID=1943417C FTOKEN=28290455 I'm seriously considering implementing a fix for this weakness. Is there any interest in incorporating this sort of thing into openBSD? Be warned: implementing any sort of time-based events in the current SSH mainloop is annoyingly difficult. If you can do it cleanly, then we are interested. -d
Re: Does this look like SSP to you? (Vista)
On Thu, 14 Aug 2008, Sunnz wrote: Hi, I am just curious, have Vista implemented something similar to Stack-Smashing Protector as in OpenBSD's GCC? http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html I don't really know that much, so I am just asking here... if those things can be bypassed, would a same type of attack be threatening to OpenBSD systems? The actual paper is here and it is very good - well worth reading for anyone interested in this stuff: http://taossa.com/archive/bh08sotirovdowd.pdf The described stack protection is quite Propolice-like and I think that a similar attack would work on OpenBSD: corrupt a value in the stack, use it to gain control in the executing function and its antecedents but never return as that would activate the stack canary checks. For this to work, an attacker would need to find 1) a function with a stack-based overflow that 2) has a stack-allocated variable that is amenable to their purpose. I'm sure these exist, but I have no idea how common they are. Note that the attacks in the paper make use of the stack layout used by C++ method calls which makes things quite a bit for the attacker. The thing that struck me most from the paper was how close Microsoft has come to implementing a good set of protections and how they have managed to screw them up by failing to turn them on everywhere. What use if DEP or DLL load address randomisation if it isn't turned on everywhere? What is the point of those (really good) heap consistency checks if you don't abort() when they fail? -d
Re: sub-notebook computers
On Fri, 1 Aug 2008, Anathae Townsend wrote: Besides the ASUS EEEPCs, has anyone tried to get other sub-notebooks working under OpenBSD? http://openbsd.org/zaurus.html -d
Re: free plot software
On Sat, 2 Aug 2008, Pau wrote: PS: Still, a BSD-licensed programme like R or gnuplot seems not to exist, right? It isn't exactly a plotting program, but ports/graphics/py-matplotlib is BSD licensed and has a matlab-like interface. Then again I don't consider gnuplot's license to be particularly pernicious, especially as someone who just wants to use it and has no intention of hacking it. -d
Re: Performance issues with the DNS patch?
On Sat, 26 Jul 2008, J Duke wrote: I realize that the whole fix to this DNS cache poisoning is to have random ports and random query ids, and that generating good, strong, random numbers costs cpu cycles and time. Has anyone else noticed the performance hit? Anything that I can do? Particularly I am open to any suggestions on commands that would help identify if that is really the problem, systat, vmstat, etc. The additional overhead in the fixed bind is due to the need to manange lots of open sockets. Since bind now randomises source ports, it must open, bind and subsequently manage a UDP socket for each query whereas before it only needed a single socket for its single query port. Future releases of bind will reduce this overhead a little, but a good portion of it is intrinsic. That being said, you probably shouldn't be getting failed queries. Make sure that: 1) You aren't running out of file descriptors in bind (check logs and ulimits against fstat -p [named-pid]) 2) Your queries are not being firewalled. There are lots of firewalls that implement restrictions on high-numbered UDP ports. If you have such a firewall then you will cause queries to fail and be retried, which will cause additional load on your name server. -current tries hard to avoid well-known ports, but we can't predict every firewall configuration. -d
Re: bad tcp cksum and odd delay to close a connection on OpenBSD?
On Sat, 26 Jul 2008, Frank Denis wrote: Le Fri, Jul 25, 2008 at 05:54:28PM -0600, Daniel Melameth ecrivait : Can't reproduce on a 4.2 -stable box with fxp NICs: Hello Daniel, Try to with net.inet.tcp.ecn=1 This is ECN blackhole detection at work, making a 2nd ECN-less connection attempt. Just turn ECN off, I don't think anything uses it. -d
Re: failed make on openssh 5.1
I have just updated the patch, please try again once it has hit the ftp server: -rw-r--r-- 1 djm djm 6411 Jul 23 23:31 openbsd42_5.1.patch -rw-r--r-- 1 djm djm 6144 Jul 23 23:31 openbsd43_5.1.patch SHA1 (openbsd42_5.1.patch) = 7ed266a177d09aa67b120b44522f92e1201d34ac SHA1 (openbsd43_5.1.patch) = d45b51c446f08e2f1356ef77c4d004814d27c572 Sorry for the confusion. -d On Wed, 23 Jul 2008, Renaud Allard wrote: Damien Miller wrote: On Tue, 22 Jul 2008, Joel Dinel wrote: To answer my own question, no sooner had I hit 'send' than I noticed the patch number indicated 4.3. I have downloaded OpenSSH 5.0, the appropriate 4.1 - 5.0 patch and all is well. Well I am getting the exact same compilation error as you, on a fresh OpenBSD 4.3 box, when tying to compile OpenSSH 5.1 with the patch for 4.3. cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o -L/usr/src/usr.bin/ssh/ssh/../lib/obj -lssh -lgssapi -lkrb5 -lcrypto -lz -ldes /usr/src/usr.bin/ssh/ssh/../lib/obj/libssh.a(dh.o)(.text+0x438): In function `choose_dh': /usr/src/usr.bin/ssh/dh.c:166: undefined reference to `arc4random_uniform' collect2: ld returned 1 exit status *** Error code 1 Oops, I'll prepare a new openssh43_5.1.patch shortly. I don't know if the new patch is already online but I tried with a fresh new 4.3 install from CDs and I get another error due to the fact sys/statvfs.h does not exist. /usr/src/usr.bin/ssh/sftp-server.c:23:25: sys/statvfs.h: No such file or directory /usr/src/usr.bin/ssh/sftp-server.c:479: warning: `struct statvfs' declared inside parameter list /usr/src/usr.bin/ssh/sftp-server.c:479: warning: its scope is only this definition or declaration, which is probably not what you want /usr/src/usr.bin/ssh/sftp-server.c: In function `send_statvfs': /usr/src/usr.bin/ssh/sftp-server.c:484: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:484: error: `ST_RDONLY' undeclared (first use in this function) /usr/src/usr.bin/ssh/sftp-server.c:484: error: (Each undeclared identifier is reported only once /usr/src/usr.bin/ssh/sftp-server.c:484: error: for each function it appears in.) /usr/src/usr.bin/ssh/sftp-server.c:485: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:485: error: `ST_NOSUID' undeclared (first use in this function) /usr/src/usr.bin/ssh/sftp-server.c:490: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:491: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:492: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:493: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:494: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:495: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:496: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:497: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:498: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c:500: error: dereferencing pointer to incomplete type /usr/src/usr.bin/ssh/sftp-server.c: In function `process_extended_statvfs': /usr/src/usr.bin/ssh/sftp-server.c:1123: error: storage size of `st' isn't known /usr/src/usr.bin/ssh/sftp-server.c: In function `process_extended_fstatvfs': /usr/src/usr.bin/ssh/sftp-server.c:1140: error: storage size of `st' isn't known *** Error code 1
Re: failed make on openssh 5.1
On Wed, 23 Jul 2008, Joel Dinel wrote: On Wed, Jul 23, 2008 at 9:42 AM, Damien Miller [EMAIL PROTECTED] wrote: I have just updated the patch, please try again once it has hit the ftp server: -rw-r--r-- 1 djm djm 6411 Jul 23 23:31 openbsd42_5.1.patch -rw-r--r-- 1 djm djm 6144 Jul 23 23:31 openbsd43_5.1.patch SHA1 (openbsd42_5.1.patch) = 7ed266a177d09aa67b120b44522f92e1201d34ac SHA1 (openbsd43_5.1.patch) = d45b51c446f08e2f1356ef77c4d004814d27c572 I just downloaded that patch, checked the hash, applied compiled against a freshly extracted openssh-5.1.tar.gz. Sorry, the correct patch should be there now. It is the same as the current openbsd42_5.1.patch. My first problem was that I built against a post-4.3 snapshot from March thinking it was the real 4.3 and my 2nd was not blowing it away and starting with a proper 4.3 at the earliest opportunity... -d
Re: failed make on openssh 5.1
On Tue, 22 Jul 2008, Joel Dinel wrote: To answer my own question, no sooner had I hit 'send' than I noticed the patch number indicated 4.3. I have downloaded OpenSSH 5.0, the appropriate 4.1 - 5.0 patch and all is well. Well I am getting the exact same compilation error as you, on a fresh OpenBSD 4.3 box, when tying to compile OpenSSH 5.1 with the patch for 4.3. cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o -L/usr/src/usr.bin/ssh/ssh/../lib/obj -lssh -lgssapi -lkrb5 -lcrypto -lz -ldes /usr/src/usr.bin/ssh/ssh/../lib/obj/libssh.a(dh.o)(.text+0x438): In function `choose_dh': /usr/src/usr.bin/ssh/dh.c:166: undefined reference to `arc4random_uniform' collect2: ld returned 1 exit status *** Error code 1 Oops, I'll prepare a new openssh43_5.1.patch shortly. -d
Re: Postfix race condition at boot
On Sun, 20 Jul 2008, Uwe Dippel wrote: On Mon, 14 Jul 2008 12:47:40 -0500, Karl O. Pinc wrote: I've an OpenBSD box that's been running postfix for a few years, strictly as a send-only mta, and every night the box gets rebooted. Every couple of months postfix does not come up on reboot. All that shows up in the logs is: snip postfix/postfix-script[3005]: fatal: Postfix integrity check failed! My suspicion is that syslogd has not yet finished making the log socket and the postfix check that happens at postfix start fails. That shouldn't happen, because syslogd delays its exit until after its log sockets have been established. Maybe this will help (but I think not): Index: syslogd.c === RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.101 diff -u -p -r1.101 syslogd.c --- syslogd.c 21 Apr 2008 22:09:51 - 1.101 +++ syslogd.c 20 Jul 2008 10:18:24 - @@ -485,7 +485,8 @@ main(int argc, char *argv[]) break; default: close(lockpipe[1]); - read(lockpipe[0], c, 1); + while (read(lockpipe[0], c, 1) == -1 errno == EINTR) + ; _exit(0); } }
Re: svnd questions (encrypting all of a partition or disk)
On Sun, 20 Jul 2008, Aaron Stellman wrote: Now, on boot, the softraid0 doesn't attach itself to sd0n, perhaps not implemented yet? I was wondering if there were any plans to create support for crypto devices so that they could be mounted on boot as specified in fstab(5). Yes, but someone needs to wrtie the bits for /etc/rc to implement this. We also plan to add bootloader support for root on softraid, but that will take longer. Also, is there any plans to be able to specify which key size you'd want to use with AES_XTS? The kernel code already mostly support AES-XTS-128, but it can only create the volume with AES-XTS-256 at present. Supporting this will require extending the BIOCCREATERAID ioctl to allow it to specify which algorithm to use. -d
Re: 'Nother broken package - git-1.5.4.2
On Wed, 16 Jul 2008, L. V. Lammert wrote: On Thu, 17 Jul 2008, Marc Espie wrote: On Wed, Jul 16, 2008 at 09:30:02AM -0500, L. V. Lammert wrote: If a command line tool like git has a 'GUI Helper', then that package is broken (which, I believe, is the case in this situation). You don't get it, so I'll explain it. Yes, I DO get it, but, unfortunately, you don't. Having an 'X' version of something as fundamental as a version control system is just plain dumb. That has nothing to do with flavors! What if CVS required X? I doubt it would be in the tree for more than 30 seconds, if it got committed at all. As the maintainer explained some time ago, there has been a no-X11 version of GIT since April, so the question is, really, why that isn't the package. Good suggestion, I think you would agree. You know, if you spent 1/10th of the effort that you have wasted ranting on learning the ports system then you could have modified the port to place the X11-requiring bits in a subpackage already. It isn't hard at all. Nobody cares about your rants, but if you make a patch then you have a solution. -d
Re: 'Nother broken package - git-1.5.4.2
On Tue, 15 Jul 2008, Ted Unangst wrote: try it. install x, then resist the urge to type startx. can you do it? can you ignore the siren song, or do your fingers fly forth of their own volition? I have it on good authority that plugging one's ears with wax helps. -d
Re: developer laptop choices
On Mon, 16 Jun 2008, Brad Walker wrote: FYI, newer Thinkpads have mini-pci cards whitelisted in the BIOS. One can't install a ral(4) in them without hacking the BIOS (not recommended). http://www.thinkwiki.org/wiki/Problem_with_unauthorized_MiniPCI_network_card We have had tools to work around that for several years now. -d
Re: OpenSSL On Openbsd help
On Sat, 14 Jun 2008, Khalid Schofield wrote: Hi, I need to get a proper signed ssl certificate for my ecommerce website hosted on my openbsd box. Getting confused as most websites describe how to do this in many different ways and most refere to self signed certificates. Wanted to ask the experts before I go and throw $100 at the task. First, I'd recommend that you spend a little time reading up on X.509 certificates and how they relate to public key cryptography. There are nasty consequences if you get things wrong that extend well past wasting $100 on a certificate you can't use. So do I have to use pass phrases when generating the certificate? If I use a pass phrase why? How does it effect the certificate and it's use? Certificates don't have passphrases, private keys do. A key passphrase gives some measure of protection should the file containing your key fall into someone else's hands, e.g. by compromising your server. If you private key is disclosed, an attacker could impersonate your sever. Also if I use a pass phrase do I have to tell apache about it? Does it go in a config or do I have to enter it when reloading apache? Putting it in a configuration file would defeat the purpose, no? Yes, if you use a passphrase then you need to tell Apache about it every time it is reloaded. For this reason, many web servers do not set passphrases on their keys. Also what command do you use to do this? Please tell all :) openssl req OpenSSL is complex and patchily documented, it assumes that its users are quite familiar with x.509 certificates and public key cryptography. There are some frontends that make things more simple, and some good guides on the net. Try typing openssl certificate into your favourite search engine for a few. One last thing who would you recomend to sign my csr? Go for the cheapest certification authority that is supported by Firefox and Internet Explorer. Do not be fooled by any claims of premium certification as the overwhelming majority of users do not check the CA details. Thanks sorry for the stupid questions but I've never done this before and risked my actual money (only the companies). Like I said, risking $100 on a dud cert is the least of your worries. -d
Re: nmeaattach(8) removed in -current, superseeded by ldattach(8)
On Mon, 9 Jun 2008, James Hartley wrote: On Mon, Jun 9, 2008 at 3:36 PM, Marc Balmer [EMAIL PROTECTED] wrote: If you are using a GPS device with nmeaattach(8), please switch to ldattach(8) now. Thanks Marc for passing on this information. Can you describe in short why this change was made? ldattach is more generic; it can handle all existing and future line discliplines
Re: [OT] developers running -current on laptops
On Fri, 23 May 2008, Chris wrote: I can see from the recent undeadly posts and pictures that most developers are using laptops and I know you have to run -current to do development work. I was just wondering if these laptops are for development use only or development+personal use? I know -current can break sometimes and am just curious to know if developers risk putting personal stuff on a laptop that is being used for active development. Unless you are actively developing, it is generally better to run snapshots. That being said, I have run -current on my laptop and some production systems for many years. Over this time, I have never had any userland instability and have had to roll back to a previous /bsd maybe twice. There is a reason for things being this reliable - just ask anyone who has broken the tree :) If you choose to run -current, you need to understand 3 things: - You are responsible for your system; don't expect help if it breaks - Subscribe to source-changes, so you have some idea of flag days and special update requirements - Be careful around the time of hackathons; there are often many large and more risky changes made at this gatherings, as well as protocol/ABI flag days. If you aren't the hackathon or in close contact with the people who are then it is best to wait it out and let the dust settle before updating :) -d
Re: More details show that someone seriously fucked up in debian. [Was: Re: Debian libssl security (OpenSSH safe?)]
On Wed, 14 May 2008, chefren wrote: On 5/13/08 7:08 PM, Marc Espie wrote: More details show that someone seriously fucked up in debian. Well, this Kurt has seriously asked for details on the relevant openssl-dev list: http://marc.info/?l=openssl-devm=114651085826293w=2 And see what arrogant as usual Ben Laurie states: http://www.links.org/?p=327 they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. Kurt has clearly done so, No, he hasn't. A question posed to a predominatly users' mailing list is not the same as a proper bug report and patch submission. Vendors, especially the size of Debian, should be held to a high standard of behaviour. Critically, he didn't identify that he was considering removing these lines *for every user of Debian*. and I know personally of another totally ignored patch from our company and I have heard in the past about OpenBSD people trying to send patches to OpenSSL maintainers to no avail. Speaking as someone who has done the last two revs of the OpenBSD libssl, I haven't tried to upstream our changes - they OpenBSD specific things like using /dev/arandom and /dev/crypto. I think that any serious patch we sent would have a good chance of inclusion. The OpenSSL maintainers have proven not to read their mail, they aren't interested in cleaning up their big mess. Laurie also states never fix a bug you dont understand and this OpenSSL hero seems to forget that something that seems smart and OK now and here can be plain bad and ugly when looked at with some more distance or knowledge. No, he is 100% correct. Vendors adding value to security software when they lack basic code comprehension skills is simply dangerous to their users. It is surprising that this should be controversial. His Adding uninitialised memory to it can do no harm and might do some good, which is why we do it. is pure arrogant and shortsighted shit to me. Congratulations, you have just demonstrated youself to be the same category of incomprehension as the Debian developers. -d
Re: tpwireless
On Thu, 8 May 2008, Adam Patterson wrote: Anyone know of any documentation on tpwireless? Specifically how to re-set the bit that it unsets. There isnt a man page and there aren't and switches to cause 'usage' to show up. There are no flags. There is no usage doc. However, if you edit the source and change the line: b |= 0x80; to read: b = ~0x80; recompile and execute tpwireless, then it will clear the magic bit instead of setting it. -d
Re: ssh-keyscan tries protocol 1 and does not rollover to 2
On Wed, 30 Apr 2008, Lars NoodC)n wrote: On OpenBSD 4.2, ssh-keyscan looks like it tries for SSH1 first, rather than SSH2, which is the default[1] for OpenBSD. However, it appears not to retry the scan with SSH2 if SSH1 fails. ssh-keyscan never rolls over to a different protocol unless you have told it to (e.g. ssh-keyscan -t rsa1,rsa,dsa hosts). However, the default of looking for rsa1 keys only is wrong. I have just fixed this :) -d
Re: OpenBSD !GSoC
On Thu, 27 Mar 2008, raven wrote: Hi, like subject, i would to know why OpenBSD do not partecipate to Google Summer of Code. Exist a reasonable reason? I wanted to get some candidate projects proposed for OpenSSH but I wasn't organised in time. -d
Re: AMD Geode
On Mon, 17 Mar 2008, Dimitri wrote: Hello all. My cuestion is simply. OpenBSD run over AMD Geode, Yes. specificly over Packard Bell S18P?. Don't know. -d
Re: FIPS 140-2
On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote: Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where applicable? No. Furthermore, there are no FIPS 140-2 certified bits - it is an entire package that is certified, you don't get to pick and choose. -d
Re: sftp logging using chroot internal-sftp in -current
On Wed, 12 Mar 2008, Calomel wrote: Is it possible to enable DEBUG logging for internal-sftp in sshd? Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can get sshd to log initial connections. But, we would also like to log sftp activity like uploads, downloads, and directory changes similar to what vsftpd does. The older sftp-server man page had a log facility (-f) and log level (-l) options, but those arguments might not have been carried over to internal-sftp. Perhaps the chroot environment keeps us from logging internal-sftp? Yes. You should be able to have syslogd(8) listen on /dev/log inside the chroot to make messages from the internal sftp-server visible. -d
Re: Cold Boot Attacks on Encryption Keys
On Fri, 22 Feb 2008, Brett Lymn wrote: On Thu, Feb 21, 2008 at 05:19:28PM -0600, Marco Peereboom wrote: Let me give you an engineering opinion: bwahahahahahaha this is retarded. Well, let me give you another engineering opinion based on actual experience working on a machine with a custom graphics system - it is not 100% reliable but DRAM can show a surprising amount of remanence even without power/refresh. We used to see parts of the display come up even after the machine had been down for hours. Yeah, I recall this from one of the first computers I had as a child. A recognisable amount of screen contents were briefly visible at power on, even if the machine had been left overnight. It is kind of obvious in hindsight that this could be turned to an attack, but lots of things are only obvious in hindsight :) As far as this related to OpenBSD, the main attack that we care about is against laptops that have been suspended, and there are some concerns there (especially if your threat model includes thieves with LN2). We are already pretty careful about zeroising secrets from RAM on program close or system shutdown. Any failures to do this should be reported as bugs. -d
Re: ssh complaining about bad file descriptor on 4.3beta.
On Fri, 22 Feb 2008, Chris Smith wrote: On Thursday 21 February 2008, Allie D. wrote: I'm getting bad file descriptor errors on every ssh connection on a box that I built from source on 4.3 beta last night. Anyone else seeing this as well ? Feb 21 09:54:43 crusty sshd[21741]: error: getsockname failed: Bad file descriptor Wanted to see if anyone else is seeing it as well before I send a bug report. Yes, get them here as well in authlog. my bad; fixed in session.c revision 1.230 -d
Re: Real men don't attack straw men
On Fri, 14 Dec 2007, Richard Stallman wrote: It also seems silly to me this idea between tainted and clean oses, such as Open and gNewSense, respectively. Take for example a user that runs Ubuntu [GNU/]Linux but proscribes to your free-only philosophy. They don't have to install the adobe flash plugin (which I believe is still a binary of sorts.) They can choose not to. The Adobe flash plug-in is non-free software, and people should not install it, or suggest installing it, or even tell people it exists. That Firefox offers to install it is a very bad thing. I've been trying for a couple of years to get going a modified version of Firefox that won't offer to install any non-free plug-ins, but we don't have enough people to make this work very well. If you would like to help, please let me know. It is an important project. This incredibly misguided. People won't switch to free software because of hectoring and hamfisted attempts to frustrate their choices, but they instantly switch when free software becomes a compelling replacement - look at Apache or OpenSSH. Rather than wasting effort trying to make firefox unusable for an unfortunately large proportion of its userbase and on insulting OpenBSD developers with spurious accusations, why not spend the energy on making a usable flashplayer replacement? or on getting Adobe to open their source/specifications? -d
Re: Real men don't attack straw men
On Fri, 14 Dec 2007, Richard Stallman wrote: You said Real men don't attack straw men. Yet this is *EXACTLY* what you are now doing. You continue to repeatedly write that OpenBSD recommends the ports system to its users, *which it does not*. Let me say that once again: OpenBSD recommends that EVERYBODY USE PACKAGES, NOT THE PORTS TREE. OpenBSD distributes the ports tree. In my book, that's recommending all the programs that are in it, referring people to those programs. GNU software includes compatibility support for Windows. In my book, that's recommending Windows, encouraging users to use it in favour of free systems. It is quite easy to make such absurd statements when one is willing to dilute the meaning of words like recommend beyond recognition, but what is the point? By doing this you are traducing the work of a project that takes software freedom extremely seriously, and insulting the developers who put in the work to make it this way. -d
Re: Could Hiawatha replace Apache as in base HTTP server if it's license changed?
On Mon, 3 Dec 2007, Andris wrote: I was reading about Hiawatha security features, and seems like a perfect fit for OpenBSD goals. I'd volunteer to talk to Hugo Leisink (the developer) and see if the code could be relicensed if the project has interest in it. IMHO, replacing forked software with actively developed one is a good idea. Firstly, forked software isn't necessarily undesirable so long as the people maintaining it are motivated and clueful (in this case, they are). Secondly, I don't think anyone in OpenBSD would display as much hubris as this claim on the Hiawatha home page: Hiawatha's source code is free of security-bugs. -d
Re: removing sendmail
On Sun, 2 Dec 2007, Douglas A. Tutty wrote: Why is everyone trying to come up with a solution to a problem that doesn't exist? The 'problem' is a piece of software installed on the box that some of us don't use. It takes up space (how much?). Each MTA has its champions and its detractors. The Solomonesque solution would be to remove the MTA from base altogether unless things in base need an MTA for local delivery, in which case installing something smaller than sendmail that can't be used for anything other than local delivery would be one solution to the 'problem'. That's all I'm suggesting. Thanks for the suggestion, but it isn't going to be implemented - see the numerous discussions on misc@ over many years for the reasoning. I think the only way that sendmail will be removed from base is if there is some compelling replacement for it. This could be something new, it might possibly be a qmail that is made (much) more sane wrt configuration and filesystem hierarchy, it could be postfix if it were ever released under a palatable license, it might be Sendmail X/MeTA1 when it is finished. None of these possible futures will eventuate because of suggestions - someone has to actually do the work. Are you going to do some, or do you plan on continuing to suggest that we do it all for you? -d
Re: About Xen: maybe a reiterative question but ..
On Wed, 24 Oct 2007, L. V. Lammert wrote: I still stand by my original statement. Running application 'domains' in VMs instead of on a single server increases security. It no worse security-wise to run applications on VMs rather than on the one OS, but that isn't the only choice - is it? You obviously didn't read Tavis' virtualisation security paper. VM escape vulnerabilites are not theoretical. Tavis found vulnerabilities in every VM he tested using only a couple of fuzzers. Please stop pretending that virtualisation is about security, it isn't. The benefits are cost savings and decoupling applications from hardware. -d
Re: About Xen: maybe a reiterative question but ..
On Wed, 24 Oct 2007, Brian wrote: All of the theoretical attack vectors are exactly that: theoretical. But by adding complex layers does not guarantee any increase in security. They aren't theoretical, they have been demonstrated. Read the paper: http://taviso.decsystem.org/virtsec.pdf
Re: About Xen: maybe a reiterative question but ..
On Tue, 23 Oct 2007, Theo de Raadt wrote: Virtualization seems to have a lot of security benefits. You've been smoking something really mind altering, and I think you should share it. x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes. cf. http://taviso.decsystem.org/virtsec.pdf
Re: OpenBSD replacement for GnuPG
On Thu, 11 Oct 2007, Sean Darby wrote: Hi, Is there an alternative PGP or OpenPGP-like program available other than PGP or GnuPG/GPG? Is there something along lines of a BSD-PG-type program (using BSD licensing/copyright and basically non-GNU)? There is this: http://openpgp.nominet.org.uk/cgi-bin/trac.cgi but it doesn't seem finished yet. -d
Re: SMTP flood + spamdb
On Wed, 26 Sep 2007, Liviu Daia wrote: Greylisting is trivial to bypass, with or without a queue: just send the same messages twice. Some spammers have figured that out long ago. Ever wondered why sometimes you receive 2 or 3 copies of the same spam, from the same IP, with the same Message-Id etc., a few minutes apart? That doesn't work, at least not against spamd.
Re: OBSD's perspective on SELinux
On Sat, 22 Sep 2007, Douglas A. Tutty wrote: Hello all, I'm running OBSD on my older boxes but still Debian on my big box (not ready yet). Linux has SELinux in its 2.6 kernel and debian has gone ahead and compiled SELinux into the libraries, although the SELinux policies aren't ready on debian yet. The whole focus seems to be to make Linux more secure. I'm not sure what to make of it. I figure that if you want secure, you switch to OBSD. Could someone who knows both the details of OBSDs security enhancements and the details of SELinux comment? In terms of mandatory access controls, OpenBSD only has systrace. Every medium to large Linux deployment that I am aware off has switched SELinux off. Once you stray from the default configurations that the system distributors ship with the default policies no longer work and things start to break. In my admittedly limited experience, this happens very quickly. If the policy language was halfway sane then this wouldn't be so bad - a skilled administrator could adjust the policy. Unfortunately: 1) skilled administrators are hard to come by, and their time is usually better spent *not* tweaking brittle mandatory access control policies 2) the SELinux policy language is nowhere near sane. OpenBSD's systrace suffers from #1 - it is a generic problem with these sorts of access control mechanisms, and it is one reason why it has never been enabled by default. The brittleness is a real problem - I use systrace for a few things and often need to update my policies because of software upgrades or libc changes. Oh, and skilled administrator means someone deeply familiar with the Unix system interface - not a just a graduate of certification course de jour. The Linux solution to #2 seems to be to add various wizards and other abstraction between the administrator and the policy, rather than tossing the horrid mess and replacing it with something more comprehensible. I'm sure you could use SELinux to improve the security of a system but it would require quite a bit of time and effort, both initial and ongoing. -d
Re: The Atheros story in much fewer words
On Sat, 15 Sep 2007, Rui Miguel Silva Seabra wrote: You seem uneducated about how powerless someone is without the freedom to change a program because he has no access to the source code. You seem to be entirely missing the irony of making this statement in the context of an argument about software _reverse engineered from a binary blob_.
Re: The Atheros story in much fewer words
On Sat, 15 Sep 2007, Rui Miguel Silva Seabra wrote: On Sat, Sep 15, 2007 at 09:54:10PM +1000, Damien Miller wrote: On Sat, 15 Sep 2007, Rui Miguel Silva Seabra wrote: You seem uneducated about how powerless someone is without the freedom to change a program because he has no access to the source code. You seem to be entirely missing the irony of making this statement in the context of an argument about software _reverse engineered from a binary blob_. You seem to be entirely missing the fact that it requires extraordinary skill, which used in the defense of your arguments contradicts the freedom for all you defend, since it's only avialable to a select few, even among the already scarce select few programmers among the human beings. I don't know which of my arguments you are talking about in your pontificating rant, because this is the first time I have ever replied to you. Last too.
Re: Software freedom
On Mon, 27 Aug 2007, [EMAIL PROTECTED] wrote: rest of the kernel uses it to store the value of curlwp. Sam won't recompile the HAL for us (fair enough), and we can't modify the HAL to use another register because doing so could put us in breach of the license (v. crappy). So, do a save/set/restore on %s7 in KernIntr() How hard is it to recompile the HAL that Sam can't be bothered to do it, and more importantly, why should a trivial change to make the software inter operable be a breach of the license? That can't be the owner's intent. Why are you making excuses for the people who provide binary blobs? It doesn't matter at all what the owner's _intent_ is, when the practical consequence is that OS developers have to put in layers of hacks for bugs that they cannot themselves fix. -d
Re: classify scp and ssh
On Sat, 7 Jul 2007, Lawrence Horvath wrote: Is there a way using pf to distinguish between ssh shell logins, and scp file transfers? Not easily: ssh sets IPTOS_THROUGHPUT for non-interactive sessions, but does it after the TCP handshake. If you are assigning connections to queues statefully, this is too late, as the state would have already been created with the default TOS. -d
Re: OpenSSL key theft through cache timing
On Wed, 20 Jun 2007, Karel Kulhavy wrote: http://www.daemonology.net/papers/htt.pdf This is the missing link to my post about keyboard security. No, it isn't. You can't really compare a public key crypto operation to someone bashing at a keyboard. -d
Re: Security of the keyboard
On Wed, 20 Jun 2007, Mikulas Patocka wrote: Yay ! Let's map everything uncached from now on! For great justice! [I was tempted to write some stuff about how keyboard keycode translation works in wscons, but it's not worth my time] Miod You don't have to map keyboard map uncached, just change the way code is written --- instead of x = a[i] you write something like x = 0; for (j = 0; j sizeof a/sizeof *a; j++) x |= a[j] (-(i ^ j) 31) - 1; What an improvement - that is so much more maintainable.
Re: Multicast sending
On Sun, 10 Jun 2007, Praveen wrote: Hi, I am using the send program from this example: http://ntrg.cs.tcd.ie/undergrad/4ba2/multicast/antony/example.html#sender The only modification is the use of setsockopt() to set the interface from which I want to send the packet. The setsockopt() succeeds but sendto() fails with host is down message. Any clues?. The program works fine on a Linux machine. The test program doesn't set sin_len. Try adding addr.sin_len = sizeof(addr);. Also ensure that you have set up multicast on your host. Some notes are in /etc/netstart. -d
Re: Linux and Novell article in Linux Journal
I think you have the wrong list... On Fri, 1 Jun 2007, Dan Farrell wrote: At the link below from the Linux Journal, Glyn Moody states that the GNU/Linux Community should wish Novell well, as it may be the first domino to fall. In the comments section I mentioned there's a least one project that has nothing to fear ;) ... http://www.linuxjournal.com/node/1000232#comment-250697 Gotta get the word out, Dan Farrell Applied Innovations Corp. [EMAIL PROTECTED]
Re: OpenBSD sucks
On Thu, 31 May 2007, Open Phugu wrote: On 5/31/07, qw er [EMAIL PROTECTED] wrote: It really sucks. it is slow. What you say does not apply to OpenBSD. What you said describes you. I find it amazing that, in 2007, people still respond to the most blatant trolling in exactly the way that the troll wants.
Re: tpb and tphdisk assistance
where did you get that idea from? you are wrong. On Mon, 28 May 2007, openbsd fan wrote: tpb and tphdisk are only for thinkpads with apm not acpi... On 5/27/07, Don Scott [EMAIL PROTECTED] wrote: I have setup an MSDOS partition for tphdisk: $ sudo fdisk sd0 Disk: sd0 geometry: 5168/240/63 [78140160 Sectors] Offset: 0 Signature: 0xAA55 Starting Ending LBA Info: #: idC H S -C H S [ start: size ] 0: 160 1 1 - 346 159 63 [ 63: 5241537 ] OS/2 hidden 1: 000 0 0 -0 0 0 [ 0: 0 ] unused 2: 000 0 0 -0 0 0 [ 0: 0 ] unused *3: A6 346 160 1 - 2933 223 63 [ 5241600:39119472 ] OpenBSD $ sudo disklabel sd0 # Inside MBR partition 3: type A6 start 5241600 size 39119472 # /dev/rsd0c: type: SCSI disk: SCSI disk label: HTS541040G9SA00 flags: bytes/sector: 512 sectors/track: 63 tracks/cylinder: 240 sectors/cylinder: 15120 cylinders: 5168 total sectors: 78140160 rpm: 3600 interleave: 1 trackskew: 0 cylinderskew: 0 headswitch: 0 # microseconds track-to-track seek: 0 # microseconds drivedata: 0 16 partitions: # sizeoffset fstype [fsize bsize cpg] a:163296 5241600 4.2BSD 2048 163841 # Cyl 346*- 357* b: 2096640 5404896swap # Cyl 357*- 496* c: 78140160 0 unused 0 0 # Cyl 0 - 5167 d:163296 7501536 4.2BSD 2048 163841 # Cyl 496*- 506* e: 2096640 7664832 4.2BSD 2048 163841 # Cyl 506*- 645* f: 12581856 9761472 4.2BSD 2048 163841 # Cyl 645*- 1477* g: 16776144 22343328 4.2BSD 2048 163841 # Cyl 1477*- 2587* i: 524153763 MSDOS # Cyl 0*- 346* I've created a save2dsk.bin file: $ ls -l /mnt/ total 5240832 -rwxr-xr-x 1 root wheel 2683305984 May 27 17:31 save2dsk.bin I have tpb set to run as a daemon from ~/.xinitrc. The volume mute/down/up buttons work, but none of the Fn buttons do except for the thinklight. On-screen display also does not work. Is this something I can fix with a simple configuration change? Here is some information about my hardware. Thanks for any advice. $ sysctl hw hw.machine=i386 hw.model=Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz (GenuineIntel 686-class) hw.ncpu=2 hw.byteorder=1234 hw.physmem=2137419776 hw.usermem=2137407488 hw.pagesize=4096 hw.disknames=sd0 hw.diskcount=1 hw.sensors.acpitz0.temp0=49.05 degC (zone temperature) hw.sensors.acpitz1.temp0=47.05 degC (zone temperature) hw.sensors.acpibat0.volt0=14.40 VDC (voltage) hw.sensors.acpibat0.volt1=14.85 VDC (current voltage) hw.sensors.acpibat0.watthour0=73.24 Wh (last full capacity) hw.sensors.acpibat0.watthour1=3.66 Wh (warning capacity) hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity) hw.sensors.acpibat0.watthour3=20.38 Wh (remaining capacity), OK hw.sensors.acpibat0.raw0=1 (battery discharging), OK hw.sensors.acpibat0.raw1=18047 (rate) hw.sensors.acpiac0.indicator0=Off (power supply) hw.sensors.acpidock0.indicator0=Off (not docked) hw.sensors.aps0.temp0=50.00 degC hw.sensors.aps0.temp1=50.00 degC hw.sensors.aps0.indicator0=On (Keyboard Active) hw.sensors.aps0.indicator1=Off (Mouse Active) hw.sensors.aps0.indicator2=On (Lid Open) hw.sensors.aps0.raw0=495 (X_ACCEL) hw.sensors.aps0.raw1=502 (Y_ACCEL) hw.sensors.aps0.raw2=495 (X_VAR) hw.sensors.aps0.raw3=502 (Y_VAR) hw.cpuspeed=1996 hw.setperf=0 hw.vendor=LENOVO hw.product=1709G3U hw.version=ThinkPad X60 hw.serialno=LVD6250 hw.uuid=7ac062e0-711a-11db-80c2-db36273570d5 and a dmesg: OpenBSD 4.1-current (GENERIC.MP http://generic.mp/) #3: Sat May 26 13:17:13 PDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386 /compile/GENERIC.MP cpu0: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz (GenuineIntel 686-class) 2 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR real mem = 2137419776 (2038MB) avail mem = 1943982080 (1853MB) using 4278 buffers containing 106995712 bytes (104488K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+ BIOS, date 04/18/07, BIOS32 rev. 0 @ 0xfd690, SMBIOS rev. 2.4 @ 0xe0010 (67 entries) bios0: LENOVO 1709G3U pcibios0 at bios0: rev 2.1 @ 0xfd620/0x9e0 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #22 is the last bus bios0: ROM list: 0xc/0xea00! 0xdc000/0x4000! 0xe/0x1! acpi0 at mainbus0: rev 2 acpi0:
Re: Peek active process
On Wed, 23 May 2007, Daniel Ouellet wrote: I am trying to find out how many peek active process a server run in a given time period, like in one day, and may be a week. I try to see how servers handle heavy peak at time. I thought that systat vmstat, or others could provide me that. Unless I don't read the right man page, looks like the peak active stats process are not kept anywhere. Is that the case, or is there a way to find more long term stats like that? man systat talk about boot stats: The following commands are specific to the vmstat and ifstat displays; the minimum unambiguous prefix may be supplied. bootDisplay cumulative statistics since the system was booted. run Display statistics as a running total from the point this command is given. timeDisplay statistics averaged over the refresh interval (the de- fault). zeroReset running statistics to zero. systat doesn't support display of maxima. It would probably be trivial to add it though. -d
Re: Why Linus Torvalds won't donate to OpenSSH
Two points: 1. Please don't post private email. (Apologies if you obtained his permission to post). 2. Who really cares? I'd much rather see contibutions from companies who ship OpenSSH in their products and list SSH support as a feature on their glossy brochures than shaking down other free software developers. -d On Tue, 10 Apr 2007, Kernel Monkey wrote: I recently wrote Linus Torvalds asking why I don't see his name listed on the OpenBSD donations page (http://www.openbsd.org/donations.html), since I figured he uses OpenSSH. This was the reply I got back: From: Linus Torvalds [EMAIL PROTECTED] Tue, 10 Apr 2007 14:29:56 -0700 (PDT) I suspect that OpenSSH would get more funding if it was directed directly to OpenSSH, and not OpenBSD, which almost nobody is interested in. As it is, how much of any money actually goes to OpenSSH development, rather than everything else? Linus I thought the reply was funny.
Re: Why Linus Torvalds won't donate to OpenSSH
On Wed, 11 Apr 2007, Timo Schoeler wrote: Which commercial *NIX that's still alive is more of a security thread and covered with the same level of stability problems as GNU/Linux? One really stops counting remote exploits for GNU/Linux very soon, otherwise one would have to dedicate one's whole life to do so, it's that time consuming. That's nice, but what does bashing other operating systems have to do with OpenBSD? -d
Re: bcw(4) is gone
On Thu, 5 Apr 2007, Andris Delfino wrote: First, this wouldn't happen cause I prefer the BSD license, but, if someone violates the copyright of my work, I'll take that guy down. In the most publicly and shameful way. How does this militant attitude work alongside your preference for the BSD license? If another free software developer is violating your license, would you publicly shame someone who is probably working for similar reasons to yourself, or would you give them the benefit of the doubt and give them a private do you know what you are doing? email and try to work things out like gentlepeople? I know of at least one GPL project that violates the license (BSD) of some code that I wrote. If I ever cared to enforce that license then I would certainly be polite first. -d
Re: No Blob without Puffy
On Sun, 18 Mar 2007, Jason Dixon wrote: Again, why are you being hypocritical by including a BLOB-friendly OS in your campaign? You're part of the problem, not the solution. Actually, I think that by listing only blob-distributing OSs on their poster the campaign has a very funny subtextual meaning. -d
Re: ssh/sshd challenge-response seems to have stopped working in -current
Please send a Debug3 trace (sshd -dddp222), debug level 1 doesn't contain all the necessary information -d On Tue, 27 Feb 2007, Josh Grosse wrote: After building -current on Feb 25, I noticed when I attempted to use S/Key remotely, that it was not a permitted authentication style. (I use S/Key when publc key authentication is not available, so it may have nothing to do with recent changes to how sshd_config Match works, and may be something else entirely, I have not used S/Key in a few weeks.) Trying to recreate the problem, I ran sshd in debug mode, and ssh -vvv; it looks like the authentication method isn't viable. I'm hoping someone can quickly come to an ah-hah!! by looking at this output and my config files. If not, perhaps recreate the problem? (I used -p 222 to override the default port while collecting debug output.) debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: rexec_argv[2]='-p' debug1: rexec_argv[3]='222' debug1: Bind to port 222 on 0.0.0.0. Server listening on 0.0.0.0 port 222. Generating 768 bit RSA key. RSA key generation complete. debug1: fd 5 clearing O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 4, 4 Connection from 127.0.0.1 port 46616 debug1: Client protocol version 2.0; client software version OpenSSH_4.5 debug1: match: OpenSSH_4.5 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_4.5 debug1: permanently_set_uid: 27/27 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client-server aes128-cbc hmac-md5 none debug1: kex: server-client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user j:skey service ssh-connection method none debug1: attempt 0 failures 0 Connection closed by 127.0.0.1 debug1: do_cleanup debug1: do_cleanup ssh output OpenSSH_4.5, OpenSSL 0.9.7j 04 May 2006 debug1: Reading configuration data /etc/ssh/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to localhost [127.0.0.1] port 222. debug1: Connection established. debug1: identity file /home/j/.ssh/identity type -1 debug1: identity file /home/j/.ssh/id_rsa type -1 debug1: identity file /home/j/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_4.5 debug1: match: OpenSSH_4.5 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.5 debug2: fd 4 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit:
Re: ssh/sshd challenge-response seems to have stopped working in -current
also, does it work if you try connecting without any keys in your ssh-agent? On Tue, 27 Feb 2007, Josh Grosse wrote: On Tue, Feb 27, 2007 at 04:20:20PM -0700, Damien Miller wrote: Please send a Debug3 trace (sshd -dddp222), debug level 1 doesn't contain all the necessary information ...
Re: ssh/sshd challenge-response seems to have stopped working in -current
what does the client say? (ssh -vvvp 222 localhost) On Tue, 27 Feb 2007, Josh Grosse wrote: On Tue, Feb 27, 2007 at 04:20:20PM -0700, Damien Miller wrote: Please send a Debug3 trace (sshd -dddp222), debug level 1 doesn't contain all the necessary information debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 268 debug2: parse_server_config: config /etc/ssh/sshd_config len 268 debug3: /etc/ssh/sshd_config:12 setting PermitRootLogin no debug3: /etc/ssh/sshd_config:13 setting PasswordAuthentication no debug3: /etc/ssh/sshd_config:14 setting ClientAliveInterval 15 debug3: /etc/ssh/sshd_config:15 setting ClientAliveCountMax 3 debug3: /etc/ssh/sshd_config:16 setting X11Forwarding yes debug3: /etc/ssh/sshd_config:17 setting AddressFamily inet debug3: /etc/ssh/sshd_config:101 setting Subsystem sftp /usr/libexec/sftp-server debug1: sshd version OpenSSH_4.5 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-dddp222' debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 222 on 0.0.0.0. Server listening on 0.0.0.0 port 222. Generating 768 bit RSA key. RSA key generation complete. debug1: fd 5 clearing O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 8 config len 268 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 4, 4 Connection from 192.168.2.50 port 26193 debug1: Client protocol version 2.0; client software version OpenSSH_4.5 debug1: match: OpenSSH_4.5 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_4.5 debug2: fd 4 setting O_NONBLOCK debug2: Network child is on pid 18455 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 27:27 debug1: permanently_set_uid: 27/27 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[EMAIL PROTECTED] debug2: kex_parse_kexinit: none,[EMAIL PROTECTED] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: blowfish-cbc debug2: kex_parse_kexinit: blowfish-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client-server blowfish-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server-client blowfish-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 1024 8192 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_request_send entering: type 1 debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 128/256 debug2: bits set: 535/1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: monitor_read: 0 used once, disabling now debug3
Re: Compile Issue in libssl/crypto.
On Mon, 29 Jan 2007, Sean Kennedy wrote: Understood, -- Just being pedantic, before I move to -rstable, I usually do a build with -rOPENBSD_X_x first when I do a Vanilla system. Answer of Use -rstable. is your answer. libssl/crypto has issues with -rOPENBSD_4_0. shrug To be clear, your problem isn't due to what you are checking out but rather how your a building it. Follow the instructions: http://www.openbsd.org/stable.html -d
Re: PlayStation 3
On Wed, 24 Jan 2007, Jeroen Massar wrote: The key in getting it to work is UPNP, thus something like: http://upnp.sourceforge.net/ http://linux-igd.sourceforge.net/ a more OpenBSDish implementation seems to be http://miniupnp.free.fr/ NB. I have never used it, or any for of uPNP (nor would I)
Re: atactl smartstatus to email other than cron user
On Wed, 24 Jan 2007, Paul Pruett wrote: Using cron and atactl to email smartstatus errors to an email address other than cron user: ... I use the following script to help with cron stuff, it can do what you want. -d --- #!/bin/sh # Helper for cron(8) to send mail only if command terminates abnormally. # Also allows you to specify a different recipient. usage() { echo Usage: cronmail.sh [-h] [-r recipient] command [args...] 12 exit 1 } args=`getopt hr: $*` [ $? -ne 0 ] usage set -- $args for o ; do case $o in -h) usage;; -r) RECIPIENT=$2; shift; shift;; --) shift; break;; esac ; done # Need at least one argument (command) [ -z $1 ] usage OUTTMP=`mktemp -t cronmail.out.` if [ $? -ne 0 ]; then # Fall back to executing the command with unredirected output exec $* fi $* $OUTTMP 21 RC=$? if [ $RC -ne 0 ]; then if [ -z $RECIPIENT ]; then cat $OUTTMP else mail -s Failed cron command $1 $RECIPIENT $OUTTMP fi fi rm $OUTTMP exit $RC
Re: Why setresuid() and not setuid() is used?
On Mon, 22 Jan 2007, Alexander Farber wrote: Hello, I'm writing a small network daemon program and want it to drop priviliges after it opens a listening port. I've looked at the several programs in /usr/src/usr.sbin and many do it in the similar way: 1) getpwnam(NTPD_USER) to find its home dir 2) check that the home dir belongs to root and isn't group-world writable 3) chroot() into that dir and then chdir(/) 4) setgroups(1, pw-pw_gid) to limit it to just 1 group 5) Finally call setresgid(pw-pw_gid, pw-pw_gid, pw-pw_gid) and setresuid(pw-pw_uid, pw-pw_uid, pw-pw_uid) I have 2 questions: 1) Can't a compromised process change back to its saved root uid? Not if you used setresuid. 2) Why is setresuid() used and not setuid()? ... What was the reason to introduce setresuid() on BSD? See Setuid Demystified by Chen, Wagner and Dean: http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf Micro-summary: setresuid is the only API with unambiguous semantics. For OpenBSD, we adopted it as the standard way to revoke privileges. Observation: for a system call that takes a single integer argument to need a paper to demystify it is a sign that it should probably be avoided. My program is for OpenBSD, but I also want to keep it runnable on Linux and Cygwin - and the latter one doesn't offer setresuid(). I recommend that you pick the best API available and implement/emulate it where it doesn't exist. You will have to write compatibility code regardless of your approach, so you are best off keeping this out of your main program. See http://www.mindrot.org/~djm/auug2005/ for a description of the portability approach we use for OpenSSH. Also is there maybe a good guide on priv. sep. on OpenBSD? For privsep, Henning's daemons (OpenNTPd, OpenBGPd) are clean examples. OpenSSH and syslogd are more complex ones. (responding to your follow-up email:) Privilege revocation is a component of privilege separation. Any daemon that starts with root privileges and is privilege separated must revoke those privileges along the way, so the above are good examples of privilege revocation too. -d
Re: openbsd 4.0 ralink problem low operation range
On Mon, 18 Dec 2006, pedro la peu wrote: On Friday 15 December 2006 09:51, you wrote: So far for all you people who have complained about lousy ral(4) range or reception, only one of you has posted a dmesg (and even it was incomplete) and none of you have posted your interface config. Irrelevant. Knowing the MAC and RF versions of the affected cards is irrelevant? Don't let this interrupt your complain-fest, but if you want to move beyond whinging and start trying to figure out what the bad performing cards have in common then you know what you have to do... Don't let this interrupt your comprehension. The common factor is ral radios. I guess ral(4) that works fine over 20m through several double-brick walls is a figment of my imagination then... -d
Re: openbsd 4.0 ralink problem low operation range
So far for all you people who have complained about lousy ral(4) range or reception, only one of you has posted a dmesg (and even it was incomplete) and none of you have posted your interface config. Don't let this interrupt your complain-fest, but if you want to move beyond whinging and start trying to figure out what the bad performing cards have in common then you know what you have to do... -d On Fri, 15 Dec 2006, Anis Kadri wrote: I have experienced the same problems with both ath(4) and ral(4) (minipci cards). I tried to use different modes (B G) and different settings (channels, ..) and using an external antenna but the performance's still lossy :-/ for ral(4): g mode doesn't work very well for me (packet loss, ...) so i'm sticking with b mode for ath(4): changing the mode just causes the kernel to crash :/ so i used b mode as well. I don't know if ath(4) works better than ral(4) for some of you. I heard it has a better radio chipset but it is not documented. On 12/15/06, pedro la peu [EMAIL PROTECTED] wrote: http://www.netgate.com/info/miniPCI/2511MPPLUS/2511MP_PLUS_Spec.pdf Receive sensitivity: -89dBm to -91dBm. http://soekris.kd85.com/pdf/ralabg.pdf Receive sensitivity: -70dBm to -84dBm.
Re: SFTP only access to sshd
On Thu, 23 Nov 2006, Ingo Schwarze wrote: From time to time, people come here to ask: How can i set up an account for SFTP only, forbidding shell access? One common answer is scponly, http://sublimation.org/scponly/wiki/ This looks quite powerful, in particular if you intend to chroot. I just had to implement SFTP only access myself. Reading the scponly sources, i realized that the task is nearly trivial as long as you only want SFTP, no other protocols, and need no chroot. So i thought i might as well share with the list. In case i overlooked anything serious, chances are i shall be beaten... ;-) In OpenSSH-4.5: Match user djm X11Forwarding no AllowTCPForwarding no ForceCommand /usr/libexec/sftp-server -d
Re: Sun T1 105
On Tue, 31 Oct 2006, Daniel Ouellet wrote: I am looking for some feedback on this DMESG if possible. I am playing with an old Sun T1 105 and does look like it work well, but I never saw so many not configure message in a single DMESG. This is normal and harmless - openfirmware identifies all devices in the system, including some tiny and relatively useless ones. -d