Re: Trouble with lpr and Brother wireless printer

2022-08-05 Thread Ryan Freeman
On Thu, Aug 04, 2022 at 09:27:09PM -0700, Ben Hancock wrote:
> Boy, I went down the rabbit hole on this one. I'll spare the list
> all the gory details, but for the sake of posterity I figured I'll
> try to close the loop on this thread.
> 
> To make a long story short: After failing to get the printer working
> with just regular lpr, I tried CUPS to no avail. Along the way,

Did you happen to try CUPS with the brlaser package installed?
I have a Brother HL-L2390DW, and once I found brlaser it just worked.

-Ryan

> however, I discovered a Perl script in a Linux package available
> on Brother's website that ostensibly could have served as an input
> filter for lpr (called, somewhat obviously, `lpdfilter`). After a
> bit of searching, I found a related thread [1] on a FreeBSD list
> and made some edits to this script, hoping that it would be the trick.
> 
> Where I hit a wall was with a binary (also included in the package)
> called `rawtobr3`, that the Perl script expected. It appears to be
> proprietary Brother stuff and kept throwing an error, probably
> because it was built for Linux and not BSD. I did find a GitHub
> repo via a FreeBSD forum thread [2] that seemed to include _some_
> version of this program, but it threw another error and the filter
> did not work.
> 
> So, to wrap up: I do not recommend the Brother HLL2350DW for your
> OpenBSD printing needs. I may end up heeding the suggestions to
> simply buy a printer that speaks PostScript. Recommendations welcome.
> 
> - Ben
> 
> [1] 
> https://lists.freebsd.org/pipermail/freebsd-questions/2017-July/277994.html
> 
> [2] https://forums.freebsd.org/threads/port-for-brother-printer-drivers.78393/
> 



Re: npppd(8) and PROXY_AUTHEN_CHALLENGE bad length with Juniper

2021-03-09 Thread Ryan Freeman
Hello,

On Tue, Mar 09, 2021 at 02:41:43PM +0900, YASUOKA Masahiko wrote:
> Hi,
> 
> I looked into the ICCN packets you sent me separately.  Its "Proxy Authen
> Challenge" length is 31 and "Proxy Authen Type" is PPP CHAP.  The
> message seems to comply with RFC 2661.
> 
> Also what I said
> >> It's for CHAP or MSCHAPv1.  If MD5 is selected for PPP CHAP, the
> >> challenge length for CHAP is 16 octet.  The challenge for MSCHAPv1 is
> >> also 8 octet, but npppd doesn't support MSCHAPv1 anyway.  So 24 must be
> >> enough for RFC 2661.
> 
> is false.  Length of challenge is "independent of the hash algorithm".
> 
> In RFC 1994 (PPP CHAP):
> |  The Challenge Value is a variable stream of octets.  The
> |  importance of the uniqueness of the Challenge Value and its
> |  relationship to the secret is described above.  The Challenge
> |  Value MUST be changed each time a Challenge is sent.  The length
> |  of the Challenge Value depends upon the method used to generate
> |  the octets, and is independent of the hash algorithm used.
> 
> it doesn't state the limit clearly.
> 
> I suppose 24 had been long enough for many implementations, but
> actually new Juniper is using 31-63
> 
> >> > Feb  8 11:42:53 edge9 npppd[86416]: l2tpd ctrl=5477 call=32713 Received 
> >> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 40 > 24
> >> > Feb  8 11:42:53 edge9 npppd[86416]: l2tpd ctrl=5477 call=32713 SendCDN 
> >> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> >> > Feb  8 11:42:54 edge9 npppd[86416]: l2tpd ctrl=5477 call=29504 Received 
> >> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 62 > 24
> >> > Feb  8 11:42:54 edge9 npppd[86416]: l2tpd ctrl=5477 call=29504 SendCDN 
> >> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> >> > Feb  8 11:43:01 edge9 npppd[86416]: l2tpd ctrl=5477 call=31527 Received 
> >> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 46 > 24
> >> > Feb  8 11:43:01 edge9 npppd[86416]: l2tpd ctrl=5477 call=31527 SendCDN 
> >> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> >> > Feb  8 11:43:06 edge9 npppd[86416]: l2tpd ctrl=5477 call=1626 Received 
> >> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 63 > 24
> >> > Feb  8 11:43:06 edge9 npppd[86416]: l2tpd ctrl=5477 call=1626 SendCDN 
> >> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> 
> So I suppose changing the following limit will solve the problem.
> 
>   #define MAX_CHALLENGE_LENGTH 24
> 
> Also I found a Juniper's document,
> 
>   
> https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/challenge-length-edit-dynamic-profiles-chap.html
> 
> the max challenge length can be configured 63 at the maximum.
> 
> I'm thinking of changing the limit in npppd to 96.

I've completed testing a build of npppd with MAX_CHALLENGE_LENGTH set to 96:

Index: npppd/ppp.h
===
RCS file: /cvs/src/usr.sbin/npppd/npppd/ppp.h,v
retrieving revision 1.21
diff -u -p -r1.21 ppp.h
--- npppd/ppp.h 12 Aug 2017 11:20:34 -  1.21
+++ npppd/ppp.h 9 Mar 2021 19:17:33 -
@@ -82,7 +82,7 @@
 
 #defineMAX_USERNAME_LENGTH 256
 #defineMAX_PASSWORD_LENGTH 256
-#define MAX_CHALLENGE_LENGTH24
+#define MAX_CHALLENGE_LENGTH96
 
 #define INADDR_IPCP_OBEY_REMOTE_REQ0xL
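
Review bot: The new value on the `+#define MAX_CHALLENGE_LENGTH` line is a bare 96 with nothing recording where it comes from. The thread gives the reasoning (RFC 1994 states no limit, and the Juniper documentation allows a configured challenge of up to 63 octets), so a one-line comment above the define saying so would keep the next reader from asking the same question that was asked about 24. It is also worth confirming that every buffer sized from this constant, including the `auth_chall` field that the ICCN handler bounds with `sizeof(dpi->auth_chall)`, and any consumer of the stored challenge, copes with 96 octets.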


With this in place, things are still working with our upstream's new
equipment!  This has also cleared up the "Proxy Authen Challenge is too
long" errors from layer=chap, and our sessions consistently establish
cleanly:

Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=lcp dialin-proxy 
user=...@pppoe.example.com auth-type=MD5-CHAP renegotiate=no
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=base logtype=Started 
tunnel=L2TP(1.2.3.4:1701)
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=lcp logtype=Opened 
mru=1460/1460 auth=MD5-CHAP magic=xx55f2ac/xx65f7d0
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=chap proto=chap 
logtype=Success username="...@pppoe.example.com" realm=PGS-DYNAMIC
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=ipcp IP Address peer=0.0.0.0 
our=5.6.7.8.
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=ipcp logtype=Opened 
ip=5.6.7.8 assignType=dynamic
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=base logtype=TUNNELSTART 
user="...@pppoe.example.com" duration=0sec layer2=L2TP 
layer2from=1.2.3.4:1701 auth=MD5-CHAP  ip=5.6.7.8 iface=pppac1 dialin_proxy=yes
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=base Using pipex=yes


Thank you again for your help and taking the time to look over the packet
captures.

-Ryan

Ryan Freeman
Senior Systems Administrator
Uniserve Communications
Suite 330 - 333 Terminal Avenue, Vancouver, BC V6A 4C1
Phone: 604.395.3905
Email:  ryan.free...@uniserveteam.com
www.uniserve.com
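
The bound the thread settles on, as an added example that is not npppd's code and not part of the original messages: a length-checked copy of a Proxy Authen Challenge AVP into a fixed 96-octet buffer. The AVP header layout and attribute type 31 are taken from RFC 2661; `struct proxy_auth`, `parse_proxy_authen_challenge()` and `try_avp()` are hypothetical names, and the packets are constructed in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVP_HDR_LEN 6                  /* flags+length (2), vendor ID (2), attribute type (2) */
#define AVP_LEN_MASK 0x03ff            /* low 10 bits of the first word: total AVP length */
#define AVP_PROXY_AUTHEN_CHALLENGE 31  /* attribute type from RFC 2661 */
#define MAX_CHALLENGE_LENGTH 96        /* the limit tested in the thread */

/* Hypothetical stand-in for the per-call proxy-auth state (not npppd's struct). */
struct proxy_auth {
	uint8_t auth_chall[MAX_CHALLENGE_LENGTH];
	size_t  lauth_chall;
};

enum avp_result { AVP_OK, AVP_TRUNCATED, AVP_BAD_LENGTH, AVP_TOO_LONG, AVP_WRONG_TYPE };

/*
 * Validate one AVP and copy its value. Three independent checks:
 * the header fits in the packet, the declared length fits in the
 * packet, and the value fits in the destination buffer.
 */
enum avp_result
parse_proxy_authen_challenge(const uint8_t *pkt, size_t pktlen, struct proxy_auth *out)
{
	uint16_t word0, vendor, type;
	size_t avplen, vallen;

	if (pktlen < AVP_HDR_LEN)
		return AVP_TRUNCATED;
	word0  = (uint16_t)((pkt[0] << 8) | pkt[1]);
	vendor = (uint16_t)((pkt[2] << 8) | pkt[3]);
	type   = (uint16_t)((pkt[4] << 8) | pkt[5]);

	avplen = word0 & AVP_LEN_MASK;
	if (avplen < AVP_HDR_LEN)
		return AVP_BAD_LENGTH;        /* length field smaller than the header */
	if (avplen > pktlen)
		return AVP_TRUNCATED;         /* peer claims more bytes than arrived */
	if (vendor != 0 || type != AVP_PROXY_AUTHEN_CHALLENGE)
		return AVP_WRONG_TYPE;

	vallen = avplen - AVP_HDR_LEN;
	if (vallen > sizeof(out->auth_chall))
		return AVP_TOO_LONG;          /* the bound the workaround removed */

	memcpy(out->auth_chall, pkt + AVP_HDR_LEN, vallen);
	out->lauth_chall = vallen;
	return AVP_OK;
}

/*
 * Build a constructed AVP whose length field claims `claimed` value octets
 * while only `present` octets are actually in the buffer, then parse it.
 */
enum avp_result
try_avp(size_t claimed, size_t present)
{
	uint8_t pkt[AVP_HDR_LEN + 128];
	struct proxy_auth pa;
	size_t total = AVP_HDR_LEN + claimed;
	enum avp_result r;

	if (claimed > 128 || present > claimed)
		return AVP_BAD_LENGTH;
	pkt[0] = (uint8_t)((total >> 8) & 0x03);   /* M and H bits clear */
	pkt[1] = (uint8_t)(total & 0xff);
	pkt[2] = pkt[3] = 0;                       /* IETF vendor ID */
	pkt[4] = 0;
	pkt[5] = AVP_PROXY_AUTHEN_CHALLENGE;
	memset(pkt + AVP_HDR_LEN, 0xA5, present);  /* constructed challenge bytes */

	memset(&pa, 0, sizeof(pa));
	r = parse_proxy_authen_challenge(pkt, AVP_HDR_LEN + present, &pa);
	if (r == AVP_OK && pa.lauth_chall != claimed)
		return AVP_BAD_LENGTH;
	return r;
}

int
main(void)
{
	static const char *names[] = { "ok", "truncated", "bad length", "too long", "wrong type" };
	/* 16: MD5-sized challenge; 33 and 63: lengths seen in the thread's logs */
	size_t cases[][2] = { {16, 16}, {33, 33}, {63, 63}, {96, 96}, {97, 97}, {40, 10} };
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("claimed=%zu present=%zu -> %s\n", cases[i][0], cases[i][1],
		    names[try_avp(cases[i][0], cases[i][1])]);
	return 0;
}
```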



Re: npppd(8) and PROXY_AUTHEN_CHALLENGE bad length with Juniper

2021-03-08 Thread Ryan Freeman
Thank you for the reply!  I have been given permission to show a bit
more about our setup.  I snipped out some of the original message, and
I'll post the additions at the bottom.

On Sat, Mar 06, 2021 at 07:45:03PM +0900, YASUOKA Masahiko wrote:
> Hi,
> 
> On Fri, 5 Mar 2021 19:07:45 +
> Ryan Freeman  wrote:
> > Full disclosure: this took place over the course of about a month, and
> > I've done my best to include the relevant info..
> > 
> > Unsure if this is really a bug, and I don't have a real diff for a fix, 
> > just a
> > work-around, so misc it is.
> > 
> > This is done with OpenBSD 6.8-stable, syspatch 001 through 012 installed.
> > We considered trying -current, but noticed no activity in the npppd tree
> > that might make a difference.
> > 
> > 'old' and 'new' equipment types from upstream are both Juniper, though
> > unsure of exact models.  Old  should be Juniper ERX of some type, new
> > I only know this from packet capture: Juniper Networks/Unisphere(4874).
> > 
> > I work for a small ISP and we are exploring the use of npppd(8) for
> > termination of L2TP with incumbent for xDSL connections. 
> > 
> > Working with the provider, their 'old' equipment works fine[1], however,
> > the 'new' network would always cause these errors upon receipt of Proxy AVP:
> > 
> > Feb  5 14:13:13 edge9 npppd[86416]: l2tpd ctrl=2359 call=2685 Received bad 
> > ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 33 > 24
> > Feb  5 14:13:13 edge9 npppd[86416]: l2tpd ctrl=2359 call=2685 SendCDN 
> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> > 
> > Looking at RFC 2661, I can't actually figure where a limit of 24 is imposed,
> >
...snip...
> 
> Yes.  The limit comes from MAX_CHALLENGE_LENGTH in ppp.h.
> 
>  85 #define MAX_CHALLENGE_LENGTH 24

Thank you!

> 
> In RFC 2661,
> 
>   This AVP MUST be present for Proxy Authen Types 2 and 5. The
>   Challenge field contains the CHAP challenge presented to the
>   client by the LAC.
> 
> Proxy Authen Challenge AVP is for "Proxy Authen Types 2 and 5".
> 
>Proxy Authen Type (ICCN)
>(snip)
>   Defined Authen Type values are:
>  0 - Reserved
>  1 - Textual username/password exchange
>  2 - PPP CHAP
>  3 - PPP PAP
>  4 - No Authentication
>  5 - Microsoft CHAP Version 1 (MSCHAPv1)
> 
> It's for CHAP or MSCHAPv1.  If MD5 is selected for PPP CHAP, the
> challenge length for CHAP is 16 octet.  The challenge for MSCHAPv1 is
> also 8 octet, but npppd doesn't support MSCHAPv1 anyway.  So 24 must be
> enough for RFC 2661.
> 
> I'd like to see the packet capture of ICCN from Juniper to see what is
> happening.  (what authen type is used.)

I will contact you off-list about packet captures.

> >
...snip...
> > Ultimately we managed to get this working by simply omitting the size check
> > as such:
> > 
> > Index: l2tp/l2tp_call.c
> > ===
> > RCS file: /cvs/src/usr.sbin/npppd/l2tp/l2tp_call.c,v
> > retrieving revision 1.19
> > diff -u -p -r1.19 l2tp_call.c
> > --- l2tp/l2tp_call.c5 Dec 2015 16:10:31 -   1.19
> > +++ l2tp/l2tp_call.c5 Mar 2021 17:46:12 -
> > @@ -546,7 +546,8 @@ l2tp_call_recv_ICCN(l2tp_call *_this, u_
> > dpi->last_recv_lcp.ldata = avp_attr_length(avp);
> > break;
> > case L2TP_AVP_TYPE_PROXY_AUTHEN_CHALLENGE:
> > -   AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_chall));
> > +   /* XXX: disable to try and skirt 'too long' errors */
> > +   /* AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_chall)); */
> > memcpy(dpi->auth_chall, avp->attr_value,
> > avp_attr_length(avp));
> > dpi->lauth_chall = avp_attr_length(avp);
> > 
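
Review bot: Commenting out `AVP_MAXLEN_CHECK` leaves the `memcpy` into `dpi->auth_chall` bounded only by `avp_attr_length(avp)`, a length taken from the received ICCN, so a challenge larger than the buffer is written past its end. Keep the check and make the buffer large enough for the lengths the new equipment sends, rather than removing the bound.
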
> > We've been running this modified npppd for a week now, our upstream is happy
> > that they can continue phasing out their 'old' gear, and our endusers are
> 
> Do you mean that the endusers can connect with the above diff?

Absolutely.  Prior to disabling that particular size check, endusers do not
get past the RecvICCN stage due to "PROXY_AUTHEN_CHALLENGE too long" error.

> diff --git a/usr.sbin/npppd/npppd/ppp.h b/usr.sbin/npppd/npppd/ppp.h
> index 1bb8bfc6cf3..219b47c6172 100644
> --- a/usr.sbin/npppd/npppd/ppp.h
> +++ b/usr.sbin/npppd/npppd/ppp.h
>

npppd(8) and PROXY_AUTHEN_CHALLENGE bad length with Juniper

2021-03-05 Thread Ryan Freeman
Hello!

Full disclosure: this took place over the course of about a month, and
I've done my best to include the relevant info..

Unsure if this is really a bug, and I don't have a real diff for a fix, just a
work-around, so misc it is.

This is done with OpenBSD 6.8-stable, syspatch 001 through 012 installed.
We considered trying -current, but noticed no activity in the npppd tree
that might make a difference.

'old' and 'new' equipment types from upstream are both Juniper, though
unsure of exact models.  Old  should be Juniper ERX of some type, new
I only know this from packet capture: Juniper Networks/Unisphere(4874).

I work for a small ISP and we are exploring the use of npppd(8) for
termination of L2TP with incumbent for xDSL connections. 

Working with the provider, their 'old' equipment works fine[1], however,
the 'new' network would always cause these errors upon receipt of Proxy AVP:

Feb  5 14:13:13 edge9 npppd[86416]: l2tpd ctrl=2359 call=2685 Received bad 
ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 33 > 24
Feb  5 14:13:13 edge9 npppd[86416]: l2tpd ctrl=2359 call=2685 SendCDN 
result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none

Looking at RFC 2661, I can't actually figure where a limit of 24 is imposed,
though I was tricked as I counted the bits on top of their chart which does
hit 32, nothing in the surrounding text actually dictates this size limit:

From RFC 2661, "Proxy Authen Challenge (ICCN)" near page 37:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Challenge... (arbitrary number of octets)                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Looking at npppd's l2tp_subr.h where the error above comes from:

#define AVP_MAXLEN_CHECK(_avp, _maxlen)                                 \
        do {                                                            \
                if ((_avp)->length > (_maxlen) + 6) {                   \
                        snprintf(emes, sizeof(emes),                    \
                            "Attribute value is too long %s %d > %d",   \
                            avp_attr_type_string((_avp)->attr_type),    \
                            (_avp)->length - 6, (int)(_maxlen));        \
                        goto size_check_failed;                         \
                }                                                       \
        } while (/* CONSTCOND */0)

I drew wild conclusions that perhaps 24 + 6, which lines up with counting
the bits on the RFC chart above, is how the limit was chosen.

After many more days of packet captures and head scratching, I specifically
saw that in the RADIUS packet, within the Attribute Value Pairs, it was
CHAP-Challenge, type 60, that was overflowing this size check.

On to RFC 2865, page 59: https://tools.ietf.org/html/rfc2865#page-59

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |    String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Aha, this chart actually hits exactly 24.  Still no mention of a hard
size limit, the only thing it dictates is:

   Length
  >= 7

Ultimately we managed to get this working by simply omitting the size check
as such:

Index: l2tp/l2tp_call.c
===
RCS file: /cvs/src/usr.sbin/npppd/l2tp/l2tp_call.c,v
retrieving revision 1.19
diff -u -p -r1.19 l2tp_call.c
--- l2tp/l2tp_call.c5 Dec 2015 16:10:31 -   1.19
+++ l2tp/l2tp_call.c5 Mar 2021 17:46:12 -
@@ -546,7 +546,8 @@ l2tp_call_recv_ICCN(l2tp_call *_this, u_
dpi->last_recv_lcp.ldata = avp_attr_length(avp);
break;
case L2TP_AVP_TYPE_PROXY_AUTHEN_CHALLENGE:
-   AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_chall));
+   /* XXX: disable to try and skirt 'too long' errors */
+   /* AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_chall)); */
memcpy(dpi->auth_chall, avp->attr_value,
avp_attr_length(avp));
dpi->lauth_chall = avp_attr_length(avp);
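
Review bot: The two added comment lines take away the only rejection path for an oversized Proxy Authen Challenge. Per the `AVP_MAXLEN_CHECK` macro quoted earlier in this message, that path logs "Attribute value is too long" and jumps to `size_check_failed`; without it, the `memcpy` and the `dpi->lauth_chall` assignment that follow accept whatever length the peer sends, however large `dpi->auth_chall` actually is. Suggest keeping the check in place and raising the size of `auth_chall` instead, so the lengths seen in the logs pass and anything beyond the buffer is still refused and logged.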

We've been running this modified npppd for a week now, our upstream is happy
that they can continue phasing out their 'old' gear, and our endusers are
able to get online.

Neither myself nor my colleague can figure out how '24' is chosen for _maxlen,
but as this finally got us moving forward, wanted to share what we had and see
if we are on the right track.

I am thinking that we would want a maximum length set there still, but perhaps
it can be pushed up?  I've seen many of those error types, all seem to stay
below 100:

Feb  8 11:42:53 edge9 npppd[86416]: l2tp

Re: FAQ: dmesg archive

2018-06-26 Thread Ryan Freeman
On Tue, Jun 26, 2018 at 09:38:37AM -0400, Rupert Gallagher wrote:
> Ok new question.
> 
> I am about to purchase SYS-E300-9A-8CN8, because I cannot wait any longer.
> 
> Does it work with OpenBSD? Let's see... nope! The dmesg database shows little 
> love for SuperMicro in general, and a single hit for a C3000 cpu in 
> particular, with plenty of unrecognised devices:
> 
> http://dmesgd.nycbug.org/index.cgi?do=view&id=3445

That is only a RAMDISK kernel.  It does not have all devices enabled that
the normal full kernel does.

> 
> The problem I see with the current database is the absence of collaboration. 
> The owner of that server may have additional information to fill in the obsd 
> gaps, such as a dmesg from freebsd and another one from linux, and another 
> may have links to their open-source drivers, and a third one may actually 
> work at SuperMicro and be willing to help from the inside, but such 
> information is neither available nor asked for... :-(
> 
> On Tue, Jun 26, 2018 at 15:04, Rupert Gallagher  wrote:
> 
> > Answering to myself...
> > http://dmesgd.nycbug.org/index.cgi?NAV=dmesgd;SQLIMIT=20
> >
> > Sent from ProtonMail Mobile
> >
> > On Tue, Jun 26, 2018 at 14:59, Rupert Gallagher wrote:
> > > There seems to be a dm...@openbsd.org address where to post such stuff, but
> > > I could not find its archive, nor I could find a searchable database. Do I
> > > have to search harder?



Re: NFS server down, again, and again, and again...

2018-04-18 Thread Ryan Freeman
On Wed, Apr 18, 2018 at 01:08:01PM -0400, Rupert Gallagher wrote:
> This is all I managed to retrieve from the logs (/var/log/daemons, 
> /var/log/messages):
> 
> Mar 12 09:27:20 server mountd[50607]: Socket disconnected
> Mar 29 18:05:30 server mountd[52162]: Socket disconnected
> Apr 16 12:04:07 server mountd[66430]: Socket disconnected
> Apr 17 17:55:26 server mountd[14081]: Socket disconnected
> 
> No messages from nfsd and portmap.
> 
> If the logs are true, then mountd is the daemon that is causing problems.
> 
> The manual says
> 
> > -d  Enable debugging mode.  mountd will not detach from the
> >controlling terminal and will print debugging messages to stderr.
> 
> The above option does not work, because it detaches from the terminal:
> 
> > > doas /sbin/mountd -d
> > Here we go.
>

This is how it works when your system is normal:
$ doas touch /etc/exports
$ doas mountd -d
Here we go.
Getting export list.
unexporting / /
unexporting /home /home
unexporting /tmp /tmp
unexporting /usr /usr
unexporting /usr/X11R6 /usr/X11R6
unexporting /usr/local /usr/local
unexporting /usr/obj /usr/obj
unexporting /usr/ports /usr/ports
unexporting /usr/src /usr/src
unexporting /var /var
unexporting /tmpfs /tmpfs
Getting mount list.
* waiting here in foreground *
 
> I tried "mountd_flags=-d" in rc.conf.local, and rebooted the whole OS, 
> because mountd refuses soft restart. As a result, the OS refuses to boot. 
> System crashed.

On this point, ``rcctl restart mountd'' works fine.  Restarting mountd
will not harm things already mounted, they will already be handled by one
of the running nfsd processes.

Also, ``pkill -1 mountd'' tends to work fine as well.  You can verify this
when you adjust /etc/exports by using ``showmount -e'', making a new or
removing an exports entry, SIGHUP the mountd process, and check showmount
again.

I have never needed to reboot just to reload/restart mountd.

You may want to revisit how you set these machines up, as it is likely
that cognitive bias from your 30+ years of experience is making you miss
something simple.

> 
> On 18 April 2018 2:47 AM, IL Ka  wrote:
> 
> > You could use ktrace(1) to trace all calls and then use kdump(1) to read 
> > them, and may help you to find what cause it to die, but it may be tricky 
> > for anyone except nfsd developer..
> > You can also try to find person who supports it by looking at last commits 
> > to:
> > https://github.com/openbsd/src/blame/master/sbin/nfsd/nfsd.c
> > and email this person, but I do not know if it will help, or talk to people 
> > on bugs@ list.
> >
> > Or you can move to samba/smbd: SMB must have good support in Windows.
> >
> > On Wed, Apr 18, 2018 at 2:53 AM, Rupert Gallagher  
> > wrote:
> >
> >>> Do you mean nfsd server dies?
> >>
> >> I mean the NFS service as delivered by nfsd, portmap and mountd.
> >>
> >>> Does it provide core dump?
> >>
> >> No!
> >>
> >>> You do not need to restart it
> >> manually: just create script that checks for server existence (like 
> >> ``/etc/rc.d/nfsd check``) and run it if it is dead.
> >> I usually prepare my servers from source with custom patches and settings. 
> >> When a server dies on me, it makes a lot of noise in the logs, and it 
> >> happens rarely. In 30+ years of activity, I have never restarted a 
> >> production server because of clients using it!
> >>
> >> NFS is an exception. I am using the obsd default, and it dies on me under 
> >> load and without logs. It is unreliable.



Re: Image viewer alternative to eog

2017-11-28 Thread Ryan Freeman
On Sat, Nov 25, 2017 at 05:51:26PM -0200, x9p wrote:
> Hi,
> 
> Is there a good/safe and light image viewer? Was used to eog, but it has
> too many "vfprintf %s NULL" in messages. gimp is too big and good for play
> with images, In need of smth fast.
> 
> cheers.
> 
> x9p

graphics/viewnior is very fast and lightweight, still gtk-based



Re: Is there an option switch to lower minimum DH strength in SSH client?

2017-11-03 Thread Ryan Freeman
On Fri, Nov 03, 2017 at 12:06:22AM -0400, Jacob Leifman wrote:
> I was finally able to bring our OpenBSD based Network Management System up
> to the current OS release (it was a couple of years out of date) but this
> process broke access to a large number of older HP switches on our network.
> Thorough analysis of the problem and study of the source code led me to
> believe that the culprit is commit to usr.bin/ssh/dh.h rev 1.14:
> 
> increase the minimum modulus that we will send or accept in
> diffie-hellman-group-exchange to 2048 bits;
> 
> Within the file it further explains that this is mitigation for DH
> precomputation attacks. I understand and appreciate strengthening server
> code. But this breaks the use of SSH client leaving little recourse other
> than perhaps telnet with NO encryption instead of somewhat weak encryption,
> as the "server" is outside of our control. (I already checked that we have
> the latest firmware, less than one year old.)
> 
> Curiously, diffie-hellman-group1-sha1, which is the only one supported by
> the switches, is an accepted KexAlgorithm value in OpenSSH 7.6 (OBSD 6.2);
> I was hoping that I could use it to explicitly request smaller DH but
> ultimately it still dies with "Invalid key length" error.
> 
> Is this an oversight or is there a particular logic to intentionally
> breaking compatibility with a not-insignificant base of installed equipment?

While I agree with all the other posters that ideally all equipment
should be kept up-to-date rather than leaning on aging security
technology, I do realize that in some areas you simply have to get things
done and move on.

As such, I recommend this quick fix:

# pkg_add putty

This will give you the 'plink' command which is a cli putty ssh, and
it allows this stuff by default without making you add host entries
to ~/.ssh/config.  I have noticed it still does warn you when the end
point is using older ciphers but at least doesn't bomb out.

I started using this for older Cisco gear at $WORKPLACE as I grew tired
of editing the ssh config for the OpenSSH version :-)

Hope this helps,

Cheers!
-ryan

> 
> Thank you,
> 
> Jacob Leifman
> Educational Technology
> 
> Weymouth Public Schools
> 



Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox

2017-11-02 Thread Ryan Freeman
On Thu, Nov 02, 2017 at 12:45:54PM -0400, tec...@protonmail.com wrote:
> Thanks for sharing a much better fix for this issue.
> 
> I wonder what consequences this option change will have on future web 
> services that make use of asm.js

Embedded in-browser cryptocurrency mining won't work ;)

> 
>  Original Message 
> On Nov 2, 2017, 4:32 PM, Andy Lowton wrote:
> 
> >> From: r...@protonmail.com
> >>
> >> Try this...
> >>
> >> javascript.options.asmjs: true
> >>
> >> Sent from ProtonMail Mobile
> >
> > Changing the value from true to false resolved the issue for me.
> >
> > Thank you for that.



Re: font face in fvwm vs cwm

2017-05-30 Thread Ryan Freeman
On Tue, May 30, 2017 at 06:22:27PM +0300, Mihai Popescu wrote:
> Hello,
> 
> I installed a snapshot of amd64 recently and I was using fvwm from
> Openbsd base to install some packages. I even started Firefox to look
> for some documentation.
> 
> Later, I was going back to cwm since I use it daily. I have a feeling
> that Firefox pages fonts in fvwm were more appealing that what I see
> now in cwm. Is it just my imagination?
> 
> Let's say i will go back to fvwm, but I see there is one fvwm in base,
> shipped by default, but there is also a package called fvwm2. Could
> you give me some recommendation for one of the other, please?
> 
> Thanks.
> 

I can't say that I've ever really noticed the fonts looking /nicer/
in fvwm vs any other of the traditional window managers.

I did notice that using lavish desktop environments such as gnome
or xfce usually resulted in a pleasant font experience.

Check out the xsettingsd package, I have been using it with
WindowMaker and now at least gtk apps look very nice outside a
large environment.

-ryan



Re: Is there something to replace zaurus?

2017-03-29 Thread Ryan Freeman
On Wed, Mar 29, 2017 at 05:00:44PM -0500, Jordon wrote:
> > On Mar 29, 2017, at 4:51 AM, Luke Small  wrote:
> >
> > I thought I read that there is an arm7 based mobile device, but I can't
> > find anything about it.
> >
> 
> I'm really hoping the Dragonbox Pyra could become a mobile OpenBSD device
> like the zaurus was.  It is almost ready for manufacturing.
> 
> Jordon
>

Wow that is a really neat looking little unit, thanks for mentioning
this!

I only did a quick search, but it seems at least the cpuid for the
Cortex A15 cpu at least exists in cvs:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/arm/arm/cpu.c?rev=1.36&content-type=text/x-cvsweb-markup

I only hope the rest of the hardware in that little box is friendly :-)

-ryan



Re: OpenBSD to Dell Latitude E6510

2017-03-28 Thread Ryan Freeman
On Tue, Mar 28, 2017 at 01:14:59PM +, Majerní?ek ?tefan wrote:
> Hi All.
> I have question.
> 
> Is it possible install openbsd to notebook dell latitude E6510?
> 

I have one of these, OpenBSD worked with pretty much every device in
the unit.  Wifi cards can be different, but the intel hd graphics,
ethernet, audio, wifi, all work good!

No dmesg to share as the laptop is asleep at home :-)

Hibernate and sleep works well on the laptop too, as I have let it
sleep for so long the uptime almost elapsed 365 days, and everything
still works when it comes back awake.

Great job and kudos to the OpenBSD crew for such a solid laptop OS ;-)

> Thank you a lot.
> 
> Stevo



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Ryan Freeman
On Thu, Dec 15, 2016 at 11:30:31AM +, Stuart Henderson wrote:
> On 2016-12-15, Aaron Mason  wrote:
> > All
> >
> > I'm looking for a 1U appliance that I can re-purpose into a firewall
> > using OpenBSD.  I've tried the near-free method by using an old Lacie
> > Ethernet Disk appliance I had lying around, but it turns out the
> > onboard SATA chipset is toast on this particular unit (it freezes at
> > CDBOOT when it detects hard drives and the BIOS freezes when I set it
> > to IDE mode with drives attached, plus it only has one onboard NIC and
> > one PCI slot, so I can't install another SATA card without removing
> > the other NIC I installed), so I'm looking for other options that fit
> > a limited budget.
> > 
> > The most important criteria are that it must be 1U and it must fit
> > within a 420mm (~16.5") space (for reasons I will explain below).  I
> > have a couple of Sun Netra X1s that meet the need, but I can't push
> > more than ~60mbps over the onboard FE ports and they run quite hot to
> > the point of causing kernel panics.
> >
> > For a bit of context - I manage network and systems for a group that
> > run regular LAN parties at a local university, and our network
> > infrastructure lives in a 4RU flight case (with 420mm between the
> > front and rear vertical rails) currently occupied by three HP
> > switches.  We're currently using a Sun V20Z (admittedly running
> > pfSense, a decision made before I took over) but it's rather
> > cumbersome to carry along with three Dell 1950s (two VM hosts and a
> > Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts).  We
> > don't usually get more than 35 players and we don't do any complex
> > filtering on the firewall.
> >
> > I've been considering looking at old firewall appliances like Nokias,
> > Sonicwalls, Watchguards or Barracudas - has anyone had any luck with
> > getting OpenBSD on any of those or other such appliances?
> > 
> > Gigabit ports would be nice (the university finally bought gigabit PoE
> > switches) but will accept Fast Ethernet if my budget says no.
> 
> IMHO, you can get a fairly useful decent second-hand machine for a low
> enough price that it's not worth the hassle repurposing or using something
> from before GE was common, they're going to be more hassle to get working,
> and old enough that you may well run into things failing through age.
> 
> How about a Dell R210 or an R210 II off ebay? 400mm deep, 2 nics onboard,
> if you need more ports then dual-port PCIe nics are pretty cheap.
> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.

I can second that :-).  I have a Sunfire v120 w/dual 100mbit nics, but
had to stop using it as large amounts of throughput was causing panics
I couldn't figure out + keep housemates happy.

I ended up with a Dell R210 and couldn't be happier.  It has been 100%
stable since installation almost exactly a year ago now.

FWIW -- noise was almost unbearable with the sunfire v120, but the r210
is actually nicely quiet.  The fans spin down and I rarely hear it, it
blends in with the 24 port gigabit poe switch I have.

Cheers,
-ryan



Re: OpenBSD 6.0 panic

2016-09-02 Thread Ryan Freeman
On Fri, Sep 02, 2016 at 06:25:15PM +0200, Bastien Durel wrote:
> Hello.
> 
> I upgraded my router to 6.0 yesterday, and now I got a panic each time
> I reboot it.

Hi,

Did you happen to forget to do your pkg_add -u to upgrade packages?  I
suspect it might be openvpn not updated yet throwing the error?

Cheers!
-ryan

> 
> Here is a console log :
> 
> # reboot
> stopping package daemons: munin_node svscanpanic: kernel diagnostic assertion 
> "ifp != NULL" failed: file "../../../../net/route.c", line 902
> Starting stack trace...
> panic() at panic+0x10b
> __assert() at __assert+0x25
> rtrequest_delete() at rtrequest_delete+0x206
> rtrequest() at rtrequest+0x247
> route_output() at route_output+0x4e8
> raw_usrreq() at raw_usrreq+0x217
> route_usrreq() at route_usrreq+0x6e
> sosend() at sosend+0x3c8
> dofilewritev() at dofilewritev+0x205
> sys_writev() at sys_writev+0x6d
> syscall() at syscall+0x27b
> --- syscall (number 121) ---
> end of kernel
> end trace frame: 0x4, count: 246
> 0xa46bf29a62a:
> End of stack trace.
> syncing disks... 14 12 12 12 12 12 12 12 12 12 12 12 8 8 8 8 8 8 8 8 giving up
> 
> dumping to dev 4,1 offset 492607
> dump 511 510 509 508 507 506 505 504 503 502 501 500 499 498 497 496 495 494 
> 493 492 491 490 489 488 487 486 485 484 483 482 481 480 479 47d
> 
> 
> rebooting...
> 
> The svscan daemon which is to be shut down when the panic occurs
> monitors a few(4) openvpn tunnels, in TAP mode, over which ospfd+ospf6d
> runs. When it's stopped, the tun* interfaces is removed, I guess it's
> related ?
> 
> I've attached a boot log (with dmesg).
> 
> There's a "Bad system call" in the networking start too, but I think
> it's not related (and I don't know what interface produces this
> message)
> 
> Thanks,
> 
> -- 
> Bastien
> 
> [demime 1.01d removed an attachment of type text/x-log which had a name of 
> fremen.log"; charset="UTF-8]



Re: getmail and gmail

2016-08-12 Thread Ryan Freeman
On Fri, Aug 12, 2016 at 12:24:59PM -0500, jsg wrote:
>Running openbsd ver 5.9
>Using getmail and mutt
> 
>decided to add my google account to the getmailrc file
> 
>i.e.
>getmail -nv --rcfile blablabla --rcfile blablabla1
> 
>In getmail I tried simple pop3SSL and simple IMAPSSL
>both attempts resulted in google errors
> 
>After reading Google's docs .. I toggled my GMAIL server
>account settings to allow pop downloads with 
> "A reduced security setting" 
> 
>following this all mail downloaded from GMAIL to getmail
>to the appropriate mail directories.
> 
>
>Taken into account GMAIL's reputation can anyone
>shed light on Why this happens with getmail and GMAIL.
> 

I think this is really nothing to do with your openbsd and/or getmail
settings, but rather google letting you know that you are opening extra
conduits to your gmail account by activating POP/IMAP access methods.

Once you do, you can then connect to your gmail with just username/password
whereas with POP/IMAP access disabled, you may have extra authentication
protection (2-factor, whatever else google offers these days).

Hope this makes sense,

Cheers!
-ryan

> 
>Thanks in Advance 
> 
>L)



Re: image view and manipulation

2016-07-04 Thread Ryan Freeman
On Sun, Jul 03, 2016 at 07:34:41PM -0500, jsg wrote:
>Hi folks
> Can some of you recommend what packages or package
>you use to manipulate, view, resize .png or .img (other) images
>for website content.
> 
> 
>thanks in advance
> 

You might be interested in the ImageMagick (or GraphicsMagick) packages.
The latter is a fork of the former, but they both supply the same
commands.  display, convert, mogrify are some of the commands available,
and can be useful to do things on the fly in a scripted fashion if you'd
like.

Cheers!
-ryan



Re: watchdog issues ?

2016-05-09 Thread Ryan Freeman
On Sun, May 08, 2016 at 11:46:11AM +0200, Sjöholm Per-Olov wrote:
> > On 08 May 2016, at 00:39, Sjöholm Per-Olov  wrote:
> >
> > Hi
> >
> > I have skipped all major releases of OpenBSD after 5.4 for one firewall due to
> > watchdog timeout resets on the em driver. Earlier today I fired up a 5.9
> > release and patched it up to 5.9 stable and let it take over from the old one.
> > It seems to go very well. But I do have one question.
> >
> >
> > The system seems to work as it should.
> >
> > But what does this mean?
> > Is it bad?
> >
> >
> > root@xanadu:~#grep -i watchdog /var/log/messages
> > May  8 00:12:15 xanadu /bsd: em1: watchdog: head 118 tail 182 TDH 118 TDT 118
> > May  8 00:25:33 xanadu /bsd: em1: watchdog: head 181 tail 246 TDH 181 TDT 181
> > May  8 00:26:35 xanadu /bsd: em1: watchdog: head 137 tail 202 TDH 137 TDT 137
> > root@xanadu:~#
> >

Hey,

At the very least, you'll want to fire up the 5.9 install and provide a full
dmesg output, or better yet ``sendbug -P''.

Cheers!

> >
> >
> >
> > Thanks in advance
> >
> > Regards
> > Peo
> > --
> > GPG keyID: 9429C093
> > GPG fingerprint: 5F37 4298 A07F C614 647B 458C A756 5C4E 9429 C093
> >
> 
> 
> Well??? It was not good. I once again had to go back to the old 5.4 as the
> network traffic was not stable.
> 
> 
> I have two nics (PCI pass through in KVM).
> em0 at pci0 dev 3 function 0 "Intel 82576" rev 0x01: irq 11, address 00:1b:21:cc:51:7c
> em1 at pci0 dev 4 function 0 "Intel 82576" rev 0x01: irq 10, address 00:1b:21:cc:51:7d
> 
> I use a couple of VLANs and also IPv6 on top on em0. em1 on the other hand is
> just an interface with an IP and an IP alias on it, no VLANs or so.
> 
> Any clues of how to track this down? I can fire the machine up again and do
> some tests...
> 
> Thanks
> Peo



Re: QIV is faster in Linux

2015-12-14 Thread Ryan Freeman
On Mon, Dec 14, 2015 at 02:20:48PM -0500, Alan Corey wrote:
> Stuck them on devio, simpler than that GUI crap
> 
>   http://devio.us/~ab1jx/files/slowness/
> 
> Outputs from time(1) too
> 
> time qiv dsc_2258.jpg
> 
> Copied and pasted, not redirected
> 
> Debian:
> 0.572u 0.316s 0:03.28 26.8% 0+0k 0+0io 0pf+0w
> OpenBSD:
> 1.920u 0.510s 0:05.97 40.7% 0+0k 182+19io 762pf+0w
> 

I can't speak for qiv as I don't have it installed, but feh opened that image
and scrolled around it very quickly.

11:41 ryan@bofh:~$ time feh dsc_2258.jpg  
0m00.77s real 0m00.37s user 0m00.09s system

Compare that with display(1) from the ImageMagick set that took almost 25
seconds (and caused my audio stream to block a couple times).

11:41 ryan@bofh:~$ time display dsc_2258.jpg   
0m23.23s real 0m18.63s user 0m00.61s system

Even the GIMP did very well here:

11:42 ryan@bofh:~$ time gimp dsc_2258.jpg 
While parsing XMP metadata:
Error on line 43 char 1: End of element  not expected in this 
context

Metadata parasite seems to be corrupt
0m06.90s real 0m03.57s user 0m01.03s system

Perhaps QIV is just doing something silly that OpenBSD exposes through
previously mentioned memory sanitizations.

-ryan

> 
> -- 
> Credit is the root of all evil.  - AB1JX



Re: HP LaserJet Problem

2015-12-04 Thread Ryan Freeman
On Fri, Dec 04, 2015 at 11:33:20AM -0700, bluesun08 wrote:
> hmm, the "device busy" message is gone. 
> But now there is a new message:
> 
> # ./testfile > /dev/ulpt0
> ksh: ./testfile: cannot execute - Permission denied
> 
> So what permissions fail?

unless 'testfile' is a script set to output something, that won't work.
if it's just a text file, try this:

# cat testfile > /dev/ulpt0




Paris..

2015-11-13 Thread Ryan Freeman
Completely off-topic but I am concerned for the .fr devs..

http://www.theglobeandmail.com/news/world/paris-police-report-shootout-at-restaurant-explosion-near-stadium/article27256201/

Can I get a ping to this thread from all the .fr folks?
Stay strong France...

-Ryan



Re: VGA memory size

2015-11-05 Thread Ryan Freeman
On Wed, Nov 04, 2015 at 02:18:28PM +0330, Mohammad BadieZadegan wrote:
> Hi everybody,
> I have searched more time to find a command to show the current VGA memory
> size but nothing found for OpenBSD.
> Is that a way to find it?
> Thanks.
>

I'm not sure about a base utility, but you can (sometimes?) get the vga memory
size via the glxinfo(1) command, ex:

--snip--
Extended renderer info (GLX_MESA_query_renderer):
Vendor: X.Org (0x1002)
Device: AMD RV710 (0x9540)
Version: 10.2.9
Accelerated: yes
Video memory: 512MB
Unified memory: no
Preferred profile: core (0x1)
Max core profile version: 3.3
Max compat profile version: 3.0
Max GLES1 profile version: 1.1
Max GLES[23] profile version: 3.0
--snip--

Cheers,

-Ryan 



missing mailing list message(s)?

2015-09-01 Thread Ryan Freeman
Hey,

Not sure if this is the best place to post this, but I noticed I never
received mlarkin@'s announcement to tech@ about the coming hypervisor
for amd64 (and i386?)

I did some checking to make sure my spamfilters didn't somehow eat it,
but it didn't look like it even showed up in my maillog.  I noticed
the article on undeadly, and the post at marc.info. I do have other
mail from Mike as well with no discernible reason for not receiving
that one.  Now the question of 'what if there are more' crosses my mind.

Anyone else notice this?  Might just be me... I DID receive a reply
from someone referencing that post, but that post is mysteriously
missing.

Cheers,
--ryan



Re: dhclient.conf does not appear to support resolv.conf formatting for nameservers on non-standard port

2015-07-10 Thread Ryan Freeman
On Thu, Jul 09, 2015 at 04:36:33PM -0700, Seth wrote:
> I'm trying to use the following statement in /etc/dhclient.conf
> 
> supersede domain-name-servers [127.0.0.1]:40;

don't wrap the ip address in square [] brackets.  
should clear it up

--ryan

> 
> But when the machine boots and the network starts it fails to apply
> the setting. The error message is:
> 
> /etc/dhclient.conf line 4: expecting decimal octet.
> supersede domain-name-servers [127.0.0.1]:40;
>   ^
> I've also tried quoting the value "[127.0.0.1]:40" and escaping it
> \[127.0.0.1\]:40 without success.
> 
> Using the resolv.conf.tail method is undesirable as I only want a
> single nameserver entry in /etc/resolv.conf
> 
> Any suggestions on how to resolve this?



Re: Almost offtopic question to the "Improving Browser Security" question

2015-03-03 Thread Ryan Freeman
On Tue, Mar 03, 2015 at 05:51:27PM +0100, someone wrote:
> Hello,
> 
> If I:
> 
> pkg_add firefox-esr
> 
> then I cannot see any separated user for it:
> 
> grep -i firefox /etc/passwd
> 
> When will OpenBSD have a separated user for the webbrowser by default?

I think Ted specifically stated that jailing the browser under its own
user was outside the scope of what he was intending to do..

> If someone gets in via the webbrowser... it will have the id_rsa, the
> *.kdb, etc.
> 
> If it will not be default what are the solutions for the people to
> run their webbrowser with another user?
> 
> $ su - foo
> Password:
> $ /usr/local/bin/firefox-esr
> Error: no display specified
> $ exit
> echo $DISPLAY
> :0
> $ su - foo
> Password:
> export DISPLAY=":0"
> $ /usr/local/bin/firefox-esr
> No protocol specified
> No protocol specified
> Error: cannot open display: :0
> $
> 

You'll need to copy the .Xauthority file from your main user (the one
running X) to ~foo/.Xauthority

From there, you can then run X apps as foo and they should work just
fine.

> Or is X so bad that it's not worth it? Can I run _several X servers_
> on my notebook (separated from each other)?
> 
> Ex.: CTRL+ALT+F2 would bring up the logged in user with its own X
> server, and CTRL+ALT+F3 another..
> 
> Many thanks,
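
Copying the whole file hands foo every cookie the main user holds, and any process that has a display's cookie can talk to that X server as a full client. This added example (not part of the thread) parses the .Xauthority record format and keeps only the local entry for one display; the host name, cookie bytes and target path are constructed or assumed.

```python
import os
import struct

FAMILY_LOCAL = 256               # FamilyLocal in X11/Xauth.h: a display on this host
COOKIE = b"MIT-MAGIC-COOKIE-1"
FIELD_NAMES = ("address", "display", "name", "data")


def parse_xauthority(blob):
    """Decode an .Xauthority file: a 16-bit family, then four length-prefixed fields."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        values = []
        for field in FIELD_NAMES:
            if pos + 2 > len(blob):
                raise ValueError("truncated length of " + field)
            (length,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + length > len(blob):
                raise ValueError(field + " overruns the file")
            values.append(blob[pos:pos + length])
            pos += length
        entries.append(dict(zip(FIELD_NAMES, values), family=family))
    return entries


def serialize(entries):
    """Encode entries back into the on-disk format."""
    out = b""
    for entry in entries:
        out += struct.pack(">H", entry["family"])
        for field in FIELD_NAMES:
            out += struct.pack(">H", len(entry[field])) + entry[field]
    return out


def cookie_for_display(blob, display):
    """Keep only the local MIT-MAGIC-COOKIE-1 entries for one display, e.g. ':0'."""
    number = display.rsplit(":", 1)[1].split(".")[0].encode("ascii")
    return [e for e in parse_xauthority(blob)
            if e["family"] == FAMILY_LOCAL and e["display"] == number
            and e["name"] == COOKIE]


def write_private(path, data):
    """Create the file with mode 0600 and refuse to overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)


# Constructed sample file: two local displays and one remote (family 0) entry.
SAMPLE = serialize([
    {"family": FAMILY_LOCAL, "address": b"laptop.example", "display": b"0",
     "name": COOKIE, "data": bytes(range(16))},
    {"family": FAMILY_LOCAL, "address": b"laptop.example", "display": b"1",
     "name": COOKIE, "data": bytes(range(16, 32))},
    {"family": 0, "address": bytes([192, 0, 2, 10]), "display": b"10",
     "name": COOKIE, "data": bytes(range(32, 48))},
])

if __name__ == "__main__":
    subset = serialize(cookie_for_display(SAMPLE, ":0"))
    print(len(parse_xauthority(SAMPLE)), "entries in the full file,",
          len(parse_xauthority(subset)), "entry handed to foo")
    # Assumed next step: write_private("/home/foo/.Xauthority", subset), then chown to foo.
```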



Re: leaving linux - questions about capabilities

2014-12-29 Thread Ryan Freeman
On Mon, Dec 29, 2014 at 12:45:14PM -0500, Christopher Barry wrote:
> On Mon, 29 Dec 2014 09:29:15 -0800
> Ryan Freeman  wrote:
> 
> >On Mon, Dec 29, 2014 at 11:17:55AM -0500, Christopher Barry wrote:
> >> Greetings All,
> >> 
> >> I've used OpenBSD in the past to build redundant routers and
> >> firewalls and it was fantastic, but it's been quite a few years
> >> since I've played with it. I've also never used it as my default
> >> workstation. Yet.
> >> 
> >> I've always used Debian GNU/Linux on my workstations in the past,
> >> but with jessie/sid (and practically all other linux distros) the
> >> direction the linux userspace has taken is a serious turn for the
> >> worst IMO. I am simply philosophically at odds with systemd, and I
> >> would like to stop relying on linux altogether if possible. My
> >> problem is I have specific needs, and it's not clear if I can meet
> >> them running OpenBSD. I'm hoping I can, and someone can share their
> >> experiences with making a similar setup work.
> >> 
> >> Firstly, I'm running an i7 960 with a PCI-e ATI Radeon 7850 in a
> >> three monitor configuration (2 direct DVI and 1 active HDMI-to-DVI
> >> dongle) using the OpenSource Radeon linux driver @1920x1200 on each
> >> monitor.
> >
> >Hey, not 100% the same but similar setup on a workstation at work:
> >Radeon HD4550 using radeondrm and two 1920x1080 monitors:
> >DisplayPort-0 connected 1920x1080+1920+0
> >DVI-0 connected 1920x1080+0+0
> >
> >Also have used multiple monitors on my i5-powered laptop, using its
> >integrated intelHD video.
> >
> >> I'm using enlightenment 17.6 as my window manager. I use and rely on
> >
> >I use openbox myself but enlightenment 0.17.5 is an available package.
> >
> >> blender <http://www.blender.org> a /lot/ with hardware accelerated
> >> OpenGL, and having three monitors is important for my graphics work.
> >
> >blender is available in packages as well, though I have never used it.
> >
> >> Is anyone running OpenBSD with three monitors? With blender, hw-accel
> >> OpenGL, and/or E1{7,8,9}?
> >
> >I'm sure three monitors would work just as well as two :)  E17 does
> >work, I have used it in the past.  I play with OpenGL stuff quite
> >regularly and it is my opinion that the recent drivers for intel and
> >radeon video devices respectively perform roughly the same here as
> >they do on freebsd or linux.  No formal tests have been done by
> >myself, strictly subjective experience.
> >
> >> Your thoughts, knowledge, and possibly links to more info would be
> >> very greatly appreciated.
> >> 
> >> Thank You.
> >
> >I would like to point out that I do follow current, both on my own
> >workstations and my work workstation :)
> >
> >The FAQ on http://www.openbsd.org/ is always a good read.
> >
> >Cheers!
> >
> >--ryan
> 
> Hey Ryan,
> 
> Thanks for the thoughtful response. The move looks promising then. I'll
> definitely read the FAQ - thanks for the reminder.
> 
> RE: OpenGL:
> It's great that it works, but is it taking advantage of the hw, or do
> you know if it is sw only? Some posts I've read seem less positive
> about that.

Sorry I was not clear, it works with hardware for me :)  no software
renderer here!  That being said, you mention a rather lofty radeon card,
Jonathan Gray replied with some valuable info there, unfortunately if your
card falls ABOVE the category he outlines, it will be rather unaccelerated
for most useful things at this time.  If you have an older radeon card you
upgraded from and are willing to use it in the mean time, that could be
a stepping stone for you.

Cheers!

--ryan

> 
> Anyone else have any experiences to share?
> 
> Thanks again,
> 
> --
> -C



Re: leaving linux - questions about capabilities

2014-12-29 Thread Ryan Freeman
On Mon, Dec 29, 2014 at 11:17:55AM -0500, Christopher Barry wrote:
> Greetings All,
> 
> I've used OpenBSD in the past to build redundant routers and firewalls
> and it was fantastic, but it's been quite a few years since I've played
> with it. I've also never used it as my default workstation. Yet.
> 
> I've always used Debian GNU/Linux on my workstations in the past,
> but with jessie/sid (and practically all other linux distros) the
> direction the linux userspace has taken is a serious turn for the worst
> IMO. I am simply philosophically at odds with systemd, and I would like
> to stop relying on linux altogether if possible. My problem is I have
> specific needs, and it's not clear if I can meet them running OpenBSD.
> I'm hoping I can, and someone can share their experiences with making a
> similar setup work.
> 
> Firstly, I'm running an i7 960 with a PCI-e ATI Radeon 7850 in a three
> monitor configuration (2 direct DVI and 1 active HDMI-to-DVI dongle)
> using the OpenSource Radeon linux driver @1920x1200 on each monitor.

Hey, not 100% the same but similar setup on a workstation at work:
Radeon HD4550 using radeondrm and two 1920x1080 monitors:
DisplayPort-0 connected 1920x1080+1920+0
DVI-0 connected 1920x1080+0+0

Also have used multiple monitors on my i5-powered laptop, using its
integrated intelHD video.

> I'm using enlightenment 17.6 as my window manager. I use and rely on

I use openbox myself but enlightenment 0.17.5 is an available package.

> blender <http://www.blender.org> a /lot/ with hardware accelerated
> OpenGL, and having three monitors is important for my graphics work.

blender is available in packages as well, though I have never used it.

> Is anyone running OpenBSD with three monitors? With blender, hw-accel
> OpenGL, and/or E1{7,8,9}?

I'm sure three monitors would work just as well as two :)  E17 does work,
I have used it in the past.  I play with OpenGL stuff quite regularly
and it is my opinion that the recent drivers for intel and radeon video
devices respectively perform roughly the same here as they do on freebsd
or linux.  No formal tests have been done by myself, strictly subjective
experience.

> Your thoughts, knowledge, and possibly links to more info would be
> very greatly appreciated.
> 
> Thank You.

I would like to point out that I do follow current, both on my own
workstations and my work workstation :)

The FAQ on http://www.openbsd.org/ is always a good read.

Cheers!

--ryan



Re: Lenovo T500 doesn't boot [Was: Re: Can't boot Nov 21 amd64/bsd.rd - finishes at 'entry point'...]

2014-11-27 Thread Ryan Freeman
On Wed, Nov 26, 2014 at 12:45:18PM -0800, Mike Larkin wrote:
> On Wed, Nov 26, 2014 at 02:48:33PM -0500, Jiri B wrote:
> > Does anybody have an archive for each amd64 snapshot?
> > I'd like to check what is the latest amd64 kernel which can
> > boot on T500. Nov 7 snapshot works OK but recent ones do not.
> > 
> > I updated bios, ran memtest86+, still same problem.
> > 
> > But... I see I don't have any getty, strange, I haven't
> > observe it before as I use X.
> 
> Can you verify you've enabled NX (sometimes called execute disable)
> in your BIOS? We made some changes in this area recently and while
> I did test on a non-NX setup, maybe we missed something. I see your
> CPUID outputs in the dmesg that works don't have NXE, which leads
> me to believe you disabled it in the BIOS for some reason (as your
> CPU does support it).
> 
> -ml

Thank you Mike!  I ran into the same problem moving from a Nov 16th
snapshot to a Nov 19th (and then Nov 20th as main mirror had one
day newer).  I had gone into my bios and checked a few things over,
i flipped the nx option and a couple other things to try, in typical
bad diagnostic fashion :( and when it was fixed wasn't sure what it
was.  thank you!  for sake of info here is my dmesg:
(mac addys removed)

-ryan

OpenBSD 5.6-current (GENERIC.MP) #583: Thu Nov 20 11:47:06 MST 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 30
real mem = 4066766848 (3878MB)
avail mem = 3954667520 (3771MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xf2480 (70 entries)
bios0: vendor Dell Inc. version "A05" date 08/10/2010
bios0: Dell Inc. Latitude E6410
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC TCPA MCFG HPET BOOT SLIC SSDT
acpi0: wakeup devices AGP_(S4) P0P1(S4) DIGC(S3) UAR1(S3) HDEF(S4) PXSX(S4) 
RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) 
RP05(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2660.49 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF,PERF,ITSC
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2660.01 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF,PERF,ITSC
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 2, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2660.01 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF,PERF,ITSC
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 2660.01 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF,PERF,ITSC
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 2, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (AGP_)
acpiprt2 at acpi0: bus 11 (P0P1)
acpiprt3 at acpi0: bus 1 (RP01)
acpiprt4 at acpi0: bus 2 (RP02)
acpiprt5 at acpi0: bus 3 (RP03)
acpiprt6 at acpi0: bus 5 (RP04)
acpiprt7 at acpi0: bus -1 (RP05)
acpiprt8 at acpi0: bus -1 (RP07)
acpiprt9 at acpi0: bus -1 (RP08)
acpiprt10 at acpi0: bus -1 (PEG3)
acpiprt11 at acpi0: bus -1 (PEG5)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C1, PSS
acpicpu1 at acpi0: C3, C1, PSS
acpicpu2 at acpi0: C3, C1, PSS
acpicpu3 at acpi0: C3, C1, PSS
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: PBTN
acpibtn2 at acpi0: SBTN
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "DELL F8TTW24" serial 1689 type LION oem "SMP"
acpibat1 at acpi0: BAT1 not present
acpivideo0 at acpi0: VID_
acpivideo1 at acpi0: VID_
acpivout0 at acpivideo1: LCD_
cpu0: Enhanced SpeedStep 2660 MHz: speeds: 2400, 2399, 2266, 2133, 1999, 1866, 
1733, 1599, 1466, 1333, 1199 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0

Re: Contributing

2014-11-17 Thread Ryan Freeman
On Sat, Nov 15, 2014 at 04:34:35PM -0800, andrew fabbro wrote:
> What about writing tutorials/articles?
> 
> There's www.openbsdsupport.org which I believe is officially blessed though
> it doesn't look too active.  Probably for lack of people submitting
> articles :-)

www.openbsdsupport.org definitely isn't 'officially blessed' see here:

""
Note: The content published here in no way implies that the OpenBSD
project or any member of the OpenBSD team sanctions or approves of
such use. Do not complain to them if you find anything obsolete here.
If you do find it unusable, inexact, obsolete or simply bad, then your
help would be welcome to make it better. Send in your new document.
""

It doesn't look like it's had much activity since 2012.

> Of course if you have a blog or web site you can write OpenBSD stuff for it.
> 
> I know I've sometimes struggled with putting the pieces together where a
> step-by-step "how to accomplish X" with OpenBSD would have helped.  Just
> last week, Ted Unangst's "what I wish I known before setting up OpenBSD on
> my Beagle Bone Black" on his blog saved me a lot of time and frustration.

In general just blogging about stuff, especially when not fully understood
can be a bad thing.  The blog you mentioned by Mr Ted Unangst is different,
because he is actually a dev :)

Hope this helps clear up confusions, cheers!

-ryan



Re: audio in linux emulation, skype & friends

2014-11-03 Thread Ryan Freeman
On Mon, Nov 03, 2014 at 07:16:34PM +0100, Alexandre Ratchov wrote:
> On Mon, Nov 03, 2014 at 08:58:29AM -0800, Ryan Freeman wrote:
> > On Fri, Oct 31, 2014 at 08:58:15AM +0100, Alexandre Ratchov wrote:
> > > On Fri, Oct 31, 2014 at 11:48:00AM +0530, Jay Patel wrote:
> > > > Try https://jitsi.org/ or tox https://tox.im/
> > > > 
> > > > Hope this helps.
> > > > 
> > > 
> > > thanks for the links.
> > > 
> > > The question is more about audio support in linux emulation itself.
> > > Does anyone use it? does it even work? what about deleting it?
> > >
> > 
> > I haven't used i386 for a year or so and i thought linux compat was still
> > pretty much not usable anymore :-) but when i last used it, it was just
> > for binary released linux games such as unreal tournament. 
> > 
> 
> Not sure to understand, did you manage to play with unreal
> tournament on OpenBSD, with working audio?

yes indeed, i used to haha

> 
> > so, i guess linux binaries that used sdl had sound.
> >
> 
> BTW, sdl (on linux) could be configured to use sndio, which would
> make sound work, as long as the linux binaries are dynamically
> linked against sdl.
> 
> > just for informational purposes, i would presume linux sdl binaries
> > must have been using the ossaudio type layer as we have (had?) no
> > alsa stuff.  i don't use this anymore as my machines are amd64,
> > cheers!
> 
> so you won't object if ossaudio is removed for linux emulation,
> right?
> 
> -- Alex



Re: audio in linux emulation, skype & friends

2014-11-03 Thread Ryan Freeman
On Fri, Oct 31, 2014 at 08:58:15AM +0100, Alexandre Ratchov wrote:
> On Fri, Oct 31, 2014 at 11:48:00AM +0530, Jay Patel wrote:
> > Try https://jitsi.org/ or tox https://tox.im/
> > 
> > Hope this helps.
> > 
> 
> thanks for the links.
> 
> The question is more about audio support in linux emulation itself.
> Does anyone use it? does it even work? what about deleting it?
>

I haven't used i386 for a year or so and i thought linux compat was still
pretty much not usable anymore :-) but when i last used it, it was just
for binary released linux games such as unreal tournament. 

so, i guess linux binaries that used sdl had sound.

just for informational purposes, i would presume linux sdl binaries
must have been using the ossaudio type layer as we have (had?) no
alsa stuff.  i don't use this anymore as my machines are amd64,
cheers!

-ryan
 
> -- Alexandre



Re: pf+voip

2014-05-27 Thread Ryan Freeman
On Tue, May 27, 2014 at 01:59:07PM +0400,   wrote:
> Does pf have specific rules for voip, may be example of working
> pf_rule with voip?
> 
> Because for «standard rules» i have problems with voip.
> 
> set skip on lo
> 
> match out on pppoe0 from { em1:network } nat-to (pppoe0)
> 
> block
> 
> pass out
> 
> pass in on { em1 }
> 
> - after hanging up, the line near 3 minutes still busy (may be keep
> state set to no state in rules)
> 
> - badly hear person on the phone (quiet)
>

Hey,

I don't use this anymore, but i still have the blurbs from my pf.conf
that had a pretty much perfect working voip connection:

Queuing: this was originally around 900kbit up when i used it (diff
isp).  i also had given the voip queue around 12% i think, left it
there as I was unsure of whether i'd still be using the voip phone
after i left that company, and just knocked it down to 2% ;)

also pre-newqueue, warning! ;)
ext01 and ext02 are aastra phone and obihai voip device, respectively.

--snip--

# hfsc queueing
altq on $ext_if bandwidth 460Kb hfsc queue \
{ voip, ack, dns, game, ssh, www_ftp, std_out }

queue voip    bandwidth  2% priority 8 hfsc(realtime  2%)
queue ack     bandwidth 15% priority 7 hfsc(realtime 15%)
queue game    bandwidth 37% priority 6 hfsc(realtime 40%)
queue dns     bandwidth  5% priority 5 hfsc(realtime  5%)
queue ssh     bandwidth 15% priority 4 hfsc(realtime 17%) {ssh_im, ssh_bulk}
queue   ssh_im     bandwidth 90% priority 4 hfsc
queue   ssh_bulk   bandwidth 10% priority 3 hfsc
queue www_ftp bandwidth  3% priority 2 hfsc(linkshare  3%)
queue std_out bandwidth 15% hfsc(linkshare  5% default)

--snip--

# NAT voip, static-port required to maintain UDP port mappings for SIP proxy
match out on $ext_if from $ext01 to any nat-to ($ext_if) static-port
match out on $ext_if from $ext02 to any nat-to ($ext_if) static-port

# queue voip, to AND from
match inet proto udp to port $rtp_ports scrub(set-tos ef) queue voip
match inet proto udp from port $rtp_ports scrub(set-tos ef) queue voip

--snip--

above here took care of the rest.  this was using both a obihai voip
device for hookup of a POTS phone, and an Aastra phone as my primary
voip phone hooked into the company directory etc (all quite easy with
asterisk!)

The above worked enough that I could take business calls including calls
that may have resulted in sales of voip service, without it sounding
like i was on a shitty link with various vocal artifacts etc.
in the end i could pretty much hammer my inet connection as hard as
i wanted while a call was in progress and never really lost anything.

YMMV :)  I found my values via hours of tweaking, hammering with
various bandwidth-intensive applications, and hammering more.

I believe we did have a form of STUN or SIP proxy, the phones we
used could be preconfigured to fetch a config from the company server,
which would include things like a STUN or SIP proxy ip.

in my setup, my normal nat line in pf does not use static-port, hence
the added line before that point to catch the voip devices and make
sure they are natted with static-port.

Cheers,

-ryan



Re: ssh connections dropped after creating a keypair on the server

2014-04-16 Thread Ryan Freeman
On Wed, Apr 16, 2014 at 06:12:41AM -0500, Ed Ahlsen-Girard wrote:
> I added a second -current box to the house. Since the first (named
> FIRST below) had never had anywhere to ssh to, I created its first
> keypair.
> 
> Now the Win7 laptop (LAPPER) running Putty has its connections to the
> first -current box dropped before authentication. The key from the
> laptop is still in authorized_keys. /etc/ssh/sshd_config has not
> changed. security, authorization and message log files have nothing
> to say about this. Dmesg and `tcpdump -o` output from the timeframe of a
> connect attempt are below.

Hi,

Is there a chance you haven't updated that version of PuTTY recently?
OpenSSH takes a hard line on insecure HMACs and I recently had to
update PuTTY on a work machine as it wouldn't connect to a new OpenBSD
snapshot installation from a couple weeks ago.

Force people to update software following insecure semantics rather than
make it easy to be lazy is the song and dance here.

Cheers,

-ryan

> 
> -- 
> 
> Edward Ahlsen-Girard
> Ft Walton Beach, FL
> 
> OpenBSD 5.5-current (GENERIC.MP) #59: Mon Apr  7 22:49:12 MDT 2014
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 2094530560 (1997MB)
> avail mem = 2030067712 (1936MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf06d0 (43 entries)
> bios0: vendor American Megatrends Inc. version "0504" date 10/05/2009
> bios0: ASUSTeK Computer INC. P-P5G41
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S3 S4 S5
> acpi0: tables DSDT FACP APIC MCFG OEMB HPET GSCI SSDT
> acpi0: wakeup devices P0P2(S4) P0P3(S4) P0P1(S4) UAR1(S4) PS2K(S4)
> PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) MC97(S4) P0P4(S4)
> P0P5(S4) P0P6(S4) P0P7(S4) [...] acpitimer0 at acpi0: 3579545 Hz, 24
> bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0:
> apid 0 (boot processor) cpu0: Intel(R) Core(TM)2 Duo CPU E7500 @
> 2.93GHz, 3520.38 MHz cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF
> cpu0: 3MB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 266MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz, 2933.30 MHz
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF
> cpu1: 3MB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0xf000, bus 0-63
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (P0P2)
> acpiprt2 at acpi0: bus -1 (P0P3)
> acpiprt3 at acpi0: bus 3 (P0P4)
> acpiprt4 at acpi0: bus -1 (P0P5)
> acpiprt5 at acpi0: bus 2 (P0P6)
> acpiprt6 at acpi0: bus 1 (P0P7)
> acpicpu0 at acpi0: C2, C1, PSS
> acpicpu1 at acpi0: C2, C1, PSS
> aibs0 at acpi0 RTMP RVLT RFAN GGRP GITM SITM
> aibs0: FSIF: invalid package
> acpibtn0 at acpi0: PWRB
> cpu0: Enhanced SpeedStep 3520 MHz: speeds: 2936, 2670, 2403, 2136,
> 1870, 1603 MHz pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel G41 Host" rev 0x03
> vga1 at pci0 dev 2 function 0 "Intel G41 Video" rev 0x03
> intagp0 at vga1
> agp0 at intagp0: aperture at 0xe000, size 0x1000
> inteldrm0 at vga1
> drm0 at inteldrm0
> inteldrm0: 1280x768
> wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> "Intel G41 Video" rev 0x03 at pci0 dev 2 function 1 not configured
> azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: msi
> azalia0: codecs: Realtek ALC888
> audio0 at azalia0
> ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: msi
> pci1 at ppb0 bus 3
> ppb1 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x01: msi
> pci2 at ppb1 bus 2
> re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C
> (0x3c00), msi, address 48:5b:39:c5:63:95 rgephy0 at re0 phy 7:
> RTL8169S/8110S PHY, rev. 2 ppb2 at pci0 dev 28 function 3 "Intel
> 82801GB PCIE" rev 0x01: msi pci3 at ppb2 bus 1
> vendor "VIA", unknown product 0x3401 (class serial bus subclass
> Firewire, rev 0x00) at pci3 dev 0 function 0 not configured vendor
> "VIA", unknown product 0x401a (class mass storage subclass
> miscellaneous, rev 0x00) at pci3 dev 0 function 1 not configured sdhc0
> at pci3 dev 0 function 2 vendor "VIA", unknown product 0x401b rev 0x00:
> apic 2 int 19 sdhc0 at 0x10: can't map registers uhci0 at pci0 dev 29
> function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23 uhci1 at p

Re: Are xdm configs overwritten on upgrade?

2013-12-16 Thread Ryan Freeman
On Sat, Dec 14, 2013 at 01:32:04PM +, Laurence Rochfort wrote:
> Hello,
> 
> I want to prevent xconsole starting with xdm. I see it is started in
> /etc/X11/xdm/Xsetup_0.
> 
> Is there a user or system specific file for xdm conf files as there are for
> /etc/rc.conf? If not, and I modify Xsetup_0 will it be overwritten on OS
> upgrade?

While I don't believe there is any .local version of Xsetup_0, I myself
put pkill xconsole in my .xsession to rid myself of the xconsole once
I log in.  That way I see the xconsole on boot, then can transition
to a root-tail after login.

This doesn't prevent it from starting up with xdm of course, so if
your problem is that you don't want it showing up on the login screen
I can only think modifying Xsetup_0 and merging changes via sysmerge
is the way to go.

Cheers,

-ryan

> 
> Many thanks,
> Laurence



Re: queueing/hfsc question

2013-12-04 Thread Ryan Freeman
On Wed, Dec 04, 2013 at 12:11:42AM +, Stuart Henderson wrote:
> On 2013-12-03, Ryan Freeman  wrote:
> > On Tue, Dec 03, 2013 at 09:10:32PM +0100, Gabor Berczi wrote:
> >> On Dec 3, 2013, at 8:57 PM, josh Grosse wrote:
> >> 
> >> >The new scheduler will be included in 5.5-release.  Users of -
> >> >current now, or of 5.5 when it is released, who wish to continue
> >> >using altq syntax and an altq scheduler may do so during a
> >> >transition period, as described in the link above.
> >> 
> >> Okay. But what you just described ("Child queues are able to use the
> >> same name") doesn't work with ALTQ either. Are you certain it does
> >> with the new sched? (that would mean that it was impossible to do
> >> before)
> >> 
> >> altq on {$extif} bandwidth 600Kb hfsc queue { pri,http,warez }
> >> 
> >> queue pri   bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
> >> queue http  bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
> >> queue warez bandwidth 1% priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)
> >> 
> >> altq on {$intif} bandwidth 10Kb hfsc queue { local,down }
> >> 
> >> queue local bandwidth 90% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
> >> queue down  bandwidth 10% { pri,http,default,warez }
> >>  queue pri  bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
> >>  queue http bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
> >>  queue default  bandwidth 10% priority 4 qlimit 500 hfsc(realtime 5% ecn red)
> >>  queue warez bandwidth 1% priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)
> >> 
> >> queue pri already exists on interface pppoe0
> >> /etc/pf.conf.dual:71: errors in queue definition
> >> queue http already exists on interface pppoe0
> >> /etc/pf.conf.dual:72: errors in queue definition
> >> queue warez already exists on interface pppoe0
> >
> > try:
> >
> > altq on {$extif} bandwidth 600Kb hfsc queue { pri,http,warez }
> >
> > queue extpri    bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
> > queue exthttp   bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
> > queue extwarez  bandwidth 1% priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)
> >
> > altq on {$intif} bandwidth 10Kb hfsc queue { local,down }
> >
> > queue local     bandwidth 90% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
> > queue down      bandwidth 10% { pri,http,default,warez }
> > queue intpri    bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
> > queue inthttp   bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
> > queue default   bandwidth 10% priority 4 qlimit 500 hfsc(realtime 5% ecn red)
> > queue intwarez  bandwidth 1% priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)
> >
> > the only thing i noticed is you're defining pri, http, and warez twice and 
> > confusing pf.
> 
> This does not confuse PF at all, but you have to be explicit about
> which interfaces they relate to.
> 

Ah, I had once run into this but didn't realize you could be explicit about
the interface on the queue line itself.

cool! cheers :)

-ryan
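
Stuart's point, being explicit about the interface on the queue line itself, written out as an added illustration in the ALTQ syntax this thread uses (it is not taken from any poster's ruleset). The internal interface name, the internal link speed, the `other` queue name and the `default` flags are assumptions made so that each interface has exactly one default queue.

```conf
# Added illustration, old ALTQ syntax as used in this thread.
# pppoe0 is the interface named in the error output; em0, 100Mb, the
# queue name "other" and the "default" flags are constructed assumptions.
extif = "pppoe0"
intif = "em0"

# External side: leaf queues bound to $extif with "on".
altq on $extif bandwidth 600Kb hfsc queue { pri, http, warez }
queue pri   on $extif bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
queue http  on $extif bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
queue warez on $extif bandwidth 1%  priority 0 qlimit 500 hfsc(upperlimit 90% ecn red default)

# Internal side: the same leaf names again, this time bound to $intif.
# Without "on", a queue definition is valid on all interfaces, which is
# what produces "queue pri already exists on interface pppoe0".
altq on $intif bandwidth 100Mb hfsc queue { local, down }
queue local on $intif bandwidth 90% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
queue down  on $intif bandwidth 10% { pri, http, other, warez }
queue pri   on $intif bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
queue http  on $intif bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
queue other on $intif bandwidth 10% priority 4 qlimit 500 hfsc(realtime 5% ecn red default)
queue warez on $intif bandwidth 1%  priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)

# One rule can name the queue once; the packet lands in the "http" queue
# of whichever of the two interfaces it leaves through.
pass out proto tcp to port 80 queue http
```

`pfctl -nf` on the file parses it without loading it, which is the quickest way to confirm the duplicate-queue errors are gone.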



Re: queueing/hfsc question

2013-12-03 Thread Ryan Freeman
On Tue, Dec 03, 2013 at 09:10:32PM +0100, Gabor Berczi wrote:
> On Dec 3, 2013, at 8:57 PM, josh Grosse wrote:
> 
> >The new scheduler will be included in 5.5-release.  Users of -
> >current now, or of 5.5 when it is released, who wish to continue
> >using altq syntax and an altq scheduler may do so during a
> >transition period, as described in the link above.
> 
> Okay. But what you just described ("Child queues are able to use the
> same name") doesn't work with ALTQ either. Are you certain it does
> with the new sched? (that would mean that it was impossible to do
> before)
> 
> altq on {$extif} bandwidth 600Kb hfsc queue { pri,http,warez }
> 
> queue pri   bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
> queue http  bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
> queue warez bandwidth 1% priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)
> 
> altq on {$intif} bandwidth 10Kb hfsc queue { local,down }
> 
> queue local bandwidth 90% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
> queue down  bandwidth 10% { pri,http,default,warez }
>  queue pri  bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
>  queue http bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
>  queue default  bandwidth 10% priority 4 qlimit 500 hfsc(realtime 5% ecn red)
>  queue warez bandwidth 1% priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)
> 
> queue pri already exists on interface pppoe0
> /etc/pf.conf.dual:71: errors in queue definition
> queue http already exists on interface pppoe0
> /etc/pf.conf.dual:72: errors in queue definition
> queue warez already exists on interface pppoe0

try:

altq on {$extif} bandwidth 600Kb hfsc queue { pri,http,warez }

queue extpri    bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
queue exthttp   bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
queue extwarez  bandwidth 1% priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)

altq on {$intif} bandwidth 10Kb hfsc queue { local,down }

queue local     bandwidth 90% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
queue down      bandwidth 10% { pri,http,default,warez }
queue intpri    bandwidth 10% priority 7 qlimit 500 hfsc(realtime 5% ecn red)
queue inthttp   bandwidth 70% priority 5 qlimit 500 hfsc(realtime 50% ecn red)
queue default   bandwidth 10% priority 4 qlimit 500 hfsc(realtime 5% ecn red)
queue intwarez  bandwidth 1% priority 0 qlimit 500 hfsc(upperlimit 90% ecn red)

the only thing i noticed is you're defining pri, http, and warez twice and 
confusing pf.

-ryan

> 
> -- 
> G



Re: Looking for a laptop in the Toronto area

2013-10-30 Thread Ryan Freeman
On Wed, Oct 30, 2013 at 04:04:42PM +0100, Riccardo Mottola wrote:
> Hi,
> 
> On 10/30/13 12:18, Aaron Mason wrote:
> >On Wed, Oct 30, 2013 at 4:21 PM, Brad Smith  wrote:
> >>Hi,
> >>
> >>I added an entry to want.html as I am looking for a laptop to replace the
> >>laptop I have at the moment which has some really bad heat related issues
> >>and I have been hobbling along with it for awhile now. I am in the Toronto
> >>area. I thought I would post to misc@ for some greater exposure. Is there
> >>anyone that would be able to help me out?
> >Hi Brad
> >
> >Is the fan functioning?  If so, have you tried opening up the laptop
> >and re-applying thermal grease to the CPU?  If the laptop has a few
> >years under its belt, the old grease could have perished.
> >
> >We had a similar issue with our ageing fleet of Dell Latitude D630s
> >where the GPU was overheating and causing random crashes and graphics
> >artefacts, and that cleared the problem up nicely if we got to it
> >before it caused permanent damage to the GPU.  That rarely happened
> >since the laptops were used in rather remote areas and thanks to the
> >moron who came before us they plugged on without letting us know what
> >happened, but we managed to rescue a handful of them until they
> >succumbed to other kinds of hardware failure, finally convincing
> >management to shell out for some replacement laptops that were covered
> >by 3 years of hardware support.
> >
> >Hope this helps.
> Be sure that all fans are "clean" sometimes fans and grids look
> clean, but in the corners you need to clean it better. Usually you
> need to at least remove the keyboard and blow from the inside or
> check visually. Better airflow means at least less noise! I too
> fixed a freezing Dell D600 this way!

Further to verifying things are actually clean, as someone who
worked in a warranty depot servicing toshiba/hp/acer machines
predominantly, the way you blow out your fans and grates is
also important! :)

Always always best to blow through the grates toward the fan
ports, basically making sure air you blow is going opposite
to the direction the fans blow.  Lots of people force air
through the fans, see some dust come out the grates, and call
it a day.  In actual fact, they have now severely lodged
dust bunnies into the inside of the grates, requiring a full
teardown to properly clean it.

Finally, on my thinkpads, my last t41p i had to take apart
3-4 times in its final years to reapply grease before the gpu
finally bit the bucket, that being said I have a feeling Brad
has already done all this.

Cheers,

-ryan

> 
> Riccardo



Re: Way too many crashes with recent snapshots (non-HTML-version)

2013-09-21 Thread Ryan Freeman
On Sat, Sep 21, 2013 at 12:10:18PM +0200, Erling Westenvik wrote:
> On Fri, Sep 20, 2013 at 11:43:50PM +0200, Stefan Wollny wrote:
> > OK - it happened again: The system just stopped responding, entirely!
> > 
> > This time it was after roughly 4 hours. gkrellm reported temperatures of
> > acpi* below 80 degrees Celsius, over 10 degrees below the threshold.
> >
> > radeondrm0 at pci1 dev 0 function 0 "ATI Radeon Mobility X1300 M52-64"
> > rev 0x00: apic 1 int 16 drm0 at radeondrm0
> > drm: initializing kernel modesetting (RV515 0x1002:0x7149
> > 0x17AA:0x2005). radeondrm0: VRAM: 128M 0x -
> > 0x07FF (64M used) radeondrm0: GTT: 512M 0x0800
> > - 0x27FF ttm_pool_mm_shrink_init stub
> > drm: PCIE GART of 512M enabled (table at 0x0004).
> > radeondrm0: 1400x1050
> > wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using
> 
> A shot in the dark perhaps, but I noticed that your machine has a
> DuoCore cpu and radeon graphics. On two of my similar machines (a
> ThinkPad T500 and a Dell Optiplex 755) I've given up on using radeon
> graphics altogether. Especially the Dell machine kept on stopping
> completely.
> 
> The ThinkPad has switchable graphics, ATi or Intel, and runs fine with
> the latter. On the Dell I gave up using my old ATi (RV610 chipset) a
> week ago and switched to the onboard Intel chip. I lost dual head but at
> least the machine is now rock stable.
> 
> I cannot afford to buy more recent ATi (AMD) cards and test, but suspect
> radeondrm to be the culprit!?

I too have a thinkpad T60 with a slightly 'better' radeon chipset, at
least the model number is slightly higher:

11:16 insomniac:~% dmesg|grep radeondrm
radeondrm0 at pci1 dev 0 function 0 "ATI Radeon Mobility X1400" rev 0x00: apic 1 int 16
drm0 at radeondrm0
radeondrm0: VRAM: 128M 0x - 0x07FF (128M used)
radeondrm0: GTT: 512M 0x0800 - 0x27FF
radeondrm0: 1400x1050
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0

It currently has an uptime of 6 days 16hrs, I beat the graphics regularly. 
6 days 16hrs ago i did an update to a newer snapshot.

my desktop running a radeon hd3650 had an uptime of over 15 days whilst
using heavy gl stuff.  managed to freeze it with a browser, though ;)

laptop has yet to freeze since radeondrm officially in-tree, it was a bit
shaky during the initial radeondrm tests, but those weren't even public
in the first place.

my Thinkpad T60 does not have an option to switch between radeon and
an intel chip.

-ryan

> 
> Erling



Re: 11" mid-2102 i7 MacBook Air 5,1 dmesg

2013-09-05 Thread Ryan Freeman
On Thu, Sep 05, 2013 at 07:32:38PM +, Miod Vallat wrote:
> > > Geez, not much changed in the 89 years between now and 2102. :-)
> > > 
> > >  Ken
> > 
> > I'm the idiot from the future, 2 days ago, I thought I was running 
> > 5.4-RELEASE on there
> 
> 5.4-RELEASE will have time issues in 2102. However, 5.4-CURRENT as of
> now ought to run without any particular problems (assuming the hardware
> is still in working condition and you can still get electricity in year
> 2102).
>

Confirmation of this will have to go in his Will as a task for future
generations ;)  less of course, that human brain uploading technology
is done by then, and i better be able to read about it in brain(4) ;)

-ryan 



usb device works on amd64 but not i386

2013-07-17 Thread Ryan Freeman
Hey tech@,

i came across a uhid device (joystick adapter) I have that only
seems to work on my amd64 desktop, but not i386 laptop.

amd64:
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb3 at ohci2: USB revision 1.0
uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci3: USB revision 1.0
uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb5 at ohci4: USB revision 1.0
uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1
*snip*
uhidev1 at uhub2 port 2 configuration 1 interface 0 "vendor 0x product 0x0667" rev 1.00/2.88 addr 2
uhidev1: iclass 3/0
uhid0 at uhidev1: input=6, output=0, feature=0

i386:
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
*snip*
uhidev1 at uhub1 port 2 configuration 1 interface 0 "vendor 0x product 0x0667" rev 1.00/2.88 addr 2
uhidev1: no report descriptor

I have confirmed with 'another os' that the device works on this
i386 machine so it's not bad ports or anything.

I noticed in sys/dev/usb/uhidev.c there are notes about a
broken descriptor for a Wacom tablet, and in sys/dev/usb/usb.h
a note for i386 using unaligned access for unaligned little-endian
word components in usb records.

I guess my only question would be, am I looking in the right
areas for something such as this? 

Cheers,

-ryan