[FIXED] Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

2015-07-19 Thread Olivier Mehani
Hey Matthew,

On 2015-07-18, Matthew Weigel uni...@idempot.net wrote:
> > My root user is authenticated with BSDAUTH. The rest of the users with
> > an md5crypt in the userPassword. This works with the version from 5.5
> > with a range of applications (ownCloud, Wordpress, PHPLDAPAdmin, ...).
> md5crypt...?  Well, there's your problem.
>  From http://www.openbsd.org/plus56.html:
>   * Removed md5crypt from crypt(3).
> So ldapd(8) is passing the hash string along to crypt(3) when checking
> the user's password and crypt(3) is unable to handle it.  You'll need to
> start migrating these password hashes.

This is correct. I migrated my personal and lookup users to crypt
passwords, and they can successfully authenticate. I'm not sure why I
went to md5crypt to start with, probably some confusion with the
apache-htpasswd format difference.

Anyway, I can confirm that using crypt passwords works well with
ldapd-5.6 and PHP application such as ownCloud, Wordpress or DokuWiki.

Thanks for your help!

-- 
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.



Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

2015-07-18 Thread Olivier Mehani
Hey Matthew,

On 2015-07-14, Matthew Weigel uni...@idempot.net wrote:
> > Did anybody encounter the same issue? Is there a known cause? How could
> > this be solved?
> I'm running 5.6 and using ldapd without issue.  Can you clarify how your
> test user is authenticated (BSD Auth?  A crypt hash in the userPassword
> attribute?)?

My root user is authenticated with BSDAUTH. The rest of the users with
an md5crypt in the userPassword. This works with the version from 5.5
with a range of applications (ownCloud, Wordpress, PHPLDAPAdmin, ...).

-- 
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.



'ldap_bind: Operations error (1)' with ldapd-5.6

2015-07-14 Thread Olivier Mehani
 move on to the next step.

Cheers.

-- 
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.



Re: ldapd(8) binary incompatibility, 5.4 - 5.5

2014-07-22 Thread Olivier Mehani
On 2014-07-22, Matthew Weigel uni...@idempot.net wrote:
> I finally upgraded my last machine - that runs ldapd(8) for user
> logins, mail aliases, and a few other odds and ends - from 5.4 to 5.5.

Haha! I just did the same two days ago.

> I'm left wondering if I'm the only one who actually uses the stock
> ldapd(8), because it is not called out at all in upgrade55.html as
> having problems with the Year 2038 fixes that went into 5.5.

No, I'm here.

> I ended up having to create a 5.4 VM (I stuck with the same amd64 arch
> as my actual server, and have not investigated or tested under what
> constraints this might work across architectures) to load the ldapd(8)
> database files, use third party LDAP tools to create a text dump in
> LDIF format, and then load the LDIF into an empty database of 5.5
> ldapd(8).

I'm currently trying to cobble together a binary importer which reads
5.4 dbs, and writes them as 5.5 dbs. It's a bit ugly, based on
frankensteined code from ldapd and ldapctl. I haven't found a straight
way to write back into a file, so I'm trying to go down the compacting way,
which appears to be rewriting an entirely new database.

Hopefully, it should work in the end.

I thought about the VM/dump option, but all I could find was for slapd
(using slapcat). Could you give more details on the tools you use?

> It looks like particularly the btree_stat and btree_meta structs used
> in the ldapd(8) btree implementation are the culprits, as it looks like
> they are the only time_t bits actually stored on disk.  Since it
> appears my problems are now solved, I'm mostly sending this message as
> a heads up in case there is anyone still getting ready to upgrade to
> 5.5 that uses ldapd(8).

I think only the btree_meta is relevant, as I don't see the btree_stat
being written on disk.

-- 
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.



Re: ldapd(8) binary incompatibility, 5.4 - 5.5

2014-07-22 Thread Olivier Mehani
Hey Matthew,

On 2014-07-23, Matthew Weigel uni...@idempot.net wrote:
> > into it, I started up ldapd(8) and connected to it with ldapvi(1) from
> > ports.  I wrote out the contents of that buffer to a separate file, and
> Actually I didn't notice it this weekend but ldapvi(1) has --in and
> --out arguments that do exactly the right thing - just read and write
> straight LDIF files.

Yup, this did the trick nicely (once I remembered that the DB LDAPD
looks for is in /var/db/ldap):

  ldapvi --out --host localhost -D cn=root,dc=example,dc=net > dump.ldiff
 
I have the openldap-client package installed, so ldapadd did the trick
to reimport all that into a fresh and empty DB

  ldapadd -H ldapi://%2fvar%2frun%2fldapi -D cn=root,dc=example,dc=net -W < dump.ldiff

I'll give up on my binary importer (:

Thanks for the pointers!

-- 
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.
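A worked check for the dump-and-reload migration above, which also covers the md5crypt problem from the 5.6 thread at the top of this page. It is an added example, not code from the thread or from ldapd(8): the two LDIF strings are constructed, and the handling of the {CRYPT} and {SSHA} userPassword prefixes follows my reading of how ldapd(8) checks passwords, so treat that as an assumption. It parses LDIF the way ldapvi(1) and ldapadd(1) write it (folded lines, base64 "::" values), lists DNs that did not survive the reimport, flags userPassword values that are still md5crypt ($1$) hashes, and shows the salted SHA-1 format as a portable replacement.

```python
"""Checks for an ldapd(8) LDIF dump/reload, plus userPassword migration helpers.

Added example, not from the thread or from ldapd(8). The LDIF below is
constructed; the {CRYPT}/{SSHA} prefix handling is my reading of ldapd(8)."""
import base64
import hashlib
import os


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from LDIF text.

    Handles folded lines (continuations start with a space) and base64
    values ("attr:: ..."), which is how ldapvi/ldapadd write attributes
    such as userPassword."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def missing_dns(before, after):
    """DNs in the source dump that are absent after the reimport
    (DNs are compared case-insensitively)."""
    present = {dn.lower() for dn, _ in after}
    return [dn for dn, _ in before if dn.lower() not in present]


def md5crypt_users(entries):
    """DNs whose userPassword is an md5crypt ($1$) hash. OpenBSD 5.6 removed
    md5crypt from crypt(3), so ldapd(8) can no longer verify such binds."""
    hits = []
    for dn, attrs in entries:
        for pw in attrs.get("userPassword", []):
            raw = pw[len("{CRYPT}"):] if pw.startswith("{CRYPT}") else pw
            if raw.startswith("$1$"):
                hits.append(dn)
    return hits


def ssha(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, password):
    """Verify a password against a {SSHA} value (20-byte digest, then salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


# Constructed sample dumps: BEFORE is what "ldapvi --out" might give on 5.5,
# AFTER is a reimport that silently lost the last entry.
_MD5CRYPT = "{CRYPT}$1$saltsalt$" + "a" * 22      # shape of an md5crypt hash
BEFORE_LDIF = (
    "dn: dc=example,dc=net\n"
    "objectClass: domain\n"
    "dc: example\n"
    "\n"
    "dn: uid=olivier,ou=people,dc=example,dc=net\n"
    "objectClass: inetOrgPerson\n"
    "uid: olivier\n"
    "description: Migrated from md5crypt on upgrade to 5.6, see plus56.h\n"
    " tml\n"
    "userPassword:: " + base64.b64encode(_MD5CRYPT.encode()).decode() + "\n"
    "\n"
    "dn: uid=lookup,ou=people,dc=example,dc=net\n"
    "objectClass: inetOrgPerson\n"
    "uid: lookup\n"
    "userPassword: " + ssha("lookup-pw", b"\x00\x01\x02\x03") + "\n"
)
AFTER_LDIF = BEFORE_LDIF.split("\ndn: uid=lookup")[0] + "\n"

if __name__ == "__main__":
    before, after = parse_ldif(BEFORE_LDIF), parse_ldif(AFTER_LDIF)
    print("lost on reimport:", missing_dns(before, after))
    print("still md5crypt:", md5crypt_users(before))
```

On the OpenBSD box itself a bcrypt {CRYPT} hash from encrypt(1) is the better migration target, since it goes through crypt(3) exactly like the working setup in the thread; the {SSHA} helper is here because it can be generated and verified anywhere, without OpenBSD's libc.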



Re: Oddity with httpd/mod_ssl: missing HTTPS environment variable on non _default_ vhosts

2014-02-28 Thread Olivier Mehani
Hi Joel, all,

On Fri, Feb 21, 2014 at 12:14:28AM +1100, Joel Sing wrote:
> > I have an OpenBSD 5.4 machine, with httpd serving pages successfully
> > over both HTTP and HTTPS (with a CaCert-issued certificate).  I want to
> > serve multiple sites on both protocols (the certificate has AltNames for
> > the various sites).
> > (Almost) everything works fine, and I do indeed manage to successfully
> > access all sites over HTTPS as expected. However, the HTTPS environment
> > variable, which should be set to 'on' for HTTPS sessions, is missing for
> > all but the first VHost. This is problematic because multiple apps
> > (mostly php-5.3.27, but also some CGI and Rewrites) inspect this
> > variable and behave differently depending on whether it is set to 'on'
> > or anything else.
> > NameVirtualHost *:80
> > NameVirtualHost *:443
> > <VirtualHost *:80 *:443>
> > ServerName www.domain2.tld
> > ServerAdmin webmas...@domain.tld
> > DocumentRoot /var/www/sites/domain2.tld/www
> > </VirtualHost>
> > <Directory /sites/domain2.tld/www>
> > Options MultiViews SymLinksIfOwnerMatch Includes
> > AllowOverride FileInfo
> > Order allow,deny
> > Allow from all
> > </Directory>
> > This is a rather standard setup, and I've had this working on previous
> > machines (<=5.3). The HTTPD and SSL logs do not show any error nor
> > warning. I have been trying many combinations of NameVirtualHost,
> > VirtualHost and ServerName / ServerAlias.
> In this particular case the lack of HTTPS=on is due to the fact that you do
> not actually have SSL enabled in the /srv/www/conf/sites.d/ configuration
> snippet. Normally this would have (at minimum) SSLEngine, SSLCertificateFile
> and SSLCertificateKeyFile directives in the /srv/www/conf/sites.d/
> VirtualHost configuration files (as an aside, if your hosting/application
> requires SSL, you probably should consider setting up :80 as a redirect to
> https, rather than configuring both *:80 and *:443 on the same virtual
> host).

Ha! This got me in the right direction. Thanks for your help! I now have
a working setup which is roughly as follows.

   <VirtualHost *:80>
   ServerName www.domain.tld
   ServerAlias domain.tld other.domain.tld
   ServerAdmin webmas...@domain.tld
   DocumentRoot /var/www/sites/domain.tld/www
   </VirtualHost>
   <VirtualHost *:443>
   ServerName www.domain.tld
   ServerAlias domain.tld other.domain.tld
   ServerAdmin webmas...@domain.tld
   DocumentRoot /var/www/sites/domain.tld/www

   SSLEngine on
   SSLCertificateFile /etc/ssl/server.crt
   SSLCertificateKeyFile /etc/ssl/private/server.key
   </VirtualHost>
   <Directory /sites/domain.tld/www>
   Options MultiViews SymLinksIfOwnerMatch Includes
   AllowOverride FileInfo

   ErrorDocument 404 /404.xhtml

   Order allow,deny
   Allow from all

   # Redirect aliases to the main name
   RewriteEngine On
   RewriteCond %{HTTPS} on
   RewriteRule ^(.*)$ - [env=REQUEST_SCHEME:https]
   RewriteCond %{HTTPS} !^on
   RewriteRule ^(.*)$ - [env=REQUEST_SCHEME:http]
   RewriteCond %{HTTP_HOST} !^www.domain.tld
   RewriteRule (.*) %{ENV:REQUEST_SCHEME}://www.domain.tld/$1 [R,L]
   </Directory>

Essentially, it does create two VHosts on either port, with the required
SSL machinery for port 443. Then, most of the configuration I initially
had in the VHost (not shown before), has been moved to the DocumentRoot
Directory entry. This allows to avoid most of the configuration
duplication between clear/SSL VHosts, which I was trying to avoid by
having a single one.

As to why it worked in my previous configuration, you ask? Well I did
have exactly that. I just didn't see it when recreating the
configuration...

A note, though, is that using a single VHost for both non-SSL and SSL
ports does work, and the SSL connection is established properly
(provided at least one VHost, probably the first one, on port 443 is
properly configured for SSL with keys and certificates). The only
problem I could find was really in the missing mod_ssl environment
variables.

> Generally speaking, you will likely have fewer challenges if you configure
> each HTTPS virtual host using a dedicated IP address (or port). That way the
> virtual host selection is made prior to SSL negotiation occurring.

I only have a limited set of IPv4s (as in: 1), so I unfortunately cannot
do that.


Thanks again!

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
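To make the failure mode concrete, here is the Directory block's rewrite logic rewritten as plain Python so it can be fed request environments by hand. It is an added example, not from the thread or from httpd; the CGI-style environment dictionaries are constructed, and the SERVER_PORT check is my own addition as an independent signal that the request arrived over TLS.

```python
"""Emulation of the scheme-preserving redirect in the Directory block above.

Added example, not from the thread or from httpd/mod_rewrite. The request
environments are constructed; the SERVER_PORT check is my own addition."""
import re

CANONICAL_HOST = "www.domain.tld"
# The RewriteCond as written in the Directory block: "!^www.domain.tld".
# It is anchored only at the start and the dots are unescaped, so any host
# that merely begins with something matching "www.domain.tld" is treated as
# canonical and is not redirected.
HOST_RE = re.compile(r"^www.domain.tld")


def request_scheme(env):
    """The two RewriteCond %{HTTPS} / RewriteRule [env=...] pairs collapse to
    this: only an explicit HTTPS=on yields https. A vhost for which mod_ssl
    never set HTTPS (the problem in this thread) is treated as plain HTTP."""
    return "https" if env.get("HTTPS") == "on" else "http"


def is_canonical_host(host, strict=False):
    """strict=True is the anchored, exact comparison the rule should use."""
    if strict:
        return host.lower() == CANONICAL_HOST
    return HOST_RE.match(host) is not None


def redirect_target(env, strict=False):
    """Location the final RewriteRule would send, or None when no redirect
    fires. In per-directory context $1 is the path relative to the Directory,
    i.e. without its leading slash, which lstrip('/') reproduces here."""
    if is_canonical_host(env.get("HTTP_HOST", ""), strict):
        return None
    path = env.get("REQUEST_URI", "/").lstrip("/")
    return f"{request_scheme(env)}://{CANONICAL_HOST}/{path}"


def tls_downgrade(env):
    """True when the request arrived on the TLS port but the rewrite logic
    would answer with an http:// Location, which is exactly what a missing
    HTTPS variable on a non-default vhost causes."""
    return env.get("SERVER_PORT") == "443" and request_scheme(env) == "http"


if __name__ == "__main__":
    broken = {"SERVER_PORT": "443", "HTTP_HOST": "domain.tld", "REQUEST_URI": "/wiki/"}
    print(redirect_target(broken), "downgrade:", tls_downgrade(broken))
```

Two things fall out of running it: a vhost for which mod_ssl never set HTTPS is redirected to http:// even though the client connected to port 443, and the RewriteCond as written only anchors the start of the host name, so a host beginning with www.domain.tld counts as canonical; the strict flag shows the exact comparison.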



Re: Oddity with httpd/mod_ssl: missing HTTPS environment variable on non _default_ vhosts

2014-02-20 Thread Olivier Mehani
Hey Philip,

On February 20, 2014 7:49:17 PM AEDT, Philip Guenther guent...@gmail.com wrote:
> > (Almost) everything works fine, and I do indeed manage to successfully
> > access all sites over HTTPS as expected. However, the HTTPS environment
> > variable, which should be set to 'on' for HTTPS sessions, is missing for
> > all but the first VHost.
> I don't have any good suggestions on how to fix or workaround this
> apparent bug in httpd (other than look at the code paths leading to
> where HTTPS is added to the environment, sent breakpoints, compare
> good/bad runs, use logic, etc).

I had a quick go at that, but I found the mod_ssl code to be rather cryptic.

> My more useful suggestion is to test
> out switching from httpd to nginx.  nginx was added to base with the
> goal of deleting httpd from the tree, so moving now, particularly when
> you're affected by a bug in httpd, should be a Good Idea.

Ah, right. I did try nginx out before switching back to httpd because I had 
troubles getting a similar setup going (mainly, getting php-fpm to behave 
across multiple vhosts and UserDirs without having to duplicate too much 
configuration snippets). I'm not that familiar with it, but it does sound like 
one more reason to try it again.

Thanks for the suggestion! 

I'm still open to ideas regarding fixing httpd. I'll settle for whichever works 
satisfactorily first (:


-- 
Olivier Mehani sht...@ssji.net
Sent from my mobile, please excuse my brevity.



Oddity with httpd/mod_ssl: missing HTTPS environment variable on non _default_ vhosts

2014-02-17 Thread Olivier Mehani
Hi all,

I have been battling with this issue for far too long, and I am at wits
end.

I have an OpenBSD 5.4 machine, with httpd serving pages successfully
over both HTTP and HTTPS (with a CaCert-issued certificate).  I want to
serve multiple sites on both protocols (the certificate has AltNames for
the various sites).

(Almost) everything works fine, and I do indeed manage to successfully
access all sites over HTTPS as expected. However, the HTTPS environment
variable, which should be set to 'on' for HTTPS sessions, is missing for
all but the first VHost. This is problematic because multiple apps
(mostly php-5.3.27, but also some CGI and Rewrites) inspect this
variable and behave differently depending on whether it is set to 'on'
or anything else.

The relevant bits of my configuration file are as follows (diffed from
the original src/usr.sbin/httpd/conf/httpd.conf from CVS on branch
OPENBSD_5_4):
  938a939,940
   NameVirtualHost *:80
   NameVirtualHost *:443
  1024,1025c1026,1027
   ServerName new.host.name
   ServerAdmin you@your.address
  ---
   #ServerName new.host.name
   #ServerAdmin you@your.address
  1121a1124,1125
   
   Include /srv/www/conf/sites.d
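Review bot: at 1121a1124,1125 the added Include pulls in /srv/www/conf/sites.d, whose <VirtualHost *:80 *:443> snippet (shown below) carries no SSLEngine, SSLCertificateFile or SSLCertificateKeyFile directive; those live only in the _default_:443 block touched at 1024,1025c1026,1027, so mod_ssl sets HTTPS=on for that vhost alone. Give the :443 vhost in sites.d its own SSL directives (or split *:80 and *:443 into two VirtualHost blocks) before including it.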

The ServerName/ServerAdmin/... are all in the VirtualHost _default_:443
group. The Include is at the very end of the file.

I reduced my test case to /srv/www/conf/sites.d containing only one
file:
<VirtualHost *:80 *:443>
ServerName www.domain2.tld
ServerAdmin webmas...@domain.tld
DocumentRoot /var/www/sites/domain2.tld/www
</VirtualHost>
<Directory /sites/domain2.tld/www>
Options MultiViews SymLinksIfOwnerMatch Includes
AllowOverride FileInfo
Order allow,deny
Allow from all
</Directory>
  
Neither /var/www/htdocs nor /var/www/sites/domain2.tld/www contain
.htaccess files.

This is a rather standard setup, and I've had this working on previous
machines (<=5.3). The HTTPD and SSL logs do not show any error nor
warning. I have been trying many combinations of NameVirtualHost,
VirtualHost and ServerName / ServerAlias.

In all (working) cases, the first (_default_) VHost has HTTPS set to
'on', and the other one simply hasn't anything set (as shown through a
phpinfo() page). Swapping the ServerName of the _default_ VHost to
another of the AltName'd names in the certificate sees that particular
domain get the HTTPS variable, and none of the others.

I'm not sure what to try next, if there is indeed anything else. Could
anybody offer some insight/experience about this type of setup? I guess
I'm missing something obvious, but searching the web for hours on end
hasn't yielded anything helpful... Does anybody have any idea what the
problem might be there?

-- 
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.



Re: OT: Risks of CAs (Re: Your web development opinions)

2011-03-22 Thread Olivier Mehani
On Tue, Mar 22, 2011 at 05:33:01PM +0200, Ciprian Dorin Craciun wrote:
> > > CA's cannot be trusted to even pay attention to carefully securing
> > > your certificate.  Here in the US, the government can simply ask
> > > for your certificate and get it ( and possibly even use it to
> > > impersonate you)
> > The problem is not really whether there is a trust relationship
> > between your CA provider and you, it's whether at least *one* CA is
> > lax enough that they give out certificates without thorough
> > checking.  Even with your self-signed approach, somebody could get a
> > CA to issue a certificate that their key is good for your website,
> > and impersonate it to any of your new-coming customers who haven't
> > been exposed to your official key yet.
> There is a project (which I'm contributing to so take this with a
> grain of salt) -- Perspectives http://www.networknotary.org/ -- that
> is trying to solve this problem: how to detect a MITM attack or a
> rogue CA.
>
> The idea is quite simple: provide a Firefox (and in short time a
> Chrome) plug-in that contacts a series of trusted (see below) notary
> servers that give back their SSL certificate finger-print
> observations. If the browser's observed SSL certificate matches
> the ones provided by the notaries -- within a sensible time frame --
> then everything is OK (there could be false positives though). If not
> it triggers an alarm (which could be a false negative). Therefore this
> works with all kinds of certificates -- self-signed, trusted CA's or
> untrusted CA's. (In fact the notaries are able to observe both SSH
> or arbitrary TLS/SSL based services certificates.)
>
> The trust moves from the CA to a set of peer-to-peer, geographically
> distributed, independently run, notary servers (with a quorum
> decision). (But like in the case of Tor (or other peer-to-peer
> security systems) you could be in trouble if someone is able to take
> over a great deal of the nodes.)
>
> Also because this is more for MITM attacks, rogue CA's can be detected
> only if the government isn't able to redirect all traffic to the
> rogue server for a large time frame. (Thus for example if government X
> is able to impersonate the server only in region X, but not in other
> regions, notaries in those other regions will signal the possible
> rogue CA / servers.)

This is an interesting approach, I'll see if I can do something with it
(;

However, it also reminds me a lot of MonkeySphere [0], which leverages
the PGP WoT, and allows host keys (SSH, SSL) to be signed with the
admin's PGP key. This also has the effect of decentralising the key
management.

However, I suspect there is a risk of false positives/negatives, and I'm
not sure which one is the worst. I think this is definitely the problem
of those decentralised approaches.

Note that somebody paying a CA to issue a false certificate would be a
false positive anyway...

[0] http://web.monkeysphere.info/

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]
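The notary idea as a small decision procedure, to show where the false positives and false negatives discussed here come from. It is an added example, not Perspectives' or MonkeySphere's code: notary names, timestamps and the certificate bytes are constructed, and the quorum and minimum-observation-age thresholds are parameters of the example, not values either project uses.

```python
"""Notary-style check of a TLS certificate against independent observers.

Added example in the spirit of the Perspectives idea quoted above; not the
project's code. Notaries, timestamps and certificate bytes are constructed."""
from dataclasses import dataclass
import hashlib
import time


@dataclass(frozen=True)
class Observation:
    notary: str
    fingerprint: str    # hex SHA-256 of the DER certificate
    first_seen: float   # unix time the notary first saw this key for the host
    last_seen: float    # unix time of the notary's latest probe


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def assess(seen_fp, observations, *, quorum, min_duration, now=None):
    """Return (verdict, detail) for the fingerprint the client just saw.

    ok        at least `quorum` notaries currently report seen_fp and have
              done so for `min_duration` seconds; a key every notary has
              only just started seeing is not trusted yet, since a MITM that
              also fools the notaries looks exactly like that.
    mismatch  a quorum reports a different key: a MITM or a rogue CA on the
              client's path (the region-X case in the quoted mail).
    unknown   too few notaries agree or disagree: a new host, or a legitimate
              key change still propagating. This is the false-positive zone."""
    now = time.time() if now is None else now
    latest = {}
    for ob in observations:          # keep each notary's most recent record only
        cur = latest.get(ob.notary)
        if cur is None or ob.last_seen > cur.last_seen:
            latest[ob.notary] = ob
    agree = [ob for ob in latest.values()
             if ob.fingerprint == seen_fp and now - ob.first_seen >= min_duration]
    disagree = [ob for ob in latest.values() if ob.fingerprint != seen_fp]
    if len(agree) >= quorum:
        return "ok", f"{len(agree)} notaries agree"
    if len(disagree) >= quorum:
        return "mismatch", f"{len(disagree)} notaries report a different key"
    return "unknown", f"{len(agree)} agree, {len(disagree)} disagree, quorum {quorum}"


# Constructed data: three notaries that have watched the real key for months,
# one notary inside region X that only ever reaches the impersonating server,
# and a stale record of the key the site used before its last rotation.
NOW = 1_300_000_000.0
DAY = 86400.0
LEGIT = fingerprint(b"constructed DER for www.example.net")
ROGUE = fingerprint(b"constructed DER minted by a lax CA")
OLD = fingerprint(b"constructed DER of the previous key")
NOTARIES = [
    Observation("notary-eu", OLD, NOW - 400 * DAY, NOW - 100 * DAY),
    Observation("notary-eu", LEGIT, NOW - 90 * DAY, NOW - 3600),
    Observation("notary-us", LEGIT, NOW - 90 * DAY, NOW - 7200),
    Observation("notary-au", LEGIT, NOW - 80 * DAY, NOW - 3600),
    Observation("notary-x", ROGUE, NOW - 7200, NOW - 600),
]

if __name__ == "__main__":
    for fp in (LEGIT, ROGUE):
        print(fp[:12], assess(fp, NOTARIES, quorum=3, min_duration=7 * DAY, now=NOW))
```

The thresholds are the whole game: a large quorum and a long minimum age make a rogue CA hard to slip past (the attacker would have to fool most notaries for most of that period) but turn every legitimate key rotation into a warning until the notaries catch up, which is the false-positive problem raised above.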



Re: pppoe(4): unexpected IPV6CP requests

2011-03-15 Thread Olivier Mehani
On Tue, Mar 15, 2011 at 08:02:38AM +0100, Christophe Etcheverry wrote:
> Any idea?

Ask your ISP to start offering IPv6 connectivity (;

However, maybe they did, and this is the reason you witnessed a change
of behaviour.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



OT: Risks of CAs (Re: Your web development opinions)

2011-02-23 Thread Olivier Mehani
Just some OT thoughts.

On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote:
> CA's cannot be trusted to even pay attention to carefully securing
> your certificate.  Here in the US, the government can simply ask for
> your certificate and get it ( and possibly even use it to impersonate
> you)

The government would have the certificate, but not the private key, so
I'm not sure how they can impersonate you with it.

However, they can just get their own key to *any* shoddy CA included in
browsers, and get a certificate linking that key to your services
without much problem.

The problem is not really whether there is a trust relationship between
your CA provider and you, it's whether at least *one* CA is lax
enough that they give out certificates without thorough checking.

Even with your self-signed approach, somebody could get a CA to issue a
certificate that their key is good for your website, and impersonate it
to any of your new-coming customers who haven't been exposed to your
official key yet.

I may also be wrong in my analysis, but as far as my understanding goes,
it's correct.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: FBI And OpenBSD...

2010-12-15 Thread Olivier Mehani
On Wed, Dec 15, 2010 at 11:17:02PM +0100, Randy Wrench wrote:
> > The FBI allegedly paid OpenBSD developers to insert back-doors into
> > the code-base...
> The above url carried an article which is disturbing to say the
> least...  Anyone know more about this???

You should read security-announce@

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



SCM SCR335 SmartCard reader works OK with GnuPG 2 (was Re: [New] gnupg2)

2010-11-07 Thread Olivier Mehani
Ahoy,

On Wed, Nov 03, 2010 at 07:31:38AM +0100, David Coppa wrote:
> > > It could be fun if someone could test this port with a gnupg smartcard.
> > Hum, I actually have a card reader that I just set up under Linux [0].
> > My 4.7 is on a remote machine, but I'll try to track down a spare
> > machine and put a fresh 4.8 on it to try it all.
> It doesn't work. At least the OpenPGP SmartCard V2 I have.
> This card requires pcsc-lite and ccid. I've ported both and they worked.
> My work stopped trying to make scdaemon working: threading issues made
> me give up.

I just found time, over the week end, to install 4.8 on said spare machine.
My SCM SCR335 USB reader works nicely out of the box with just
gnupg-2-0-15. No need for pcsc-lite nor ccid.

After starting the GPG agent, I could list and use the keys, both for
signing, decryption AND remote SSH login. I jotted down some doc here
[0].

Next step is trying to see how to do system auth as well! (;

[0] https://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard#doing_the_same_with_openbsd_48

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: Activating ip6.forwarding and accept_rtadv at the same time

2010-09-05 Thread Olivier Mehani
On Sun, Sep 05, 2010 at 03:49:43PM -0400, Simon Comeau Martel wrote:
> > You received a /64 for your router interface ?  Or are you in a /64
> > subnet with other customers ?  The setup sounds weird to me.  To what
> > address is your ISP forwarding that /56 ?
> Yeah, it's a bit strange. But it's their IPv6 beta; very few customers are
> in it right now. I guess they won't give so much address space in the long
> run.

Well, supposedly, end-users should receive /48s from their ISPs [0].

> Right now, they give a /64 subnet to everyone in the beta, and, if you
> tell them you will use a router (that's the case for everyone except those
> who only have one PC connected directly to their ADSL modem), they also give
> you a /56 subnet.

Back to your initial problem, it is a bit of a bummer. The same happens
with Linux as well. As has been stated before, it is accepted that
router discovery is for end-hosts only. I still don't quite understand
how it would be dangerous (apart from some really twisted cases).

Anyway, maybe you should ask your ISP to implement DHCPv6. DHCP used to
be a client configuration tool, but DHCPv6 is more specifically designed
for router configuration. My ISP does that over a PPP link, and it works
wonderfully.

> They are all publicly routable IPv6 addresses.

And it will stay like that! That's one of the reasons to use IPv6: no
*(#$(# NAT.

[0] http://tools.ietf.org/html/3769

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



Potential Spam: Re: IPv6 calculator

2010-08-27 Thread Olivier Mehani
On Thu, Aug 26, 2010 at 09:41:59PM +0200, Martin Pelikán wrote:
> I just updated my IPv6 address calculator and thought it might find
> its use in OpenBSD. It shouldn't contain any security risk, is small
> enough not to bloat the tree and handy enough to help admins visualize
> and plan their network's addressing or set those crazy PTRs properly.
> You can get it here: http://cap.potazmo.cz/software/ipv6calc/ipv6calc.c

Did you make sure the "Compact form" complies with [RFC5952]?

I haven't, and I am surely not saying it doesn't, but I thought it would
be good to mention that RFC if you did not already know about it.

[RFC5952] S. Kawamura and M. Kawashima, A recommendation for IPv6
address text representation, RFC 5952 (Standards Track). [Online].
Available: http://tools.ietf.org/rfc/rfc5952.txt

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]
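As an added example (not code from ipv6calc), here is the RFC 5952 canonical form implemented rule by rule, with a checker that tells whether a string is already canonical; the addresses are constructed, and the standard library is used only to parse the input. The point for an admin is that ACL entries, log matching and PTR names only compare reliably when every address is written in this one form.

```python
"""RFC 5952 canonical text representation of IPv6 addresses.

Added example, not from the ipv6calc tool mentioned above. The standard
library is used only to parse; the compaction rules are implemented by hand
so each section of the RFC is visible. Sample addresses are constructed."""
import ipaddress


def groups_of(addr: str):
    """Parse `addr` and return its eight 16-bit groups (raises ValueError on junk)."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def rfc5952(addr: str) -> str:
    """Apply RFC 5952 section 4:
    4.1   no leading zeros inside a group
    4.2.1 '::' shortens as many groups as possible
    4.2.2 '::' never replaces a single 16-bit zero group
    4.2.3 on a tie, the leftmost run of zero groups is shortened
    4.3   hexadecimal digits are lowercase"""
    g = groups_of(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                      # longest run of zero groups, leftmost wins ties
        if g[i] == 0:
            j = i
            while j < 8 and g[j] == 0:
                j += 1
            if j - i > best_len:      # strict '>' keeps the leftmost run (4.2.3)
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexg = [format(x, "x") for x in g]        # 4.1 and 4.3
    if best_len < 2:                          # 4.2.2
        return ":".join(hexg)
    left = ":".join(hexg[:best_start])
    right = ":".join(hexg[best_start + best_len:])
    return f"{left}::{right}"                 # 4.2.1


def is_canonical(addr: str) -> bool:
    """True if `addr` is already in RFC 5952 form, i.e. safe to compare as a
    string against other canonical addresses; False for non-addresses."""
    try:
        return addr == rfc5952(addr)
    except ValueError:
        return False


if __name__ == "__main__":
    for a in ("2001:0db8:0000:0000:0001:0000:0000:0001", "2001:DB8:0:1:1:1:1:1", "::1"):
        print(a, "->", rfc5952(a), "canonical already:", is_canonical(a))
```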



OT: On HTTP redirections (nothing to do with Re: Same shit all over again)

2010-08-16 Thread Olivier Mehani
Hi,

Nothing to do with the previous thread, but this is something that
always annoys me a bit in the following syntax. I'm sure most people are
aware about that, but I thought I'd hammer the nail once more.

On Sun, Aug 15, 2010 at 10:51:32PM -0400, David Hill wrote:
> # cat why.html
> <html>
> <head>
> <meta http-equiv="refresh"
> content="0;url=http://www.trollaxor.com/2010/06/why-i-left-openbsd.html" />
> </head>

The proper way to do redirection is via the HTTP 30x status codes.  This
is easily done e.g., with httpd in a .htaccess (or other configuration)
file as

  Redirect /why.html http://www.trollaxor.com/2010/06/why-i-left-openbsd.html

Though it works with standard (i.e. quite likely all) clients, it loses
the semantics of the redirection at the HTTP level and moves it into the
contents of the page, which is not quite right [0]. The refresh META
should only be used to, unsurprisingly, refresh the current page at a
given frequency.

The only thing thus rendered impossible is a redirection to another page
after a given period. But I have troubles coming up with a scenario
requiring it which couldn't be handled in other ways.

Just thought I'd rant about it (;

[0] http://www.w3.org/QA/Tips/reback

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: ISC DHCP 4.2

2010-08-15 Thread Olivier Mehani
On Sun, Aug 15, 2010 at 08:52:51PM -0700, Michael McCool wrote:
 When running the ISC 4.2 dhcpd (using the old config file) in the
 foreground/debugging (-f or -f -d), clients on both my wired lan
 (segment 1) and wireless lan (segment 2) can obtain IP addresses just
 fine.  When running the dhcpd server is daemon mode, only the wired
 lan clients can obtain IP addresses.  Any suggestions on to what I can
 do to start digging into what is going on and how to fix it?

Just a quick guess from my not so recent experience: Did you specify all
the relevant interfaces in /etc/dhcpd.interfaces?

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: apachectl graceful on a running chrooted apache on 4.7 stops it the first time and starts with the new configuration only when specified a second time

2010-08-05 Thread Olivier Mehani
Hi,

On Thu, Aug 05, 2010 at 05:00:29PM +0530, Siju George wrote:
> =
> [Thu Aug  5 16:56:38 2010] [notice] SIGUSR1 received.  Doing graceful
> restart
> Syntax error on line 275 of /conf/httpd.conf:
> Cannot load /usr/lib/apache/modules/mod_perl.so into server: File not found
> =
> Line 275 of httpd.conf is
> LoadModule perl_module /usr/lib/apache/modules/mod_perl.so

The problem seems to be that /usr/lib/apache/modules is not accessible
from the chroot, and Apache can't find the module it needs to load from
in there. It's quite common, but I'm afraid the only solution is a clean
stop (e.g. using apachectl), then to start httpd again manually.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: addon to website faq

2010-08-05 Thread Olivier Mehani
On Thu, Aug 05, 2010 at 01:31:41PM +0400, Matthew Gladkikh wrote:
> Hello, I would like to add some useful tip to
> http://www.openbsd.org/faq/faq9.html
> It is how to convert existing linux machine to openbsd on hosting providers
> that do not provide openbsd support but do provide rescue mode.
> It is simple like starting obsd install in qemu (in rescue cd mode), accessing
> it via vnc, installing, fixing /etc/fstab /etc/hostname.if and rebooting whole
> server to openbsd system.
> Is it interesting addon?

The situation seems to be more and more frequent. However, the qemu then VNC
solution may not be the most efficient.

I recently had that problem and used Yaifo [0] which, provided one
already working OpenBSD system (or a quick install thereof in your
favorite VM), can build an install image from the source which has the
install script running over SSH.

You then just have to dd that image at the beginning of the disk of the
target machine using its rescue mode. When you have rebooted, you only
need to SSH into that machine and proceed through a completely standard
installation.

[0] http://erdelynet.com/tech/yaifo/yaifo-4-7-beta/

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: Most barebones pf.conf

2010-08-04 Thread Olivier Mehani
On Thu, Aug 05, 2010 at 02:17:35AM +0200, Robert wrote:
> > What would be the most barebones pf.conf for a OpenBSD 4.7 nat firewall
> > with 2 nics, that passes everything.
> ext_if=em0
> table <int_net> const persist {10.10.1.0/24}
> match out on $ext_if from <int_net> to any nat-to ($ext_if)
> pass all

If I'm not mistaken, you could drop the "ext_if=em0" and just use
interface group "egress" (which would be your only interface with a
default route in this case) in the match rule.

Similarly, assuming your local interface is in the same network as your
NATted clients, you could use "($int_if:network)" instead of the address
table. This would require declaring an $int_if variable.

Maybe a nicer way to do this would be to put your local interface in a
specific group using hostname.$int_if, then only use that group's name
in your pf.conf. This has the additional advantage that you can add
other local interfaces later on, and have the NAT set up directly for
them without modifying your pf.conf, but only their hostname.if.

Thus,

=== pf.conf ===
match out on egress from (ingress:network) to any nat-to (egress)
pass all
==

=== hostname.$int_if ===
...
group ingress
==

PS: I'm just saying that from the top of my head, and haven't tried
this. Particularly, I'm not sure whether the "nat-to (egress)" works. It
may need a "nat-to (egress:0)" instead, which may not even work either.
I tend to always try out interface group-based solutions first as I find
them more elegant.  Anyway, if you're keen, please test and tell us (:

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



net/pfstat and pf tables

2010-07-26 Thread Olivier Mehani
Hi,

I've just set up a quick pfstat on one of my servers to monitor traffic.
The default ruleset, extended to include IPv6, works nicely.

However, I maintain, in my pf rules, a table of blocked addresses for
those scripts kiddies which try to login too often with varying
usernames and wrong passwords. I'd like to monitor the size of that
table using pfstat as well.

I've read through the documentation and searched for examples, but there
doesn't appear to be any mention that pfstat can monitor the size of a
custom table. Is it possible? If so, how?

Thanks.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: [Fvwm][Bug?] Keyboard layout changes when fvwm restart

2010-07-19 Thread Olivier Mehani
Hi,

On Mon, Jul 19, 2010 at 04:07:06PM +0800, Bruce Khereid wrote:
> After startx, the GoToPage actions were bound to Ctrl-F and Ctrl-D in
> QWERTY layout (which are Ctrl-E and Ctrl-U in Dvorak, or the 3rd and
> 4th keys in the middle line), so I began to think all those bindings
> are parsed as in QWERTY layout. But after I restarted the fvwm (by
> typing restart in FvwmTalk), things changed, it began to interpret the
> configurations in Dvorak layout, that is, Ctrl-F and Ctrl-D in Dvorak
> layout, which are Ctrl-Y and Ctrl-H in QWERTY, started to turn the
> page.

How (When) is your keyboard mapped to Dvorak? Is it in the global X
configuration, or only for the session (e.g. with a setxkbmap somewhere
in a xstartup script)?

I suspect it's set up by the session, which means that FVWM starts while
your keyboard still has a QWERTY mapping, and bases its shortcuts on
that. Restarting FVWM would then let it rebind the shortcuts to the new
keys with the given symbols.

I may also be completely wrong.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Dedibox v3 (Dell XS11-VX8 w/ Via Nano U2250) successful installation with yaifo-4.7

2010-07-06 Thread Olivier Mehani
Hi list,

I just successfully installed OpenBSD 4.7/amd64 on a Dedibox v3
(cheaparse dedicated server in France, based on Dell XS11-VX8). Having
neither screen nor serial console access (despite what their out-of-date
doc says), I used yaifo-4.7-beta to install the system. It installed and
booted like a charm!

Having found little information about the process (apart from [0], in
french, which greatly helped) I thought I'd share the news.

BTW: It has two Intel Pro/1000. The default one (that they plug to the
network), is em0.

[0] http://opendedibox.fatbsd.com/yaifo.html

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Update on altq and interface groups

2010-07-05 Thread Olivier Mehani
Hi list,

I know this question has been asked before, but I'm after an up-to-date
answer, or at least a confirmation.

Has support for interface groups been implemented for altq? By that, I mean
the possibility to use an interface group name with "altq on GROUP" to set up
similar queues for each of the interfaces of the group. This could be used to
not have to explicitly name the interfaces but rather refer to their current
role. The outgoing traffic for all the interfaces could also be classified with
only one ruleset of "pass out on GROUP"s.

Unfortunately, the changelogs and my small experiments (see below) seem to
hint that it's not supported. But maybe I'm (doing it) wrong?

opera...@mudrublic:~$ /sbin/ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
(...)
ath0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
(...)
        groups: wlan internal
(...)
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
(...)
        groups: egress
(...)

Relevant beginning of pf.conf:

UPLINK_BANDWIDTH = 90Mb
set skip on lo
set loginterface public
altq on egress priq bandwidth $UPLINK_BANDWIDTH queue {std_out, interactive_out, dns_out, tcp_ack_out}
queue std_out priq(default)
queue interactive_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
(...)
pass out on egress proto tcp to any flags S/SA keep state queue(std_out, tcp_ack_out)
pass out on egress proto { tcp udp } to any port domain keep state queue dns_out
pass out on egress proto tcp to any port ssh flags S/SA keep state queue(std_out, interactive_out)


$ sudo pfctl -vf /etc/pf.conf
set skip on { lo }
set loginterface public
UPLINK_BANDWIDTH = 90Mb
pfctl: SIOCGIFMTU: Device not configured

This error doesn't happen if I replace egress with sis0 in the "altq on"
line (pretty bad omen, I guess...).

$ uname -a
OpenBSD mudrublic.narf.ssji.net 4.6 GENERIC#58 i386

Thanks.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



shape bandwidth per user for all users

2010-07-05 Thread Olivier Mehani
Hi again,

I have a router with two wireless cards. As I always enjoy the odd open
AP to check my emails on the go, I decided I'd reciprocate. I have thus
configured one of the Wi-Fi interfaces as open.

However, I wouldn't want people to abuse this "service". I put it there
for them to check their emails, not to download big amounts of data (which
is also capped to a given monthly volume by my ISP).

My goal is then to shape the bandwidth on this network (by not putting
packets on the wireless network as fast as they could, thus forcing the
transport to adapt) using AltQ. However, rather than setting a global
limit, I'd rather set a limit per user (I assume one user equals one IP
here, all limitations and flaws considered).

I've been reading docs and tutorials (and still am), but I can't figure
out a way to limit each user to, say, 500Kb/s* without explicitly creating
as many queues as possible IP addresses in the network, disregarding that
500Kb for 253** users would just saturate the network. Of course, I
don't want them to be able to borrow any of the remaining bandwidth
either.

In summary, on an 11Mbps network with, say, three visitors, each of
them can get 500Kb/s download, and nothing more. If all of them use it,
the network will see 1.5Mb/s of its bandwidth occupied (and so will my
uplink), while the other 8.5 (out of the 90% of 11Mb/s) will remain
blissfully unused, waiting for another user (or the same user with yet
another device).

Is there a concise and elegant way to define such a ruleset?

Thanks again!

* Actually, maybe I should reconsider this value.
** I don't want to think about IPv6 if I have to write this ruleset
manually (;

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Re: allowing inbound icmp6

2010-05-23 Thread Olivier Mehani
On Sun, May 23, 2010 at 07:15:07PM -0700, TimH wrote:
 I have tried a number of ways to allow icmp6, as the notes in my
 pf.conf (look for #) explain below.  What few examples I could find
 online (http://www.benzedrine.cx/pf.conf) seemed to suggest it
 shouldn't be hard, but I'm not having any success.  Is anyone doing
 this with 4.7?
 # I have tried all three of these to no effect
 #pass on $tunnel_if inet6 proto ipv6-icmp
 #pass in on $tunnel_if inet6 proto ipv6-icmp from any to $ipv6_net
 #pass quick proto icmp6 all

How about the following?

  pass in quick proto ipv6-icmp

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Re: Question on read write from Linux to OpenBSD

2010-04-07 Thread Olivier Mehani
On Wed, Apr 07, 2010 at 04:34:39PM -0700, Super Biscuit wrote:
 Using mount -t ufs -o ufstype=44bsd -o ro /mount/point
 /mount/directory does not allow reading of /home /var /tmp and /root.
 The option of -o rw doesn't work from Linux to any BSD. (At least for
 me because I do not know the proper commands.)

Mounting the fs in two steps, as follows, worked for me.

# mount -t ufs -o ufstype=44bsd /dev/sda4 /mnt
# mount -orw,remount /dev/sda4 /mnt

However, it requires your UFS support to have been built with the
UFS_FS_WRITE at (Linux kernel) compile time ("UFS file system write
support", only available if "Prompt for development and/or incomplete
code/drivers" is enabled) which is --as far as my experience goes-- not
the case by default with many distros. You may need to recompile your
module and/or kernel.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Re: Atheros AR5212/AR5213A 802.11a/b/g mini-pci wont do 802.11g hostap

2010-04-07 Thread Olivier Mehani
On Fri, Mar 12, 2010 at 08:16:47AM +1100, Aaron Mason wrote:
 Yeah, this is something I did battle with awhile ago.  I have a laptop
 with an Atheros 5005 based card that I use as a gateway between a
 wired and wireless network.  As far as I know, the ath(4) driver
 doesn't have the ability to do 11g, only 11a and 11b.  Same thing with
 a DCMA81 11abg card.

Yep, the same holds for AR5213A-based cards. I've had a Mini-PCI card in
my Soekris for quite a while, now, but never have been able to set it in
11g mode. It works nicely in 11b, though.

OpenBSD 4.6 (GENERIC) #58: Thu Jul  9 21:24:42 MDT 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

ath0 at pci0 dev 16 function 0 Atheros AR5212 rev 0x01: irq 11
ath0: AR5213A 5.9 phy 4.3 rf5112a 3.6, FCC2A*, address XX:XX:XX:XX:XX:XX

"ifconfig ath0 media" does indeed not list 11g as an available mode, and
I notice that ath(4) does not actually mention 5213 chips. Looks like
I'm lucky it's recognized at all.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



trac-0.10.5p0 segfaults on 4.5 release

2009-08-25 Thread Olivier Mehani
/api.py, line 460, in
write
self._write(data)
  File /usr/local/lib/python2.5/site-packages/trac/web/wsgi.py, line 195, in
_write
self.handler.send_response(int(status[:3]))
  File /usr/local/lib/python2.5/BaseHTTPServer.py, line 370, in
send_response
self.send_header('Server', self.version_string())
  File /usr/local/lib/python2.5/BaseHTTPServer.py, line 376, in send_header
self.wfile.write(%s: %s\r\n % (keyword, value))
  File /usr/local/lib/python2.5/socket.py, line 274, in write
self.flush()
  File /usr/local/lib/python2.5/socket.py, line 261, in flush
self._sock.sendall(buffer)
error: (32, 'Broken pipe')

Segmentation fault

I'm proxying the connection from Apache to tracd. For some reason, I do
not find matching log entries in the Apache access_log for these
specific times, even though some others can definitely be found.

It's an amd64 OpenBSD, but I've noticed the same issues with i386 and
previous versions as well (still with trac-0.10.5, though).

Any thoughts about what may be causing the problem (I suspect the
GoogleBot) or how to solve it?

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Re: Dual head in current

2009-08-20 Thread Olivier Mehani
On Thu, Aug 20, 2009 at 05:49:10PM +0300, Lars Noodin wrote:
  $ xrandr --output VGA --left-of LVDS
  xrandr: screen cannot be larger than 1680x1680 (desired size 2320x1050)
  $ xrandr --output VGA --right-of LVDS
  xrandr: screen cannot be larger than 1680x1680 (desired size 2320x1050)
 How do I circumvent the screen size limitation?

Maybe add the following to your xorg.conf, and have a quick read of [0]
for more details.

SubSection "Display"
    # xorg.conf(5) takes the virtual size as two numbers, not WxH
    Virtual 2320 1050
EndSubSection

[0] http://www.thinkwiki.org/wiki/Xorg_RandR_1.2#the_Virtual_screen

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Re: apache1.3 without jail and PHP cannot execute some system binaries..why?

2009-08-14 Thread Olivier Mehani
Hello,

On Fri, Aug 14, 2009 at 09:59:41AM -0500, Andres Salazar wrote:
 I have a script that is being called from the web  , it invokes the
 system() function and I try to test running some system commands to
 see if they are properly invoked.
 mv and cp do not display any output (these do not execute), while cat
 and ls do.  If I run the script via the command line all of the
 commands display output (even if it's the usage help info of each
 command).

Maybe just a stupid thought, but could it be that cp and mv, for some
particular reason linked to that setup, output to stderr, while ls and
cat output to stdout? That would assume that system() only catches
stdout (to be checked), but it could be a problem of stream redirection.

I just checked and confirmed that usage help and error messages (e.g. in
case of rights problems) of cp are output on stderr.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Precision about interface address determination in pf.conf(5)

2009-08-13 Thread Olivier Mehani
Hello list,

I read in pf.conf(5),

"When the interface name is surrounded by parentheses, the rule is
automatically updated whenever the interface changes its address."

I know this works well for IPv4 addresses, where "(sis0)" will resolve
to the addresses of sis0. However, I'm working on an IPv6 version of my
pf rules, which I started by bluntly copying my previous rules, and
changing the address family.

As expected when one does something bluntly, it doesn't work. I'm
suspecting that the syntax "(interface)" in pf.conf only resolves to the
IPv4 addresses of the interface. Unfortunately, I haven't found anything
clarifying that in the manual.

Can somebody shed some light?

Additionally, in case this syntax only gives IPv4 addresses, what would
be an equivalent method to dynamically get an interface's IPv6 address?

Thanks.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Re: Precision about interface address determination in pf.conf(5)

2009-08-13 Thread Olivier Mehani
On Thu, Aug 13, 2009 at 05:31:39PM +0200, Henning Brauer wrote:
  I'm suspecting that the syntax "(interface)" in pf.conf only
  resolves to the IPv4 addresses of the interface.
 wrong.

Right, thanks for this terse answer Henning (:

I investigated further, and found the cause of my problems to lie in the
fact that I was mentioning the address family in the rules.

Here are relevant excerpts of my pf.conf

ext_if=sis0
...
block all
...
pass in on $ext_if proto tcp from any to ($ext_if) \
 port ssh flags S/SA keep state
pass in on $ext_if inet6 proto tcp from any to ($ext_if) \
 port ssh flags S/SA keep state

The (almost) duplication is due to my previously using a tunnel provided
by SixXS, thus having an additional interface only for IPv6. My ISP now
provides native IPv6, so I just s/sixxs_if/ext_if/g my configuration
file (yes, that's my way of bluntly copying).

To solve my problem, I replaced the duplicated rules by a single similar
one which does not specify any address family:

pass in on $ext_if proto tcp from any to ($ext_if) \
 port ssh flags S/SA keep state

This now works like a charm.

What I don't understand, though, is why it wasn't working with the
original set of rules, as they look very similar to me, and I would have
expected them to achieve the same behavior, if not as efficiently.

What am I missing?

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655



Security considerations for login with an SSH host key

2009-04-14 Thread Olivier Mehani
Hello all,

I'm currently setting up a remote backup solution based on rdiff-backup.
Basically, each computer to be backed up regularly connects to the
centralized backup server, and sends the modifications. This is done in
a crontab.

On the backup server, there is one user per backed-up machine. Each
machine stores its files up in the HOME directory of its associated
user.

Now, as this is a fully automated process, I cannot enter a password, so
I naturally thought about using a passwordless SSH key. (I suppose the
passwordlessness of the key could arguably be a security issue, and I'd
be happy to know about other possible solutions, if any.)

I first thought about generating a specific key for that purpose. I then
realized each of these hosts already had one, which is generated during
the first boot. I finally decided to implement my system using
/etc/ssh/ssh_host_rsa_key as the private key used to authenticate to the
backup server. This file is only readable by root, but as cron runs as
root, that should be no problem (not tested yet, I'm currently setting
everything up).

I'm wondering, however, if there were any security risks introduced by
specifically using the host key instead of one generated specifically
for that purpose and, if so, what they were.

Thanks for your insight (:

-- 
Olivier Mehani sht...@ssji.net
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



Re: scrotwm.conf setting custom xterm

2009-03-04 Thread Olivier Mehani
On Wed, Mar 04, 2009 at 10:28:43PM -0700, Matt Jibson wrote:
  I was looking at the man page for xterm(1), and I saw that by
  invoking xterm -ls, the terminal should read .profile, and set the
  prompt.  In an xterm, I was able to run xterm -ls and have just
  this exact thing happen.  Then I installed scrotwm, and went into
  /etc/scrotwm.conf and set the spawn_term to xterm -ls, thinking
  this would do the same, but it does not.  What am I doing wrong?  I
  am using the default shell.  Does scrotwm do something special to
  call xterm?
 To configure xterm, you need to use the .Xdefaults file, although that
 does not look like what you need.

In case an example can help, I have the following in my .Xdefaults to start
all xterms as login shells.

xterm*loginShell:   true

Works like a charm.

--
Olivier Mehani sht...@ssji.net
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



OpenBSD release building systems

2008-05-08 Thread Olivier Mehani
Hi list,

After reading [0], [1] and [2] once again (it never hurts, hey?), I
started wondering the following.

We know [3] that big parts of OpenBSD releases, for several
archs, are built in Theo's basement [4]. But what I have not been able
to work out is what version of OpenBSD these machines are actually
running.  Is this -current, or the latest -stable?

Moreover, when it comes to upgrading these machines, what is the
preferred way to do so? Is this using the freshly baked new install
media to upgrade, maybe bsd.rd [5], or is it a complete reinstall?

I'm just being curious here (:

Thanks.

[0] http://www.openbsd.org/stable.html
[1] http://www.openbsd.org/faq/upgrade43.html
[2] http://www.openbsd.org/faq/faq5.html
[3] http://marc.info/?l=openbsd-miscm=110098157015931w=2
[4] http://www.openbsd.org/images/newrack.jpg
[5] http://www.openbsd.org/faq/faq4.html#bsd.rd

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



ImageMagick-6.3.6.10-no_x11's dependency libwmf-0.2.8.3p3 requires X11

2008-05-01 Thread Olivier Mehani
Hi,

I'm in the process of finishing my OpenBSD 4.2-to-4.3 update (good work,
guys, thanks!) as per [0].

When updating the packages, I ran into a small issue. I have an X11-less
system, so I install the no_x11 flavors of every package which has one.
This is the case for ImageMagick, which has to be updated to version
6.3.6.10. ImageMagick depends on libwmf-0.2.8.3p3 which, in turn, depends
on some X11 libraries.

Short story shorter:
pkg_add -r ImageMagick-6.3.6.10-no_x11
Can't install libwmf-0.2.8.3p3: lib not found ICE.8.1
Dependencies for libwmf-0.2.8.3p3 resolve to: libxml-2.6.30, libiconv-1.9.2p5,
jpeg-6bp3, png-1.2.22
Full dependency tree is libxml-2.6.30,libiconv-1.9.2p5,jpeg-6bp3,png-1.2.22
Can't install libwmf-0.2.8.3p3: lib not found SM.8.0
Can't install libwmf-0.2.8.3p3: lib not found X11.11.1
Can't install libwmf-0.2.8.3p3: lib not found Xau.9.0
Can't install libwmf-0.2.8.3p3: lib not found Xdmcp.9.0
Can't install libwmf-0.2.8.3p3: lib not found freetype.16.0
Can't install ImageMagick-6.3.6.10-no_x11: can't resolve libwmf-0.2.8.3p3

Where should I report that (if not here)? Is bugs@ the right
place to report packages issues, or should it rather be [EMAIL PROTECTED]

Additionally, what workarounds could there be (apart from the obvious
installation of xbase43.tgz, which I would like to avoid)?

Thanks.

[0] http://www.openbsd.org/43.html#upgrade

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



[OT] Regarding spam in french (was Re: Protection de votre marque sur Internet)

2008-04-09 Thread Olivier Mehani
Hi list,

I've been recently amazed (in a bad way) by the amount of spam this list
receives that seems to be coming from French companies.

I just wanted to point French readers at a spam gathering organisation
[0,1]. They provide a form [2] to submit this kind of emails for
statistical and (hopefully) more effective treatment in a legal way
against the evil-doers.

PS: considering the off-topic level of this email, please only respond
to me personally if you feel you have to, do not overload this list.

PPS: there even exists a Python script [3] for easy submission from Mutt!

[0] http://www.signal-spam.fr
[1] http://www.signal-spam.fr/index.php/frontend/presentation
[2] https://www.signal-spam.fr/signaler.php
[3] http://www.signal-spam.fr/index.php/frontend/extensions/script_python

--
Olivier I still think the sky is forever blue and problems can be solved by
just being kind Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Olivier Mehani
On Fri, Feb 01, 2008 at 06:11:17PM +1100, Chris wrote:
 my logs are filled with useless ssh bruteforce attempts - is there
 anything i can do to avoid logging random brute force attacks? since i
 disallow ssh root login and use the allowuser acl - i guess i could
 just avoid logging all these random attacks in my logs.
 Any suggestions would be much appreciated. Thanks.

For a start, you can use DenyHosts [0], which would add the attacking
IP to your hosts.deny file after a certain number of failed connection
attempts so that they won't even be able to establish a connection to
the SSH daemon. It won't solve your problem by itself, but it will at
least greatly diminish the entries in your log files.

You have to be careful, though, to have a good hosts.allow file
(whitelisting your domains/IPs) in order not to lock yourself out by
mistake (sometimes, too much alcohol doesn't help in correctly
remembering one's password...).

[0] http://denyhosts.sf.net

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1
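
As an added illustration of the count-then-block approach described in this reply (not DenyHosts' own code, and not part of the original thread), the following Python script tallies failed sshd password attempts per source address from a constructed authlog sample, applies a hosts.allow-style whitelist before blocking, and emits either hosts.deny lines or pfctl table additions. The threshold, the table name and the log lines are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sshd authlog sample (not a real capture): one host hammering
# with varying usernames, one legitimate user with a single typo, and one
# host inside the administrator's own (whitelisted) network.
SAMPLE_AUTHLOG = """\
Feb  1 18:10:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40213 ssh2
Feb  1 18:10:03 gw sshd[1234]: Failed password for invalid user oracle from 203.0.113.5 port 40214 ssh2
Feb  1 18:10:05 gw sshd[1235]: Failed password for root from 203.0.113.5 port 40215 ssh2
Feb  1 18:10:07 gw sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 40216 ssh2
Feb  1 18:10:09 gw sshd[1237]: Failed password for invalid user guest from 203.0.113.5 port 40217 ssh2
Feb  1 18:11:00 gw sshd[1240]: Failed password for chris from 198.51.100.7 port 51000 ssh2
Feb  1 18:11:02 gw sshd[1240]: Accepted publickey for chris from 198.51.100.7 port 51000 ssh2
Feb  1 18:12:00 gw sshd[1241]: Failed password for invalid user admin from 192.0.2.9 port 2222 ssh2
Feb  1 18:12:01 gw sshd[1241]: Failed password for invalid user admin from 192.0.2.9 port 2223 ssh2
Feb  1 18:12:02 gw sshd[1241]: Failed password for invalid user admin from 192.0.2.9 port 2224 ssh2
Feb  1 18:12:03 gw sshd[1241]: Failed password for invalid user admin from 192.0.2.9 port 2225 ssh2
Feb  1 18:12:04 gw sshd[1241]: Failed password for invalid user admin from 192.0.2.9 port 2226 ssh2
"""

# Matches the "Failed password" line sshd logs for both known and unknown users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def count_failures(log_text):
    """Return a Counter {source IP: number of failed password attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offenders(counts, threshold, allow_nets):
    """IPs with at least `threshold` failures that are not in a whitelisted network.

    The whitelist plays the role of hosts.allow: without it, an administrator
    mistyping a password from home ends up locking themselves out.
    """
    allowed = [ip_network(n) for n in allow_nets]
    result = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        if any(ip_address(ip) in net for net in allowed):
            continue
        result.append(ip)
    return sorted(result)


def hosts_deny_lines(ips):
    """hosts.deny entries in the form tcp wrappers understand for sshd."""
    return ["sshd: %s" % ip for ip in ips]


def pf_table_commands(ips, table="bruteforce"):
    """Equivalent additions to a pf table (assumed table name), for rulesets
    that block via a table rather than via hosts.deny."""
    return ["pfctl -t %s -T add %s" % (table, ip) for ip in ips]


if __name__ == "__main__":
    hits = count_failures(SAMPLE_AUTHLOG)
    bad = offenders(hits, threshold=5, allow_nets=["192.0.2.0/24"])
    print("\n".join(hosts_deny_lines(bad)))
    print("\n".join(pf_table_commands(bad)))
```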



Re: gcc 4.2

2008-01-11 Thread Olivier Mehani
On Fri, Jan 11, 2008 at 08:03:49AM -0800, Private Joker wrote:
 I am trying to compile GCC 4.2 from ports, and I keep
 getting the same error... with OpenBSD 4.2 and current
 as well.
 checking whether the C compiler
 (/usr/ports/lang/gcc/4.2/w-gcc-4.2.20070307/bin/egcc
 -O2 -g ) works... no
 configure: error: installation or configuration
 problem: C compiler cannot create executables.
 *** Error code 1

 Stop in /usr/ports/lang/gcc/4.2 (line 2057 of
 /usr/ports/infrastructure/mk/bsd.port.mk).

What's in the config.log? This usually happens when GCC is called by
the configure script with erroneous options, e.g., in CFLAGS.

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



Re: NAT IPV4 and bridge only IPV6

2008-01-09 Thread Olivier Mehani
On Wed, Jan 09, 2008 at 11:04:59AM +0100, Stéphane Chausson wrote:
 In a [1]press communiqué (in French, sorry) they say they give 2^64 IP
 addresses to every customer.

 To me, total ipv6 beginner, it seems like a lot!

It seems to be, though it is the bare minimum.

 What is bad with /64 ?

This is only _one_ prefix. The lower-order 64 bits would generally
be used for autoconfiguration (IPv6 has mechanisms allowing devices to
automatically determine a routable address from the prefix and, e.g.,
their MAC address*). This means you won't be able to do any _clean_
subnetworking.

Usually when giving out prefixes, the leaf ISPs are supposed to delegate
a /48 to their customers. This leaves enough latitude to design your
network plan without limitations due to running short of /64s.

That said, it may be true that most end-users like Free.fr's won't
need much more than one /64. But still, this can become frustrating (How
come my car cannot be a subnetwork as my home is?!)

 Are they sort of lying ? Playing with words ?

Nope. And it is still a good thing that they finally provide IPv6
connectivity, but this is the smallest move they could have made.

* this means, indeed, that the /64 range is very sparsely populated.

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1
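
As an added example (not from the original thread) of why a /64 is the floor: the autoconfiguration this reply mentions, deriving an address from the prefix and the MAC, implemented in Python per RFC 4291's modified EUI-64, together with the subnet arithmetic for a /48 versus a /64. The MACs are taken from elsewhere on this page; the 2001:db8 prefixes are documentation addresses chosen here.

```python
from ipaddress import IPv6Address, IPv6Network


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a
    48-bit MAC given as 'aa:bb:cc:dd:ee:ff'. Returns 8 bytes."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device part, then flip the
    # universal/local bit (0x02) of the first octet.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix, mac):
    """Address a host would autoconfigure on `prefix` from its MAC.

    SLAAC only works when the interface identifier is 64 bits wide, which is
    exactly why an ISP handing out a single /64 leaves no room to subnet it.
    """
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64, got /%d" % net.prefixlen)
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return IPv6Address(int(net.network_address) | iid)


def subnet_count(prefix, new_prefixlen=64):
    """How many /new_prefixlen networks fit in `prefix` (0 if none)."""
    net = IPv6Network(prefix)
    if new_prefixlen < net.prefixlen:
        return 0
    return 2 ** (new_prefixlen - net.prefixlen)


def is_eui64_derived(address):
    """True when the interface id carries the ff:fe marker, i.e. it was
    derived from a MAC address that can be read back out of the address."""
    iid = int(IPv6Address(address)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    # Link-local address of the ath0 interface shown later on this page.
    print(slaac_address("fe80::/64", "00:02:6f:21:ea:79"))
    print(subnet_count("2001:db8::/48"), "/64 subnets in a /48")
    print(subnet_count("2001:db8::/64"), "/64 subnet in a /64")
```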



Re: Instant Messenger (CLI-based multi-protocol)

2007-09-23 Thread Olivier Mehani
On Sat, Sep 22, 2007 at 08:05:57PM -0500, Sean Darby wrote:
 I have been wanting to switch from a GUI meta-type chat (uses Yahoo, AIM, 
 etc.) to terminal/CLI-based. I came across centericq (apparently it works 
 with multiple protocols) though when trying to install it I get...
 [...]
 Is there a better program out there somewhere that is CLI-based for using 
 chat with Yahoo, AIM, MSN, ICQ, IRC, and Jabber?

Better I don't know, but Bitlbee [0] is an IRC gateway to said IM
networks. You connect to it using your favorite IRC client, many of which
are console apps, like irssi [1], and it will in turn connect to all
the IM accounts you've set up and show your contacts as if they were in
an IRC chatroom, from which you can query them (or even talk to them
directly by prefixing the message with their nick and a colon).

[0] http://www.bitlbee.org/
[1] http://www.irssi.org/

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



Re: nat ipv6 - ipv4 using pf

2007-08-27 Thread Olivier Mehani
Hello,

On Sun, Aug 26, 2007 at 12:48:06PM +0200, alwin wrote:
 i have a webserver and i'm using ipv6 and ipv4 addresses. the apache
 server in openbsd does not support ipv6 so i thought i will use pf to nat
 the ipv6 address to the ipv4 address for port 80. but pf for some reason
 does not support this.
 i added the following rule to /etc/pf.conf:
 nat pass on vr0 from any to 2000:888:10:bbb::2 port http -
 213.84.168.252 port http
 and got the following error message :
 /etc/pf.conf:40: no translation address with matching address family
 found.

As you have noticed and as has been explained, this is not possible.

Maybe you will find it interesting to have a look at faithd(8) which,
however, relies on an optional feature which is not compiled* into GENERIC
kernels (pseudo-device faith 1 in sys/config/GENERIC).

* I would be interested in some explanations and/or pointers about why
this feature is not enabled by default (security or kernel size reasons?).

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: ICQ client for X?

2007-07-19 Thread Olivier Mehani
On Thu, Jul 19, 2007 at 12:27:08PM +0300, Gregory Edigarov wrote:
 Tried licq, have been using it happily with FreeBSD,  but failed to
 compile it on OpenBSD.  Can someone recommend me a graphical ICQ
 client for use with OpenBSD?

Use Jabber with a tentative ICQ transport as long as not all your contacts
have migrated yet (: Gajim is a cool X Jabber client.

And if you want to stick to direct connections to ICQ, well, Pidgin is a
good choice.

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: Rename multiple files at once

2007-06-27 Thread Olivier Mehani
On Wed, Jun 27, 2007 at 02:37:07PM +0200, Pieter Verberne wrote:
 How do I rename multiple files at once? I want to rename a list of
 files like:
 file.jpg
 file1.jpg
 file_2.jpg
 to:
 file_thumb.jpg
 file1_thumb.jpg
 file_2_thumb.jpg

Using bash, you can do something like this:

for file in file.jpg file1.jpg file_2.jpg; do
  mv $file ${file/.jpg/_thumb.jpg}
done

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: dhclient on a Sokeris

2007-03-14 Thread Olivier Mehani
On Wed, Mar 14, 2007 at 07:35:07AM -0600, Chris Cameron wrote:
 My one snag is grabbing a DHCP address from a server that may not always
 be there. For instance if they plug the device in, but then don't
 plug in the network cable until several minutes later. The dhclient
 process just goes away without the link.

 The only solution I see right now is making a script that watches for
 a dhclient process, and then manually starts it whenever it goes away.
 This doesn't seem that elegant in my mind.

Did you have a look at ifstated(8) ?

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: Make pf reload ruleset whenever a new file appears/changes

2006-07-18 Thread Olivier Mehani
On Tue, Jul 18, 2006 at 01:37:52PM +0200, Mackan wrote:
  4) same php script generates a new ruleset for pf
  5) pf detect changes and reload new ruleset
  Step 1 - 4 is already done.  I need help with step 5.
  You know pfctl(8)?
 Yes. But how do I make apache/php execute the pfctl program
 or signal to pfctl to reload?
 Apache is chrooted and run by www, and pfctl lives outside the
 chroot and must be run as root.

Maybe you can code a little daemon which, running outside of the chroot,
would wait on a Unix(4) socket(2) to know when the rules have to be
reloaded. The socket entry in the filesystem would lie in the chrooted
tree so that a script run by the webserver would be able to write to
it.

-- 
Olivier Mehani [EMAIL PROTECTED]
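
One way to build the small daemon this reply sketches, written here as an added Python example (not from the thread, and not an existing OpenBSD tool): the listener binds a Unix socket whose filesystem entry sits inside the chroot, accepts exactly one fixed request word, and runs pfctl itself, so nothing the web server sends ever reaches a command line. The socket path, the group permissions and the run_demo() self-check are assumptions.

```python
import os
import socket
import subprocess
import tempfile
import threading

PF_CONF = "/etc/pf.conf"
RELOAD_CMD = ["pfctl", "-f", PF_CONF]  # fixed argv: client data never gets here


def reload_pf():
    """Reload the ruleset as root; returns True on success."""
    return subprocess.run(RELOAD_CMD, check=False).returncode == 0


def handle_request(data, reload=reload_pf):
    """Only the exact request word triggers a reload; everything else is
    ignored, so a compromised web script cannot make the daemon do more."""
    if data.strip() != b"reload":
        return b"ignored\n"
    return b"ok\n" if reload() else b"failed\n"


def serve(sock_path, reload=reload_pf, max_requests=None, ready=None):
    """Listen on sock_path (assumed to be inside the chroot, e.g.
    /var/www/run/pfreload.sock) and answer requests until max_requests
    have been served (None = forever). `ready` is set once listening."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(sock_path)
        # Owner plus the web server's group (chown to that group as root);
        # the daemon itself runs outside the chroot as root.
        os.chmod(sock_path, 0o660)
        srv.listen(1)
        if ready is not None:
            ready.set()
        served = 0
        while max_requests is None or served < max_requests:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(handle_request(conn.recv(64), reload))
            served += 1
    finally:
        srv.close()
        if os.path.exists(sock_path):
            os.unlink(sock_path)


def request_reload(sock_path, word=b"reload\n"):
    """Client side: what the script in the chroot does after writing the
    new ruleset. Returns the daemon's one-line answer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(word)
        return c.recv(16)


def run_demo():
    """Self-contained check with a fake reload action instead of pfctl.
    Returns (replies to a valid and an unexpected request, reload calls)."""
    calls = []

    def fake_reload():
        calls.append(1)
        return True

    sock_path = os.path.join(tempfile.mkdtemp(), "pfreload.sock")
    ready = threading.Event()
    t = threading.Thread(target=serve, args=(sock_path, fake_reload, 2, ready))
    t.start()
    ready.wait(timeout=5)
    replies = [request_reload(sock_path), request_reload(sock_path, b"flush\n")]
    t.join()
    return replies, len(calls)


if __name__ == "__main__":
    print(run_demo())
```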



Re: Group editing

2006-05-17 Thread Olivier Mehani
On Wed, May 17, 2006 at 08:28:28AM -0700, stupidmail4me wrote:
 What's the best way to give all 10 developers access
 to those files? I can create a group called
 webdevelopers and have that group own /website. I can
 also change permissions to 775 on that directory so
 that they can create files and directories. But then
 that's as much as they can do, the developers can't
 edit each others files. Is there any way to change the
 umask for a directory and subdirectories?

Have you considered giving the webdevelopers a CVS (or other versioning system)
access and having them modify their own local copy of the website, with some
mechanism to check out the latest version of the website in /website? This has
the additional advantage of giving you cheap backups in case something has gone
wrong and you want to revert to an older version of the site.

-- 
Olivier Mehani [EMAIL PROTECTED]



strange ipv6 routing issue

2006-02-18 Thread Olivier Mehani
Hello list,

I'm playing with IPv6 in 3.8 and came across this strange problem.

My IPv6 connectivity is given by a broker (xs26.net) and I have set up a gif
interface to use it (gif0):

/etc/hostname.gif0 contains:

tunnel SIS0IPv4 BROKERIPv4
inet6 IPv6PREFIX::1
!route add -inet6 default IPv6PREFIX::1

gif0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1500
groups: gif 
physical address inet SIS0IPv4 -- BROKERIPv4
inet6 fe80::202:6fff:fe21:ea79%gif0 -  prefixlen 64 scopeid 0x8
inet6 IPv6PREFIX::1 -  prefixlen 64

The funny thing is that I _can_ ping a given machine.

[EMAIL PROTECTED]:~$ ping6 DISTANTHOSTNAME
PING6(56=40+8+8 bytes) IPv6PREFIX::1 -- DISTANTHOSTIPv6
16 bytes from DISTANTHOSTIPv6, icmp_seq=0 hlim=53 time=207.974 ms
16 bytes from DISTANTHOSTIPv6, icmp_seq=1 hlim=53 time=176.176 ms
16 bytes from DISTANTHOSTIPv6, icmp_seq=2 hlim=53 time=241.964 ms
16 bytes from DISTANTHOSTIPv6, icmp_seq=3 hlim=53 time=253.56 ms
^C
--- zorglub.ssji.net ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 176.176/219.918/253.560/30.306 ms

but I get a "no route to host" error when trying to ssh to it:

[EMAIL PROTECTED]:~$ ssh -v6 DISTANTHOSTNAME
OpenSSH_4.1, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to DISTANTHOSTNAME [DISTANTHOSTIPv6] port 22.
debug1: connect to address DISTANTHOSTIPv6 port 22: No route to host
ssh: connect to host DISTANTHOSTNAME port 22: No route to host

(/etc/ssh/ssh_config reads $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $
and has not been modified)

Even weirder, the machines behind the router, which get IPv6 addresses in the
same prefix, manage to ssh to the very same host over IPv6 through the router.

Does somebody have any ideas/solutions for this problem?

Useful information (note the illegal prefix len in the output of route for
::/4, which seems to be what default resolves to when route -add'ing):

[EMAIL PROTECTED]:~$ uname -a
OpenBSD mudrublic.narf.ssji.net 3.8 GENERIC#224 i386
[EMAIL PROTECTED]:~$ route -n show -inet6
Routing tables

Internet6:
Destination                        Gateway             Flags  Refs   Use    Mtu  Interface
route: illegal prefixlen
::/4                               IPv6PREFIX::1       UGS       0  1591      -  gif0
::1                                ::1                 UH        0     0  33224  lo0
IPv6PREFIX::/64                    link#8              UC        0     0      -  gif0
IPv6PREFIX::1                      link#8              UHLc      0    12      -  lo0
IPv6PREFIX:100::/64                link#3              UC        0     0      -  sis1
IPv6PREFIX:100::1                  00:00:24:c4:22:5d   UHLc      0     0      -  lo0
IPv6PREFIX:101::/64                link#1              UC        0     0      -  ath0
IPv6PREFIX:101::1                  00:02:6f:21:ea:79   UHLc      0     0      -  lo0
IPv6PREFIX:101:211:95ff:febb:812f  00:11:95:bb:81:2f   UHLc      0  1857      -  ath0
IPv6PREFIX:101:230:65ff:fe0f:2795  00:30:65:0f:27:95   UHLc      0     2      -  ath0
fe80::%ath0/64                     link#1              UC        0     0      -  ath0
fe80::202:6fff:fe21:ea79%ath0      00:02:6f:21:ea:79   UHLc      0     0      -  lo0
fe80::211:95ff:febb:812f%ath0      00:11:95:bb:81:2f   UHLc      0   109      -  ath0
fe80::230:65ff:fe0f:2795%ath0      00:30:65:0f:27:95   UHLc      0     4      -  ath0
fe80::%sis0/64                     link#2              UC        0     0      -  sis0
fe80::%sis1/64                     link#3              UC        0     0      -  sis1
fe80::%lo0/64                      fe80::1%lo0         U         0     0      -  lo0
fe80::%gif0                        link#8              UHLc      0     0      -  gif0
fe80::%gif0/64                     link#8              UC        0     0      -  gif0
fe80::202:6fff:fe21:ea79%gif0      link#8              UHLc      0     0      -  lo0
fe80::260:8ff:fe34:275f%gif0       link#8              UHLc      0   606      -  gif0
ff01::/32                          ::1                 UC        0     0      -  lo0
ff02::%ath0/32                     link#1              UC        0     0      -  ath0
ff02::%sis0/32                     link#2              UC        0     0      -  sis0
ff02::%sis1/32                     link#3              UC        0     0      -  sis1
ff02::%lo0/32                      ::1                 UC        0     0      -  lo0
ff02::%gif0/32                     link#8              UC        0     0      -  gif0

dmesg not included as it does not seem to be relevant to this problem,
correct me if I'm wrong (;

thanks

-- 
Olivier Mehani [EMAIL
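To make the consequence of that ::/4 entry concrete, here is an added Python example (it is not part of the original post and not OpenBSD's route(8) code) that performs a longest-prefix-match lookup over a constructed IPv6 routing table in the shape of the output above. It assumes 2001:db8:1::/48 in place of the anonymised IPv6PREFIX and a host in another 2001:db8 range in place of DISTANTHOSTIPv6; both are documentation addresses, not the poster's real ones.

```python
"""Longest-prefix-match lookup over a small IPv6 routing table.

Added example, not code from the original post: it models the observation
that the "default" route ended up as ::/4 instead of ::/0.  A ::/4 entry only
covers addresses whose first nibble is 0, so a global unicast destination
such as 2001:db8:ffff::22 (a constructed documentation address) matches no
route at all.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

# A route is (destination prefix, gateway or link, interface).
Route = Tuple[IPv6Network, str, str]


def parse_routes(lines: List[str]) -> List[Route]:
    """Parse 'destination gateway interface' lines into Route tuples.

    Link-local and multicast entries carry a %scope suffix in route(8)
    output; it is stripped so ipaddress accepts the prefix.  Lines that are
    not three fields or not a valid prefix (such as the 'route: illegal
    prefixlen' diagnostic) are skipped.
    """
    routes: List[Route] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        dest, gateway, ifname = parts
        addr, _, plen = dest.partition("/")
        addr = addr.split("%")[0]
        try:
            net = IPv6Network(f"{addr}/{plen or 128}", strict=False)
        except ValueError:
            continue
        routes.append((net, gateway, ifname))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst, or None if there is none."""
    target = IPv6Address(dst.split("%")[0])
    best: Optional[Route] = None
    for route in routes:
        net = route[0]
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


# Constructed table in the shape of the post's `route -n show -inet6` output,
# with 2001:db8:1::/48 standing in for the anonymised IPv6PREFIX.
MISPARSED_DEFAULT = """\
::/4                   2001:db8:1::1        gif0
::1                    ::1                  lo0
2001:db8:1::/64        link#8               gif0
2001:db8:1:100::/64    link#3               sis1
fe80::%gif0/64         link#8               gif0
ff02::%gif0/32         link#8               gif0
"""

# The same table with the default route as ::/0, which is what
# `route add -inet6 default` is expected to install.
CORRECT_DEFAULT = MISPARSED_DEFAULT.replace("::/4 ", "::/0 ", 1)

REMOTE = "2001:db8:ffff::22"  # constructed stand-in for DISTANTHOSTIPv6


def describe(table: str, dst: str = REMOTE) -> str:
    """Human-readable result of looking dst up in the given table text."""
    hit = lookup(parse_routes(table.splitlines()), dst)
    if hit is None:
        return f"{dst}: no route to host"
    return f"{dst}: via {hit[1]} on {hit[2]} ({hit[0]})"


if __name__ == "__main__":
    print("default as ::/4 ->", describe(MISPARSED_DEFAULT))
    print("default as ::/0 ->", describe(CORRECT_DEFAULT))
```

A ::/4 destination only matches addresses whose first hex digit is 0, so a default route that ends up as ::/4 covers none of the 2000::/3 global unicast space, while the same lookup against ::/0 succeeds. The post does not show why ping6 still got through, so the example makes no claim about that.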

Re: OpenBSD, Samba and active directory

2006-01-30 Thread Olivier Mehani
On Mon, Jan 30, 2006 at 09:22:29PM +0100, Thomas Bvrnert wrote:
 I'm trying to compile Samba 3.0.21a on OpenBSD 3.8 with active 
  directory enabled and when I run the configure script it fails to find 
  libkrb5. Has anyone recently tried to compile Samba with Active 
  Directory support enabled?
 not on openbsd, but i think you need heimdal and not the krb5

I confirm. From my experience, Heimdal Kerberos works better with Samba,
particularly if you want Windows clients to authenticate and connect to your
server.

-- 
Olivier Mehani [EMAIL PROTECTED]



Re: console font size

2006-01-26 Thread Olivier Mehani
On Wed, Jan 25, 2006 at 06:56:53PM -0500, Mike Hernandez wrote:
  How does one control appearance of console/fonts on the screen?
  On one laptop,  letters are quite large and console fills entire screen,
on
  another,  letters are tiny and the console fills a fraction
  of the screen.
 Check out the man pages for:
 wsconscfg, wsconsctl, wsfontload

Maybe you should also check your laptop's manual: some of them do not
extend the image to the whole screen, but usually you have a key combination
like Fn+F# to switch to extended mode.

Hope this helps.

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1




Re: Suggestions about a replacement for FTP over SSL [long]

2006-01-23 Thread Olivier Mehani
On Mon, Jan 23, 2006 at 12:57:34AM +0100, Joachim Schipper wrote:
 [1] Though if I can get everyone to use public key authentication, I
 could use the command= syntax in ~/.ssh/authorized_keys (where is this
 documented, anyway?). 

It is, in sshd(8), under AUTHORIZED_KEYS FILE FORMAT.

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1
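As an added illustration of what the command= option buys you (example code, not from the thread and not part of OpenSSH): a small Python audit that parses an authorized_keys file and reports keys that are not pinned to a forced command, or that have one but lack the restriction options sshd(8) documents alongside it. The file content is constructed and its key material is a placeholder.

```python
"""Audit an authorized_keys file for forced commands and restrictions.

Added example, not code from the thread or from OpenSSH.  The option names
(command=, restrict, no-pty, no-port-forwarding, no-X11-forwarding,
no-agent-forwarding) are the ones sshd(8) documents under AUTHORIZED_KEYS
FILE FORMAT; the sample file content at the bottom is constructed and its
key material is a placeholder.
"""
from typing import Dict, List, NamedTuple, Optional

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)

# The per-key restrictions that, together with command=, pin a key to one job.
LOCKDOWN_OPTIONS = ("no-port-forwarding", "no-x11-forwarding",
                    "no-agent-forwarding", "no-pty")


class KeyEntry(NamedTuple):
    options: Dict[str, str]   # option name (lower-cased) -> value ("" for flags)
    key_type: str
    comment: str


def split_options(opt_text: str) -> Dict[str, str]:
    """Split 'a,b="x, y",c' into {'a': '', 'b': 'x, y', 'c': ''}.

    Values may be double-quoted and then contain commas and spaces; a
    backslash escapes the next character inside the quotes.
    """
    opts: Dict[str, str] = {}
    i, n = 0, len(opt_text)
    while i < n:
        j = i
        while j < n and opt_text[j] not in ",=":
            j += 1
        name = opt_text[i:j].strip().lower()
        value = ""
        if j < n and opt_text[j] == "=":
            j += 1
            if j < n and opt_text[j] == '"':
                j += 1
                buf = []
                while j < n and opt_text[j] != '"':
                    if opt_text[j] == "\\" and j + 1 < n:
                        j += 1
                    buf.append(opt_text[j])
                    j += 1
                value = "".join(buf)
                j += 1  # skip the closing quote
            else:
                k = j
                while k < n and opt_text[k] != ",":
                    k += 1
                value, j = opt_text[j:k], k
        if name:
            opts[name] = value
        i = j + 1  # skip the comma
    return opts


def parse_line(line: str) -> Optional[KeyEntry]:
    """Parse one authorized_keys line; None for blanks, comments and junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opt_text = ""
    if not line.startswith(KEY_TYPES):
        # Options precede the key type and end at the first unquoted space.
        in_quote = False
        for idx, ch in enumerate(line):
            if ch == '"' and (idx == 0 or line[idx - 1] != "\\"):
                in_quote = not in_quote
            elif ch == " " and not in_quote:
                opt_text, line = line[:idx], line[idx + 1:].lstrip()
                break
        else:
            return None  # options with nothing after them
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    comment = fields[2] if len(fields) == 3 else ""
    return KeyEntry(split_options(opt_text), fields[0], comment)


def audit(text: str) -> List[str]:
    """One finding per key that is not pinned to a forced command."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        who = f"line {lineno} ({entry.key_type} {entry.comment or 'no comment'})"
        if "command" not in entry.options:
            findings.append(f"{who}: no command=, key grants an unrestricted login")
        elif "restrict" not in entry.options:
            missing = [o for o in LOCKDOWN_OPTIONS if o not in entry.options]
            if missing:
                findings.append(f"{who}: command= set but missing {', '.join(missing)}")
    return findings


# Constructed sample; the base64 blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# alice has a plain key: full login, nothing forced
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@laptop
command="/usr/libexec/sftp-server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER bob@sftp-only
command="/usr/libexec/sftp-server" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER carol@half-done
restrict,command="/usr/local/bin/upload-only, verbose" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER dave@restrict
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```

The parser matters more than it looks: option values are quoted strings that may themselves contain commas and spaces, so a naive split on "," or " " mis-reads exactly the command= entries an audit is looking for.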



Re: pf not logging to /var/log/pflog...

2006-01-09 Thread Olivier Mehani
On Mon, Jan 09, 2006 at 08:37:04PM +0100, Otto Moerbeek wrote:
  adsl:
 ! sh -c /sbin/ifconfig pflog0 up

As far as I remember, it's not necessary to ifconfig pflog0 up to use it.

 Why enable pf only when the link is up? It's non-standard and
 potentially dangerous. You're better off using the standard way of
 enabling pf.

Non-standard as it may be, I don't clearly see the potential danger in this. Can you
elaborate?

-- 
Olivier Mehani [EMAIL PROTECTED]



Re: Apache Log Rotation - FAQ 10.16

2005-12-09 Thread Olivier Mehani
On Fri, 09 Dec 2005 11:11:23 +0100
Hans van Leeuwen [EMAIL PROTECTED] wrote:
 Could you please share your preferred methods to rotate the
 /var/www/logs/, ?
 I had the same problem, and solved it by using cronolog.

  From my httpd.conf:

 CustomLog "|/usr/local/sbin/cronolog -l /var/www/logs/access-hanz.nl /var/www/logs/old/access-hanz.nl.%Y%m%d" combined

But you are not using the default chrooted apache, are you?

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: Apache Log Rotation - FAQ 10.16

2005-12-09 Thread Olivier Mehani
On Fri, 09 Dec 2005 13:12:14 +0100
Hans van Leeuwen [EMAIL PROTECTED] wrote:
 CustomLog "|/usr/local/sbin/cronolog -l /var/www/logs/access-hanz.nl /var/www/logs/old/access-hanz.nl.%Y%m%d" combined
 But you are not using the default chrooted apache, are you?
 Yes, I am.
 [EMAIL PROTECTED]:~] grep httpd /etc/rc.conf.local
 httpd_flags="-DSSL"

Hmm. I'm puzzled. Did you move some files and change permissions in the
chroot, then?

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: Apache Log Rotation - FAQ 10.16

2005-12-09 Thread Olivier Mehani
On Fri, 09 Dec 2005 13:33:30 +0100
Hans van Leeuwen [EMAIL PROTECTED] wrote:
 CustomLog "|/usr/local/sbin/cronolog -l /var/www/logs/access-hanz.nl /var/www/logs/old/access-hanz.nl.%Y%m%d" combined
 But you are not using the default chrooted apache, are you?
 Yes, I am.
 [EMAIL PROTECTED]:~] grep httpd /etc/rc.conf.local
 httpd_flags="-DSSL"
 Hmm. I'm puzzled. Did you move some files and change permissions in
 the chroot, then?
 No.
 Please tell me what puzzles you...

Well,

As far as I understand, when chrooted, apache...
1. starts as root
2. opens the log files (in this case the pipe)
3. chroots
4. drops privileges to user www

Hmm... Now that I've written this down, I see no reason why it shouldn't
work. This scheme will obviously not survive an apachectl restart,
because apache is chrooted by then and has no access
to /usr/local/sbin/cronolog to reopen the pipe, but this is not a big
problem.

The problem is that I remember having dug into this a little, and
all the solutions using cronolog were said to have problems when
booting. I think I will actually give this solution a real try right now
(;.

(Hans: sorry for the unfinished mail I just sent you)

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: TERM=wsvt25 with wscons?

2005-10-24 Thread Olivier Mehani
On Tue, 25 Oct 2005 05:10:13 +1000
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 What I'd like to do is have my TERM environment variable set to wsvt25
 for all users forever,

See ttys(5), which describes the format of the /etc/ttys file:
 The third field is the type of terminal usually connected to that
TTY line, normally the one found in the termcap(5) database file.  The
environment variable TERM is initialized with the value by either
getty(8) or login(1).

 and XTERM set to xterm-xfree86 for all users
 forever.

From xterm(1):
   termName (class TermName)
   Specifies the terminal type name to be set in the TERM
environment variable.

Set this resource to whatever you would like in the general Xresources
file.

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: TERM=wsvt25 with wscons?

2005-10-24 Thread Olivier Mehani
On Tue, 25 Oct 2005 07:19:30 +1000
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 I should get a book on bash and read up on all this.

What about man bash? ;)

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Olivier Mehani
On Fri, 7 Oct 2005 14:29:08 +0200
Johan M:son Lindman [EMAIL PROTECTED] wrote:


  One of my clients has got an Internet connection with a no much
  affidable provider. He reports continual disconnection and so on. I
  would like to do a second connection with another provider to
  obtain a sort of redundancy, a fault tollerance. What I have to do
  to obtain the automatic connection with both of the providers and
  to shift to the one that is connected when the other is in trouble?
  (  without problems for the client).
 Border Gateway Protocol.

Doesn't it imply that said client has its own IP address range and is
not NATing behind one single ISP-provided address?

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



BGP (was Re: Two Isp Fault Tollerance Help)

2005-10-07 Thread Olivier Mehani
On Fri, 7 Oct 2005 16:09:28 +0200
Lio Goehrs [EMAIL PROTECTED] wrote:

 The address space can be given by one of the provider.

But then, I understand that the route to these addresses will go
through the address-providing ISP. Correct?

Or is the very role of bgpd to tell the _other_ provider that the
addresses are also reachable through its routers, which will then
propagate the information to the whole internet?

(I absolutely don't know about BGP, thought it was time I started
getting information ;))

Moreover, I guess not every provider accepts BGP information from its
clients. And what prevents me from sending crafted BGP packets saying
that I can route to a specific address space I actually don't own?

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1
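An added Python example, not from the thread and not OpenBGPD code, of the inbound prefix filter a provider can apply to a customer session, which is the usual answer to the concern raised at the end of the message above: the provider only installs prefixes the customer is authorised to originate, and rejects more-specific announcements beyond an agreed length. The customer name and the prefixes are constructed documentation values.

```python
"""Inbound prefix filter for a customer BGP session.

Added example, not code from the thread or from OpenBGPD.  It shows the
check a provider applies before accepting an announcement from a customer:
the announced prefix must fall inside a prefix the customer is authorised
to originate, and must not be more specific than the agreed maximum length.
Customer name and prefixes are constructed documentation values.
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Per-customer allow-list: (authorised prefix, longest prefix length the
# customer may announce inside it).  Constructed policy, not a real one.
CUSTOMER_POLICY: Dict[str, List[Tuple[str, int]]] = {
    "customer-a": [("203.0.113.0/24", 24), ("2001:db8:a::/48", 56)],
}


def accept_announcement(customer: str, prefix: str) -> Tuple[bool, str]:
    """Decide whether to accept one announced prefix from customer.

    Returns (accepted, reason).  Anything not explicitly allowed is
    rejected, so an unknown customer, or a prefix the customer does not
    own, is dropped at the session instead of being propagated.
    """
    try:
        announced = ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"reject {prefix}: malformed prefix ({exc})"
    for allowed_text, max_len in CUSTOMER_POLICY.get(customer, []):
        allowed = ip_network(allowed_text)
        # Compare only within one address family; subnet_of() needs that.
        if announced.version != allowed.version or not announced.subnet_of(allowed):
            continue
        if announced.prefixlen > max_len:
            return False, f"reject {prefix}: more specific than /{max_len} inside {allowed}"
        return True, f"accept {prefix}: within {allowed}"
    return False, f"reject {prefix}: {customer} is not authorised to originate it"


def filter_update(customer: str, prefixes: List[str]) -> List[str]:
    """Return the prefixes from one UPDATE that pass the filter."""
    return [p for p in prefixes if accept_announcement(customer, p)[0]]


if __name__ == "__main__":
    announced = ["203.0.113.0/24", "203.0.113.0/25", "198.51.100.0/24",
                 "2001:db8:a::/52", "2001:db8:a:1::/64", "203.0.113.1/24"]
    for p in announced:
        print(accept_announcement("customer-a", p)[1])
    print("installed:", filter_update("customer-a", announced))
```

The policy is deny-by-default on purpose: a customer session should never be able to inject a prefix the provider has not registered for it, and the maximum length keeps a customer from splitting its own block into more-specifics that would win over the provider's aggregate.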



Re: ath hostap and carp ?

2005-09-29 Thread Olivier Mehani
On Thu, 29 Sep 2005 21:35:36 +1000
Brian McKerr [EMAIL PROTECTED] wrote:

 can anyone tell me if running 'ath' based cards in hostap mode is 
 reliable and stable ? I'm deciding whether to get a linksys wrt54g or
 to throw an ath based card in my firewall and run it as the AP.

[EMAIL PROTECTED]:~$ /sbin/ifconfig ath0
ath0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:6f:21:ea:79
        media: IEEE802.11 autoselect mode 11b hostap
        status: active
        ieee80211: nwid narf chan 3 bssid 00:02:6f:21:ea:79
[snip]
[EMAIL PROTECTED]:~$ uptime
 9:23PM  up 29 days,  4:38, 1 user, load averages: 0.94, 0.76, 0.63
[EMAIL PROTECTED]:~$ uname -a
OpenBSD mudrublic.narf.ssji.net 3.8 GENERIC#119 i386

Speaks for itself ;)

Be careful: 3.7 GENERIC has a problem with these chips, freezing the
system after a certain amount of data transferred in hostap mode.

Never had a problem since upgrading to 3.8-beta.

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: OpenBSD 3.7 on Soekris rebooting at random

2005-09-03 Thread Olivier Mehani
On Wed, 31 Aug 2005 12:47:03 +0200
Olivier Mehani [EMAIL PROTECTED] wrote:

 I've just finished upgrading my router to 3.8-beta (GENERIC#119).

Ok, the machine has been running without problems or unwanted reboots
for almost three days. It had not been able to last that long before the
upgrade. I think the problem is fixed then. Ath works correctly in
hostap mode with said kernel ;).

Thank you for the advice!

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: OpenBSD 3.7 on Soekris rebooting at random

2005-08-31 Thread Olivier Mehani
On Tue, 23 Aug 2005 19:49:46 +0200
[EMAIL PROTECTED] wrote:

 I haven't time in the next 10 days to play with it, but maybe Olivier
 can give some feedback in case he tries the latest snapshot?

I've just finished upgrading my router to 3.8-beta (GENERIC#119).
I'm going to stress the machine a little now ;)

I'll keep you informed.

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



OpenBSD 3.7 on Soekris rebooting at random

2005-08-23 Thread Olivier Mehani
Hi,

I'm facing a strange problem (started a week or so ago):

My OpenBSD 3.7 box running on a Soekris net4511 reboots for no obvious
reason. I've started monitoring the memory usage, load average and pf
states, but these do not seem to be related to the problem.

I'm also using the hardware watchdog which I will disable to see if it
is involved in the problem, but everything has been working well for
more than two months with it before.

Do you have any suggestions of other things I should monitor?

Thanks

--
Olivier Mehani [EMAIL PROTECTED]




Re: OpenBSD 3.7 on Soekris rebooting at random

2005-08-23 Thread Olivier Mehani
On Tue, 23 Aug 2005 15:21:53 +0200
Dimitri Georganas [EMAIL PROTECTED] wrote:

 I'm facing a strange problem (started a week or so ago):
 a dmesg may be helpful...

Yes, I realised I forgot to include it just after posting, sorry...

Anyway, it confirms that it is the watchdog which triggered the
reset, but I still don't know why...

Full dmesg follows:

OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 (AuthenticAMD 486-class)
cpu0: FPU
real mem  = 66691072 (65128K)
avail mem = 53448704 (52196K)
using 839 buffers containing 3436544 bytes (3356K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 20/41/22, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
elansc0 at pci0 dev 0 function 0 AMD ElanSC520 PCI rev 0x00: product 0 stepping 1.1, CPU clock 100MHz, reset 8WDT
elansc0: WARNING: LAST RESET DUE TO WATCHDOG EXPIRATION!
gpio0 at elansc0: 32 pins
cbb0 at pci0 dev 9 function 0 Texas Instruments PCI1410 CardBus rev
0x02: irq 10
ath0 at pci0 dev 16 function 0 Atheros AR5212 rev 0x01: irq 11
ath0: mac 80.9 phy 4.3 radio 3.6, 802.11a/b/g, FCC1A, address 00:02:6f:21:ea:79
gpio at ath0 not configured
sis0 at pci0 dev 18 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 5, address 00:00:24:c4:22:5c
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 19 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 9, address 00:00:24:c4:22:5d
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x10, lattimer 0x3f
pcmcia0 at cardslot0
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: Hitachi XX.V.3.4.0.0
wd0: 1-sector PIO, LBA, 488MB, 1000944 sectors
wd0(wdc0:0:0): using BIOS timings
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask f5c5 netmask ffe5 ttymask ffe7
pctr: no performance counters in CPU
rtw0 at cardbus0 dev 0 function 0 irq 10
rtw0: ver F, radio SA2400A, amp SA2411, address 00:0f:3d:cf:cb:e8
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted

And, as it may help too, my watchdog script:

#!/bin/sh
echo starting watchdog...

# take the watchdog out of automatic mode: from now on it must be
# re-armed by this loop, or the board resets
sysctl kern.watchdog.auto=0 > /dev/null

while : ; do
	# re-arm with a 10 s period, then sleep less than that
	sysctl kern.watchdog.period=10 > /dev/null
	sleep 8
done

-- 
Olivier Mehani [EMAIL PROTECTED]



Re: OpenBSD 3.7 on Soekris rebooting at random

2005-08-23 Thread Olivier Mehani
On Tue, 23 Aug 2005 17:10:08 +0200
Dimitri Georganas [EMAIL PROTECTED] wrote:

 Did you put this atheros card in one week ago? :)

No, it's been in it for more than a month now and everything has been
working smoothly until last week.

 ath0 at pci0 dev 16 function 0 Atheros AR5212 rev 0x01: irq 11
 ath0: mac 80.9 phy 4.3 radio 3.6, 802.11a/b/g, FCC1A, address

 3.7 would crash on ath0 with AR5212 in hostap mode every six hours or
 so. Your watchdog does an excellent job, otherwise your board would
 just freeze.

This is why it gets paid ;)

The reboot is not that periodic (6 hours as you say): the interval can be as
short as 2 hours or as long as 2 days with, once again, no obvious reason.

 Your best chance is to check out the latest snapshots to see if the
 problem is fixed. I reported it a while ago, but didn't check back. I
 just replaced the atheros card by an old prism card and that one
 works 24/7.

Thanks for your advice, I'll check that.

-- 
Olivier Mehani [EMAIL PROTECTED]



Re: OpenBSD 3.7 on Soekris rebooting at random

2005-08-23 Thread Olivier Mehani
On Tue, 23 Aug 2005 19:13:40 +0200
Reyk Floeter [EMAIL PROTECTED] wrote:

  ath0 at pci0 dev 16 function 0 Atheros AR5212 rev 0x01: irq 11
  ath0: mac 80.9 phy 4.3 radio 3.6, 802.11a/b/g, FCC1A, address
 btw.: could you also give us the exact product name (on the minipci
 card)?

It is an Atheros 5354MP ARIES 200mW Mini PCI card.

On the card is written NL-5354MP+ARIES2, and on the chipset is
AR5213A-00 A19911C 1804

 there were two fixes for hostap mode and it works for me without
 problems in the driver.

I'll upgrade my system and see if it's better.

 also have a look at mbalmer@'s watchdogd(8) which had been imported
 some weeks ago. this has some timing advantages over traditional
 watchdog scripts.

Thanks for the advice, I'll look at it.

-- 
Olivier Mehani [EMAIL PROTECTED]



serial console weirdness after kernel recompile

2005-06-07 Thread Olivier Mehani
Hi,

I've just compiled a specific kernel for my soekris net4511 and have a
serial terminal issue.

With the GENERIC 3.7 kernel, everything went smoothly:
* bootloader
* kernel
* init
Every step could be read on the serial console.

Now that I'm booting my new kernel, I can see the bootloader output
correctly (stty com0 19200 AND set tty com0 in boot.conf) but then I
only get garbage (as if the terminal speed wasn't correct) while the
kernel boots. I get back to readable messages when init takes control.

I get something like this :

...ó.0..f.à...Ø..f.f.à.`æ.f..`.`.Øfxx.`.x...x.x.~.`.Ø.Øæ.`.fæà.~à..Ø.~f
..Øfæ..~. /dev/rwd0a: file system is clean; not checking
/dev/rwd0e: file system is clean; not checking
/dev/rwd0d: file system is clean; not checking
setting tty flags

Did I miss a specific way to tell the kernel at compile time which serial
terminal parameters to use?

Attached to this mail should be the /sys/conf/mudrublic (mudrublic.conf)
and /sys/arch/i386/conf/mudrublic (mudrublic.arch.conf) files I used to
compile my kernel, in case it may help.

-- 
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1




Re: serial console weirdness after kernel recompile

2005-06-07 Thread Olivier Mehani
On Wed, 8 Jun 2005 00:21:31 +0200
Henning Brauer [EMAIL PROTECTED] wrote:

  Now that I'm booting my new kernel, I can see the bootloader output
  correctly (stty com0 19200 AND set tty com0 in boot.conf) but then
  I only get garbage (as if the terminal speed wasn't correct) while
  the kernel boots. I get back to readable messages when init takes
  control.
 
  option PCCOMCONSOLE
  option CONSPEED=19200

 no, this is wrong.
 there are no options needed.

I'm trying this anyway, it doesn't cost much. Now that I think about
it, I had exactly the same problem with a hand-made OpenBSD 3.4 kernel
too.

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1




Re: serial console weirdness after kernel recompile

2005-06-07 Thread Olivier Mehani
On Tue, 07 Jun 2005 23:02:32 +0100
Stuart Henderson [EMAIL PROTECTED] wrote:

  Now that I'm booting my new kernel, I can see the bootloader output
  correctly (stty com0 19200 AND set tty com0 in boot.conf) but then I
  only get garbage (as if the terminal speed wasn't correct) while the
  kernel boots. I get back to readable messages when init takes
  control.

 option PCCOMCONSOLE
 option CONSPEED=19200

This doesn't change anything... :-/

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1




Re: rtw transmit timeout and too many rx segments

2005-05-31 Thread Olivier Mehani
On Tue, 31 May 2005 02:43:23 +0200
Olivier Mehani [EMAIL PROTECTED] wrote:

 * Relevant parts of the dmesg say:
   rtw0 at cardbus0 dev 0 function 0 irq 10
   rtw0: ver F, radio SA2400A, amp SA2411, address 00:0f:3d:cf:cb:e8

I forgot to mention this is a GENERIC 3.7 kernel:

OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1




rtw transmit timeout and too many rx segments

2005-05-30 Thread Olivier Mehani
Hi !

(I'm new to the list, please tell me if this is not the correct place to
ask this question. It seemed to be, anyway.)

I'm trying to build a NAT/Wireless router using a Soekris NET4511, a 512
Mb flash and a Cardbus DLINK DWL-610 (rtw driver). I use OpenBSD 3.7 to
do this.

Unfortunately, when trying to associate another machine to this access
point, I get the following errors on the console:
rtw0: transmit timeout, priority 1 (very often)
rtw0: too many rx segments (less often)
rtw0: DMA error/FIFO overflow 0400, rx descriptor 4 (once)

* Relevant parts of the dmesg say:
  rtw0 at cardbus0 dev 0 function 0 irq 10
  rtw0: ver F, radio SA2400A, amp SA2411, address 00:0f:3d:cf:cb:e8

* My hostname.rtw0 contains:
  inet 10.0.1.1 255.255.255.0 NONE media autoselect mediaopt hostap nwid narf chan 11

* And ifconfig shows:
  rtw0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          address: 00:0f:3d:cf:cb:e8
          ieee80211: nwid narf chan 11 bssid 00:0f:3d:cf:cb:e8
          media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
          status: active
          inet6 fe80::20f:3dff:fecf:cbe8%rtw0 prefixlen 64 scopeid 0x7
          inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255

I also tried with a Netgear MA512 (rtw too) and got the same problem.

When trying to get an IP via DHCP from another machine, I often get the
above messages, and no IP. Sometimes, I can associate with the AP, and
see in the logs that dhcpd got a request:

May 31 02:30:16 mudrublic dhcpd: DHCPDISCOVER from 00:09:5b:8b:23:4a via
rtw0
May 31 02:30:17 mudrublic dhcpd: DHCPOFFER on 10.0.1.10 to
00:09:5b:8b:23:4a via rtw0

But the client machine never gets the answer back. Moreover, for each
DHCPOFFER, a transmit timeout seems to occur.

Can anybody help?

Thanks.

PS: I also sometimes get the message
Data modified on freelist: word 4 of object 0xd094b300 size 0x100
previous type devbuf (0xdeadbeed != 0xdeadbeef)
I'm not sure whether this is linked to the problem or not...

--
Olivier Mehani [EMAIL PROTECTED]
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1
