webmin to admin OpenBSD
Hello all, Will I be able to completely admin all parts (servs etc.) of OpenBSD using webmin? Does anyone have any such experience? thank you.
the backend...
Hello Group, sorry this is slightly off topic, but i was curious. (that) What database technology (Oracle, MySQL, Postgres...) does Google use for its database need? both in its plethora of apps and internally to manage the company! and i turned to some of the brightest minds in the industry, i have access to, for solid answer :) Thank you. -BG ~~aapka kalyan ho~~
web development on OpenBSD
Hello, I plan to develop a money management app for personal use on OpenBSD. Since I am not big on any backend /prog.language I have decided to ask the experts, what should i choose. Based on the consensus and depth of a response, I will devote my time studying that language/server and try to build this app.

requirement: Browser based app. with AJAX (multiuser if possible)
my_hardware_limitation: 40gig disk, 1GB RAM , no video RAM, pentium 4 CPU 2GHz
Level of expertise: starter

which components will be a good fit?:
1. Backend: MySQL or SQLite
2. webserver: apache or Lighttpd
3. development language: PHP or Java or Javascript (and XML I guess)

Thanks in advance. -BG ~~aapka kalyan ho~~
solaris 10. 'most' secure OS?
From Sun's own mouth: ...Solaris 10 OS, the most secure OS worldwide holding 176 records... is that so? ~~aapka kalyan ho~~
upgrading FVWM to 2.4
Hello, I figure that i will need to give some runtime arguments to following commands for upgrading my fvwm installation. as per README from fvwm package... can someone tell me what is the right value for PREFIX and EPREFIX?

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX [PREFIX]

By default, `make install' will install all the files in `/usr/local/bin', `/usr/local/lib' etc. You can specify an installation prefix other than `/usr/local' using `--prefix', for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

Since I did not do that (I do not know where is OpenBSD installing fvwm related stuff) I guess after running the following sequence, i have two versions installed on my system...
[host]/tmp # ./configure
# make
# make install

so that, from an xterm window

$ which fvwm
/usr/X11R6/bin/fvwm
$
$ fvwm -version
[FVWM][main]: Fvwm Version 2.2.5 compiled on Aug 8 2007 at 23:03:41
[FVWM][main]: ERROR can't open display
$
$ /usr/local/bin/fvwm -version
FVWM version 2.4.20 compiled on Jan 7 2008 at 11:33:48
with support for: ReadLine, XPM, GNOME WM hints, Shape, SM, Xinerama
$

can someone tell the right values for PREFIX and EPREFIX? thx, -BG ~~aapka kalyan ho~~
Re: How to find all package files
1. to find list of installed files/pkg: $ locate
2. /var/db/pkg has list of all installed pkgs
3. get list of online pkgs:

$ cat online_pkg_list
# to download list of latest online pkgs available:
today=`date +%Y%m%d`
ftp -o ~/mydata/online_pkgs.$today ftp://anonymous:[EMAIL PROTECTED]/pub/OpenBSD/4.2/packages/i386/index.txt
$

4. now getting details of the above pkgs from website. so that i can browse the file locally for the info i am looking for:

$ cat get_pkg_detail
#get details on the pkgs available online:
# note: this reads ~/localpkgdir/online_pkgs.$today with an MMDD stamp, while the
# download step above writes ~/mydata/online_pkgs.$today with a YYYYMMDD stamp
today=`date +%m%d`
touch ~/localpkgdir/pkg_details.$today; rm ~/localpkgdir/pkg_details.$today
for pkg in `cat ~/localpkgdir/online_pkgs.$today`
do
  echo Details for $pkg >> ~/localpkgdir/pkg_details.$today
  # page text goes to the details file, lynx errors to a temp file
  lynx -dump http://www.openbsd.org/4.2_packages/i386/$pkg-long.html >> ~/localpkgdir/pkg_details.$today 2> ~/localpkgdir/pkg_details_err_tmp
  # keep the "Can't access startfile <url>" lines so the URLs can be retried
  grep -i startfile ~/localpkgdir/pkg_details_err_tmp >> ~/localpkgdir/pkg_details_err
  echo --- >> ~/localpkgdir/pkg_details.$today
  echo --- >> ~/localpkgdir/pkg_details.$today
  echo >> ~/localpkgdir/pkg_details.$today
  echo >> ~/localpkgdir/pkg_details.$today
done
# now retrying errored URLs
for url in `awk '{print $NF}' ~/localpkgdir/pkg_details_err`
do
  echo Details for $url >> ~/localpkgdir/pkg_details.$today
  lynx -dump "$url" >> ~/localpkgdir/pkg_details.$today
  echo --- >> ~/localpkgdir/pkg_details.$today
  echo --- >> ~/localpkgdir/pkg_details.$today
  echo >> ~/localpkgdir/pkg_details.$today
  echo >> ~/localpkgdir/pkg_details.$today
done

thx. -BG ~~aapka kalyan ho~~

- Original Message
From: Russell Gadd [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Monday, January 7, 2008 9:33:22 AM
Subject: How to find all package files

I am new to OpenBSD and I am not sure what is the correct way to find packages. For example I have tried to install the xfce window manager, and at first I looked at the list of files in the packages list and there were a lot of files with xfce in the name / description.
I looked for one which said something like this is the main package for xfce4 so that installing that and all dependencies would do the job, but couldn't find such a file. I resorted to looking for xfce in the INDEX and using all files where this was mentioned, i.e. forming a list with

grep xfce INDEX | cut -d '|' -f 1 | sed 's/$/.tgz/g' > /tmpdir/xfce4pkglist

then

pkg_add `cat /tmpdir/xfce4pkglist`

I realise that for such a package there would be some parts which were optional, so needed to be separated out, but I thought there must be a more reliable way to determine which files to include. Is there a better way to do this? Russell
Re: upgrading FVWM to 2.4
Ted / Johan, thx. i downloaded 2.4.20 tar from fvwm site and ran ./configure --prefix /usr/X11r6 (otherwise default /usr/local) and then make and then make install after that i was able to use the new fvwm version. -BG. ~~aapka kalyan ho~~ - Original Message From: Ted Unangst [EMAIL PROTECTED] To: badeguruji [EMAIL PROTECTED] Cc: misc@openbsd.org Sent: Monday, January 7, 2008 5:04:01 PM Subject: Re: upgrading FVWM to 2.4 On 1/7/08, badeguruji [EMAIL PROTECTED] wrote: I figure that i will need to give some runtime arguments to following commands for upgrading my fvwm installation. as per README from fvwm package... pkg_add fvwm2 is a lot easier...
error while adding amavisd....
root:84# pkg_add amavisd-new-2.3.2p0.tgz
arc-5.21op0: complete
Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/: 550 Failed to open file.
Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/: 550 Failed to open file.
Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/: 550 Failed to open file.
Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/: 550 Failed to open file.
Can't find freeze-2.5
/usr/sbin/pkg_add: freeze-2.5:Fatal error
root:85#

what can i do to correct this? i didnt find this file at the specified location. i am looking for pre-compiled pkgs only. thx. -BG ~~aapka kalyan ho~~
process tree in openbsd.
i found this here: http://www.tonns.org/ptree/ thx. -BG ~~Kalyan-mastu~~
Re: process tree in openbsd.
for those who need. sorry if you do not. ~~aapka kalyan ho~~ - Original Message From: Diana Eichert [EMAIL PROTECTED] To: misc@openbsd.org Sent: Saturday, December 29, 2007 11:39:05 PM Subject: Re: process tree in openbsd. On Sat, 29 Dec 2007, badeguruji wrote: i found this here: http://www.tonns.org/ptree/ thx. -BG What is the point to your post?
Re: Postfix(chroot) and Postgresql
I want to setup postfix and dovecot. i want to authenticate my users thru ldap. for that i have installed openldap server package. Is there a place where i can find some 'pointed' help on how to build such an 'email users' database? i do not want to have unix logins for them. i am searching on google and have not found anything yet. i am therefore looking into generic ldap manuals. (i do not want to be a ldap guru) thank you. -BG ~~Kalyan-mastu~~ - Original Message From: Craig Skinner [EMAIL PROTECTED] To: misc@openbsd.org Sent: Saturday, December 1, 2007 7:12:54 AM Subject: Re: Postfix(chroot) and Postgresql On Sat, Dec 01, 2007 at 12:07:54AM +0100, Bengt Frost wrote: Someone out there have any suggestions how use Postfix (and Dovecot) with PostgreSQL? Pull the user data from PostgreSQL and generate the files: /etc/sasldb2.db (copy to /var/spool/postfix/etc postfix reload) /etc/cram-md5.pwd e.g: have a cron driven perl script check for changes to the user tables in the last 15 mins if so, then generate new files. Stops PostgreSQL becoming a bottleneck when under high load (a spam attack). Ok. Not quite sure I'm following you. You mean pull user data from PostgreSQL and generate flat(db) user file for smtp-auth using p5-Authen-SASL-2.10p0 ... Aye, using whatever you fancy, probably loads of modules on CPAN that will do most of what you want for your site. Perl is in base, so you wont run the risk of a broken port of ruby/python/whatever stopping you working after an upgrade. Same for /etc/postfix/{aliases,canonical.map,virtual.map} As your site grows, you can punt the flat files out across your mail farm from your central db/admin box, use rdist or something similar. Then pull out 'other' Postfix data maps via (f.ex) Perl script across my 'mail farm'. Not sure yet how to do it - but I figure it out.
PostgreSQL is brilliant as you can have views of multiple tables, such as user id passwd, then reference another accounts table with foreign keys to see if payment is up to date, how much they paid (disk quota). Then from this one view, just select * and dump that data into flat files, then push to your front line smtp, imap, webmail, shell... boxes. No fancy SQL in the scripts, let the DB do the work for you with views stored procedures. (Your business logic is separate from the oily bits of service implementation) Implement another service, such as web hosting accounts, then just write another SQL view, and another Perl script to config apache, etc, etc. My basic point is this: you can go to a lot of bother to get some services to auth against SQL, then you want to bring up another service and there is no way of using SQL directly, so you write some scripts to generate flat files. Then you bring up another service, So why not just do it that way from the beginning? After all, the app was developed to use flat files, so as a mere user of an app, why fight against the developer? How about - using OpenLDAP? Same thing. Flat files are fast and reliable, and are basically the only way to give users shell access (mutt/pine) on OpenBSD as login wont auth against LDAP or SQL. -- Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]
postfix config....
is this ok? proxy_interfaces = www.fistofiron.com (as i am behind dsl router and the IP will change) is this what the writer means by symbolic name?

# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
proxy_interfaces = www.fistofiron.com

thank you. -BG ~~Kalyan-mastu~~

- Original Message
From: johan beisser [EMAIL PROTECTED]
To: badeguruji [EMAIL PROTECTED]
Cc: Craig Skinner [EMAIL PROTECTED]; misc@openbsd.org
Sent: Tuesday, December 25, 2007 3:31:27 PM
Subject: Re: Postfix(chroot) and Postgresql

On Dec 25, 2007, at 12:57 PM, badeguruji wrote: I want to setup postfix and dovecot. i want to authenticate my users thru ldap. for that i have installed openldap server package. Is there a place where i can find some 'pointed' help on how to build such an 'email users' database? i do not want to have unix logins for them. i am searching on google and have not found anything yet. i am therefore looking into generic ldap manuals. (i do not want to be a ldap guru)

http://wiki.dovecot.org/VirtualUsers
http://wiki.dovecot.org/AuthDatabase/SQL

I think everything you asked about is documented right there.
https access error www.fistofiron.com
Hello, I am hosting www.fistofiron.com on a home network behind dsl link. i am able to pull up the site on netscape sometimes, and sometimes it gives error (timeout). it is a very small page. i am not sure, if there is some configuration error.

$ lynx -dump https://www.fistofiron.com
Looking up www.fistofiron.com
Making HTTPS connection to www.fistofiron.com
Retrying connection without TLS.
Looking up www.fistofiron.com
Making HTTPS connection to www.fistofiron.com
Alert!: Unable to make secure connection to remote host.
lynx: Can't access startfile https://www.fistofiron.com/

plz. advice. thank you. -BG ~~Kalyan-mastu~~
Re: prob: dynamic xterm window and icon titles [OpenBSD 4.2]
Hello, After sourcing .profile file inside X with .Xdefaults, the PS1 and xterm title settings were run. (It runs .profile once and sets the PS1 variable to be used inside X) But the issue of dynamic xterm title remains as such. It seems the PS1 (in ksh) is not able to pass the special character the way writer intended hence not producing desired consequences. Can someone tell why setting of PS1 in this way is not producing desired behavior? (desired: dynamic xterm title which changes as i change directories etc.). As suggested here: http://tldp.org/HOWTO/Xterm-Title-4.html $ PS1='\033]0;[EMAIL PROTECTED]: ${PWD##${HOME}/}\007$ ' K]0;[EMAIL PROTECTED]: /home/badeguruji7$ ^ ^ supposed to be Bell character (producing '-') supposed to be Esc character Thank you. -BG ~~Kalyan-mastu~~ - Original Message From: Ben Calvert [EMAIL PROTECTED] To: badeguruji [EMAIL PROTECTED] Sent: Tuesday, December 18, 2007 5:36:24 PM Subject: Re: prob: dynamic xterm window and icon titles [OpenBSD 4.2] On Dec 18, 2007, at 12:55 PM, badeguruji wrote: hello, following code is not working from my .profile (so i commented it), even when i start the system with X. I am using system provided fvwm. when i start without X, it sets the PS1 variable correctly, but even that is lost (to standard $ prompt) once i start X. http://openbsd.org/faq/faq8.html#ksh I want to have my xterm window title to reflect: pwd, hostname and user_id dynamically. I am using ksh. i think you'll find, that in general, the faq is pretty thorough. you can generally save lots of time by looking there first. thank you. -BG Ben
prob: dynamic xterm window and icon titles [OpenBSD 4.2]
hello, following code is not working from my .profile (so i commented it), even when i start the system with X. I am using system provided fvwm. when i start without X, it sets the PS1 variable correctly, but even that is lost (to standard $ prompt) once i start X.

in my .profile

#case $TERM in
# xterm*)
# HOST=`hostname`
# HOST=${HOST%%.*}
# PS1='\033]0;[EMAIL PROTECTED]: ${PWD##${HOME}/}\007$ '
# ;;
#*)
# PS1='[EMAIL PROTECTED]:\w\$ '
# ;;
#esac

from command line; gives following output and also does not change window title etc.

$ HOST=`hostname`
$ HOST=${HOST%%.*}
$ PS1='\033]0;[EMAIL PROTECTED]: ${PWD##${HOME}/}\007$ '
K]0;[EMAIL PROTECTED]: /home/badeguruji7$

-it seems this terminal is not understanding escape seq well and printing them on screen...

Whereas following is working perfectly ok from command prompt; but when place in .profile gives various errors...

$ echo -ne \033]0;[EMAIL PROTECTED] `pwd`\007

this is changing window/icon title properly

$ PS1='[EMAIL PROTECTED]:\w\$ '
[EMAIL PROTECTED]:~$

can someone help. I found out that my machine is using vt220 terminal. I want to have my xterm window title to reflect: pwd, hostname and user_id dynamically. I am using ksh. thank you. -BG ~~Kalyan-mastu~~
openssl bug report by HP
does this also affects folks who are using it on openbsd? http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01299773 thx. BG ~~Kalyan-mastu~~
A very good OpenLDAP tutorial - Notes
http://www.acay.com.au/~oscarp/tutor/ for all new Openldap users. thx, and sorry if you don't need this. -BG ~~Kalyan-mastu~~
PLEASE DO NOT PUBLISH MY LAST email!!!! [ Re: Real men don't attack straw men]
Hello Moderator, I would not like to publish my below (last) email to this mailing list. As i do not want to offend anyone. That is not my intention. thank you. -BG ~~Kalyan-mastu~~ - Original Message From: badeguruji [EMAIL PROTECTED] To: David Walker [EMAIL PROTECTED]; misc@openbsd.org Sent: Wednesday, December 12, 2007 9:38:07 PM Subject: Re: Real men don't attack straw men David, wonderful writeup! there is a guy here at work, he is full of extra(sometimes called crap or standup), nobody takes him seriously. He is always talking(trying to discuss) religion/philosophy/societies/real-estate/what-not! etc... which people quietly skip. BUT once in a while, he says something which sucks otherwise sane and hardworking people into his nonsense... and then we see: trying-to-talk-sense vs nonsense. Its hilarious, and complete waste of time. We have moved him to midnight shift: to help midniters stay awake. mud: more you try to wash it, more muddy it becomes... Love you all. -BG ~~Kalyan-mastu~~ - Original Message From: David Walker [EMAIL PROTECTED] To: misc@openbsd.org Sent: Wednesday, December 12, 2007 6:40:28 PM Subject: Re: Real men don't attack straw men Richard. Belief systems are vital for living. Every conscious act is the result of a belief. Thoughts are the waters from which belief systems are distilled. None of us know everything. We know very little. In our desire to provide for ourselves a framework to live by, many ideas we have are distilled into beliefs - without full possession of all the pertinent evidence. This is pragmatic. How we get things done. We can classify beliefs as critical or trivial. The only important step is that we scan for evidence that disallows. Vigilantly. Why? There are two types of belief system. Sanity. Valid belief systems. No evidence available that disallows the belief. Psychosis. Invalid belief systems. Evidence exists which disallows the belief. As a result of our imperfect knowledge our belief systems are initially weak. 
When we come across new evidence relating to one of our beliefs we recognize the need to re-evaluate. That engenders the possibility of relegating the belief to the scrap heap. We imagine life without it and see chaos instead of opportunity. That can be scary. The scare can lead to resistance. For many of our beliefs, no matter our resistance, life steps in and shows us the error of our ways. Awareness of this process, sometimes through much pain, leads to acceptance. Why? As we grow we realize the bigger danger is that we allow untenable beliefs to to remain. Somehow, the effort required to be vigilant is not as hard to muster as the effort to swim against the current. Furthermore, when we re-evaluate beliefs and find they are still tenable they become more useful. We turn straw houses into stone. We become a bit wiser. As we move through life we generally learn about ourselves and the way we resist re-evaluating our beliefs. One common method is to play the man and not the ball. This is an attempt at sidestepping and sending standard input to /dev/null with exit 0. We do this by calling the emotion subroutine. Although this is insightful programming - we recognize the conditions that cause an error in our software - we do not deal with them skillfully but rather program them out. The real sadness is not the harm we do to others but rather the opportunity we deny ourselves to pull down our straw houses and build stone ones. One method used to resist re-evaluation is mislabelling. This is another emotion subroutine. If one method is daring and another careful most men might see possibility of success in either. However applying labels such as reckless and foolhardy turns brave into dangerous. Likewise if cautious becomes stereotypical and mainstream who would achieve anything by choosing it? Computer software is an industry. It is not life or death. It is not killing babies. It is not tipping cows over. The licenses are (electronic) pieces of paper. 
Nothing about the licensing is bad. Nothing about the licensing is wrong. Nothing about the licensing is immoral. Nothing about the licensing is unethical. Absolutely nothing about the licensing has to do with your conscience. You may not like them. They may differ from yours. They are only labellable with the terms you choose in two ways. They are an affront to humanity. I expect to see media coverage and/or rebellion. They are an affront to other business. I expect to see other software manufacturers causing a stink. Instead there is one group swimming against the current. I would expect in either of these two cases the government to step in. After all, the government regulates industry for the people. If the licenses are bad and wrong, etcetera that is under the government's purview. Trade practices acts, etcetera. None of the labels fit. Richard Stallman wrote
Re: Real men don't attack straw men
David, wonderful writeup! there is a guy here at work, he is full of extra(sometimes called crap or standup), nobody takes him seriously. He is always talking(trying to discuss) religion/philosophy/societies/real-estate/what-not! etc... which people quietly skip. BUT once in a while, he says something which sucks otherwise sane and hardworking people into his nonsense... and then we see: trying-to-talk-sense vs nonsense. Its hilarious, and complete waste of time. We have moved him to midnight shift: to help midniters stay awake. mud: more you try to wash it, more muddy it becomes... Love you all. -BG ~~Kalyan-mastu~~ - Original Message From: David Walker [EMAIL PROTECTED] To: misc@openbsd.org Sent: Wednesday, December 12, 2007 6:40:28 PM Subject: Re: Real men don't attack straw men Richard. Belief systems are vital for living. Every conscious act is the result of a belief. Thoughts are the waters from which belief systems are distilled. None of us know everything. We know very little. In our desire to provide for ourselves a framework to live by, many ideas we have are distilled into beliefs - without full possession of all the pertinent evidence. This is pragmatic. How we get things done. We can classify beliefs as critical or trivial. The only important step is that we scan for evidence that disallows. Vigilantly. Why? There are two types of belief system. Sanity. Valid belief systems. No evidence available that disallows the belief. Psychosis. Invalid belief systems. Evidence exists which disallows the belief. As a result of our imperfect knowledge our belief systems are initially weak. When we come across new evidence relating to one of our beliefs we recognize the need to re-evaluate. That engenders the possibility of relegating the belief to the scrap heap. We imagine life without it and see chaos instead of opportunity. That can be scary. The scare can lead to resistance. 
For many of our beliefs, no matter our resistance, life steps in and shows us the error of our ways. Awareness of this process, sometimes through much pain, leads to acceptance. Why? As we grow we realize the bigger danger is that we allow untenable beliefs to to remain. Somehow, the effort required to be vigilant is not as hard to muster as the effort to swim against the current. Furthermore, when we re-evaluate beliefs and find they are still tenable they become more useful. We turn straw houses into stone. We become a bit wiser. As we move through life we generally learn about ourselves and the way we resist re-evaluating our beliefs. One common method is to play the man and not the ball. This is an attempt at sidestepping and sending standard input to /dev/null with exit 0. We do this by calling the emotion subroutine. Although this is insightful programming - we recognize the conditions that cause an error in our software - we do not deal with them skillfully but rather program them out. The real sadness is not the harm we do to others but rather the opportunity we deny ourselves to pull down our straw houses and build stone ones. One method used to resist re-evaluation is mislabelling. This is another emotion subroutine. If one method is daring and another careful most men might see possibility of success in either. However applying labels such as reckless and foolhardy turns brave into dangerous. Likewise if cautious becomes stereotypical and mainstream who would achieve anything by choosing it? Computer software is an industry. It is not life or death. It is not killing babies. It is not tipping cows over. The licenses are (electronic) pieces of paper. Nothing about the licensing is bad. Nothing about the licensing is wrong. Nothing about the licensing is immoral. Nothing about the licensing is unethical. Absolutely nothing about the licensing has to do with your conscience. You may not like them. They may differ from yours. 
They are only labellable with the terms you choose in two ways. They are an affront to humanity. I expect to see media coverage and/or rebellion. They are an affront to other business. I expect to see other software manufacturers causing a stink. Instead there is one group swimming against the current. I would expect in either of these two cases the government to step in. After all, the government regulates industry for the people. If the licenses are bad and wrong, etcetera that is under the government's purview. Trade practices acts, etcetera. None of the labels fit. Richard Stallman wrote in this thread: non-free software to be unethical and antisocial. with a clear conscience to someone. I might say the act was bad, or I might say it was good, depending on the details not specified. On non-free software. then those users have done something bad. On installing non-free software. endorses it and takes on the ethical responsibility for it. On making it easier to install non-free software. Richard Stallman said on BSD
complete working ssl config for newbees..... Notes
After doing a lot of head banging, i was able to get it working (so far)

# openssl version
OpenSSL 0.9.7j 04 May 2006
# uname -a
OpenBSD ironhost.fistofiron.com 4.2 GENERIC#375 i386

# this setting causes lot of errors, hence i have commented it.
#prompt = no # this option is generating lot of errors.

I referred my sites especially: http://www.faqs.org/docs/securing/chap24sec196.html

below is working fine:

#
# cat openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# Plus,
# I have configured it for generating CA cert too.
#
RANDFILE = /dev/arandom
dir = /etc/ssl # working dir for all operations

[ ca ] # section for CA settings
default_ca = CA_default # default CA settings section title

[ CA_default ] # default settings for CA
certs = $dir/certs # dir to keep issued certificates
new_certs_dir = $dir/ca.db.certs # dir for new certs
crl_dir = $dir/crl # dir for issued cert revoc lists
serial = $dir/ca.db.serial # file contains the current serial no.
database = $dir/ca.db.index # certificate database index file
crl = $dir/crl.pem # the current CRL
certificate = $dir/certs/ca.crt # file containing CA certificate
private_key = $dir/private/ca.key # the private key corresponding
                                  # to CA certificate
default_days = 3650 # valid for 10 years
default_crl_days = 30 # how long before next CRL
default_md = sha1 # md5 for older software and is weaker
preserve = no # whether to preserve the order of DN
              # fields to match the order passed in
email_in_dn = no
policy = policy_match # section to tell which fields in certs
                      # must match that of CA, or are mandatory
x509_extensions = usr_cert # directives for CA when signing a cert

# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.)
unique_subject = no

# Comment out the following two lines for the traditional
# (and highly broken) format.
nameopt = default_ca
certopt = default_ca

[ policy_match ] # OIDs that must be same as that of CA
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types. All values are system default.
[ policy_anything ] # all possible options for policy...
countryName = optional
stateOrProvinceName = optional
localityName = optional # this is not in policy_match section
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

###
# the req section is used by openssl req command, it creates and process
# certificate requests in PKCS#10 format. also creates self signed certs
# for use as root CA.
[ req ] # directives to process and create cert requests
default_bits = 1024 # key size for new cert request
default_keyfile = privkey.pem # def key name for any newly generated cert
default_md = sha1 # message digest algorithm default was md5
#prompt = no # this option is generating lot of errors.
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name # suggest was root_ca__distinguished_name
attributes = req_attributes # section used when generating cert
x509_extensions = v3_ca # section ext to add to self signed cert
req_extensions = v3_req # [non CA] Used when requesting certs,
                        # adds more extensions to cert request

###
# below section not used right now
#[ root_ca_distinguished_name ]
#commonName = FistOfIron MO
#countryName = US
#stateOrProvinceName = Missouri
#localityName = St.Louis
#0.organizationName = fistofiron.org
#emailAddress = [EMAIL PROTECTED]
#
[ req_distinguished_name ] # options needed to generate a certificate
# Variable name Prompt string
#---
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city, district)
Re: freeBSD7.0 advertised.
first thing first. i am sending emails on this list because i have already made my decision to use OpenBSD. my intention is not arguing about which OS is better. I understand (for myself) that, OpenBSD is best (for me). But, a good thing (that presentation attempt), is a good thing. And, to wish (or ask if it is already there) to have such good thing for us too, is not a bad thing... I promise, when I know about OpenBSD in so much depth, I will put out something like that myself.

~~Kalyan-mastu~~

- Original Message
From: visc [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Sunday, December 9, 2007 2:35:46 AM
Subject: Re: freeBSD7.0 advertised.

On 8-Dec-07, at 10:57 PM, STeve Andre' wrote:

On Sunday 09 December 2007 00:27:01 badeguruji wrote:

Hello, Is there anything on OpenBSD like the one below for FreeBSD. It presents material very clearly and cleanly, makes freebsd look very attractive. http://people.freebsd.org/~kris/scaling/7.0 Preview.pdf Thank you. -BG

Not really. OpenBSD doesn't attempt to market itself. You can look at the 4.2 page to see all the new things in 4.2, or scroll back in time by looking at earlier pages. Given that a new release comes out every six months, releases don't tend to have a lot of show-biz flash to them. They give useful data but aren't for the masses. Really, you want to do a lot of reading on the web site. Do that and you'll get good idea of what OpenBSD is about.

--STeve Andre'

Newbie commenter here, but I feel the need to chime in. It may be the rum talking, but i digress..

As somebody who has thought very long and hard about leaving the OSX church, and then which open source system to support, and then which *bsd to support, I hope my choice of OpenBSD can at least be heard. There is a comic related to the 4.2 release (which I'm too lazy to find and reference at the moment) in which puffy and other related creatures are in a race. Yes, I know the comic was OpenBSD produced and centric, but it hit home anyway. There is a frame that shows a Daemon (representative of FreeBSD) racing a penguin. That kind of solidified for me the feeling I always had using FreeBSD that it was trying to be/compete with Linux.

Don't get me wrong, I applaud the FreeBSD team, but I'm not interested in another religious OS argument. I can get that with OSX vs Windows. I love arguing OS vs OS with people, but my choice to support OpenBSD was based on the fact that it doesn't want to play that game. It's an OS to choose based on its merits, not its name. OpenBSD is not trying to supplant another OS, it is not trying to become a religion, it is simply trying to be a secure and proper BSD implementation. And that's what I want.

Advertising would certainly help where it's needed, ie cash and hardware, but that is a secondary goal (from my understanding). You have here an OS with modest yet commendable goals that isn't making OS penis size its number one goal. OpenBSD has its goals and it is trying to achieve them. Yes, I'd love to see OpenBSD ads out there. But there needs to be a balance between "hey, I'm awesome, use me." and "Wow, that's awesome, I'll buy a CD." FreeBSD is in the same boat. The beauty of OpenBSD is that it tries to exist on its merits. To me, OpenBSD's merits are greater than FreeBSD's.

Ultimately people need to be pointed to donate their time/money/efforts to projects that they see value in. I know OpenBSD is fairly stuffy puffy in its philosophy, but that's what it is. People who agree with that ideal will seek it out. Yes, it'd be great to see magazine ads, but ultimately the great paradox comes into play
- OpenBSD needs donations to progress
- progress can't happen without users
- users want a good product
- a good product in this arena needs donations.

/ramble off
error while creating CA
Hello, although i have setup the default country_code to 2 characters only (US). I was not able to find out why, am i getting below error, while trying to setup my own CA:

    # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
    Generating a 2048 bit RSA private key
    ..+++
    .+++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -
    problems making Certificate Request
    13175:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:/usr/src/lib/libssl/src/crypto/asn1/a_mbstr.c:154:maxsize=2
    #

file permissions:

    # pwd
    /etc/ssl
    # ls -ltr
    total 348
    drwxr-xr-x 2 root wheel 512 Aug 28 11:00 lib
    -r--r--r-- 1 root bin 895 Aug 28 11:00 x509v3.cnf
    -r--r--r-- 1 root bin 151917 Aug 28 11:00 cert.pem
    drwxr-xr-x 4 root wheel 512 Nov 21 23:00 orig.dir.with.contents
    drwxr-xr-x 2 root wheel 512 Nov 25 21:01 crl
    drwxr-xr-x 2 root wheel 512 Nov 25 21:01 newcerts
    -rw-r--r-- 1 root wheel 0 Nov 25 21:01 certindex.txt
    -rw-r--r-- 1 root wheel 7 Nov 25 21:01 serial
    drwxr-xr-x 2 root wheel 512 Nov 27 22:23 issuedcerts
    -r--r--r-- 1 root bin 6889 Dec 6 10:50 openssl.cnf
    drwx-- 2 root wheel 512 Dec 9 00:12 private
    # ls -l private
    total 4
    -rw-r--r-- 1 root wheel 1743 Dec 9 00:13 cakey.pem
    # ls -l issuedcerts
    # ls -l newcerts
    #

here is my config file:

    $ cat /etc/ssl/openssl.cnf
    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    # Plus,
    # I have configured it for generating CA cert too.
    #
    RANDFILE = /dev/arandom
    dir = /etc/ssl # working dir for all operations

    [ ca ] # section for CA settings
    default_ca = CA_default # default CA settings section title

    [ CA_default ] # default settings for CA
    certs = $dir/issuedcerts # dir to keep issued certificates
    new_certs_dir = $dir/newcerts # dir for new certs
    crl_dir = $dir/crl # dir for issued cert revoc lists
    serial = $dir/serial # file contains the current serial no.
    database = $dir/certindex.txt # certificate database index file
    crl = $dir/crl/ca-crl.pem # the current CRL
    certificate = $dir/ca-cert.pem # file containing CA certificate
    private_key = $dir/private/ca-key.pem # the private key corresponding
                                          # to CA certificate
    default_days = 3650 # valid for 10 years
    default_md = sha1 # md5 for older software and is weaker
    preserve = no # whether to preserve the order of DN
                  # fields to match the order passed in
    email_in_dn = no
    policy = policy_match # section to tell which fields in certs
                          # must match that of CA, or are mandatory
    x509_extensions = usr_cert # directives for CA when signing a cert

    # Make new requests easier to sign - allow two subjects with same name
    # (Or revoke the old certificate first.)
    unique_subject = no

    # Comment out the following two lines for the traditional
    # (and highly broken) format.
    nameopt = default_ca
    certopt = default_ca

    [ policy_match ] # OIDs that must be same as that of CA
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types. All values are system default.
    [ policy_anything ] # all possible options for policy...
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional # this is not in policy_match section
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    ###
    # the req section is used by openssl req command, it creates and process
    # certificate requests in PKCS#10 format. also creates self signed certs
    # for use as root CA.
    [ req ] # directives to process and create cert requests
    default_bits = 2048 # key size for new cert request
    default_keyfile = privkey.pem # def key name for any newly generated cert
    default_md = sha1 # message digest algorithm default was md5
    prompt = no
Re: error while creating CA
Thank you Nick. I setup default values for this section, as i read on net, but it seems it is not working like that. After i changed the value of countryName variable as you pointed (instead of depending on default value variable for supplying default value), it is NOT giving that error now. But now, it is giving following error: and i checked the documentation, and the variable seems to be a valid variable. I do not know why it is giving error? I am running the same command... is my config for this section ok?

    [ req_distinguished_name ] # options needed to generate a certificate
    # Variable name Prompt string
    #---
    countryName = US#Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (city, district)
    0.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (department, division)
    commonName = Common Name (FQDN, hostname, IP, or your name)
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_max = 64 #original cnf file from install had 64/sample had 40
    # default values for above
    countryName_default = US
    stateOrProvinceName_default = Georgia
    localityName_default = ATL, GA
    0.organizationName_default = Fist of Iron
    organizationalUnitName_default = TestWebMail

~~Kalyan-mastu~~

- Original Message
From: Nick Guenther [EMAIL PROTECTED]
To: OpenBSD-Misc misc@openbsd.org
Sent: Sunday, December 9, 2007 4:53:06 PM
Subject: Re: error while creating CA

On 12/9/07, badeguruji [EMAIL PROTECTED] wrote:

Hello, although i have setup the default country_code to 2 characters only (US). I was not able to find out why, am i getting below error, while trying to setup my own CA:

    # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
    Generating a 2048 bit RSA private key
    ..+++
    .+++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -
    problems making Certificate Request
    13175:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:/usr/src/lib/libssl/src/crypto/asn1/a_mbstr.c:154:maxsize=2
    #

here is my config file:

    [ req_distinguished_name ] # options needed to generate a certificate
    # Variable name Prompt string
    #- --
    countryName = Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    ^

your country name is not set to 'US' like you think it is?

-Nick
Re: error while creating CA
sorry the error is:

    # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
    Generating a 2048 bit RSA private key
    ..+++
    ...+++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    Verify failure
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -
    problems making Certificate Request
    1993:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:/usr/src/lib/libssl/src/crypto/x509/x509name.c:285:name=countryName_min
    #

~~Kalyan-mastu~~

- Original Message
From: badeguruji [EMAIL PROTECTED]
To: Nick Guenther [EMAIL PROTECTED]; OpenBSD-Misc misc@openbsd.org
Sent: Sunday, December 9, 2007 7:15:13 PM
Subject: Re: error while creating CA

Thank you Nick. I setup default values for this section, as i read on net, but it seems it is not working like that. After i changed the value of countryName variable as you pointed (instead of depending on default value variable for supplying default value), it is NOT giving that error now. But now, it is giving following error: and i checked the documentation, and the variable seems to be a valid variable. I do not know why it is giving error? I am running the same command... is my config for this section ok?
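Both errors in this thread come from the same setting: with `prompt = no`, `openssl req` reads every entry in the distinguished_name section as a literal field value, so a prompt string becomes an over-long country and `countryName_min` is taken as a field name. The lint below is an added example, not code from the posts; `parse_cnf`, `lint_req_dn` and the three sample configs are constructed for illustration, and only the country length limit shown in the error (maxsize=2) is checked.

```python
import re

# Keys that only mean something when `openssl req` prompts for each field.
PROMPT_ONLY_SUFFIXES = ("_min", "_max", "_default")
# Only the limit visible in the thread's error (maxsize=2) is checked here.
MAX_LEN = {"countryName": 2}


def parse_cnf(text):
    """Parse openssl.cnf text into {section: [(key, value), ...]}.

    Simplified on purpose: '#' starts a comment anywhere on a line, and
    quoting and $variable expansion are not handled.
    """
    sections = {"default": []}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def lint_req_dn(text):
    """Return [(key, problem), ...] for a [ req ] section with prompt = no."""
    sections = parse_cnf(text)
    req = dict(sections.get("req", []))
    if req.get("prompt", "yes").lower() != "no":
        return []  # prompting mode: prompt strings and _min/_max are fine
    dn_section = req.get("distinguished_name")
    if dn_section not in sections:
        return [("distinguished_name", "section missing")]
    findings = []
    for key, value in sections[dn_section]:
        # A leading "0." style prefix is not part of the field name.
        field = re.sub(r"^[^.:,]*[.:,](?=.)", "", key)
        limit = MAX_LEN.get(field)
        if field.endswith(PROMPT_ONLY_SUFFIXES):
            findings.append((key, "invalid field name"))
        elif limit is not None and len(value) > limit:
            findings.append((key, "string too long"))
    return findings


REQ_HEADER = """
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
"""

# Constructed from the first post: prompt strings left in place.
FIRST_POST = REQ_HEADER + """
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
countryName_default = US
"""

# Constructed from the follow-up: value fixed, prompt-only keys still present.
FOLLOW_UP = REQ_HEADER + """
[ req_distinguished_name ]
countryName = US#Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
0.organizationName_default = Fist of Iron
"""

# Constructed no-prompt form: one literal value per field, nothing else.
NO_PROMPT = REQ_HEADER + """
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Georgia
0.organizationName = Fist of Iron
commonName = Example Test CA
"""

if __name__ == "__main__":
    for name, cnf in (("first post", FIRST_POST), ("follow-up", FOLLOW_UP),
                      ("no-prompt", NO_PROMPT)):
        print(name, lint_req_dn(cnf))
```

`openssl req` stops at the first problem it meets, while the lint reports every offending key in one pass.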
openssl creating CA, getting error; plz. advice.
Hello, while trying to setup my own CA i am getting below error:

    # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
    Generating a 2048 bit RSA private key
    ..+++
    .+++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -
    problems making Certificate Request
    13175:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:/usr/src/lib/libssl/src/crypto/asn1/a_mbstr.c:154:maxsize=2
    #

file permissions:

    # pwd
    /etc/ssl
    # ls -ltr
    total 348
    drwxr-xr-x 2 root wheel 512 Aug 28 11:00 lib
    -r--r--r-- 1 root bin 895 Aug 28 11:00 x509v3.cnf
    -r--r--r-- 1 root bin 151917 Aug 28 11:00 cert.pem
    drwxr-xr-x 4 root wheel 512 Nov 21 23:00 orig.dir.with.contents
    drwxr-xr-x 2 root wheel 512 Nov 25 21:01 crl
    drwxr-xr-x 2 root wheel 512 Nov 25 21:01 newcerts
    -rw-r--r-- 1 root wheel 0 Nov 25 21:01 certindex.txt
    -rw-r--r-- 1 root wheel 7 Nov 25 21:01 serial
    drwxr-xr-x 2 root wheel 512 Nov 27 22:23 issuedcerts
    -r--r--r-- 1 root bin 6889 Dec 6 10:50 openssl.cnf
    drwx-- 2 root wheel 512 Dec 9 00:12 private
    # ls -l private
    total 4
    -rw-r--r-- 1 root wheel 1743 Dec 9 00:13 cakey.pem
    # ls -l issuedcerts
    # ls -l newcerts
    #

here is my config file:

    $ cat /etc/ssl/openssl.cnf
    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    # Plus,
    # I have configured it for generating CA cert too.
    #
    RANDFILE = /dev/arandom
    dir = /etc/ssl # working dir for all operations

    [ ca ] # section for CA settings
    default_ca = CA_default # default CA settings section title

    [ CA_default ] # default settings for CA
    certs = $dir/issuedcerts # dir to keep issued certificates
    new_certs_dir = $dir/newcerts # dir for new certs
    crl_dir = $dir/crl # dir for issued cert revoc lists
    serial = $dir/serial # file contains the current serial no.
    database = $dir/certindex.txt # certificate database index file
    crl = $dir/crl/ca-crl.pem # the current CRL
    certificate = $dir/ca-cert.pem # file containing CA certificate
    private_key = $dir/private/ca-key.pem # the private key corresponding
                                          # to CA certificate
    default_days = 3650 # valid for 10 years
    default_md = sha1 # md5 for older software and is weaker
    preserve = no # whether to preserve the order of DN
                  # fields to match the order passed in
    email_in_dn = no
    policy = policy_match # section to tell which fields in certs
                          # must match that of CA, or are mandatory
    x509_extensions = usr_cert # directives for CA when signing a cert

    # Make new requests easier to sign - allow two subjects with same name
    # (Or revoke the old certificate first.)
    unique_subject = no

    # Comment out the following two lines for the traditional
    # (and highly broken) format.
    nameopt = default_ca
    certopt = default_ca

    [ policy_match ] # OIDs that must be same as that of CA
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types. All values are system default.
    [ policy_anything ] # all possible options for policy...
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional # this is not in policy_match section
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    ###
    # the req section is used by openssl req command, it creates and process
    # certificate requests in PKCS#10 format. also creates self signed certs
    # for use as root CA.
    [ req ] # directives to process and create cert requests
    default_bits = 2048 # key size for new cert request
    default_keyfile = privkey.pem # def key name for any newly generated cert
    default_md = sha1 # message digest algorithm default was md5
    prompt = no
    string_mask = nombstr # permitted characters
    distinguished_name = req_distinguished_name #
freeBSD7.0 advertised.
Hello, Is there anything on OpenBSD like the one below for FreeBSD. It presents material very clearly and cleanly, makes look freebsd very attractive. http://people.freebsd.org/~kris/scaling/7.0 Preview.pdf Thank you. -BG ~~Kalyan-mastu~~
rogue IPs / user
I am getting constant hacking attempt into my computer from following IPs. Although, I have configured my ssh config and tcp-wrappers to deny such attempts. But I wish some expert soul in this community 'fix' this rogue hacker for ever, for everyone's good. This hacker could be spoofing the IPs, but i have only the IPs in my message logs (and a url)... 218.6.16.30 195.187.33.66 202.29.21.6 60.28.201.57 218.24.162.85 wpc4643.amenworld.com 202.22.251.23 219.143.232.131 220.227.218.21 124.30.42.36 -for community. -BG ~~Kalyan-mastu~~
Re: rogue IPs / user
Thanks guys. Steve, you were able to understand my concern/wish. Yes, I have posted the same issue earlier, that time i was looking for a solution for 'myself', this time i wish: if something can be done 'for everyone', so i publicized the IPs hacker ('net lice') was coming from.

I was advised for pf, but right now a simple ssh-config and hosts.allow/deny is serving me fine. I will learn and use pf in due course.

And seriously, 'anything' in self-defense is not violence (or e-violence) - I am not going in hackers' territory to teach him a lesson, i am only trying to build a wall [by asking the experts] which can save all those who are NOT-hacking into other people's computers, and want to operate in a secure environment (with-in those walls)

Aren't all security experts, just building their own islands with the problem [of unsecure space] remaining as it always was? we should try to build a secure 'atmosphere' where 'clouds of all colors/density' can freely glide with less caution in mind? A frame-work for internet security like Java, where all different kind of web-servers (and all other apps for that matter) can concentrate on their job, rather than worrying about security - is needed.

thank you. -BG

--- Nick Guenther [EMAIL PROTECTED] wrote:

On Dec 7, 2007 1:03 PM, Daniel Ouellet [EMAIL PROTECTED] wrote:

badeguruji wrote:

I am getting constant hacking attempt into my computer from following IPs. Although, I have configured my ssh config and tcp-wrappers to deny such attempts. But I wish some expert soul in this community 'fix' this rogue hacker for ever, for everyone's good.

Not sure that I understand what you are asking.

I think he's advocating e-violence of some sort? Hahahahahahah.

~~Kalyan-mastu~~
binary installed? or not?
Hello, On solaris, i can do: grep name /var/sadm/install/contents and see whether it is installed or not, also location etc. But, How can i do it on OB? where is the system map? to see whether/where name is installed. Thanks in advance for your guidance. -BG ~~Kalyan-mastu~~
Re: indexing the internet
hmm... i checked dmoz.org, noble idea, but a lot of hardwork, and it might fail in the longrun. There is one major hurdle in its future, since lot of people are adding content to web everyday and most of them are not following any guideline, so it is: 1. very difficult for a small subset of humans to catalog for all of the internet-publishers. 2. it is unfair, in the name of free/opensource, to expect a subset of people to clean others' mess. Back to the original topic: For one thing, Perhaps one part of the problem can be solved very easily. Since every document created on any OS has date and timestamp attached to it. AND, most of the publishing on web is on Apache, what if the basic behavior of apache is set to read this info, and show document/page creation and modification date on top/in the beginning, of the 'web-page/document'. And it should be available to the search engines as small lightweight string as well? technical papers and HOWTO's relevance is actually the relevance of their content, with passing of time. So, to intelligently figure that out is going to be too resource consuming for the computing in general. ultimately humans will have to follow some documenting guidelines to keep information useful and 'at our fingertips'. Else it(information) will be like it is now, scattered and lost in web-space. *and hence, google's search engine if does not change with time, will be a thing of past within next 4 years. Thank you. -BG --- Lars Noodin [EMAIL PROTECTED] wrote: badeguruji wrote: ... just making it a habit to add the date and version on top will make it easy to 'index the web', and will help the newcomer to understand and decide... ... There are a lot of people who should know better who do not do that, regardless of the benefits. Probably the best bet would be to find how people are making the documents and see if the tools' creators cannot be convinced to make the tool default to add a date / time stamp. 
I've written to a few authors and asked when they first published material. Perhaps it is time for an all-out campaign to tidy up legacy documents. -Lars ~~Kalyan-mastu~~
Re: Paper about memory speed with multi-core CPUs
With all due respect to all contributors on the internet. It seems lot of BSD/unix notes and other documentation is scattered all over the internet in hapzard way. which newcomers find thru google(1) and then try to use it. Most of the time date and version etc. is not mentioned in the document or the URL - which makes it difficult to realize (to a newcomer) whether the info is still applicable/valid? and should be used? I guess all such contributors need to mention the date_of_publication and software_version_used on the top of their submission. we need to learn from newspaper websites who 'arrange' their stories chronologically, and a look at the url on these sites tell the date of the story! just making it a habit to add the date and version on top will make it easy to 'index the web', and will help the newcomer to understand and decide... I am sending it here as this can only be straightened out by some well known developers in the unix/linux/bsd community. thanks again to all the techis who have ever posted 'how-2s' on the internet! -BG (1)in that sense googles' text search engine is also not doing a proper job. so it leaves some room... ~~Kalyan-mastu~~ - Original Message From: Alexey Suslikov [EMAIL PROTECTED] To: misc@openbsd.org Sent: Monday, November 26, 2007 4:37:18 AM Subject: Paper about memory speed with multi-core CPUs Johan Mson Lindman wrote: http://people.redhat.com/drepper/cpumemory.pdf - Alexey. Is this paper from the same Drepper as is posting in the URL below? http://sources.redhat.com/ml/libc-alpha/2000-08/msg00053.html Yes. But it's up to you - to leave yourself in 2000. - Alexey.
indexing the internet
With all due respect to all contributors on the internet. It seems lot of BSD/unix notes and other documentation is scattered all over the internet in hapzard way. which newcomers find thru google(1) and then try to use it. Most of the time date and version etc. is not mentioned in the document or the URL - which makes it difficult to realize (to a newcomer) whether the info is still applicable/valid? and should be used? I guess all such contributors need to mention the date_of_publication and software_version_used on the top of their submission. we need to learn from newspaper websites who 'arrange' their stories chronologically, and a look at the url on these sites tell the date of the story! just making it a habit to add the date and version on top will make it easy to 'index the web', and will help the newcomer to understand and decide... I am sending it here as this can only be straightened out by some well known developers in the unix/linux/bsd community. thanks again to all the techis who have ever posted 'how-2s' on the internet! -BG (1)in that sense googles' text search engine is also not doing a proper job. so it leaves some room... ~~Kalyan-mastu~~ - Original Message From: Alexey Suslikov [EMAIL PROTECTED] To: misc@openbsd.org Sent: Monday, November 26, 2007 4:37:18 AM Subject: Paper about memory speed with multi-core CPUs Johan Mson Lindman wrote: http://people.redhat.com/drepper/cpumemory.pdf - Alexey. Is this paper from the same Drepper as is posting in the URL below? http://sources.redhat.com/ml/libc-alpha/2000-08/msg00053.html Yes. But it's up to you - to leave yourself in 2000. - Alexey. (sorry changed the tag line)... ~~Kalyan-mastu~~
[plz. help] constant attack from: 201.244.17.162, 222.231.60.88, 82.207.116.209....
I just discovered by chance that, someone is constantly trying to break into my openbsd box from:

    201.244.17.162 [corporativos24417-162.etb.net.co]
    203.113.85.26
    211.20.79.85
    71.159.221.78
    82.207.116.209

whois details on each IP go to South America, Bangkok, Taiwan... all over the world! Although i have sent email to the email address in whois output, but the attacker may be spoofing the IP. By the pattern of attempt i can tell it is the same user.

I am asking the community's help to how to block and, more properly, punish this unethical user. this user is running the attack constantly. I will have to shutdown the box for now and come back at later time when someone had posted some solution on the list.

My box is behind router-NAT which is allowing ssh. I am not sure how this guy can get to my box which has pvt IP address from the internet thru the firewall. I looked for blocking access depending on source IP in my dsl-router, but it is not that versatile. I have now also setup hosts.allow and DenyUsers/Groups in ssh config. is that enough?

here are some excerpts from my logs:

    Nov 9 03:24:51 myserver sshd[15822]: Did not receive identification string from 218.76.217.234
    Nov 10 16:55:19 myserver sshd[29183]: Did not receive identification string from 82.207.116.209
    Nov 10 16:58:58 myserver sshd[21261]: Failed password for root from 82.207.116.209 port 35194 ssh2
    Nov 10 16:58:59 myserver sshd[5372]: Received disconnect from 82.207.116.209: 11: Bye Bye
    Nov 17 07:41:15 myserver sshd[3254]: Failed password for root from 219.145.142.30 port 55232 ssh2
    Nov 17 07:41:15 myserver sshd[27682]: Received disconnect from 219.145.142.30: 11: Bye Bye
    Nov 21 07:51:16 myserver sshd[12865]: Did not receive identification string from 201.244.17.162
    Nov 21 07:53:38 myserver sshd[18020]: reverse mapping checking getaddrinfo for corporativos24417-162.etb.net.co [201.244.17.162] failed - POSSIBLE BREAK-IN ATTEMPT!
    Nov 21 07:53:38 myserver sshd[18020]: Failed password for root from 201.244.17.162 port 56137 ssh2
    Nov 21 07:53:38 myserver sshd[19158]: Received disconnect from 201.244.17.162: 11: Bye Bye

and,

    Nov 21 08:20:56 myserver sshd[13104]: Did not receive identification string from 222.231.60.88
    Nov 21 15:58:25 myserver sshd[16851]: Did not receive identification string from 82.207.116.209
    Nov 21 16:00:46 myserver sshd[23577]: Failed password for root from 82.207.116.209 port 55925 ssh2
    Nov 21 16:00:46 myserver sshd[6084]: Received disconnect from 82.207.116.209: 11: Bye Bye

and,

    Nov 22 00:46:33 myserver sshd[18504]: Did not receive identification string from 61.159.228.193
    Nov 22 08:41:41 myserver sshd[2410]: Did not receive identification string from 71.159.221.78
    Nov 22 08:42:25 myserver sshd[9687]: Failed password for root from 71.159.221.78 port 63731 ssh2
    Nov 22 08:42:25 myserver sshd[8814]: Received disconnect from 71.159.221.78: 11: Bye Bye

and,

    Nov 23 23:14:08 myserver sshd[26235]: Failed password for root from 211.20.79.85 port 54407 ssh2
    Nov 23 23:14:08 myserver sshd[16180]: Received disconnect from 211.20.79.85: 11: Bye Bye

this is interesting...

    $ whois 71.159.221.78
    ATT Internet Services SBCIS-SIS80 (NET-71-128-0-0-1) 71.128.0.0 - 71.159.255.255
    ECLIPSE MARKETING-060311011540 SBC07115922107229060311011557 (NET-71-159-221-72-1) 71.159.221.72 - 71.159.221.79
    # ARIN WHOIS database, last updated 2007-11-24 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
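The pattern in the log excerpts above (a connection that sends no identification string, followed within minutes by a failed root password from the same address) can be pulled out of a log mechanically. This is an added example, not part of the original post: the sample lines are constructed in the same sshd format using documentation addresses, and `analyze`, the five-minute window and the supplied year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# "Nov 10 16:55:19 host sshd[pid]: message" as written by syslog.
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[\d+\]:\s+(.*)$")
PROBE = re.compile(r"^Did not receive identification string from (\S+)")
FAILED = re.compile(
    r"^Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def analyze(lines, window=timedelta(minutes=5), year=2007):
    """Correlate banner-less probes with later password failures per source.

    Returns (sequences, failed). sequences maps a source address to a list
    of (user, seconds_after_probe); failed counts password failures per
    source. Syslog timestamps carry no year, so the caller supplies one.
    """
    last_probe = {}
    sequences = {}
    failed = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an sshd line in the expected format
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        probe = PROBE.match(msg)
        if probe:
            last_probe[probe.group(1)] = when
            continue
        fail = FAILED.match(msg)
        if fail:
            user, src = fail.groups()
            failed[src] += 1
            # Each probe is matched with at most one following failure.
            seen = last_probe.pop(src, None)
            if seen is not None and timedelta(0) <= when - seen <= window:
                delay = int((when - seen).total_seconds())
                sequences.setdefault(src, []).append((user, delay))
    return sequences, failed


# Constructed sample in the format of the excerpts (RFC 5737 addresses).
SAMPLE_LOG = """\
Nov  9 03:24:51 myserver sshd[15822]: Did not receive identification string from 192.0.2.10
Nov 10 16:55:19 myserver sshd[29183]: Did not receive identification string from 198.51.100.7
Nov 10 16:58:58 myserver sshd[21261]: Failed password for root from 198.51.100.7 port 35194 ssh2
Nov 10 16:58:59 myserver sshd[5372]: Received disconnect from 198.51.100.7: 11: Bye Bye
Nov 17 07:41:15 myserver sshd[3254]: Failed password for root from 203.0.113.30 port 55232 ssh2
Nov 21 15:58:25 myserver sshd[16851]: Did not receive identification string from 198.51.100.7
Nov 21 16:00:46 myserver sshd[23577]: Failed password for root from 198.51.100.7 port 55925 ssh2
""".splitlines()

if __name__ == "__main__":
    sequences, failed = analyze(SAMPLE_LOG)
    for src, hits in sorted(sequences.items()):
        for user, delay in hits:
            print(f"{src}: probe then failed password for {user} after {delay}s")
    for src, count in failed.most_common():
        print(f"{src}: {count} failed password(s)")
```

Sources that repeat the probe-then-guess sequence with similar delays are candidates for the same automated scanner, and the per-source failure counts give the list to feed into whatever blocking is in place.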
Re: confused on openssl....
Thanks Jeff. When I referenced the web, i got two very good (i think) docs, both of them seem to store ssl related stuff (keys, config, revocation database, index etc.) in non-standard locations. Now these users look very experienced to me (looking at their .cnf file), with ssl. So perhaps they would be able to handle any issue arising out of non-standard locations, but i am concerned (this is my first time with ssl-config/implementation). i am trying to follow:

1. http://marc.info/?l=tomcat-userm=106293430225790w=2
2. http://www.flatmtn.com/computer/Linux-SSLCertificates.html

Thanks again. -BG

--- Jeff Quast [EMAIL PROTECTED] wrote:

On Thu, Nov 22, 2007 at 06:58:11PM -0800, badeguruji wrote:

Hello all, I am sorry to ask this dumb question here. but after going thru several web-pages. i am not able to figure

start with manpages, man 8 ssl

where should i build my base directories to start creating certificates for CA and http/imap server?

ssl(8) says: The certificates reside in the /etc/ssl directory, with the keys in the /etc/ssl/private directory.

~~Kalyan-mastu~~
confused on openssl....
Hello all, I am sorry to ask this dumb question here. but after going thru several web-pages. i am not able to figure out that: where should i build my base directories to start creating certificates for CA and http/imap server? like for e.g should it be under /root/ssl/ private crl certs... or should be under /etc/ssl/ ??? how important it is in light of security and accessibility and convention - for applications to use it? I appreciate your advice. Thank you. BG ~~Kalyan-mastu~~
xinetd support
is it supported on openbsd? http://www.xinetd.org/ thank you. BG ~~Kalyan-mastu~~
FAM issue; how to fix
after i created another account on my machine:

    $ id
    uid=1002(..x..) gid=20(staff) groups=20(staff), 5(operator), 31(guest)
    $

and login using it, and started kde with startkde. I am not able to run konqueror the kde browser. I do not have firefox, if i install that, will it be ok? I am able to login and run the browser properly as root and another user.

I get following error in plenty in messages log:

    Nov 16 22:43:22 myopenbsdpc famd[1183]: Warning! Started by inetd, so -L (local_only) option is being ignored!
    Nov 16 22:43:23 myopenbsdpc famd[1183]: kqueue can't monitor more than 886 files
    Nov 16 22:43:37 myopenbsdpc famd[1183]: kqueue can't revoke applications.menu, dev = 0, ino = 7437
    Nov 16 22:43:37 myopenbsdpc famd[1183]: kqueue can't revoke applications-merged, dev = 0, ino = 7448
    Nov 16 22:43:37 myopenbsdpc famd[1183]: kqueue can't revoke kde-information.menu, dev = 0, ino = 7450
    Nov 16 22:43:37 myopenbsdpc famd[1183]: kqueue can't revoke kde-screensavers.menu, dev = 0, ino = 7452
    Nov 16 22:43:37 myopenbsdpc famd[1183]: kqueue can't revoke kde-settings.menu, dev = 0, ino = 7453
    Nov 16 22:43:37 myopenbsdpc famd[1183]: kqueue can't revoke /etc/xdg/menus, dev = 0, ino = 7436
    Nov 16 22:43:37 myopenbsdpc famd[1183]: kqueue can't revoke kde-essential.menu, dev = 0, ino = 7449
    Nov 16 22:43:37 myopenbsdpc famd[1183]: kqueue can't revoke kde-multimedia-music.menu, dev = 0, ino = 7457

Is there any security concern here? famd has some issues with the number of open files, that's the only thing i was able to understand from below: http://monkey.org/freebsd/archive/freebsd-ports/200503/msg00683.html

please advise. thank you. BG ~~Kalyan-mastu~~
Best ISP hosting services on OpenBSd?
Hello all, I am sure someone has done this research before. (so before i go and try to (re)invent the wheel) I want to request, the intelligent ones, to share their knowledge and research of the best internet isp (on OpenBSD only) available on the internet today. I am looking for 'dedicated server hosting' where i can put my own apps. Thanks in advance. -BG ~~Kalyan-mastu~~
Re: Best ISP hosting services on OpenBSd?
thanks, is there a comparison table somewhere? ~~Kalyan-mastu~~
- Original Message
From: C. Bensend [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Sunday, November 11, 2007 12:48:39 PM
Subject: Re: Best ISP hosting services on OpenBSd?
I am sure someone has done this research before. (so before i go and try to (re)invent the wheel) I want to request, the intelligent ones, to share their knowledge and research of the best internet isp (on OpenBSD only) available on the internet today. I am looking for 'dedicated server hosting' where i can put my own apps.
I'm a big fan of M5 Hosting (http://www.m5hosting.com/). Their prices are *very* reasonable for dedicated servers, and they will be happy to install OpenBSD. Their support is good, they have KVM-over-IP if you need it, and they use Paypal which is very convenient (for me, at least).
Benny
-- If it's true that our species is alone in the universe, then I'd have to say that the universe aimed rather low and settled for very little. -- George Carlin
parameter not supported anymore? kern.machdep getting error .... (kde/gnome...)
Hello, while trying to configure kde for openbsd, i referred to this document: http://www.openbsdsupport.org/obsd_desktop.html
Check if kern.machdep is set to 1 in your /etc/sysctl.conf file. If not, change it. You can use sysctl -w kern.machdep=1 to activate it without rebooting.
but when i add that to sysctl, i get following error at system startup time: (which i also get when i try command line)
# sysctl -w kern.machdep=1
sysctl: second level name machdep in kern.machdep is invalid
#
I tried to look into internet for definition of machdep but found nothing. what is it and what are its effects?
All things are not ok here (some related issues). kde does not start properly on system startup. i have to ssh into the system from another host and start kde with 'startkde' command. and then it runs fine.
1. i do not get logon screen when i power on the system.
2. after starting x or kde from cmdline (from a ssh session from another machine), i can only end the gui session and do not get option to shutdown the system.
3. from a ssh session, i can only start kde as root, it fails as another user
i am researching but could not solve the puzzle yet. any/all help is appreciated.
Here are my changes to main config files to get x/kde running. (x is running fine on this box otherwise)
0. /etc/sysctl.conf
no change as i installed X with initial install and it already has :
machdep.allowaperture=2
1. rc.conf.local
kdm_flags=
2. /etc/rc.local
if [ X${kdm_flags} != XNO ]; then
    /usr/local/bin/kdm ${kdm_flags} ; echo -n 'kdm '
fi
3. /etc/X11/xinit/xinitrc
#xclock -geometry 50x50-1+1
#xconsole -iconic
#xterm -geometry 80x24
#fvwm || xterm
/usr/local/bin/startkde
4. /etc/X11/xdm/Xsession
case $# in
1)
    case $1 in
    failsafe)
        /usr/X11R6/bin/xterm -geometry 80x24-0-0
        do_exit
        ;;
    kde | default)
        /usr/local/bin/startkde
        do_exit
        ;;
    gnome)
        /usr/local/bin/gnome-session
        do_exit
        ;;
    esac
esac
#/usr/X11R6/bin/xterm
#/usr/X11R6/bin/fvwm
/usr/local/bin/startkde
thank you. BG ~~Kalyan-mastu~~
plain simple vanilla X and 3 errors:
(EE) Unable to locate/open config file
(EE) Failed to load module dri (module does not exist, 0)
(EE) Failed to load module fbdev (module does not exist, 0)
i am worried about last 2. any advice is appreciated. thank you. BG ~~Kalyan-mastu~~
Re: why am i only able to run Gnome in safe mode? (getting error)
thank you. Actually after trying various things i did that, and it stopped complaining (i am a little concerned about changing file permissions until i am very sure), and i could logon using gnome-desktop. but there were not many utilities/toys in gnome i guess (i checked the list of 'gnome' pkgs available on openbsd.org and found i have installed all). so i have now uninstalled complete gnome and firefox packages. Also one thing to note is i installed firefox before gnome. it shares some lib with gnome. My future approach would be a little more cautious and i will install 1) base-GUI-environment and then 2) any other GUI-based app. even though it seems having no impact and fvwm is already there with base X installation! -BG ~~Kalyan-mastu~~
- Original Message
From: Genadijus Paleckis [EMAIL PROTECTED]
To: badeguruji [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Thursday, November 8, 2007 1:56:50 AM
Subject: Re: why am i only able to run Gnome in safe mode? (getting error)
take a look at http://www.mail-archive.com/misc@openbsd.org/msg50994.html
badeguruji wrote:
Hello, Please help OR guide to me to any resource which describes installing gnome in clean clear steps on a new openBSD installation. (I am ready to uninstall and reinstall gnome if needed) i tried to install gnome in below order: gnome-desktop-2.18.2p0: gnome-session-2.18.2p0 gdm-2.18.2 I am only able to run gnome in safe mode. This post has the exact issue i am facing (only error in the log file is little different, which is shown below) http://www.webservertalk.com/message1134770.html --as per the solution in the above post user changed permissions on his home dir. i am logging in as root. should i change my root permissions? currently they are:
drwx-- 14 root wheel 1024 Nov 7 07:01 root
The errors in the log file:
(==) Log file: /var/log/Xorg.0.log, Time: Wed Nov 7 05:46:56 2007
(EE) Unable to locate/open config file
New driver is i810
(==) Using default built-in configuration (55 lines)
(EE) Failed to load module dri (module does not exist, 0)
(EE) Failed to load module fbdev (module does not exist, 0)
FreeFontPath: FPE /usr/X11R6/lib/X11/fonts/misc/ refcount is 2, should be 1; fixing.
FreeFontPath: FPE /usr/X11R6/lib/X11/fonts/misc/ refcount is 2, should be 1; fixing.
#
I am also getting below error on message log:
Nov 7 00:12:46 ironhost gdm[12200]: gdm_slave_exec_script: Failed starting: /etc/X11/gdm/Init/Default
please advise. thank you. BG ~~Kalyan-mastu~~
can pkg_ util do this?
It is desired for each installed pkg/file to store info about time of install( HMSms ) original install folder. original install permissions. and original size/checksum. is it already there? is it tough to do? -BG ~~Kalyan-mastu~~
when was a pkg installed !!!
Hello, i ran pkg_info with all common options but none tell me when was the pkg installed!!! can someone help? thx in advance. BG ~~Kalyan-mastu~~
why am i only able to run Gnome in safe mode? (getting error)
Hello, Please help OR guide to me to any resource which describes installing gnome in clean clear steps on a new openBSD installation. (I am ready to uninstall and reinstall gnome if needed) i tried to install gnome in below order: gnome-desktop-2.18.2p0: gnome-session-2.18.2p0 gdm-2.18.2 I am only able to run gnome in safe mode. This post has the exact issue i am facing (only error in the log file is little different, which is shown below) http://www.webservertalk.com/message1134770.html --as per the solution in the above post user changed permissions on his home dir. i am logging in as root. should i change my root permissions? currently they are:
drwx-- 14 root wheel 1024 Nov 7 07:01 root
The errors in the log file:
(==) Log file: /var/log/Xorg.0.log, Time: Wed Nov 7 05:46:56 2007
(EE) Unable to locate/open config file
New driver is i810
(==) Using default built-in configuration (55 lines)
(EE) Failed to load module dri (module does not exist, 0)
(EE) Failed to load module fbdev (module does not exist, 0)
FreeFontPath: FPE /usr/X11R6/lib/X11/fonts/misc/ refcount is 2, should be 1; fixing.
FreeFontPath: FPE /usr/X11R6/lib/X11/fonts/misc/ refcount is 2, should be 1; fixing.
#
I am also getting below error on message log:
Nov 7 00:12:46 ironhost gdm[12200]: gdm_slave_exec_script: Failed starting: /etc/X11/gdm/Init/Default
please advise. thank you. BG ~~Kalyan-mastu~~
Re: when was a pkg installed !!!
that is true. especially if you notice that installing one pkg install all the other it depends on. there has to be some way in pkg_info to reflect this info that: how and when was 'any' pkg installed? otherwise i would be disappointed. -BG ~~Kalyan-mastu~~
- Original Message
From: Matthias Kilian [EMAIL PROTECTED]
To: misc@openbsd.org; badeguruji [EMAIL PROTECTED]
Sent: Wednesday, November 7, 2007 4:51:09 PM
Subject: Re: when was a pkg installed !!!
On Wed, Nov 07, 2007 at 05:16:53PM -0500, Josh Grosse wrote:
i ran pkg_info with all common options but none tell me when was the pkg installed!!!
$ ls -l /var/db/pkg/your package here
No. Those files and directories are also touched when depending packages are installed or updated.
-- MCSE - Microsoft Certified Spongiform Encephalitis -- Dominik Rudisch in dtj, 11.3.2001