Re: Can minecraft run on OpenBSD i386 with less than 2Gb Ram ?

[Solene Rapenne]

On Sat, Oct 05, 2019 at 12:20:09PM +0100, Tom Smyth wrote:
> Hi all,
> My 5 year old son as a laptop .. Running OpenBSD 6.5 stable and im trying
> to
> I figured current would be a little tricky for him :) ...
> I have tried to get minecraft working on it but I think I probably don't
> have enough ram...
> I have tried upping the staff limits in limits .conf etc..
> there also seems to be a bug with the current launcher that is included in
> ports
> as there is a "you need java script enabled to view this site" message
> displayed on the launcher after you click the play button ...
> 
> Perhaps I just need to shell out for a laptop that will run x86-64 ..  :)
> 
> Kindest regards,
> Tom Smyth.

I think it can run, but you may prefer running games/minetest, it's an
opensource minecraft clone which requires a LOT less ressources and
which should bring a lot of fun too.

The main difference would be the lack of monsters, less blocks and no
redstone, but there are lots of mods to fill thoses gaps IIRC.

Re: trouble with radeon r9 290 and eduke32

[Solene Rapenne]

On Sat, Sep 21, 2019 at 09:34:35PM +1000, Jonathan Gray wrote:
> On Sat, Sep 21, 2019 at 12:29:59PM +0200, Solene Rapenne wrote:
> > On Tue, Aug 20, 2019 at 05:40:50PM +1000, Jonathan Gray wrote:
> > > On Tue, Aug 20, 2019 at 09:43:48AM +0300,  wrote:
> > > > Hello,
> > > > When I start eduke32 with LD_PRELOAD=/usr/X11R6/lib/libGL.so.17.0  so it
> > > > can run in opengl,
> > > > on ion fury it freezes after starting the game and whole machine becomes
> > > > unresponsive for some time. I can ssh to it from my cell phone after 
> > > > some
> > > > time. Here is screenshot of dmesg:
> > > > 
> > > > https://yadi.sk/i/C6NSFEqjxuchoA
> > > > 
> > > > Here is dmesg after reboot: https://pastebin.com/HiHp8DUQ
> > > > 
> > > > Help. please.
> > > > Thanks.
> > > 
> > > Why are you using LD_PRELOAD?  OpenGL should work without that.
> > > eduke32 will dlopen libGL.so after libGL.so.1 can't be opened going by
> > > source/glad/src/glad.c.
> > > 
> > > Are you using the version of eduke32 in ports?  It is quite old and
> > > ion fury had the initial release a few days ago.
> > > 
> > > Can you reproduce this with any other game supported by eduke32?
> > > I don't have ion fury but have the rest (and duke3d shareware
> > > is installed when installing the eduke32 package).
> > > 
> > > Here is an update to the latest eduke32 which has some graphical
> > > glitches on the title screen with duke3d shareware with inteldrm.
> > > Not sure if the xmp bits are properly built for the tracker music
> > > in ion fury.
> > > 
> > 
> > With your patch I can play Ion Fury, sounds works but there is no music.
> > 
> >   Generating voxel models for Polymost. This may take a while...
> >   Initializing music...
> >   Initializing sound... 64 voices, 2 channels, 16-bit 48000 Hz
> >   MV_PlayXMP: libxmp-lite support not included in this binary.
> >   MV_PlayXMP: libxmp-lite support not included in this binary.
> >   Line 1637, starttrackslot: invalid level 25 or null music for volume 0 
> > level 25
> >   Cache time: 939ms
> > 
> > The duke nukem shareware works too, I did not see any glitch.
> > My graphic card from dmesg:
> > 
> > "Intel UHD Graphics 620" rev 0x07 at pci0 dev 2 function 0 not configured
> > inteldrm0 at pci0 dev 2 function 0 "Intel UHD Graphics 620" rev 0x07
> > 
> > I don't know if this is expected, but I was only able to play Ion Fury 
> > smoothly
> > in 640x480, eduke32 was always near 98% of cpu usage, at higher resolution 
> > it
> > was not playable at all. This is curious given my cpu is a i7-8550U 1.80GHz.
> > 
> 
> Here is a diff to build with HAVE_XMP=1 and FURY=1.
> 
> This changes the binary to 'fury' and isn't intended to support duke3d
> from what I understand, so isn't something that should be committed.
> 
> Building with FURY=1 disables the polymer OpenGL renderer so this may
> help with running at higher resolutions.
> 
> ifeq ($(FURY),1)
> APPNAME := Ion Fury
> APPBASENAME := fury
> STANDALONE := 1
> POLYMER := 0
> USE_LIBVPX := 0
> NETCODE := 0
> SIMPLE_MENU := 1
> endif

HAVE_XMP solves the music issue on Ion Fury and duke3d still works fine
(sound, music, game)

maybe the ports could be split into multipackages to make a
eduke3d-duke3d and eduke3d-fury

I did retry, I already had polymer disabled, but it's slow only in
certains areas at a certain time. Like if loading ennemies was requiring
lot of cpu, then usage reduces.

Re: trouble with radeon r9 290 and eduke32

[Solene Rapenne]

On Tue, Aug 20, 2019 at 05:40:50PM +1000, Jonathan Gray wrote:
> On Tue, Aug 20, 2019 at 09:43:48AM +0300,  wrote:
> > Hello,
> > When I start eduke32 with LD_PRELOAD=/usr/X11R6/lib/libGL.so.17.0  so it
> > can run in opengl,
> > on ion fury it freezes after starting the game and whole machine becomes
> > unresponsive for some time. I can ssh to it from my cell phone after some
> > time. Here is screenshot of dmesg:
> > 
> > https://yadi.sk/i/C6NSFEqjxuchoA
> > 
> > Here is dmesg after reboot: https://pastebin.com/HiHp8DUQ
> > 
> > Help. please.
> > Thanks.
> 
> Why are you using LD_PRELOAD?  OpenGL should work without that.
> eduke32 will dlopen libGL.so after libGL.so.1 can't be opened going by
> source/glad/src/glad.c.
> 
> Are you using the version of eduke32 in ports?  It is quite old and
> ion fury had the initial release a few days ago.
> 
> Can you reproduce this with any other game supported by eduke32?
> I don't have ion fury but have the rest (and duke3d shareware
> is installed when installing the eduke32 package).
> 
> Here is an update to the latest eduke32 which has some graphical
> glitches on the title screen with duke3d shareware with inteldrm.
> Not sure if the xmp bits are properly built for the tracker music
> in ion fury.
> 

With your patch I can play Ion Fury, sounds works but there is no music.

  Generating voxel models for Polymost. This may take a while...
  Initializing music...
  Initializing sound... 64 voices, 2 channels, 16-bit 48000 Hz
  MV_PlayXMP: libxmp-lite support not included in this binary.
  MV_PlayXMP: libxmp-lite support not included in this binary.
  Line 1637, starttrackslot: invalid level 25 or null music for volume 0 level 
25
  Cache time: 939ms

The duke nukem shareware works too, I did not see any glitch.
My graphic card from dmesg:

"Intel UHD Graphics 620" rev 0x07 at pci0 dev 2 function 0 not configured
inteldrm0 at pci0 dev 2 function 0 "Intel UHD Graphics 620" rev 0x07

I don't know if this is expected, but I was only able to play Ion Fury smoothly
in 640x480, eduke32 was always near 98% of cpu usage, at higher resolution it
was not playable at all. This is curious given my cpu is a i7-8550U 1.80GHz.

Re: What is you motivational to use OpenBSD

[Solene Rapenne]

On Wed, Aug 28, 2019 at 04:32:29PM +0200, Mohamed salah wrote:
> I wanna put something in discussion, what's your motivational to use
> OPENBSD what not other bsd's what not gnu/Linux, if something doesn't work
> fine on openbsd and you love this os so much what will do?

What I really like in the OpenBSD team is the ability to take correct
decisions and not trying to be consumer friendly or following a trend.

I say consumer friendly instead of user friendly, because OpenBSD _is_
user friendly, as far as you do your homeworks and learn how to read the
documentation. The system come with sane defaults and every user can
easily enjoy their own system for their own use.

Consumers don't want to think or make the effort.

Some of the decisions are the following:

Microphone on laptop?
disabled by default, change requires root

Webcam?
only for root by default

Disable SMT?
default setting

Sacrifice startup speed for security (randomization)?
done

The list could be extended with unmaintained code removal (tmpfs,
bluetooth, linux emulation etc...)

Those choices would be considered bold or even harmful to users on some
others systems I've been slightly involved.

But in the end, they are beneficial for the end user.

Re: su - root => segmentation fault

[Solene Rapenne]

On Wed, Jul 31, 2019 at 04:49:54PM +0500, dmitry.sensei wrote:
> Hi!
> why did it happen?
> 
> OpenBSD 6.5 current
> $su - root
> root's password:
> Segmentation fault
> $ doas su - root
> #
> 
> -- 
> Dmitry Orlov

what current? What arch?

works for me©
OpenBSD 6.5-current (GENERIC.MP) #153: Sun Jul 28 20:33:09 MDT 2019

Re: Apache 2.4 not running php OpenBSD 6.4

[Solene Rapenne]

On Wed, Jul 10, 2019 at 11:40:42PM -0700, mansoor wrote:
> Hi,
> I hope you guys are doing great.
> 
> I am using OpenBSD 6.4, apache-httpd-2.4.35, php version 5.6.
> I have disabled default httpd of OpenBSD, now apache2 is showing plain php
> code in browser it doesn't process php at all.
> 
> I couldn't find solution to this problem on stackOverflow (or any other site
> on internet).
> Please help me if anyone know about this problem. 
> Thanks.
> 

You need to install the php apache module. It should be explained in the
php README file in /usr/local/share/doc/pkg-readmes/

Re: firefox, sndiod and pledge

[Solene Rapenne]

On Thu, May 30, 2019 at 10:41:39AM +0200, Hrvoje Popovski wrote:
> Hi all,
> 
> i'm not sure is this intended or not, but if sndiod isn't running and if
> i want to open youtube video with firefox i got this log
> firefox[54192]: pledge "tty", syscall 54 and firefox crashes 
> when sndiod is running everything seems fine ..
> 
> 

which firefox package and version on which openbsd version?

Re: When will be created a great desktop experience for OpenBSD?

[Solene Rapenne]

On Tue, May 07, 2019 at 02:01:34AM -0300, Clark Block wrote:
> In 2019 still there is not a great desktop experience for NetBSD. However,
> the new "OS108" is seeking to improve this with a NetBSD operating system
> paired with the MATE desktop environment.
> So, OS108, a derivative of NetBSD, has just been released:
> https://os108.org/?ez_cid=CLIENT_ID(AMP_ECID_EZOIC)
> 
> When will be created a great desktop experience for OpenBSD?

"Great desktop experience" is subjective, and the current state is
enough for me for example.

I don't really see how adding a window manager this can improve the
"desktop experience" though.

Re: Upgrade procedure for VMM virtualization server

[Solene Rapenne]

On Mon, May 06, 2019 at 11:16:18AM +, mabi wrote:
> Hello,
> 
> Now that 6.5 is out I was wondering what is the best approach of upgrading my 
> OpenBSD 6.4 VMM virtualization server, should I first upgrade the VMM 
> hypervisor host from 6.4 to 6.5 and then afterwards the virtual machines from 
> 6.4 to 6.5? That would make sense to me but I just wanted to double check.
> 
> Best,
> Mabi
> 

There are no order. But I would upgrade the host, then the VM, this
requires only one downtime for the whole stack.

Don't forget backups of course.

Re: Qemu Agent assistance needed

[Solene Rapenne]

On Sun, Apr 28, 2019 at 11:10:14AM +, Strahil Nikolov wrote:
> Hi All,
> I am new to openBSD and I really like the idea. Sadly I do not have
> suitable hardware to run on , thus I use KVM and I would be happy if
> anyone hint me of a working solution for Qemu Guest Agent.
> Anything I dig up (via google searches) show up only suggestions , but
> nothing more.In openBSD 6.4  I successfully installed qemu (and thus
> the agent), but I can't understand how to get the device needed for
> communication with the host up and running.
> As I mainly know linux - I know that we need a kernel module that to
> be loaded and with combination of udev rules - the devices is created
> on the necessary location and with the correct rights.According to
> many google findings - openBSD doesn't support any more loadable
> kernel module support.
> I have tried to figure it out by myself, but I cannot find the
> necessary module needed, nor how to load it in a proper manner.
> Any hint is well appreciated.
> Best Regards,Strahil Nikolov  
> 

qemu on openbsd doesn't support any hardware acceleration, and the
available version is quite old.

I'm not sure it is compatible with libvirt.

Re: hacked for the second time

[Solene Rapenne]

On Thu, Apr 04, 2019 at 11:42:15AM +, Cord wrote:
> 
> 
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 4, 2019 12:27 PM, Normen Wohner  wrote:
> 
> > Seeing that OpenBSD comes secure out of the Box the most likely
> > thing is that you yourself compromised your System through 3rd
> > party software. If it even is the case. I think the best course of
> > action would be to go for a forensic approach. Google how to log ssh
> > traffic and where to find the logs. Then confirm your remote access
> > actually happens. If so you should determine what software exposed
> > you. VPN, Some Web Service, Your own stupidity? If you really use
> > ssh keys instead of password login then someone had to be able
> > to access those, usually outside of transfer. So most likely your
> > work device is compromised and your OpenBSD server is just a
> > casualty.
> >
> 
> Maybe my description is not very clear.
> I try to explain again.

Hi, I don't understand the whole story.

> internet because I often use untrusted wifis. At this point, after 1
> month I have started to suspect a break in because private message
> seem to be know from others. 

What are "private messages", mails? Who are the "others"? What makes you
think the "others" know your messages?

> I started to search a rootkit and I found
> signs of hacking in ssh connection of my vps. I mean, a tor exit node
> was connected to the ssh vps with my ssh key. 

How did you figure out this? Could you paste the commands you used to
find someone did connect to the VPS with your SSH key, and how you
figured out it was using a tor node?

> Then, because my key was
> been exfiltrated  then my desktop was been hacked

What make you think your desktop has been hacked?
Do you run sshd on it, allowing the ssh key which is said stolen?

> But I repeat the
> problem is not the server (vps). The problem is the desktop and how
> the key was been exfiltrated. Then I deleted everything (also the vps)
> and I reinstalled openbsd on my desktop, I changed vpn provider and I
> started to use chrome+unveil, again private message seem known from
> other... I search again and I found webmail session opened but I am
> sure I have logout everytime.

On which computer did you find the webmail session opened, on your desktop?
That would be a really weird hack, to use your webmail locally with a
tab opened on display :1

Re: Is there the ability to read and write raw RAM contents?

[Solene Rapenne]

On Mon, Mar 25, 2019 at 05:26:54PM -0400, Z Ero wrote:
> I understand this would be a severe security/stability issue in many
> cases but for some applications it would be interesting/useful if one
> could dd and grep, etc, RAM on a live system. Is there any way to do
> this on OpenBSD? Or is program memory space read write access always
> protected by the kernel in every instance?
> 

Using vmm you can save the memory of the VM as a file.

Re: httpd acme-client renew multiple domains

[Solene Rapenne]

On Mon, Mar 25, 2019 at 02:27:19PM +0100, Mischa wrote:
> 
> 
> > On 25 Mar 2019, at 01:40, Stuart Henderson  wrote:
> > 
> > On 2019-03-23, Mischa  wrote:
> >> Hi Geir,
> >> 
> >> I have solved this with a little script.
> >> 
> >> ###
> >> #!/bin/sh
> >> OUT=2
> >> /usr/sbin/acme-client -v www.example.com
> >> if test  $? -eq 0
> >> then EXT=$?
> >> fi
> >> /usr/sbin/acme-client -v www.example1.com
> >> if test $? -eq 0
> >> then EXT=$?
> >> fi
> >> if test $EXT -eq 0
> >> then
> >>echo "New certificates installed."
> >>rcctl restart httpd
> >> else echo "No new certificates installed."
> >> fi
> >> ###
> > 
> > Simpler:
> > 
> > for i in www.example.com www.example1.com; do
> >  acme-client -v $i && reload=y
> > done
> > [[ -n $reload ]] && rcctl reload httpd
> 
> Nice!! I have a couple of more domains in there, so the 'for' becomes a 
> little ugly, but I keep forgetting &&.
> It's indeed not needed to use the actual exit code.
> 
> Mischa
> 
> 

One could easily write something like this:

#!/bin/sh

UPDATE=0
for domain in $(awk '/^domain/ { print $2 }' /etc/acme-client.conf)
do
acme-client $domain
if [ $? -eq 0 ]; then UPDATE=1 fi
done

if [ $UPDATE -ne 0 ]; then
rcctl restart httpd dovecot smtpd
fi

you could also handle the exit status per domain if you want more
informations. I did write the script for this mail, it may contains
errors.

Re: xhci isochronous transfers (was: Re: CVS: cvs.openbsd.org: src)

[Solene Rapenne]

On Sat, Mar 16, 2019 at 12:38:09PM -, Christian Weisgerber wrote:
> On 2019-03-15, Patrick Wildt  wrote:
> 
> > CVSROOT:/cvs
> > Module name:src
> > Changes by: patr...@cvs.openbsd.org 2019/03/15 17:20:35
> >
> > Modified files:
> > sys/dev/usb: xhci.c 
> >
> > Log message:
> > Improve and enable isochronous transfers in xhci(4). [...]
> 
> Wow, that appears to be the crucial step many people have been
> waiting for.  With this, I can now play sound through my USB audio
> dongle connected to a "new" (~5-year old) machine:
> 
> usb0 at xhci0: USB revision 3.0
> uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
> addr 1
> ..
> uaudio0 at uhub0 port 9 configuration 1 interface 1 "C-Media INC. USB Sound 
> Device" rev 1.10/0.10 addr 4
> uaudio0: class v1, full-speed, sync, channels: 2 play, 0 rec, 4 ctls audio1 
> at uaudio0
> 
> -- 
> Christian "naddy" Weisgerber  na...@mips.inka.de
> 

On my T480 with usb3 only, I can now:

- use the built in webcam
- use an usb webcam
- use the usb phone tethering (lineageos) with urndis0

Thanks!

Re: security - preferred way to make check_access_file happy?

[Solene Rapenne]

On Mon, Feb 25, 2019 at 09:13:33AM -0600, Adam Thompson wrote:
> > Use vipw to put 13 * in the password field
> > 
> > From passwd(5)
> > [...]
> >  authentication, conventionally have 13 asterisks in the
> > password field.
> 
> Thank you!  Now that I know what I'm looking for, I can see the
> relevant code in security(8), too.
> 
> I wonder if there's a way for ports to do that for me while
> calling useradd?  Another rabbit hole to go down.
> 
> Thanks again,
> -Adam
> 

all my users installed by packages have 13 * in that
second field when I check with "doas vipw"

Re: security - preferred way to make check_access_file happy?

[Solene Rapenne]

On Mon, Feb 25, 2019 at 08:50:18AM -0600, Adam Thompson wrote:
> Hi,
> I'm getting daily insecurity (i.e. security(8)) nags about
> userids that are off but still have a valid shell and access
> files.  (Specifically, I'm getting the nag from
> check_access_files() in /usr/libexec/security.)
> 
> Since ports (at least in my experience) regularly creates
> userids that will trigger this warning, what's the "best" way to
> disable the warning?  I'm reluctant to mess with permissions on
> directories created by packages, but maybe that's the best way?
> 
> Otherwise, it looks like I can disable the warning by setting a
> password on the userid in question.
> 
> However, that leads to the question: what if I don't *want* a
> password on the account, because it's supposed to be a
> SFTP-only, public-key-authentication-only account, but still
> needs to be readable and needs a valid shell for various cron
> jobs to be happy?  If I'm following the logic correctly, one of
> the warnings I'm getting is for ~/.ssh being readable on a
> userid with no password - exactly the scenario I just mentioned.
> But AFAIK they can't login if I take away S_IRUSR on ~/.ssh?
> 
> The most distasteful option is to hack /usr/libexec/security to
> ignore certain userids, but ... it's there for a reason.
> 
> The cleanest example I have right now from ports is _rancid,
> created by the rancid package, and triggered by the existence of
> ~_rancid/.ssh with S_IRUSR (u+r) permissions.
> 
> Suggestions / advice?
> 
> Thanks,
> -Adam
> 

Use vipw to put 13 * in the password field

>From passwd(5)

 The password field is the encrypted form of the password.  If the
 password field is empty, no password will be required to gain access to
 the machine.  This is almost invariably a mistake.  By convention,
 accounts that are not intended to be logged in to (e.g. bin, daemon,
 sshd) only contain a single asterisk in the password field.  Note that
 there is nothing special about ‘*’, it is just one of many characters
 that cannot occur in a valid encrypted password (see crypt(3)).
 Similarly, login accounts not allowing password authentication but
 allowing other authentication methods, for example public key
 authentication, conventionally have 13 asterisks in the password field.
 Because master.passwd contains the encrypted user passwords, it should
 not be readable by anyone without appropriate privileges.

Re: Keeping track of MAC addresses

[Solene Rapenne]

On Wed, Feb 20, 2019 at 10:36:16AM -0700, j...@bitminer.ca wrote:
> > I would like to keep tabs on the MAC/IP addresses in my secure net.
> > I do know how to do this, but keeping track of ethernet MAC addresses
> > seems
> > quite cumbersome in OpenBSD, not that it is more convenient in any other
> > general purpose operating system but many interfaces for ex. routers
> > make it
> > easy to manage, especially MAC filtering.
> > 
> > At the moment we have:
> > 
> > /etc/ethers file #not the same as arp -s and arp -f !!
> > arp -a output
> > arp -s and arp -f input # not the same as /etc/ethers!!
> 
> The apps in ports don't seem to do what you (or I) want.  After looking them
> over,
> in the end I wrote a sh script to compare `arp -an` output with a list
> of "known" MACs, and it would notice when a new MAC appeared or an existing
> MAC disappeared (most everything is on a wireless DHCP so lots of transient
> behaviour).
> 
> When a new one appears, or an existing one disappears, it logs to syslog.
> 
> Previously unseen MACs are logged slightly differently, so the network
> management
> app can issue an alert.
> 
> In general I think the average home network is approximately similar or even
> more
> complex than a simple small business network.  So lots of management
> features
> are worthwhile: segmentation, MAC and IP surveillance, and a network
> management
> app.
> 
> 
> --J
> 

did you take a look at net/arpwatch?

does crypto softraid implies disk integrity check?

[Solene Rapenne]

Hello

When using a bioctl crypto softraid, as blocks are encrypted
on the disk, does it mean the system can detect if disk has
been altered when reading a block? I'm thinking both a bitrot
or malicious modification cases.

Regards

Re: pkg_add, stdout and exit code

[Solene Rapenne]

On Wed, Feb 13, 2019 at 01:56:07AM -0500, Wesley Mouedine Assaby wrote:
> Hi all,
> 
> I'm using OpenBSD 6.4 amd64 (GENERIC.MP) #6
> 
> Using 'pkg_add' i can't access stdout, and the exit code stays 0 whatever it
> finds or not the package to install.
> 
> Example :
> doas pkg_add sl > file.stdout
> echo $? # exit code is 0
> cat file.stdout # empty file
> 
> or
> doas pkg_add sl > file.stdout 2>&1
> cat file.stdout # empty file
> 
> Therefore, i can access stderr trying to install a bad package name but exit
> code stays 0
> doas pkg_add sli > file.stderr
> echo $? # exit code is 0
> cat file.stderr # => Can't find sli
> 
> Reading pkg_add(1) :
> Interactive mode is the default on a tty
> -I Force non-interactive mode. Default is to be interactive when run from a
> tty.
> -i Force interactive mode, even if not run from a tty. pkg_add may ask
> questions to the user if faced with difficult decisions.
> 
> I also tried with -i/-I same issue.
> 
> Any way to get stdout ? Is this an expected behavior ?
> 
> Thanks,
> 
>   Wesley
> 
hi,

I don't know about pkg_add return codes but what you are currently
looking is the return code of doas which return >0 in those cases as
explained in doas(1):

• The config file /etc/doas.conf could not be parsed.
• The user attempted to run a command which is not permitted.
• The password was incorrect.
• The specified command was not found or is not executable.

Re: increase user memory limits (staff group)

[Solene Rapenne]

On Mon, Feb 11, 2019 at 12:09:56PM +0100, Riccardo Mottola wrote:
> Hi all,
> 
> I need to compile certain big softare and want to do this as
> user, I am hitting memory limits, e.g:
> 
> ./../js/src/libjs_static.a: could not read symbols: Memory exhausted
> 
> I read in various post and man pages, but am a little confused.
> 
> First thing, I added my user to the "staff" group, which should
> have increased limits, but they are not enough.
> 
> $ groups
> staff wheel wsrc
> 
> Thanks.
> 
> Riccardo
> 

The names in login.conf are classes, this is not related to groups.
You can find in which class your user by looking at the 5th field of
your username in /etc/master.passwd. You can use the following command:

$ doas awk -F':' '/^YOUR_USER/ { print $5 }' /etc/master.passwd

If it returns "staff" then you should have the correct limits from
/etc/login.conf

Look at /etc/login.conf.db, if you have that file, you must either
recreate it using cap_mkdb or remove it. If the file is not present
then login.conf is read. If the file is present, login.conf is not
read and login.conf.db is used instead, so you need to recreate it.
This is explained in login.conf(5).

Don't forget to delog yourself and relog-in with the account after
changes into login.conf. Limits are applied at login, not when you
call ulimit.

Re: amd64: can't boot 6.4, can boot 6.3

[Solene Rapenne]

On Fri, Feb 08, 2019 at 02:23:21PM +0300, ¯\_(ツ)_/¯ ¯\_(ツ)_/¯ wrote:
> Hello,
> I can't install 6.4 nor snapshot.
> Boot hangs after:
> wsdisplay0 at efifb0 mux 1: console (std, vt100 emulation), using wskbd0
> 
> Motherboard is MSI B85M-G43.
> Can't provide full dmesg because can't boot :(
> 
If it boots 6.3 then you can post a dmesg from 6.3,
that will be really helpfull.

Re: missing sdl header and lib files

[Solene Rapenne]

On Fri, Feb 08, 2019 at 11:26:15AM +, shadrock uhuru wrote:
> hi everyone
> 
> i have added the following packages
> 
> sdl
> sdl-mixer
> sdl_image
> sdl_net
> sdl_ttf
> sdl2
> sdl2-mixer
> sdl2_image
> sdl2_net
> sdl2_ttf
> 
> the lib and header files are missing
> 
> are there additional packages to add for these.
> 
> shadrock
> 
Headers are in /usr/local/include/SDL2/

Re: Modern CPUs AES-NI enabling system wide

[Solene Rapenne]

Denis  wrote:
> How to enable AES-NI AES system wide hardware acceleration support for
> crypto disciplines like LibreSSL, softraid0 crypto etc?

Hi, just enable it in bios.

Re: I am revolted against the injustice of Ubuntu Forums administrators and moderators .

[Solene Rapenne]

Command FreeBSD  wrote:
> Hi,
> 
> The article that have spoken about Linux malicious commands that was posted
> in Ubuntu Forums was restored, but who accessed this link yesterday and
> this morning saw that this article has been deleted.

hello

this is the wrong mailing list, you are on misc@openbsd.org where threads are
about OpenBSD.

Re: The Dark Side of the ForSSHe - OpenSSH malwares

[Solene Rapenne]

"Kollar Arpad"  wrote:
> Hello, 
> 
> How about blacklisting some often used passwords? ex.: 
> https://github.com/eset/malware-ioc/tree/master/sshdoor (either used by 
> humans often or by backdoors)
> 
> When will "passwd" have option to give/generate passwords from 4 random 
> english words from a 65k wordlist? 
> 
> Thanks, just loud thinking.

use keys

Re: OpenBSD install on a g5 imac power pc

[Solene Rapenne]

Mehma Sarja  wrote:
> Installed openbsd on a model A1058, imac g5. The install was uneventful.
> However, I cannot boot to it. I've tried what the documentation says for
> booting off the HD using open prom and the error is that /bsd does not
> exist. I'm going off memory now.
> 
> Is anyone running off a g5?
> 
> Yudhvir

Can you explain how do you proceed for booting?

Re: Core Dev?

[Solene Rapenne]

Ahmad Bilal  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> @Janne: Read up where? Link please (if you are referring to anything except 
> that github)
> 
> @Marc: Thanks for the information, but based on what you said, what would you 
> consider as 'official' then? Just curious.
> 
> And no, I'm not on OpenBSD at all 'yet'. I was basically on CentOS for a long 
> time. Then recently shifted to FreeBSD, and I'm considering to use OpenBSD 
> now (and for foreseeable future)
> 

Everything on the official CVS repository is obviously official

http://cvsweb.openbsd.org/cgi-bin/cvsweb/

Re: Common Lisp and OpenBSD

[Solene Rapenne]

Programmer  wrote:
> There don't seem to be any Common Lisp libraries available as
> packages.  I'd be interested in packaging the most common and mature
> Common Lisp libraries, but I'm not certain who I'd discuss this with.
> 
> I'd appreciate any help with getting started contributing to OpenBSD.

hello

What software requires porting common lisp libraries?
There is no point in doing ports for CL libraries if it's not used by
a port.

We already have a few CL software in ports, and none requires ported
libs:

- net/clic uses no lib
- sysutils/cl-launch uses no lib
- sysutils/reed-alert uses no lib
- x11/spectrwm uses no lib
- x11/stumpwm uses 2 libs which are downloaded before compiling the
  port and then, stumpwm is compiled as a binary, including the libs

I already been thinking about packaging some libs but I found no
software to port to use them.

If a software would requires too much libs, it may be easier (as we
do for go packages) to use quicklisp to create a folder embedding
the libraries, and use that tarball for compiling it.

I also had patches for lang/sbcl and lang/ecl to add a system wide
folder into the asdf loading path in case we wanted to port libs
see https://marc.info/?l=openbsd-ports=147983440719241=2

Re: Munin node over IPv6

[Solene Rapenne]

Alarig Le Lay  wrote:
> Hi,
> 
> I would like to pull my munin node over IPv6, but the process is only
> listening on IPv4.
> 
> guinch# grep '^host' /etc/munin/munin-node.conf
> host *
> guinch# netstat -af inet | grep 4949
> tcp  0  0  *.4949 *.*LISTEN
> guinch# netstat -af inet6 | grep 4949
> guinch#
> 
> This configuration works on other OSes.
> How could I make it on OpenBSD?
> 
> Thanks,

can you try the following:

host ::1 (or even host :::1 it seems that a bug requires to add an extra colon)

Re: How make tmux on start, create a couple of windows and start given programs in them?

[Solene Rapenne]

Joseph Mayer  wrote:
> Hi,
> 
> I have one single command for starting and (re)attaching to tmux, and
> it's "tmux -u new -t main". It works as it should.
> 
> On each fresh tmux start, tmux runs /etc/tmux.conf , and so I put some
> general configuration in there like "set -g status-bg SOMECOLOR".
> 
> I'd now like tmux to create five windows on startup, and each window
> should be running a particular program e.g. "top" in one window, "ksh"
> in another, and so on.
> 
> How do I do this - is it possible to add as extra configuration in
> "tmux.conf", or do I need to create a separate file ("mywindows.conf")
> that I instruct tmux of via some other argument, or how?
> 
> And what should the commands be.
> 
> 
> Of course creating the windows and starting the processes should happen
> only at the initial "tmux -u new -t main" run which starts the first
> tmux OS process, not on subsequent "tmux -u new -t main" calls which
> reattach to the already existing tmux or add a concurrent terminal to
> access the already existing tmux.
> 
> Thanks,
> Joseph

Hello,

I use a script which create a named session, split the windows, choose a pane,
send keys to start a command, split again etc...

Here is my script:

#!/bin/sh
SESSION=tor
tmux -2 new-session -d -s $SESSION
tmux split-window -v
tmux select-pane -t 0
tmux send-keys "vnstat -l -ru" C-m
tmux split-window -h
tmux select-pane -t 1
tmux send-keys "while true ; do clear ; vnstat -ru -h ; sleep 120 ; done" C-m
tmux select-pane -t 2
tmux send-keys "systat rules" C-m
tmux attach

Re: syntax error and doas.conf

[Solene Rapenne]

Stuart Henderson  wrote:
> On 2018-10-31, Markus Rosjat  wrote:
> > just something I notice while trying out stuff with doas and my python 
> > scripts. If you do a mistake and have a syntax error in the doas.conf 
> > file you can easily look you self out from root privilages  :(
> 
> If you aren't sure about a change you're about to make, keep a spare
> root shell open (or at least keep the editor open - save the file
> but don't exit - and test on another terminal).

When editing files, most of the time I go back to the shell using ^Z (editor go
in background), I do what's related to the file (try doas, restart httpd until
it works, etc..). And I use fg when I need to come back to the editor.

When playing with doas or sshd, I would recommend for doas to keep a root shell
opened in case you screw the file. And for sshd, when restarting it on a remote
machine, try to connect to it before exiting your current ssh session.

Re: spamd does not update /var/db/spamd

[Solene Rapenne]

Chris Narkiewicz  wrote:
> Hi,
> 
> I'm trying to use spamd to block spam using graylisting, but the spamd 
> database is not updated.
> 
> I run /usr/libexec/spamd -v -d to see what's happening and I definitely 
> see hosts connecting to it:
> 
> (GREY) 209.85.219.176: mytestem...@gmail.com> -> 
> Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from 
>  to 
> added  209.85.219.176
> mail-yb1-f176.google.com
> 
> 
> 209.85.219.176 connected for 11 seconds.
> 
> I also tried to submit an email using Python SMTP library and I 
> confirmed 451 Temporary failure response.
> 
> But when I browse /var/db/spamd, there is nothing there.
> 
> My spamd is running and is referring to a correct file:
> 
> # ps aux | grep spamd
> _spamd   93211  0.0  0.1  9672  1492 ??  Isp5:29AM0:00.00 spamd: 
> (pf  update) (spamd)
> _spamd   59023  0.0  0.5 10012  4836 ??  Ip 5:29AM0:00.02 spamd: 
> [priv] (greylist) (spamd)
> _spamd   13468  0.0  0.1  9640  1172 ??  Ip 5:29AM0:00.00 spamd: 
> (/var/db/spamd update) (spamd)
> 
> Database file has correct perms:
> 
> # ls- l /var/db/spamd
> -rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd
> 
> # spamdb /var/db/spamd
> 
> 
> My spamd config is default.
> OpenBSD 6.3.
> 
> What is wrong with it?
> 
> Best regards,
> Chris

do you run spamd-setup(8)?

Re: migrate python script from sudo to doas

[Solene Rapenne]

Markus Rosjat  wrote:
> hi all,
> 
> I have some old python scripts that using os.spawnl to execute stuff 
> like useradd  combined with sudo. This worked just fine on systems with 
> sudo installed  but these days we have doas and its totally enough for 
> things I use to do so I said to myself "lets update these old scripts 
> ..." . In code this was basically replasing os.spawnl with 
> subprocess.check_call  but when I run this the useradd command doesnt 
> get executed by the script. On the cmd it does, so this works on cmd:
> 
> doas useradd -u 666 -g =uid -s /sbin/nologin -d 
> /var/mail/domain.tld/vmailuser0666 vmailuser0666
> 
> but in the script I with the code like this:
> 
>   exit = subprocess.check_call(['doas', 'useradd', '-u %s' % user_id,
> '-g =uid',
> '-s /sbin/nologin',
> '-d %s' % mb_parent_dir,
> user_name])
> 
> I get an exception that seems to be related to the fact that doas isnt 
> really working here
> 
> doas: Authorization failed <- this comes from the script even the 
> provided password is correct
> 
> Traceback (most recent call last):
>    File "/root/scripts/mb_add", line 244, in 
>      mb_addresses)
>    File "/root/scripts/mb_add", line 174, in add_mailbox
>      user_name])
>    File "/usr/local/lib/python2.7/subprocess.py", line 190, in check_call
>      raise CalledProcessError(retcode, cmd)
> subprocess.CalledProcessError: Command '['doas', 'useradd', '-u 666', 
> '-g =uid', '-s /sbin/nologin', '-d /var/mail/domain.tld/vmailuser666', 
> 'vmailuser666']' returned non-zero exit status 1
> 
> So does someone had some issues with migrating scripts from sudo to 
> doas, then some help or hintw would be very appreciated.
> 
> 
> regards

hi

what openbsd version are you using?
did you try the command outside of python?

There were issues with doas a few days ago in snapshots.

Re: vmm setup example for AMD FX-8300 system

[Solene Rapenne]

Tracy Bales  wrote:
> I have a fresh install of 6.3-AMD64 running on an AMD FX-8300 8 core
> system.  I have created a 10G disk image.  I then started the vm to boot
> the bsd.rd so I can install OpenBSD 6.3-AMD64 into this disk image.  Here
> are my issues:
> 
> 1)  The screen is really slow when the OpenBSD installer starts.  I have to
> keep pressing the space bar for the screen to update text output so I can
> see the full prompts.  I noticed in several Google searches that people
> suggest using SSH instead of CU to connect to the vm to get around the slow
> screen output.  My question is how do I connect to the vm if the vm does
> not have an OS running on it to accept the SSH connection?
> 
> 2)  I set sysctl.conf to "net.inet.ip.forwarding=1", added the following to
> the end of my default pf.conf: "pass out on egress from !(egress) nat-to
> (egress)" and then set hostname.vether0 to "inet 192.168.1.1 255.255.255.0
> 192.168.1.255".  Finally I rebooted the machine.  SSH does not work to
> connect to the vm.  My question, I use "vmctl console 1" and the installer
> asks for the location of the install sets and I tell it http, however it
> does not connect to the network...what am I missing to get the network to
> pass traffic to the vm?
> 
> 3)  Is there on online example that shows a step-by-step process for
> getting thru an OS installation using vmm?  I have tried at least 5
> different examples from Google searches and I notice that all of the
> examples stop at the point where the bsd.rd is started on the vm for the
> first time which points me back to issue number 1 detailed above.
> 
> Any help would be greatly appreciated.

1) not sure if related, but you need to set the serial console at boot if you
use a 6.3 iso. On the upcoming 6.4 iso, it will "just work" in vmm. The console
is only for installing and debugging, once you installed the system and got the
network to work, you drop to ssh. But it shouldn't be that slow...

2) how did you start the VM? Does it use a local network interface or not? (-L
flag) or "local" keyword. The pf NAT example in vmctl(8) is the following:

pass out on $ext_if from 100.64.0.0/10 to any nat-to $ext_if

3) there is no official example of installing a system under vmm nor I've heard
about any plan to do so. Only OpenBSD is well supported and the installation is
very straightforward, and Linux should work if you enable serial line (but it
may requires some tweaks, I don't know).

Re: Clarification about mfs/tmpfs on /tmp

[Solene Rapenne]

 wrote:
> Dear OpenBSD Community,
> 
> I have been playing around with OpenBSD for ~2 weeks now, and I find
> myself very much at home in a system that puts correctness and careful
> development first. Needless to say that I have already made my first
> donation; I sincerely thank the developers for their time and effort.
> 
> I plan to commit fully to OpenBSD on my laptop as soon as 6.4 stable
> is out, but before doing so, I have one remaining question:
> 
> I would like to have either an mfs or tmpfs instance mounted at /tmp.
> I have already managed this by using an appropriate entry in fstab,
> but I have noticed, that the system also works, if fstab contains NO
> entry for /tmp.
> 
> The first part of is: What is the default behavior in this case? Is an
> instance of mfs/tmpfs mounted with default parameters?
> 
> The second part to my question is: What is the key difference between
> mfs and tmpfs? Should I prefer one over the other?
> 
> The last part of my question concerns caching chromium data in /tmp.
> I have read that the OpenBSD chromium port has been "pledged" and
> "unveiled". Does this have any influence over whether I can run
> chrome --disk-cache/dir=/tmp/chrome?
> 
> Thank you for taking the time to read my question.
> 
> Kind regards,
> R.

hello,

if you don't put any /tmp in fstab, /tmp comes from the / partition, which
doesn't have nodev and nosuid mount options, and which is very tiny.

tmpfs has been disabled: see
https://marc.info/?l=openbsd-tech=148173068424515=2

main difference between mfs and tmpfs. mfs is a ffs mounted from memory and
will use the memory reserved for it, while tmpfs will use memory only when it's
really used. If you give 500 MB to mfs, it will be instantly used in your
memory, even if you have 0 file in it.

I don't know for chromium.

Re: Some highlights: Emacs 21.4 and 25.3

[Solene Rapenne]

Matthew Graybosch  wrote:
> On Tue, Oct 2, 2018, at 9:02 AM, Roderick wrote:
> > 
> > I see, openbsd 6.3 offers Emacs 21.4 as port. May I ask, what is special
> > in this old version of Emacs?
> 
> Hi, Rodrigo. I think the maintainers are keeping GNU Emacs 21.4 around 
> because its graphical version isn't built against GTK, unlike the more recent 
> releases.

emacs 25 has a X11 flavour -athena which do not use gtk, but you need to build
it from ports, there is no package for it.

Re: VMWare tools - VM does not shut down

[Solene Rapenne]

Le 25 septembre 2018 18:22:57 GMT+02:00, Torsten  a écrit :
>Hi!
>
>I'm working on a project with a large number of highly customized
>OpenBSD6.3 based appliances.
>
>On each of these machines VMWare reports VMWare tools to be "installed
>and ready". However, when I try to actually do something like shutdown,
>reboot or sleep, there simply is no reaction. The machine remains up
>and
>running.
>
>When I run a standard OpenBSD 6.3 machine on the same hypervisor,
>everything works fine, so in general everything seems to be functional.
>But we must have missed something when building these individual
>appliances. I just cannot figure out what that could be. I read "man
>vmt" but I couldn't figure if vmt would require some service that's
>normally started by rc, which in our appliances is not being started.
>In
>fact, the appliances do not use the OpenBSD init system at all but
>replace them with some custom init.
>
>What are we missing?
>
>Thanks in advance!
>T.

I just read your message as "we run modified openbsd and it doesn't work, but 
official openbsd work" 

It's hard to help you.

Re: hijack client DNS query to localhost cache in the router

[Solene Rapenne]

Edgar Pettijohn  wrote:
> 
> On Sep 22, 2018 11:21 PM, Fung  wrote:
> >
> > simple router build with OpenBSD
> > Wan a.b.c.d
> > Lan 192.168.0.1/24
> > Unbound run for DNS cache in 127.0.0.1
> >
> >
> > we want:
> > no mater a client pc set dns to any address (  8.8.8.8 or 9.9.9.9 )
> > all clients' dns query are redirect to the localhost cache in the router 
> >
> >
> > Can we achieve using pf.conf?
> > how? test no work with  rdr-to or divert-to
> >
> > -
> > pf.conf
> >
> > match out on egress inet from !(egress:network) to any nat-to (egress:0)
> > pass in quick proto udp from any to any port 53 rdr-to 127.0.0.1 port 53
> > pass
> >
> 
> DNS can go tcp also.
> 
> > --
> > unbound.conf
> > server:
> > interface: 192.168.0.1
> > interface: 127.0.0.1
> > access-control: 192.168.0.0/24 allow
> > access-control: 127.0.0.0/8  allow
> > do-not-query-localhost: no
> > hide-identity: yes
> > hide-version: yes
> >
> > forward-zone:
> >     name: "."
> >     forward-addr: 1.2.3.4  # IP of the upstream resolver
> >

you can try this, it's from vmctl(8)

 If desired, DNS queries originating from guest VMs can be redirected to a
 different DNS server with an entry in the host machine's /etc/pf.conf
 similar to the following:

   pass in proto udp from 100.64.0.0/10 to any port domain \
 rdr-to $dns_server port domain

just add same rule for tcp too

Re: Non-copyleft IRC servers

[Solene Rapenne]

Eric Pruitt  wrote:
> Does anyone have recommendations for a maintained IRC server that
> doesn't have a copyleft license? There are only a few listed on
> https://en.wikipedia.org/wiki/Comparison_of_Internet_Relay_Chat_daemons,
> and they don't seem to be maintained. Any runtime is fine, but I'm
> partial to C, and DCC support would be nice but isn't a hard
> requirement.
> 
> Thanks,
> Eric

net/ngircd is fine

Re: Remiss on my personal and server security practices, offering server usage to outsiders

[Solene Rapenne]

Chris Bennett  wrote:
> I have not opened up my server before for full usage of email, web,
> database, etc. before. So I'm a total noob on really good security
> practices.
> 
> Proper owner:group all over the place. Not covered in hier (7).

look at security(8), especially the mtree part

Re: ssh -Y behaviour change

[Solene Rapenne]

Brett Mahar  wrote:
> On Wed, 12 Sep 2018 08:13:27 +0200
> Solene Rapenne  wrote:
> 
> | Brett Mahar  wrote:
> 
> | > I recently updated my amd-64-current machine to the Sept 7th snapshot 
> (previous snapshot was July 17th).
> | > 
> | > Prior to update both firefox and iridium browsers were able to be run 
> using 'ssh -Y' as another user on the same machine. Now they do not run - 
> firefox never finishes launching and iridium has a popup windown that says 
> 'page unresponsive'.
> ... 
> | > Is there some config I can change so this will work again?
> | > 
> | > Thanks,
> | > Brett.
> 
> 
> 
> | 
> | I think you are supposed to use ssh -XY when using a remote X11 app.
> | 
> 
> Hi Solene,
> 
> That was not the behaviour before and unfortunately still does not work now.
> 
> Cheers,
> Brett.

do you have X11Forwarding yes in your sshd_config?

If so, can you check output if you add -v to ssh command line, lines related to
x11?

Re: ssh -Y behaviour change

[Solene Rapenne]

Brett Mahar  wrote:
> Hi to all in OpenBSD-land!
> 
> I recently updated my amd-64-current machine to the Sept 7th snapshot 
> (previous snapshot was July 17th).
> 
> Prior to update both firefox and iridium browsers were able to be run using 
> 'ssh -Y' as another user on the same machine. Now they do not run - firefox 
> never finishes launching and iridium has a popup windown that says 'page 
> unresponsive'.
> 
> I looked in the man page, mailing list archives and FAQ for following current 
> but could not see any config options that might allow this script to work 
> again.
> 
> My script:
> 
> #!/bin/ksh
> 
> ssh -Y -i /home/brett/.ssh/web_id _web@127.0.0.1 \
> '/usr/local/bin/firefox https://www.coil.com' \
> 2>&1 >/dev/null &
> 
> I know `ssh -X` is more secure, I use this when I can but use the `ssh -Y` 
> version when I need ability to copy and paste.
> 
> Is there some config I can change so this will work again?
> 
> Thanks,
> Brett.

I think you are supposed to use ssh -XY when using a remote X11 app.

Re: NodeJS apps on Httpd?

[Solene Rapenne]

Bogdan Kulbida  wrote:
> Hi Mike,
> 
> Why don’t you run a “usual” nodejs server (probably  multiple proceses) and
> proxy requests into it via httpd?
> 
> Question: Any objections or security concerns?

httpd doesn't have proxy feature, only fastcgi

Re: how to install perl modules w/ dependencies that mix packages & CPAN

[Solene Rapenne]

Jonathan Thornburg  wrote:
> What's the "OpenBSD way" to install Perl modules which don't exist
> as packages?
> 
> The usual Perl idiom for "install module foo & all of its (recursive)
> dependencies" is "cpan install foo", but this fetches all dependencies
> from CPAN, ignoring any OpenBSD packages which may exist.  What I'd like
> is something like "cpan install foo", but with the semantics that for
> each dependency, if there's OpenBSD package in /etc/installurl which
> is the same module version as the latest CPAN version, then install
> the OpenBSD package instead.  Is there a utility already around which
> does this?

You can use perlbrew if you need some perl CPAN modules and don't mix
them with the base system. It will recompile a perl version with your
regular user, and so you will be able to use cpan as your regular user,
the local perl won't mix with the system wide one.

Re: OpenBSD does not recognize my wireless card on 2018 laptop.

[Solene Rapenne]

"Lic. Cardozo"  wrote:
> Hello y'all.
> 
> A totally newbie and non english speaker here.
> 
> My case is simple. Today I receive my new computer, a DELL Inspiron 7000 
> 2-in-1, with AMD Ryzen 7, etc.
> It came with Windows 10, and there everything worked fine. But I want to 
> start the *nix experience,
> so I installed openBSD 6.3 -that was easy-, and when I tried to configure de 
> wireless device, I just can't.
> I read the ifconfig man pages, internet forums, I even did research in that 
> subject in the previous weeks,
> 'cause I know that the wireless connection was difficult to set in some 
> models.
> Right now, I tried everything I can think about.
> -I can't connect with a RJ45, because that doesn't come with my machine.
> -I put all the firmware from the openBSD repository in an USB stick and 
> plugged it into the laptop
> -I mounted /dev/sd1i /mnt
> -I executed dmesg, and read that my wireless card was an Atheros...
> -I ran " fw_update -p /mnt ". Just like that or specifing the name of the 
> Atheros firmware.
> -Since that doesn't work, I extracted and copied manually the content of the 
> .tgz to /etc/firmware.
> -And no matter how many times I did it, and how many times I reboot, when I 
> run "if config", I don't seem
> to see the proper device recognized by the system.
> Any idea, 'cause I don't know what else can I do.
> 
> vendor "Atheros", unknown product 0x0042 (class network subclass 
> miscellaneous, rev 0x31) at pci1 dev 0 function 0 not configured

Hello

Your wifi card is not configured, that's why it doesn't show up in
ifconfig output. Except writing the missing driver there is nothing you
can do here. You can still buy a cheap ~10€ usb wifi card or an
usb->ethernet adapter.

Re: Cannot set swap priority to "move" swap on another disk.

[Solene Rapenne]

Eric Huiban  wrote:
> Hello,
> 
> With "6.3 release" version, i'm unable to set swap priority with fstab 
> using the following :
> 
> 2e04cb867188f137.b none swap sw,priority=0
> e7f9094bf357d407.b none swap sw,priority=1
> 
> I get the following result :
> 
> $ swapctl
> Device  512-blocks Used    Avail Capacity  Priority
> /dev/sd0b 21941640    0 21941640 0%    0
> /dev/sd1b 62524916    0 62524916 0%    0
> Total 84466556    0 84466556 0%
> 
> Using "swapctl -a -p 1 e7f9094bf357d407.b" present the very same result.
> Same for "swapctl -a -p 1 /dev/sd0b".
> Also tried an hypothetic reboot...
> 
> Do you have an idea on what i missed here ?
> 
> Regards,
> Eric.

Hello,

I tried on amd64 6.3 and on amd64 -current and I have not been able to
reproduce the issue.

What is the result if you remove your 2 swaps with 

# swapctl -d e7f9094bf357d407.b
# swapctl -d 2e04cb867188f137.b 

and that you type

# swapctl -A

after this, you should see the priorities correctly assigned after
typing "swapctl".

Re: how to find reason for computer pausing often?

[Solene Rapenne]

Derek Sivers  wrote:
> This past month or so, my Lenovo T440s laptop has started doing strange 
> 2-second pauses at random intervals, sometimes a few times per minute.
> 
> How would you look for the source of this trouble?  There's nothing in 
> /var/log showing when it happens.  No log entries added there.  Where else 
> would you look?
> 
> The easiest way to spot it in action is with a simple ls :
> 
> cd /tmp
> mkdir a b c
> time ls a
> 0m00.00s real 0m00.00s user 0m00.01s system
> time ls b
> 0m03.22s real 0m00.00s user 0m00.01s system  # there is the 
> random pause
> time ls c
> 0m00.00s real 0m00.00s user 0m00.00s system
> time ls b
> 0m00.00s real 0m00.00s user 0m00.00s system
> 
> I've tried it running OpenBSD 6.3 RELEASE, STABLE, and CURRENT.  Happens with 
> all.
> 
> I wiped the entire drive (dd if=/dev/zero) then re-installed from scratch, 
> and it still happens.
> 
> It happens whether running X or just in the initial raw console without 
> startx.
> 
> I know it isn't an OpenBSD problem, but any suggestions where you'd look if 
> it was you?
> 
> Thank you.
> 
> - Derek

Hi Derek

I think that your hard drive is failing. Is it a SSD? If no, it's
typical of an old failing hard disk.

Could you try to mount a mfs filesystem and see if your example makes a
pause? That should not trigger any disk read as it's an in-memory
filesystem, if it doesn't block that mean that the hard disk is failing.

Re: Keeping clear out of history

[Solene Rapenne]

Ken M  wrote:
> OK, so confession 1, I am a long time bash user
> confession 2 all of my ksh experience is on solaris
> 
> However in a when in Rome moment I am realizing how much I like ksh in 
> openbsd,
> but one minor thing. I don't like how much clear ends up in my history file. 
> So
> I am wondering what I can do to suppress a command going to history.
> 
> 
> Lets put my .profile here for reference
> 
> # $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $
> #
> # sh/ksh initialization
> 
> . /etc/ksh.kshrc
> 
> PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:$HOME/.local/bin
> PS1="[\u@\h: \W]$ "
> HISTFILE=$HOME/.ksh_history
> HISTSIZE=1000
> export PATH HOME TERM PS1 HISTFILE HISTSIZE
> 
> # For now clearing out clear from history when starting
> sed -i '/^clear$/d' $HISTFILE
> 
> bind -m '^L'=clear'^J'
> # I wish this worked
> # bind -m '^L'=clear'^J';sed -i '$d' $HISTFILE
> 
> alias ll='ls -l'
> alias la='ls -la'
> alias watch='gnuwatch'
> 
> 
> As you can see I tried adding the ; sed after my bind, I also tried it with &&
> sed and that did not work. Both of course remove the sed from history and not
> the clear. I guess I could remove the 2nd to last line. But before I go that 
> sed
> route is there a cleaner way to prevent a command from going to the HISTFILE?
> 
> Ken

you can use HISTCONTROL=ignoredups so you would have only one entry for "clear"
in your history

Re: pf - NAT not working after systemboot

[Solene Rapenne]

Thomas Huber  wrote:
> Hi misc,
> 
> my current pf setup works fine but I face the problem, that NAT does not
> work directly after system boot. Only when a do a
> 
> # pfctl -f /etc/pf.conf
> 
> after the booting things a working correctly.
> Note: I don´t make any changes to pf.conf.
> 
> Anybody any idea?
> 
> General Setup:
> Hardware: PCengines APU2c4
> 2x vlan(4): vlan32 (private) vlan64 (wifi-guests)
> 2x pppoe(4):  ADSL-uplink.
> 
> Thanks!
> 
> Here is the pf.conf:
> 
> table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
>203.0.113.0/24 }
> set block-policy drop
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on pppoe0 from vlan:network nat-to (pppoe0)
> match out on pppoe1 from vlan:network nat-to (pppoe1)
> block in quick on pppoe from  to any
> block return out quick on pppoe from any to 
> block all
> pass out quick inet
> 
> pass out on vlan to vlan:network
> pass in quick on vlan from vlan:network to vlan
> 
> pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)}
> least-states sticky-address
> pass in on vlan proto tcp to port https route-to {(pppoe0 pppoe0:network),
> (pppoe1 pppoe1:network)} source-hash
> 
> block return in on vlan from vlan64:network to vlan32:network
> block return in on vlan inet proto tcp from any to any port 25
> pass in on egress inet proto icmp all
> pass in on egress inet proto tcp from any to (egress) port ssh


I think it's due to pppoe0 not initialized when pf starts. Same thing
happens using tun0 from OpenVPN for example.

Re: Problem from OpenBSD User

[Solene Rapenne]

Le 25 juillet 2018 03:27:56 GMT+02:00, "樊 少冰"  a écrit :
>Hello, OpenBSD developers.
>
>I like OpenBSD very much because of its security and stability.
>
>But, as an UNIX-like system, it has some traditional problem such as no
>integrated graphical operating environment (not means X but a completed
>desktop environment system like Gnome). So, I tried to install the
>Gnome software.
>
>Although I tried hard to install and run Gnome, I always get a "Failed
>connect to system bus: No such file or dictionary." error message. So I
>want to ask you to give me a practical way to install the desktop
>environment on OpenBSD 6.3 and furthermore, advise you to integrated
>desktop environment into the system for making the system easier to
>use.
>
>Sobin

Hello

When you installed gnome, you should have been told to read files in 
/usr/local/share/doc/pkg-readmes for special requirements of packages. The file 
gnome in it will tell you it requires some daemons to run, and how to start thel

Re: Best way to serve files to Windows?

[Solene Rapenne]

John Long writes:

> Hi,
>
> I have minidlna working fine on OpenBSD. However this doens't help with
> Roon media software since they don't have anything for OpenBSD,
> unsurprisingly. Roon doesn't want to support dlna.
>
> I have my Windows foobar2000 appliance roped-off from my LAN because I
> don't trust Windows boxes on my network. So I would like to set up some
> way to serve the files to Windows from OpenBSD. I guess that is
> CIFS/SAMBA?
>
> Is this secure over the network? I have not done this before and I
> don't know what's involved. Is there an approved CIFS implementation to
> use?
>
> Thanks,
>
> /jl

Hello,

I would recommend samba. You can also try using NFS, I've heard that
windows can mount NFS shares.

About the security thing, I don't know if the protocol used by samba is
secure between clients, but you can still run a VPN between your openbsd
box and the Windows client to allow connecting to the samba share
securely.

regards

Re: dump/restore and crontab(5)

[Solene Rapenne]

trondd writes:

> On Mon, July 2, 2018 8:14 am, Ed Ahlsen-Girard wrote:
>> Having clobbered my crontab (5) file in error (-r and -e are close) I
>> merrily went to my level 0 dump to restore it. It's present on the dump
>> (which is to file) but the restored file is zero bytes.
>>
>> Should I have run those dumps manually instead of as cron jobs?
>>
>> --
>>
>> Edward Ahlsen-Girard
>> Ft Walton Beach, FL
>>
>
> I'd have to look later to see if my dumps are coreectly grabbing the
> crontabs.  But first, try looking in /var/backups either on disk, or in
> your dump.
>
> Tim.

Indeed, you can find your last file in
/var/backups/var_cron_tabs_root.backup or
/var/backups/var_cron_tabs_root.current

Those files are created by security(8) script, which should be run every
day at 1h30.

Re: dump/restore and crontab(5)

[Solene Rapenne]

Ed Ahlsen-Girard writes:

> Having clobbered my crontab (5) file in error (-r and -e are close) I
> merrily went to my level 0 dump to restore it. It's present on the dump
> (which is to file) but the restored file is zero bytes.
>
> Should I have run those dumps manually instead of as cron jobs?

What arguments did you use to backup with dump?

What arguments did you use to restore with restore?

If you found the file using restore, then it should not be zero-length.

Re: Buying new laptop, looking for feedback

[Solene Rapenne]

Solene Rapenne writes:

> Hello,
>
> I need a new laptop for work, OpenBSD compatible. The lenovo T470s seems
> interesting (i7, SSD 512GB, 14", 1920x1080) for a price < 1500 euros.
>
> Could someone confirm me that it works out of the box? If you know a
> recent model (that I can still buy online) with similar specs, feedback
> is welcome too.
>
> thx

I would like to thank everybody who answered to this thread. Finally I
asked my workplace for a T470 and they ordered a T480.

What works:
- suspend / resume 
- iwm0
- em0
- intel 3D integrated
- touchpad with 2 finger scroll works out of the box
- sound
- dock station
- batteries (one is soldered to allow switching battery on the fly)
- bios include a feature to switch Fn and Ctrl.

What doesn't work:
- Fn + brightness key doesn't change brightness, I have to use
  xbacklight command.


Didn't tried:
- SD card reader
- smartcard reader
- fingerprint reader
- webcam
- audio jack
- all i/o, I've seen usb type-C, thunderbolt etc...

Re: Partitioning recommendations for 6.3?

[Solene Rapenne]

Le 26 juin 2018 16:49:57 GMT+02:00, lea.chesco...@tutanota.com a écrit :
>Personally, what i always do, (i dont know if its the best practice,
>but it fixes my storage space problems, as i always use -stable, and
>build the updated ports) is to make a symlink in /home
>
>Initial configuration
>  $ cd /home
>  $ doas mkdir ports
>  $ doas chown -R user:wsrc ports
>  $ cd ports
>  $ cd build
>  $ mkdir -p wrkobjdir distdir plist bulk_cookies update_cookies
>pkgrepo
>Make symlinks in /usr
>  $ cd /usr
>  $ doas ln -s /home/ports .
>Edit /etc/mk.conf
>  $ doas vi /etc/mk.conf
>  SUDO=/usr/bin/doas
>  WRKOBJDIR=/home/ports/build/wrkobjdir
>  DISTDIR=/home/ports/build/distdir
>  PLIST_DB=/home/ports/build/plist
>  BULK_COOKIES_DIR=/home/ports/build/bulk_cookies
>  UPDATE_COOKIES_DIR=/home/ports/build/update_cookies
>  PACKAGE_REPOSITORY=/home/ports/build/pkgrepo
>  FETCH_PACKAGES=Yes
>
>
>26. Jun 2018 11:23 by sol...@perso.pw :
>
>
>>
>> John Long writes:
>>
>>> Been a while and don't have my other OpenBSD boxes accessible.
>>>
>>> What are the recommended partitions and appropriate sizes for people
>>> who want to track stable and possibly build the whole ports tree?
>>>
>>> Thanks,
>>>
>>> /jl
>>
>> hello
>>
>> If you want to do a bulk build (aka whole ports tree), read bulk(8)
>(in
>> ports/infrastructure/man/), it says that you need at least 100 GB of
>> disk.
>>
>>
>>1. Choose master machine setup and create partitions
>>
>> Setup a master machine with enough room for a chroot, say
>> /build.  Assuming you are using a cluster of machines, this
>> chroot should contain NFS exportable partitions for
>distfiles,
>> plists, and packages (one single partition can be used for
>> simplicity).  A full setup requires on the order of 50GB for
>> distfiles and 50GB for packages.

It has the drawback that you have to
set wxallowed on /home

You could also avoid the symlink
by adding PORTSDIR=/home/ports

Re: Partitioning recommendations for 6.3?

[Solene Rapenne]

John Long writes:

> Been a while and don't have my other OpenBSD boxes accessible.
>
> What are the recommended partitions and appropriate sizes for people
> who want to track stable and possibly build the whole ports tree?
>
> Thanks,
>
> /jl

hello

If you want to do a bulk build (aka whole ports tree), read bulk(8) (in
ports/infrastructure/man/), it says that you need at least 100 GB of
disk.


   1. Choose master machine setup and create partitions

Setup a master machine with enough room for a chroot, say
/build.  Assuming you are using a cluster of machines, this
chroot should contain NFS exportable partitions for distfiles,
plists, and packages (one single partition can be used for
simplicity).  A full setup requires on the order of 50GB for
distfiles and 50GB for packages.

Re: How to copy n bytes from stdin to stdout?

[Solene Rapenne]

Maximilian Pichler writes:

> dd bs=1 count=1234567 will copy 1234567 bytes and then stop, but it's slow.
>
> I can't seem to think of a faster command that also works in the
> presence of short reads and blocking. There is ghead -c from coreutils
> in ports, but this should be possible in base, no?
>
> Max

it's slow because it flushes the output every byte, what would you
expect? Maybe you should do in a different manner.

Re: Poor browser performance in OpenBSD

[Solene Rapenne]

Максим writes:

> Hello.
> I'm using Firefox and Chromium (from packages) to browse the internet on 
> OpenBSD 6.3 (amd64).
> The problem is that their performance in OpenBSD is very poor compared to 
> other OSes.
> Loading pages is slow, watching online video is possible but the 
> responsiveness of the browser becomes awful.
>
> Do I need additional settings to fix this?
>

In my opinion this is normal on OpenBSD

Re: Intranet routing with dynamic IPs

[Solene Rapenne]

giant@cock.email writes:

> Hi everyone,
>
> I have a routing question which I don't know how to solve. I have two
> routers. Both are connected to my ISP and get a dynamic IP. Both are
> also connected to a local VLAN. I'd like to use the local VLAN for any
> traffic in between the two and the ISP for everything else. Basically,
> it should be like:
>
>   # Router A
>   1.2.3.x (DHCP)
>   10.0.0.1/30
>   10.0.1.1/24
>
>   # Router B
>   2.3.4.x (DHCP)
>   10.0.0.2/30
>   10.0.2.1/24
>
>   # Network A: 10.0.1.0/24
>   route 0.0.0.0/0 via 10.0.0.1
>   route 2.3.4.x/32 via 10.0.0.2
>
>   # Network B: 10.0.2.0/24
>   route 0.0.0.0/0 via 10.0.0.2
>   route 1.2.3.x/32 via 10.0.0.1
>
> I've tried doing this with BGP with a config like this (on Router A,
> by example):
>
>   AS 65001
>   router-id 10.0.0.1
>   network inet connected
>
>   neighbor 10.0.0.2 {
>   remote-as 65002
>   }
>
> The problem here is that a computer in Network A will now try to use
> Router B to connect to IP-address 2.3.4.5, whereas I want it to use
> Router A.
>
> I'd appreciate if anyone could lead me in the right direction
> here. The reason why I'm doing is: I want to keep two networks
> separate, letting them browse the Internet with different IP
> addresses, but use the immediate link between the local routers for
> better performance.
>
> Kind regards,
> John Longe

hello

I'm not sure to understand your need. You don't need BGP for
this. Adding a route on router A, accessing network B through router B
is all you need. Computers on the dhcp client of A will use router A as
a default gateway and then will be able to reach network B computers.

And then, do the same on the other router.

Or maybe I totally missed your need.

Re: Snapshot upgrade to 6.2 -> 6.2 : kernel relink issue

[Solene Rapenne]

Rick Ballard writes:

> Yes, typo in the subject header. My correction and your reply crossed on
> the wires.
>
> Anyway this was a -current snapshot upgrade from 6.2 -> 6.3.
>

Did you do 6.2 -> 6.3 -> snapshot or 6.2 -> snapshot?

The latter isn't supported and can lead to unexpected behavor. If you
did the first case, maybe you missed some instructions from the upgrade
guide.

Re: Snapshot upgrade to 6.2 -> 6.2 : kernel relink issue

[Solene Rapenne]

Rick Ballard writes:

> I can log to the console and have a functioning router/firewall.
>
> OpenBSD 6.3-current (RAMDISK_CD) #41: Sat May 19 22:45:21 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD

Hello, what version did you upgrade from and to and how did you proceed?

Your subject has no meaning. It seems you are running latest snapshot
while your subject refers to 6.2 release.

Re: readability on phones - man pages on gopher

[Solene Rapenne]

x...@dr.com writes:

> The "viewport" meta tag significantly improves readability and
> usability on my phone when I add it to http://man.openbsd.org pages:
>
> [meta name="viewport" content="width=device-width, initial-scale=1.0"]
>
> It was suggested to me by a Microsoft Edge engineer as a fix for
> mobile-unfriendly web sites. It was apparently invented by Apple
> however, and is also recommended by Mozilla.
>
> Mozilla and Safari docs:
> https://developer.mozilla.org/en-US/docs/Mozilla/Mobile/Viewport_meta_tag
> https://developer.apple.com/library/content/documentation/AppleApplications/Reference/SafariWebContent/UsingtheViewport/UsingtheViewport.html
>
> My test results:
> - Microsoft Edge on Windows 10 Mobile (phone): significant improvement
>
> - Chrome on OpenBSD-current: unaffected
> - Firefox on OpenBSD-current: unaffected
> - Lynx on OpenBSD-current: unaffected
> - Microsoft Edge on Windows 10: unaffected
> - Internet Explorer on Windows 10: unaffected
>
> My test site (with before/after html and screenshots):
> https://viewports.github.io/
>
> I hope and suspect that this will improve things for other small
> screen devices too -- such as Android and iOS phones -- but I am
> unable to test that.


You can try gopher://perso.pw/ to read man pages through gopher. It's
totally up to the client to define how to display it. DiggieDog on
android works fine.

Re: Viewport for man.openbsd.org -- readability on phones

[Solene Rapenne]

x...@dr.com writes:

> The "viewport" meta tag significantly improves readability and
> usability on my phone when I add it to http://man.openbsd.org pages:

See no offence here, I wonder what is the context leading to read man
pages on a phone?

Buying new laptop, looking for feedback

[Solene Rapenne]

Hello,

I need a new laptop for work, OpenBSD compatible. The lenovo T470s seems
interesting (i7, SSD 512GB, 14", 1920x1080) for a price < 1500 euros.

Could someone confirm me that it works out of the box? If you know a
recent model (that I can still buy online) with similar specs, feedback
is welcome too.

thx

Re: Troubleshooting rl instability on OpenBSD 6.1

[Solene Rapenne]

Stuart Longland writes:

> On 29/04/18 18:08, Solene Rapenne wrote:
>>
>> Stuart Longland writes:
>>
>>> Hi all,
>>>
>>> I've got an Advantech UNO-1150G industrial PC running OpenBSD 6.1 acting
>>> as an ADSL router, public NTP server and DNS server.  dmesg info:
>>>
>>>> OpenBSD 6.1 (GENERIC) #291: Sat Apr  1 13:49:08 MDT 2017
>>
>> OpenBSD 6.1 isn't supported anymore, please upgrade.
>>
>
> Upgrade what?  The OS, the router?  If I'm 100% certain that moving to
> 6.2/6.3 will fix rl, then sure, but this answer is not helpful, as I've
> been battling this problem for over a month.

Maybe your issue is fixed in 6.2 or 6.3, who knows. 6.1 isn't supported
anymore and you use it on a router connecting to the Internet. I can
only recommend upgrading.

Re: Problem with OpenBSD as nfs client

[Solene Rapenne]

philippe@laposte.net writes:

> Hi, 
>
> First, im new with OpenBSD 6.3 that i run in Virtualbox. 
>
> I try to setup a NFS share : 
> server is Fedora workstation 28 
> - exports file looks like this 
> /home/filip/Documents 192.168.1.1238 (rw) 
> /home/filip/Public 192.168.1.128 (rw) 
> Of course NFS is active on the server 
>
> client is Openbsd 6.3 and i have this message when i try to mount a share : 
>
> filip@openbsd:~$ sudo mount -t nfs 192.168.1.85:/home/filip/Documents 
> /mnt/nfs_Documents/ 
> NFS Portmap: RPC: Program not registered 
>
> I will be happy to find a solution after long time on google without succes. 
> Thanks for help 
> Philippe. 

Something is wrong on your NFS server

Re: Troubleshooting rl instability on OpenBSD 6.1

[Solene Rapenne]

Stuart Longland writes:

> Hi all,
>
> I've got an Advantech UNO-1150G industrial PC running OpenBSD 6.1 acting
> as an ADSL router, public NTP server and DNS server.  dmesg info:
>
>> OpenBSD 6.1 (GENERIC) #291: Sat Apr  1 13:49:08 MDT 2017

OpenBSD 6.1 isn't supported anymore, please upgrade.

Re: Regarding latest errata

[Solene Rapenne]

Theo de Raadt writes:

> Official release date of 6.3 is April 15.  Yes, the release went out
> the door early, but the *official* date is April 15.

The release date is wrong in index.html, following patch fix the date to
April 15 th.

Index: index.html
===
RCS file: /cvs/www/index.html,v
retrieving revision 1.724
diff -r1.724 index.html
107c107
<   The current release is OpenBSD 6.3, released Apr 
2, 2018.
---
>   The current release is OpenBSD 6.3, released Apr 
> 15, 2018.

[Patch] remove xdm reference from X(7)

[Solene Rapenne]

Hello

I don't know if it's the right place to submit a diff.

The man page X(7) refers to xdm(1) in "SEE ALSO".

I also found that the first line of the file is a comment with a
character 't' alone.


Index: X.man
===
RCS file: /cvs/xenocara/doc/xorg-docs/man/X.man,v
retrieving revision 1.4
diff -u -p -r1.4 X.man
--- X.man   30 Aug 2015 13:32:02 -  1.4
+++ X.man   14 Mar 2018 17:43:15 -
@@ -1,4 +1,3 @@
-.\" t
 .\"
 .\" Copyright (c) 1994, 2004  The Open Group
 .\" Copyright \(co 2000  The XFree86 Project, Inc.
@@ -1217,7 +1216,6 @@ the appropriate instance name can be pla
 .BR xclock (__appmansuffix__),
 .BR xcmsdb (__appmansuffix__),
 .BR xconsole (__appmansuffix__),
-.BR xdm (__appmansuffix__),
 .BR xdpyinfo (__appmansuffix__),
 .BR xfd (__appmansuffix__),
 .BR xfs (__appmansuffix__),

Re: firefox and ssh(1) -D behaviour vs. localhost

[Solene Rapenne]

Hello,

In the options menu when you set the proxy address there is a field with 
addresses that should not use the proxy. From my memory, localhost is in it by 
default, you should remove it.

Kind regards 

Le 24 mars 2016 23:03:58 GMT+01:00, Adam Thompson  a 
écrit :
>When using "ssh -D" to establish a SOCKS-type proxy, I can specify the 
>bind_address for the local end of the connection, but how do I control 
>the bind address on the far end?
>
>I'm accustomed to using -D to remotely administer various web services 
>that are behind a firewall/bastion-host instead of using commercial VPN
>
>software, but I ran into a situation today that doesn't seem to permit 
>it: accessing "localhost".
>
>The remote server has a web-based management service that only binds to
>
>0.0.0.0, but only accepts connections *from* 127.0.0.1 and [::1].
>
>First, I can't seem to convince Firefox to connect to "localhost" or 
>"127.0.0.1" using a SOCKS proxy.
>
>Second, I can't figure out a way to get sshd(8) on the remote side to 
>use 127.0.0.1 as a source address when hitting the public IP address.  
>(Yes, the web service rejects connections from its own public IP 
>addresses, too.)
>
>I can accomplish the task with -L instead, which works well, but that 
>approach doesn't scale nearly as easily when I'm connecting to a wide 
>variety of systems in quick succession, and it fails utterly when the 
>remote app insists on constantly rewriting its own URL to a canonical 
>value (because of the wrong port#).
>
>Is there any way to do what I want with -D instead of -L ?
>
>And is the second problem (source IP) just an artifact of Firefox 
>refusing to even send the request over the SOCKS tunnel in the first
>place?
>
>Thanks,
>-Adam