Re: Rate limit the httpd web server for signup requests
On Tue, Jun 11, 2024 at 10:41:33PM +, Martin wrote: > But what useful methods exists that prevent spamming a HTML signup form > from stuffing the database with useless signups? > > Naturally the accounts that haven't been validated one way or another > gets deleted, but the initial signup is a problem as thousands upon > thousands of requests are stored before deletion. Out of curiosity, what exactly is the issue here? >From what you've told us it seems as if the genuine signups are being validated by some external means, (such as a confirmation email loop or sms which doesn't require manual intervention by you), and fake signups are stored for a temporary period before being deleted automatically. So the intended result is being achieved. Anything you add to detect fake signups from being submitted is almost guaranteed to have a negative effect on some or all of your genuine users. Why is it a problem to have 'thousands' of requests stored temporarily, if those are later deleted? Is this database using a lot of storage? Is parsing it using a lot of CPU? If that's the issue then presumably either your code is very inefficient or you're using underpowered hardware.
Re: Rate limit the httpd web server for signup requests
On Thu, Jun 13, 2024 at 04:30:27AM -0700, Paul Pace wrote: > On 6/12/24 10:32 PM, Chris Bennett wrote: > > It's not perfect, but I have a long list of regexes that I know are spam > > that I have my Perl code that processes the form block. Trying to block > > from a log is not very helpful. It can let through thousands of the same > > spam attempts before the log catches up to the attempts reaching the log, > > which is a pretty long time. > > I was just wondering if you've tried requiring email or SMS link to unique > signup URL? > If it's a form to make a payment, it just gets sent off to another site. If it's a general contact us form, I just try to keep the spam down to a bearable level. Every couple of months I add new regexes. Speaking of which, I really need to do that now. Form spam is now annoying again. I do use an email address for each form and nothing else. That way I can just pick a day to wade through the trash. -- Regards, Chris Bennett "Who controls the past controls the future. Who controls the present controls the past." George Orwell - 1984
Re: Rate limit the httpd web server for signup requests
On 6/12/24 10:32 PM, Chris Bennett wrote: It's not perfect, but I have a long list of regexes that I know are spam that I have my Perl code that processes the form block. Trying to block from a log is not very helpful. It can let through thousands of the same spam attempts before the log catches up to the attempts reaching the log, which is a pretty long time. I was just wondering if you've tried requiring email or SMS link to unique signup URL? Thank you, Paul
Re: Rate limit the httpd web server for signup requests
On Tue, Jun 11, 2024 at 10:41:33PM +, Martin wrote: > I already do some rate limiting with stateful tracking options for PF, > which works really great for the stuff I use it for. > > I also use block lists of known bad IP addresses etc. > > But what useful methods exists that prevent spamming a HTML signup form > from stuffing the database with useless signups? > > Naturally the accounts that haven't been validated one way or another > gets deleted, but the initial signup is a problem as thousands upon > thousands of requests are stored before deletion. > > I have tried blocking by IP, but this is difficult as the IP changes > faster than it can be blocked. > > The User Agent is spoofed with random garbage. > > Honey pot empty hidden fields gets detected and ignored. > > Randomly generated form IDs that gets submitted and validated using a > session cookie also doesn't work as the cookie is just stored and then > send along. > > A simple CAPTCHA reduces some of the irrelevant noise, but the more > sophisticated bots solves the CAPTCHA. > > Using Cloudflare's or Google's CAPTCHA is frowned upon by the real > users, which I fully understand. > > So I was wondering, if some other clever method can reduce the noise? > It's not perfect, but I have a long list of regexes that I know are spam that I have my Perl code that processes the form block. Trying to block from a log is not very helpful. It can let through thousands of the same spam attempts before the log catches up to the attempts reaching the log, which is a pretty long time. -- Regards, Chris Bennett "Who controls the past controls the future. Who controls the present controls the past." George Orwell - 1984
Re: Rate limit the httpd web server for signup requests
Jun 12, 2024 00:56:47 Martin : > A simple CAPTCHA reduces some of the irrelevant noise, but the more > sophisticated bots solves the CAPTCHA. > > Using Cloudflare's or Google's CAPTCHA is frowned upon by the real > users, which I fully understand. > > So I was wondering, if some other clever method can reduce the noise? Testing and knowing all the possible solutions to fight "3rd kind intelligence spammers" seems a little overwhelming to me, it appears to me like the story to search for a firewall that solve every security problem. Indeed just consider that a parameter of curl allow you to simulate any post submission. And the problem eventually could be exactly this, the why of the existance of these advanced clients tools. [ ... ] For now, I just implememted my own captcha asking to solve a simple math and that eventually can be enriched for future research.. Some simple php code, easy stuff, happy to share it. -Dan
Re: Rate limit the httpd web server for signup requests
No perfect solution exists, but the following may help. 1) Parse the logs of your web application and ban any IP that attempts to create multiple accounts. Not great because you may have multiple users sharing the same public IP. It only works ok if you automate it via cronjob scripts. 2) Require the user to provide an external means of identification (such as an email address or a phone number) whose existence must be verified before his account is activated. Not great because bots may use disposable addresses/numbers, it delays the activation for legitimate users, and it requires more effort to implement than 1). 3) Alternative capchas. If your site is not that big of a target, you can get away with some naive captcha (such as Captcheck) without annoying your users too much. The problem is (as you have already noticed) naive captchas are not that hard to break for persistent bots; meanwhile complex captchas are bad for users. Maybe try different capctha solutions until you find one that sticks. Martin wrote: But what useful methods exists that prevent spamming a HTML signup form from stuffing the database with useless signups?
Re: Rate limit the httpd web server for signup requests
On 2024-06-11 15:41, Martin wrote: I already do some rate limiting with stateful tracking options for PF, which works really great for the stuff I use it for. I also use block lists of known bad IP addresses etc. But what useful methods exists that prevent spamming a HTML signup form from stuffing the database with useless signups? Naturally the accounts that haven't been validated one way or another gets deleted, but the initial signup is a problem as thousands upon thousands of requests are stored before deletion. I have tried blocking by IP, but this is difficult as the IP changes faster than it can be blocked. The User Agent is spoofed with random garbage. Honey pot empty hidden fields gets detected and ignored. Randomly generated form IDs that gets submitted and validated using a session cookie also doesn't work as the cookie is just stored and then send along. A simple CAPTCHA reduces some of the irrelevant noise, but the more sophisticated bots solves the CAPTCHA. Using Cloudflare's or Google's CAPTCHA is frowned upon by the real users, which I fully understand. So I was wondering, if some other clever method can reduce the noise? I haven't tried it and I'm not sure how useful it is in your case, but mCaptcha uses proof of work. https://mcaptcha.org/ Paul
Rate limit the httpd web server for signup requests
I already do some rate limiting with stateful tracking options for PF, which works really great for the stuff I use it for. I also use block lists of known bad IP addresses etc. But what useful methods exists that prevent spamming a HTML signup form from stuffing the database with useless signups? Naturally the accounts that haven't been validated one way or another gets deleted, but the initial signup is a problem as thousands upon thousands of requests are stored before deletion. I have tried blocking by IP, but this is difficult as the IP changes faster than it can be blocked. The User Agent is spoofed with random garbage. Honey pot empty hidden fields gets detected and ignored. Randomly generated form IDs that gets submitted and validated using a session cookie also doesn't work as the cookie is just stored and then send along. A simple CAPTCHA reduces some of the irrelevant noise, but the more sophisticated bots solves the CAPTCHA. Using Cloudflare's or Google's CAPTCHA is frowned upon by the real users, which I fully understand. So I was wondering, if some other clever method can reduce the noise?
Re: disk encryption for remote server
I keep a /crypt noauto partition that I mount manually by passphrase via ssh after the server is booted. And don't keep 'sensitive' info in other partitions... On Mon, May 27, 2024 at 11:57 AM <04-psyche.tot...@icloud.com> wrote: > Thanks all for your thoughts. > > Regarding the remote serial console access, unfortunately, it is not > possible in my case. > I do not have IPMI or something similar :( > > On Mon, 27 May 2024 at 08:17, Manuel Giraud < > manuel_at_ledu-giraud_fr_rmp93abv53d47h_m6783...@icloud.com> wrote: > >> Stefan Kreutz writes: >> >> > Can you access the machine's serial console, maybe redirected over IP? >> >> I concur that a remote serial console access (maybe via a web interface >> serviced by your provider) is your best option here. >> >> I used to do (almost) FDE without console access but here is list of >> drawbacks/requirements: >> >> - It is not really FDE because / was not encrypted >> >> - It required patching /etc/rc with the patch at the end of this >> message >> >> - The "/root/sshd" from this patch is a self-contained sshd >> without the need of any external library. It is *not* a copy >> of /usr/sbin/sshd and you have to compile it yourself (and I >> don't remenber how) >> >> >> Best regards, >> -- >> Manuel Giraud >> >
Re: disk encryption for remote server
Thanks all for your thoughts. Regarding the remote serial console access, unfortunately, it is not possible in my case. I do not have IPMI or something similar :( On Mon, 27 May 2024 at 08:17, Manuel Giraud < manuel_at_ledu-giraud_fr_rmp93abv53d47h_m6783...@icloud.com> wrote: > Stefan Kreutz writes: > > > Can you access the machine's serial console, maybe redirected over IP? > > I concur that a remote serial console access (maybe via a web interface > serviced by your provider) is your best option here. > > I used to do (almost) FDE without console access but here is list of > drawbacks/requirements: > > - It is not really FDE because / was not encrypted > > - It required patching /etc/rc with the patch at the end of this > message > > - The "/root/sshd" from this patch is a self-contained sshd > without the need of any external library. It is *not* a copy > of /usr/sbin/sshd and you have to compile it yourself (and I > don't remenber how) > > > Best regards, > -- > Manuel Giraud >
Re: disk encryption for remote server
Stefan Kreutz writes: > Can you access the machine's serial console, maybe redirected over IP? I concur that a remote serial console access (maybe via a web interface serviced by your provider) is your best option here. I used to do (almost) FDE without console access but here is list of drawbacks/requirements: - It is not really FDE because / was not encrypted - It required patching /etc/rc with the patch at the end of this message - The "/root/sshd" from this patch is a self-contained sshd without the need of any external library. It is *not* a copy of /usr/sbin/sshd and you have to compile it yourself (and I don't remenber how) --- rc.orig Wed Jul 27 15:23:24 2011 +++ /etc/rc Thu Jul 28 15:28:28 2011 @@ -294,8 +294,18 @@ exit 1 ;; 8) - echo "Automatic file system check failed; help!" - exit 1 + echo "Automatic file system check failed; help (from outterspace)!" + ifconfig em0 a.b.c.d netmask 255.255.255.0 + route -qn add default a.b.c.1 + mount -uw / + /root/sshd -De \ + -o PasswordAuthentication=no \ + -o ChallengeResponseAuthentication=no \ + -o UsePrivilegeSeparation=no \ + -o UseDNS=no + mount -ur / + route -qn flush + ifconfig em0 down delete ;; 12) echo "Boot interrupted." Best regards, -- Manuel Giraud
Re: disk encryption for remote server
On Sun, May 26, 2024 at 08:33:59PM +0100, 04-psyche.tot...@icloud.com wrote: Hi everyone, Is there any way to use disk encryption without having physical access to the device? You could use a USB keydisk (make sure you, and your assistant on the remote server, have copious backup(s) of this!) as an encryption device, as per this document: https://www.openbsd.org/faq/faq14.html#softraidFDE Cheers Ampie A few potential ideas: - is there a way to enter the encryption passphrase via ssh? - is there a way to create a non encrypted partition on the same hard drive, where the keydisk would be stored, and automatically used? (For various reasons, an external usb key is not feasible). And yes, I realize this would weaken the security significantly, but I'd still like to know if it's feasible? My guess is that it's not possible, but I wanted to ask to make sure. Cheers, Jake
Re: disk encryption for remote server
On Sun, May 26, 2024 at 08:33:59PM +0100, 04-psyche.tot...@icloud.com wrote: > Is there any way to use disk encryption without having physical access to > the device? Yes, it is possible. But I think you are talking about full disk encryption and want to enter a passphrase at the bootloader prompt. > - is there a way to enter the encryption passphrase via ssh? To enter a passphrase at the boot prompt you need to set up remote access to the console of that device. Depending on the setup you have, this might be easy, difficult or impossible. If that is not an option, one possibility is to do a regular non-encrypted installation and create a softraid crypto volume just for storing specific data. This can then be mounted from a regular ssh session after the kernel has booted. It's also possible to hard-code a passphrase in the bootloader code. We have used this technique for years for local development machines that need to be running the softraid code but are otherwise not storing data that needs to be protected by a passphrase. These two ideas can also be used together.
Re: disk encryption for remote server
Can you access the machine's serial console, maybe redirected over IP? On Sun, May 26, 2024 at 08:33:59PM GMT, 04-psyche.tot...@icloud.com wrote: > Hi everyone, > > Is there any way to use disk encryption without having physical access to the > device? > > A few potential ideas: > - is there a way to enter the encryption passphrase via ssh? > - is there a way to create a non encrypted partition on the same hard drive, > where the keydisk would be stored, and automatically used? (For various > reasons, an external usb key is not feasible). And yes, I realize this would > weaken the security significantly, but I'd still like to know if it's > feasible? > > My guess is that it's not possible, but I wanted to ask to make sure. > > Cheers, > Jake
disk encryption for remote server
Hi everyone, Is there any way to use disk encryption without having physical access to the device? A few potential ideas: - is there a way to enter the encryption passphrase via ssh? - is there a way to create a non encrypted partition on the same hard drive, where the keydisk would be stored, and automatically used? (For various reasons, an external usb key is not feasible). And yes, I realize this would weaken the security significantly, but I'd still like to know if it's feasible? My guess is that it's not possible, but I wanted to ask to make sure. Cheers, Jake
Re: Hardware recommendation for small form factor, noiseless, server
Thanks a lot to you all for these recommendations.
Re: Hardware recommendation for small form factor, noiseless, server
Дана 24/05/08 02:37PM, Karsten Pedersen написа:
> [...] The C program can be as simple as compiling "Hello World" to exhibit the
> issue. Takes about 15 seconds to compile "Hello World". [...]
On a Lenovo IdeaPad 3-15IGL05 81WQ[1] laptop:
$ time sh -c "printf '#include \\nint main() { puts(\"Hello,\
world!\"); }\\n' | cc -o hello -xc -"
0m01.24s real 0m00.16s user 0m00.42s system
15 seconds? What is happening in the background? Ports compilation while
encoding video?
[1]: https://psref.lenovo.com/Product/IdeaPad/IdeaPad_3_15IGL05
Re: Hardware recommendation for small form factor, noiseless, server
> What exactly is "good" with OpenBSD? I summarize the issues in my last email > So again, what is "slow"? The machine running OpenBSD. Compared to similar ThinkCenters I have (m73 Tiny and m92 Tiny). Also a Raspberry Pi 3 (running OpenBSD at lowest freq). It seems not to be the SSD disk because the "slowness" is present when writing to MFS mounts. > 14 Watts for compilation or just idling? Just at idle. Granted OpenBSD tends to run quite hot compared to alternatives it still seems to draw more than the m73 and m93p. > What issues? I mention them in the last email > Might be, but you didn't checked by tests. Yes, of course you have to > use the same "C program" as before. I tested against different operating systems and different hardware. As mentioned there is definitely something up with this combo but I haven't had time to explore further. Hence my general note to avoid this machine if people can for now (if they want something guaranteed working). The C program can be as simple as compiling "Hello World" to exhibit the issue. Takes about 15 seconds to compile "Hello World". It doesn't need to be a "test" to suspect things aren't quite right here. > I suspect something different, I guess it is from the black / red > combination of the case colors. This is a broken combination and a > dangerous one in art and design. The m73 and m92 have similar case colors. So it is definitely not that ;)
Re: Hardware recommendation for small form factor, noiseless, server
2024-05-07T09:54:23Z "Karsten Pedersen" : > > Second-hand Lenovo M710q tiny with a wifi-card could also work: > > https://dmesgd.nycbug.org/index.cgi?do=view=5296 > > A quick note that the slightly older M625q (with an AMD processor) isn't > quite so good with OpenBSD. > It runs overly slow and I have yet had time to figure out why. Interestingly, > even on apm -H it takes > longer to compile a C program than a Raspberry Pi 3. It also takes 14 Watts > so the power management > isn't quite there yet. These issues aren't present with Linux or FreeBSD. > > It was ~£30 and completely fanless, so will almost be the perfect hardware > for a home server once > these issues can be resolved. > > In short, the M710q with Intel processor might be the better choice. I > suspect it is to do with the > pstate stuff that the issues are arrising from. > > Karsten I have an M700 10J0 and it works great. I don't use a wifi card so I can't say anything about that. I believe hibernation doesn't work very well (it gets stuck with unpacking or something like that when booting), but other than that I haven't had any issues with it. It's a solid machine I can recommend.
Re: Hardware recommendation for small form factor, noiseless, server
> A quick note that the slightly older M625q (with an AMD processor) isn't > quite so good with OpenBSD. What exactly is "good" with OpenBSD? > It runs overly slow and I have yet had time to figure out why. So again, what is "slow"? > Interestingly, even on apm -H it takes longer to compile a C program than a > Raspberry Pi 3. It also takes 14 Watts so the power management isn't quite there yet. These issues aren't present with Linux or FreeBSD. "A C program"? Well, that is interesting. 14 Watts for compilation or just idling? > It was ~ Ł30 and completely fanless, so will almost be the perfect hardware > for a home server once these issues can be resolved. What issues? > In short, the M710q with Intel processor might be the better choice. Might be, but you didn't checked by tests. Yes, of course you have to use the same "C program" as before. > I suspect it is to do with the pstate stuff that the > issues are arrising from. I suspect something different, I guess it is from the black / red combination of the case colors. This is a broken combination and a dangerous one in art and design. > Karsten You are welcome.
Re: Hardware recommendation for small form factor, noiseless, server
> Second-hand Lenovo M710q tiny with a wifi-card could also work: > https://dmesgd.nycbug.org/index.cgi?do=view=5296 A quick note that the slightly older M625q (with an AMD processor) isn't quite so good with OpenBSD. It runs overly slow and I have yet had time to figure out why. Interestingly, even on apm -H it takes longer to compile a C program than a Raspberry Pi 3. It also takes 14 Watts so the power management isn't quite there yet. These issues aren't present with Linux or FreeBSD. It was ~£30 and completely fanless, so will almost be the perfect hardware for a home server once these issues can be resolved. In short, the M710q with Intel processor might be the better choice. I suspect it is to do with the pstate stuff that the issues are arrising from. Karsten
Re: Hardware recommendation for small form factor, noiseless, server
Second-hand Lenovo M710q tiny with a wifi-card could also work: https://dmesgd.nycbug.org/index.cgi?do=view=5296 Jan Stary írta 2024. máj.. 7, K-n 08:47 órakor: > On May 06 21:03:17, mytraddr...@gmail.com wrote: >> Hi all, >> >> can anyone please advise on what computer I can purchase with the following >> requirements: >> >> - fully supports OpenBSD >> - no noise >> - good quality wifi >> - small form factor preferably >> - processor does not need to be fast (no highly intensive compute load) >> - low RAM need >> - needs 1 TB of hard drive at least >> - will be used only remotely, for basic and low-intensity server-type >> applications (no desktop use) >> - under $500 > > PC Engiunes APU2, with a wifi card plugged in, > and most of the $500 buying the 1 TB storage. > > > > OpenBSD 7.5-current (GENERIC.MP) #34: Sat Apr 27 21:19:57 MDT 2024 > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP > real mem = 2112446464 (2014MB) > avail mem = 2027487232 (1933MB) > random: good seed from bootblocks > mpath0 at root > scsibus0 at mpath0: 256 targets > mainbus0 at root > bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7ee97040 (13 entries) > bios0: vendor coreboot version "v4.19.0.1" date 01/31/2023 > bios0: PC Engines apu2 > acpi0 at bios0: ACPI 6.0 > acpi0: sleep states S0 S1 S4 S5 > acpi0: tables DSDT FACP SSDT MCFG TPM2 APIC HEST IVRS SSDT SSDT DRTM > HPET > acpi0: wakeup devices PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) > UOH1(S3) UOH2(S3) UOH3(S3) UOH4(S3) UOH5(S3) UOH6(S3) XHC0(S4) > acpitimer0 at acpi0: 3579545 Hz, 32 bits > acpimcfg0 at acpi0 > acpimcfg0: addr 0xf800, bus 0-63 > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > cpu0 at mainbus0: apid 0 (boot processor) > cpu0: AMD GX-412TC SOC, 998.17 MHz, 16-30-01, patch 07030105 > cpu0: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,XSAVEOPT > cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB > 64b/line 16-way L2 cache > cpu0: smt 0, core 0, package 0 > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges > cpu0: apic clock running at 99MHz > cpu0: mwait min=64, max=64, IBE > cpu1 at mainbus0: apid 1 (application processor) > cpu1: AMD GX-412TC SOC, 998.44 MHz, 16-30-01, patch 07030105 > cpu1: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,XSAVEOPT > cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB > 64b/line 16-way L2 cache > cpu1: smt 0, core 1, package 0 > cpu2 at mainbus0: apid 2 (application processor) > cpu2: AMD GX-412TC SOC, 998.37 MHz, 16-30-01, patch 07030105 > cpu2: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,XSAVEOPT > cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB > 64b/line 16-way L2 cache > cpu2: smt 0, core 2, package 0 > cpu3 at mainbus0: apid 3 (application processor) > cpu3: AMD GX-412TC SOC, 998.31 MHz, 16-30-01, patch 07030105 > cpu3: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,XSAVEOPT > cpu3: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB > 64b/line 16-way L2 cache > cpu3: smt 0, core 3, package 0 > ioapic0 at mainbus0: apid 4 pa 0xfec0, version 21, 24 pins > ioapic1 at mainbus0: apid 5 pa 0xfec2, version 21, 32 pins > acpihpet0 at acpi0: 14318180 Hz > acpiprt0 at acpi0: bus 0 (PCI0) > acpiprt1 at acpi0: bus -1 (PBR4) > acpiprt2 at acpi0: bus 1 (PBR5) > acpiprt3 at acpi0: bus -1 (PBR6) > acpiprt4 at acpi0: bus 2 (PBR7) > acpiprt5 at acpi0: bus -1 (PBR8) > acpicpu0 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS > acpicpu1 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS > acpicpu2 at acpi0
Re: Hardware recommendation for small form factor, noiseless, server
On May 06 21:03:17, mytraddr...@gmail.com wrote: > Hi all, > > can anyone please advise on what computer I can purchase with the following > requirements: > > - fully supports OpenBSD > - no noise > - good quality wifi > - small form factor preferably > - processor does not need to be fast (no highly intensive compute load) > - low RAM need > - needs 1 TB of hard drive at least > - will be used only remotely, for basic and low-intensity server-type > applications (no desktop use) > - under $500 PC Engiunes APU2, with a wifi card plugged in, and most of the $500 buying the 1 TB storage. OpenBSD 7.5-current (GENERIC.MP) #34: Sat Apr 27 21:19:57 MDT 2024 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 2112446464 (2014MB) avail mem = 2027487232 (1933MB) random: good seed from bootblocks mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7ee97040 (13 entries) bios0: vendor coreboot version "v4.19.0.1" date 01/31/2023 bios0: PC Engines apu2 acpi0 at bios0: ACPI 6.0 acpi0: sleep states S0 S1 S4 S5 acpi0: tables DSDT FACP SSDT MCFG TPM2 APIC HEST IVRS SSDT SSDT DRTM HPET acpi0: wakeup devices PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) UOH1(S3) UOH2(S3) UOH3(S3) UOH4(S3) UOH5(S3) UOH6(S3) XHC0(S4) acpitimer0 at acpi0: 3579545 Hz, 32 bits acpimcfg0 at acpi0 acpimcfg0: addr 0xf800, bus 0-63 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD GX-412TC SOC, 998.17 MHz, 16-30-01, patch 07030105 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,XSAVEOPT cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB 64b/line 16-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD GX-412TC SOC, 998.44 MHz, 16-30-01, patch 07030105 cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,XSAVEOPT cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB 64b/line 16-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 2 (application processor) cpu2: AMD GX-412TC SOC, 998.37 MHz, 16-30-01, patch 07030105 cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,XSAVEOPT cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB 64b/line 16-way L2 cache cpu2: smt 0, core 2, package 0 cpu3 at mainbus0: apid 3 (application processor) cpu3: AMD GX-412TC SOC, 998.31 MHz, 16-30-01, patch 07030105 cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,XSAVEOPT cpu3: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 2MB 64b/line 16-way L2 cache cpu3: smt 0, core 3, package 0 ioapic0 at mainbus0: apid 4 pa 0xfec0, version 21, 24 pins ioapic1 at mainbus0: apid 5 pa 0xfec2, version 21, 32 pins acpihpet0 at acpi0: 14318180 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (PBR4) acpiprt2 at acpi0: bus 1 (PBR5) acpiprt3 at acpi0: bus -1 (PBR6) acpiprt4 at acpi0: bus 2 (PBR7) acpiprt5 at acpi0: bus -1 (PBR8) acpicpu0 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS acpicpu1 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS acpicpu2 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS acpicpu3 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS acpicpu4 at acpi0: no cpu matching ACPI ID 4 acpicpu5 at acpi0: no cpu matching ACPI ID 5 acpicpu6 at acpi0: no cpu matching ACPI ID 6 acpicpu7 at acpi0: no cpu matching ACPI ID 7 acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001 acpicmos0 at acpi0 com0 at acpi0 COM1 addr 0x3f8/0x8 irq 4: ns16550a, 16 byte fifo com0: console com1 at acpi0 COM2 addr 0x2f8/0x8 irq 3: ns16550a, 16 byte fifo amdgpio0 at acpi0 GPIO uid 0 addr 0xfed81500/0x300 irq 7, 184 pi
Re: Hardware recommendation for small form factor, noiseless, server
On Mon, May 06, 2024 at 09:03:17PM +0100, James Johnson wrote: > Hi all, > > can anyone please advise on what computer I can purchase with the following \ > requirements: > - fully supports OpenBSD > - no noise > - good quality wifi > - small form factor preferably > - processor does not need to be fast (no highly intensive compute load) > - low RAM need > - needs 1 TB of hard drive at least > - will be used only remotely, for basic and low-intensity server-type > applications \ > (no desktop use) > - under $500 > > Thanks! > James The recommendation on the OpenBSD Router Guide site works really well: https://openbsdrouterguide.net/#the-hardware There are several different models.
Re: Hardware recommendation for small form factor, noiseless, server
On Mon, May 06, 2024 at 09:03:17PM +0100, James Johnson wrote: > Hi all, > > can anyone please advise on what computer I can purchase with the following > requirements: > > - fully supports OpenBSD > - no noise > - good quality wifi > - small form factor preferably > - processor does not need to be fast (no highly intensive compute load) > - low RAM need > - needs 1 TB of hard drive at least > - will be used only remotely, for basic and low-intensity server-type > applications (no desktop use) > - under $500 > > Thanks! > James You can get a Fujistu Futro S920 with a quad-core AMD GX-424GC @2.4GHz, up to 8Gb RAM, for around €75. Models with a GX-222GC (dual-core @2.1GHz) or a GX-415GA (quad-core @1.5Ghz) go for even less. Stick a wifi card and a 2.5" disk in it, and bob's your uncle. I have one as (very) low traffic web + mail server, and another as a development machine running a VM with Alpine Linux hosting docker containers (which works better than I anticipated, honestly). dmesg for a model with a GX-222CG dual-core @2.2GHz (no wifi, though): OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 8213266432 (7832MB) avail mem = 7943299072 (7575MB) random: good seed from bootblocks mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xacfdc018 (55 entries) bios0: vendor FUJITSU // American Megatrends Inc. version "V4.6.5.4 R1.16.0 for D3313-G1x" date 08/13/2018 bios0: FUJITSU FUTRO S920 acpi0 at bios0: ACPI 5.0 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC FPDT FIDT TCPA MCFG HPET SSDT SSDT SSDT SSDT SSDT acpi0: wakeup devices LAN1(S4) LAN2(S4) LAN3(S4) SBAZ(S4) EHC1(S4) EHC2(S4) EHC3(S4) XHC0(S4) GFX_(S3) acpitimer0 at acpi0: 3579545 Hz, 32 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD GX-222GC SOC with Radeon(TM) R5E Graphics, 2196.02 MHz, 16-30-01, patch 07030106 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POP CNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL 3,HWPSTATE,ITSC,BMI1,IBPB,XSAVEOPT cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 1MB 64b/line 16-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD GX-222GC SOC with Radeon(TM) R5E Graphics, 2196.05 MHz, 16-30-01, patch 07030106 cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POP CNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL 3,HWPSTATE,ITSC,BMI1,IBPB,XSAVEOPT cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 1MB 64b/line 16-way L2 cache cpu1: smt 0, core 1, package 0 ioapic0 at mainbus0: apid 3 pa 0xfec0, version 21, 24 pins ioapic1 at mainbus0: apid 4 pa 0xfec01000, version 21, 32 pins acpimcfg0 at acpi0 acpimcfg0: addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318180 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (GPP0) acpiprt2 at acpi0: bus -1 (GPP1) acpiprt3 at acpi0: bus -1 (GPP2) acpiprt4 at acpi0: bus -1 (GPP3) acpiprt5 at acpi0: bus -1 (GFX_) acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001 com0 at acpi0 UAR0 addr 0x3f8/0x8 irq 4: ns16550a, 16 byte fifo com0: console acpicmos0 at acpi0 com1 at acpi0 UAR1 addr 0x2f8/0x8 irq 3: ns16550a, 16 byte fifo "FUJ02E3" at acpi0 not configured acpibtn0 at acpi0: PWRB tpm0 at acpi0 TPM_ 1.2 (TIS) addr 0xfed4/0x5000, device 0x001a15d1 rev 0x10 acpicpu0 at acpi0: C2(0@400 io@0x414), C1(@1 halt!), PSS acpicpu1 at acpi0: C2(0@400 io@0x414), C1(@1 halt!), PSS acpivideo0 at acpi0: VGA_ acpivout0 at acpivideo0: LCD_ acpivideo1 at acpi0: VGA_ cpu0: 2196 MHz: speeds: 2200 2000 1800 1600 1400 1200 1000 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "AMD 16h Root Complex" rev 0x00 radeondrm0 at pci0 dev 1 function 0 "ATI Mullins" rev 0x06 drm0 at radeondrm0 radeondrm0: msi azalia0 at pci0 dev 1 function 1 "ATI Radeon HD Audio" rev 0x00: msi azalia0: no supported codecs pchb1 at pci0 dev 2 function 0 "AMD 16h Host" rev 0x00 ppb0 at pci0 dev 2 function 2 "AMD 16h PCIE" rev 0x00: msi pci1 at ppb0 bus 1 re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G (0x4c00), msi, address 4c:52:62:11:13:ef rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0 ccp0 a
Re: Hardware recommendation for small form factor, noiseless, server
I recently switched my RockPro64 over to OpenBSD and so far everything works nicely with it. I had trouble getting it to boot at first, but it was my fault for not fully reading the installation instructions[1], and assuming that I could simply `dd` the provided miniroot75.img to an SD card and boot. In fact you also have to write bootloader firmware to certain constant addresses on the SD card, depending on which board you use. I also would have been lost without a UART USB adapter. [1] https://ftp.openbsd.org/pub/OpenBSD/7.5/arm64/INSTALL.arm64
Re: Hardware recommendation for small form factor, noiseless, server
For various values of 'fully supports', I have multiple odroid HC4 units, and they all run very well. I've booted them with OpenBSD to play with it, but inevitably switched back to Linux. No built-in WiFi, but it has a single USB socket that you could plug in a WiFi/Bluetooth dongle. -JD. > On May 6, 2024, at 4:03 PM, James Johnson wrote: > > Hi all, > > can anyone please advise on what computer I can purchase with the following > requirements: > > - fully supports OpenBSD > - no noise > - good quality wifi > - small form factor preferably > - processor does not need to be fast (no highly intensive compute load) > - low RAM need > - needs 1 TB of hard drive at least > - will be used only remotely, for basic and low-intensity server-type > applications (no desktop use) > - under $500 > > Thanks! > James
Hardware recommendation for small form factor, noiseless, server
Hi all, can anyone please advise on what computer I can purchase with the following requirements: - fully supports OpenBSD - no noise - good quality wifi - small form factor preferably - processor does not need to be fast (no highly intensive compute load) - low RAM need - needs 1 TB of hard drive at least - will be used only remotely, for basic and low-intensity server-type applications (no desktop use) - under $500 Thanks! James
Re: Restic rest server broken with relayd.
Hi Stuart.
Stuart Henderson wrote:
> On 2024-04-10, a...@abiscuola.com wrote:
> > Is there a way to restore the previous behaviour in relayd(8)
>
> Only by reverting the commit etc.
>
> > or, is there a known workaround for restic, in this case?
>
> That's probably a question for restic really (or possibly the
> requirement is coming from a 3rd party REST library).
>
> > I know that relayd(8) is right
>
> It seems a little strict to me.
Yes and no.
I mean, while I agree that it looks a bit too strict, the restic
developers are wrong assuming that *any* proxy, put between a
restic HTTP server (that might not even be the packaged
restic-rest-server) and the client would return the headers as
they expect and they are also wrong assuming that the content-length
will be the same between a HEAD call and a GET call.
They even told me that there is no reason why a proxy would mangle
the response headers. Probably they never had to deal with a setup
in a classic corporate network.
That said, IMHO relayd(8) should have shipped with an option, in the
configuration file, to restore the previous behaviour, while
keeping the new one the default.
>
> To my eye, the older version of the HTTP spec requires it ("The
> Content-Length entity-header field indicates the size of the
> entity-body, in decimal number of OCTETs, sent to the recipient or, in
> the case of the HEAD method, the size of the entity-body that would have
> been sent had the request been a GET").
>
> That's been replaced now but it's still permitted: "The server SHOULD
> send the same header fields in response to a HEAD request as it would
> have sent if the request had been a GET, except that the payload header
> fields (Section 3.3) MAY be omitted."
It's permitted, but not mandatory. This is, of course, on the client
program to fix properly.
Anyway. I worked around the problem by putting the restic server behind
a simple TCP relay in relayd(8). Of course, I also needed to change the
public port, but that's a minor nuisance.
Being able to keep the 443 would have been better.
--
absc
Re: Restic rest server broken with relayd.
On 2024-04-10, a...@abiscuola.com wrote:
> Is there a way to restore the previous behaviour in relayd(8)
Only by reverting the commit etc.
> or, is there a known workaround for restic, in this case?
That's probably a question for restic really (or possibly the
requirement is coming from a 3rd party REST library).
> I know that relayd(8) is right
It seems a little strict to me.
To my eye, the older version of the HTTP spec requires it ("The
Content-Length entity-header field indicates the size of the
entity-body, in decimal number of OCTETs, sent to the recipient or, in
the case of the HEAD method, the size of the entity-body that would have
been sent had the request been a GET").
That's been replaced now but it's still permitted: "The server SHOULD
send the same header fields in response to a HEAD request as it would
have sent if the request had been a GET, except that the payload header
fields (Section 3.3) MAY be omitted."
--
Please keep replies on the mailing list.
Restic rest server broken with relayd.
Hi all. I've updated my server to OpenBSD 7.5, where relayd(8) works as a reverse proxy for a bunch of services, including the restic-rest-server from ports. However, with the change in version 1.87 of the usr.sbin/relayd/relay_http.c file, relayd(8) stopped forwarding the content-length header in response to HEAD requests. The restic client, before doing anything, does a HEAD request to understand the size of the repository config file but, of course, restic gives up because of the absence of the content-length header in the respone. Is there a way to restore the previous behaviour in relayd(8) or, is there a known workaround for restic, in this case? I know that relayd(8) is right and, luckily, the important files are backed-up locally using just http, so it's not an emergency. Thanks in advance. -- absc
Re: sftp server empty password login
On Tue, 26 Mar 2024 10:28:11 +0100 Sylvain Saboua wrote: > Match User media > ForceCommand internal-sftp -d /home/media > ChrootDirectory /home/media > PasswordAuthentication yes > AuthenticationMethods none > PermitEmptyPasswords yes you probably also want DisableForwarding there. otherwise everyone can use your machine as a proxy. this happened to me with a similar setup to allow anonymous git cloning. some spammer figured it out and used my server as a relay. don't be me ... ;)
Re: sftp server empty password login
On Tue, 26 Mar 2024 at 23:49, Sylvain Saboua wrote: [...] > /bin/true is not in the /etc/shells file on my system. > Did you suggest I should add it ? I did suggest that as a possible resolution to your problem. Since your problem is now resolved, I wouldn't change it. -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: sftp server empty password login
Problem solved, thank you !
Just removing the password asterisk using vipw was enough :
$ grep media /etc/passwd
media::2000:2000::/home/media:/sbin/nologin
and I am now able to log in, from the local network
(still need to open my ISP's box port and confirm that it
works remotely)
Le 2024-03-26 13:26, Darren Tucker a écrit :
You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p
", then connect with "sftp -oport="), but...
On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua
wrote:
[...]
# useradd -g media -s /sbin/nologin -u 2000 -v media
Unless /sbin/nologin is in /etc/shells (which it probably shouldn't
be), that will probably prevent the login. I'd suggest /bin/true for
both the user and in /etc/shells.
/bin/true is not in the /etc/shells file on my system.
Did you suggest I should add it ?
`# passwd media') does not work either. What am I doing wrong ?
What do you mean by "does not work"? When I've done something similar
in the past I've edited the passwd file with vipw and removed the
hashed password value leaving nothing in the password field, ie
someuser::1001:1001: [etc ...]
I meant that I could still not login sftp://media@lap after setting
a password using the passwd command.
--
Sylvain Saboua
www.saboua.xyz
Re: sftp server empty password login
Sylvain Saboua writes: [...] > $ more /etc/ssh/sshd_config # relevant extracts and changes : > ... > PermitRootLogin no > ... > # override default of no subsystems > #Subsystem sftp/usr/libexec/sftp-server -d /home/media > Subsystem sftp internal-sftp # -d /home/media > > Match User media > ForceCommand internal-sftp -d /home/media > ChrootDirectory /home/media > PasswordAuthentication yes > AuthenticationMethods none > PermitEmptyPasswords yes Hi, I have a setup that looks like this (except I'm using pubkey authentication). The only other difference I see is that I have not specified the "-d" option for the internal-sftp command. It is not clear to me (by manpages) if it should be the same as ChrootDirectory or a path *under* ChrootDirectory. Maybe you could try to remove this "-d" option. -- Manuel Giraud
Re: sftp server empty password login
You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p
", then connect with "sftp -oport="), but...
On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua wrote:
[...]
> # useradd -g media -s /sbin/nologin -u 2000 -v media
Unless /sbin/nologin is in /etc/shells (which it probably shouldn't
be), that will probably prevent the login. I'd suggest /bin/true for
both the user and in /etc/shells.
> `# passwd media') does not work either. What am I doing wrong ?
What do you mean by "does not work"? When I've done something similar
in the past I've edited the passwd file with vipw and removed the
hashed password value leaving nothing in the password field, ie
someuser::1001:1001: [etc ...]
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
sftp server empty password login
I have been using the secure shell for remote maintenance on my local machine for some time. I wish to go one step further and implement a secure file transfer server, where user(s) could download files from a read-only /home/media directory as well as upload their own files to /home/media/pub Ideally this would be done via passwordless/empty password login. I have done some research (manpages) and configuration but still fail to connect from another machine on the same local network. obsd configuration : # useradd -g media -s /sbin/nologin -u 2000 -v media # usermod -G media sylvain $ more /etc/ssh/sshd_config # relevant extracts and changes : ... PermitRootLogin no ... # override default of no subsystems #Subsystem sftp/usr/libexec/sftp-server -d /home/media Subsystem sftp internal-sftp # -d /home/media Match User media ForceCommand internal-sftp -d /home/media ChrootDirectory /home/media PasswordAuthentication yes AuthenticationMethods none PermitEmptyPasswords yes $ ll -d /home/media /home/media/pub drwxr-xr-x 16 root wheel 512 Mar 25 17:42 /home/media/ drwxr-xr-x 3 media media 512 Mar 25 17:42 /home/media/pub/ failed connexion attempt from second local machine (just pressing Enter at password prompt): Last login: Tue Mar 26 09:46:37 on ttys001 sylvain@sylvainmac ~ % sftp media@10.0.0.11 media@10.0.0.11's password: Permission denied, please try again. media@10.0.0.11's password: Permission denied, please try again. media@10.0.0.11's password: media@10.0.0.11: Permission denied (). Connection closed sylvain@sylvainmac ~ % Attempting to login using a password (after definition using `# passwd media') does not work either. What am I doing wrong ? Thank you -- Sylvain Saboua www.saboua.xyz
Re: questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?
On Mon, February 5, 2024 1:13 pm, Crystal Kolipe wrote: > On Mon, Feb 05, 2024 at 12:56:39PM -, beecdadd...@danwin1210.de wrote: > >> wow that's unreadable on my browser is that 75M I'm seeing? and doesn't even >> work as a readable site Ill be reading that for the rest of life thanks >> > > The linked page passes HTML and CSS validation: > > > https://validator.nu > > > https://jigsaw.w3.org/css-validator > > > Therefore, if it is not rendering correctly in your browser, please open a > bug report with the authors of your browser. is not a bug, Links displays HTML and CSS just fine! don't insult Links text on the site is just close together hard to read > > If you do not want to install a standards compliant web browser to read the > material, the text of the article is also available on our Gemini site. that is cool > And what is "75M"? If you mean 75 megabytes, the page weight is nowhere near > that value. You may be using a compromised browser which is downloading > malware from elsewhere, or having script injected by a malicious third party. I maybe did math wrong said like 75xxx bytes or something I read 1/3 of text.. I almost fell asleep the only thing I gathered from that text is that yes I think I will use OpenZFS on FreeBSD, have it connect not to internet but to my other OpenBSD box thich will be securer and face internet thanks guys, I know RAID isn't THE solution, but I can't afford mirroring or have another site for another backup it will protect me against bitrot, has check-sums for everything and I can rollback because I do make stupid mistakes very stupid.. I did multiple times rm file * by accident instead of rm file.* I thought it was more but didn't check.. now I do rm -i haha but someone said that filesystem can also get corrupted and I think to myself how what do they think?
Re: questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?
On Mon, Feb 05, 2024 at 12:56:39PM -, beecdadd...@danwin1210.de wrote: > wow that's unreadable on my browser > is that 75M I'm seeing? and doesn't even work as a readable site > Ill be reading that for the rest of life thanks The linked page passes HTML and CSS validation: https://validator.nu https://jigsaw.w3.org/css-validator Therefore, if it is not rendering correctly in your browser, please open a bug report with the authors of your browser. If you do not want to install a standards compliant web browser to read the material, the text of the article is also available on our Gemini site. And what is "75M"? If you mean 75 megabytes, the page weight is nowhere near that value. You may be using a compromised browser which is downloading malware from elsewhere, or having script injected by a malicious third party.
Re: questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?
wow that's unreadable on my browser is that 75M I'm seeing? and doesn't even work as a readable site Ill be reading that for the rest of life thanks On Mon, February 5, 2024 3:37 am, David Rinehart wrote: > > This is a good read: > https://research.exoticsilicon.com/articles/backup_strategies > > > > On Sun, 2024-02-04 at 19:02 +, beecdadd...@danwin1210.de wrote: > >> hello >> >> I will make a storage server, and RAID just has to be on it, right? >> >> >> is RAID6 in work or maybe plans, I would like to know what about RAID5 + >> CRYPTO or RAID6 + CRYPTO? >> I read these >> https://www.reddit.com/r/openbsd/comments/r4bydk/encrypted_raid6_support/ >> and from it https://marc.info/?t=15434869341=1=2 >> >> >> encryption is a must, I won't have it unencrypted what about RAID controller >> like RAID6 and software RAIDC combination? it would be cool to have >> redundancy like RAID6 and secure data with CRYPTO.. >> RAID1C is too expensive >> >> >> does anyone run multi-TB storage servers with OpenBSD? what raid do you run, >> what about hardware raid? I fear/dislike hardware raid but I never tried it >> I want to live without OpenZFS/FreeBSD, butnot without encryption and >> redundancy >> >> I don't have to be able to boot from it (canbe other disk which also >> maybe in RAID1C), but would be nice >> >> >> I know OpenBSD is not meant to be run as big fancy storage server >> with maybe complicated reliability like RAID6 + CRYPTO, but what you expect? >> everyone loves OpenBSD and wants to use it for everything, not FreeBSD >> >> thank you I am sorry if I ask too much, I don't demand, just nice request >> > >
Re: questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?
On Sun, February 4, 2024 9:55 pm, Nick Holland wrote: > On 2/4/24 14:02, beecdadd...@danwin1210.de wrote: >> hello >> >> I will make a storage server, and RAID just has to be on it, right? > > mybbe... (more later) > >> is RAID6 in work or maybe plans, I would like to know >> what about RAID5 + CRYPTO or RAID6 + CRYPTO? >> I read these >> https://www.reddit.com/r/openbsd/comments/r4bydk/encrypted_raid6_support/ >> and from it >> https://marc.info/?t=15434869341=1=2 > > best to start with authoritative sources that are up to date. > https://man.openbsd.org/softraid > > you will note no reference to RAID6 in there. Nor one-layer > softraid 5C, like there is 1C. I know I read `man bioctl` instead.. > Is it "in the works"? how would that matter? If it is there, you > can use it. If it isn't...you can't. If it is "in the works", it > still isn't there. So...I'd suggest just assuming it isn't there, > and if it is added (or you add it), upgrade at your next HW refresh. > >> encryption is a must, I won't have it unencrypted >> what about RAID controller like RAID6 and software RAIDC combination? >> it would be cool to have redundancy like RAID6 and secure data with CRYPTO.. >> RAID1C is too expensive > > "RAID1C is too expensive" -- define expensive? with parity-RAID you get more storage meaning more bang for buck > You can get a Really Big SATA disk for the price of a good HW RAID controller, > and a good HW RAID controller generally requires a big, power hungry chassis. > Oh...and if you are going to run HW RAID, you MUST have spare HW on-hand > because you can't just take the drives off RAID controller X and put them on > the RAID controller you just managed to find two years later when you need > it and hope it will work. And of course, that implies a second chassis, > because these things tend to work together. someone said HW RAID bad today because it doesn't check parity, so to do that need to have good HW raid controller (doesn't exist anymore?) and disks with 520-byte sectors (also doesn't exist unless some lucky expensive entterprise) so I think HW RAID is a no-go :( I want many TB, and possibly expandble (on same RAID array) HW raid also sounds to be too complicated and also more failure prone? because like OpenZFS checks parity because it has check-sums of parity, and with 520-byte sectors the 512bytes used for data, but the 8 for check-sum of parity, and also HW RAID controller has to support that >> does anyone run multi-TB storage servers with OpenBSD? what raid do you run, >> what about hardware raid? I fear/dislike hardware raid but I never tried it >> I want to live without OpenZFS/FreeBSD, butnot without encryption and redundancy > > HW RAID works, but you better understand your controller. Most people get > their system running, pat themselves on the back, and are 100% hosed when > they need to replace a drive and have no idea how. HW raid is usually a > little easier to figure out how to get running without reading the > instructions, but much harder to figure out when things go wonky. I think so, too > (granted, SW raid, you have to figure out how to detect and swap out a > failed drive, but my SW RAID is more similar to yours than my HW RAID is > to yours, and thus, I can probably help you out more. x the number of > people on misc@ :) heh I am glad people use stuff like this here.. I don't have RAID yet, but plan on getting it.. my budget maybe 400$ starter but want to increase as time goes and money comes, I would do it a non-standard homemade chassie so it's cheap and put some DIY strap-with-spunge so it's non-vibrator >> I don't have to be able to boot from it (canbe other disk which also maybe in >> RAID1C), but would be nice >> >> I know OpenBSD is not meant to be run as big fancy storage server with maybe >> complicated reliability like RAID6 + CRYPTO, but what you expect? everyone >> loves OpenBSD and wants to use it for everything, not FreeBSD > > Realistically, for home use, I suspect OpenBSD will be more-than-sufficient > for most people. You just don't need the World's Fastest for most > applications. Case in point: I was whining to myself about the removal of > softdeps from OpenBSD recently...it is a HUGE performance hit for a few of > the systems I manage. But you know what I discovered? Worst case, even > though one backup went from two hours to eight or more hours, it doesn't > change what I accomplish in a day. Wickedly fast is fun. But the real > performance problem is usually me. It would work fine for many business > uses, too. what you mean removal of softdep? doesn't h
Re: questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?
This is a good read: https://research.exoticsilicon.com/articles/backup_strategies On Sun, 2024-02-04 at 19:02 +, beecdadd...@danwin1210.de wrote: > hello > > I will make a storage server, and RAID just has to be on it, right? > > is RAID6 in work or maybe plans, I would like to know > what about RAID5 + CRYPTO or RAID6 + CRYPTO? > I read these > https://www.reddit.com/r/openbsd/comments/r4bydk/encrypted_raid6_support/ > and from it > https://marc.info/?t=15434869341=1=2 > > encryption is a must, I won't have it unencrypted > what about RAID controller like RAID6 and software RAIDC combination? > it would be cool to have redundancy like RAID6 and secure data with > CRYPTO.. > RAID1C is too expensive > > does anyone run multi-TB storage servers with OpenBSD? what raid do > you run, > what about hardware raid? I fear/dislike hardware raid but I never > tried it > I want to live without OpenZFS/FreeBSD, butnot without encryption and > redundancy > > I don't have to be able to boot from it (canbe other disk which also > maybe in > RAID1C), but would be nice > > I know OpenBSD is not meant to be run as big fancy storage server > with maybe > complicated reliability like RAID6 + CRYPTO, but what you expect? > everyone > loves OpenBSD and wants to use it for everything, not FreeBSD > > thank you I am sorry if I ask too much, I don't demand, just nice > request >
Re: questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?
On 2/4/24 14:02, beecdadd...@danwin1210.de wrote: hello I will make a storage server, and RAID just has to be on it, right? mybbe... (more later) is RAID6 in work or maybe plans, I would like to know what about RAID5 + CRYPTO or RAID6 + CRYPTO? I read these https://www.reddit.com/r/openbsd/comments/r4bydk/encrypted_raid6_support/ and from it https://marc.info/?t=15434869341=1=2 best to start with authoritative sources that are up to date. https://man.openbsd.org/softraid you will note no reference to RAID6 in there. Nor one-layer softraid 5C, like there is 1C. Is it "in the works"? how would that matter? If it is there, you can use it. If it isn't...you can't. If it is "in the works", it still isn't there. So...I'd suggest just assuming it isn't there, and if it is added (or you add it), upgrade at your next HW refresh. encryption is a must, I won't have it unencrypted what about RAID controller like RAID6 and software RAIDC combination? it would be cool to have redundancy like RAID6 and secure data with CRYPTO.. RAID1C is too expensive "RAID1C is too expensive" -- define expensive? You can get a Really Big SATA disk for the price of a good HW RAID controller, and a good HW RAID controller generally requires a big, power hungry chassis. Oh...and if you are going to run HW RAID, you MUST have spare HW on-hand because you can't just take the drives off RAID controller X and put them on the RAID controller you just managed to find two years later when you need it and hope it will work. And of course, that implies a second chassis, because these things tend to work together. does anyone run multi-TB storage servers with OpenBSD? what raid do you run, what about hardware raid? I fear/dislike hardware raid but I never tried it I want to live without OpenZFS/FreeBSD, butnot without encryption and redundancy HW RAID works, but you better understand your controller. Most people get their system running, pat themselves on the back, and are 100% hosed when they need to replace a drive and have no idea how. HW raid is usually a little easier to figure out how to get running without reading the instructions, but much harder to figure out when things go wonky. (granted, SW raid, you have to figure out how to detect and swap out a failed drive, but my SW RAID is more similar to yours than my HW RAID is to yours, and thus, I can probably help you out more. x the number of people on misc@ :) I don't have to be able to boot from it (canbe other disk which also maybe in RAID1C), but would be nice I know OpenBSD is not meant to be run as big fancy storage server with maybe complicated reliability like RAID6 + CRYPTO, but what you expect? everyone loves OpenBSD and wants to use it for everything, not FreeBSD Realistically, for home use, I suspect OpenBSD will be more-than-sufficient for most people. You just don't need the World's Fastest for most applications. Case in point: I was whining to myself about the removal of softdeps from OpenBSD recently...it is a HUGE performance hit for a few of the systems I manage. But you know what I discovered? Worst case, even though one backup went from two hours to eight or more hours, it doesn't change what I accomplish in a day. Wickedly fast is fun. But the real performance problem is usually me. It would work fine for many business uses, too. thank you I am sorry if I ask too much, I don't demand, just nice request OpenBSD Softraid RAID6 isn't a thing (yet?). OpenBSD Softraid RAID5C isn't a thing (yet?). Layered RAID isn't officially supported, but it works. Layering crypto on top of a HW RAID works in every sense. Softraid doesn't even know it is on HW RAID and doesn't care (though bioctl can be used to monitor both). Expecting the system to come up on its own with manually layered softraid is not wise. If you want to layer your RAID, you will probably want to have your boot partitions/drives be RAID1C (or just RAID1), then the data stored on a big softraid "drive". I would suggest NOT putting the layered RAID volumes in /etc/fstab, but rather have some kind of manual script that you run post boot to bring up the big data storage drives. This way, when the power goes out and you need an fsck on your array, you don't have to go to the box to do it, you can do it remotely. RAID1 wins a lot of awards for just plain simplicity, and thus, some versatility. So I'd suggest reconsidering your "need" for RAID5, and see if you can get by with RAID1C on a big pair of drives. And as for my "mybbe" on automatically assuming you need RAID on a storage server, you MIGHT just find that multiple stand-alone systems will give you better redundancy for some applications. RAID helps if your disk fails, but there are a lot of other things that fail on storage servers, and for SOME applications, having a whole other machine ready to roll is a better solution. Granted, my F
questions about RAID5C, RAID6, RAID6C, can Openbsd be a good storage-server OS?
hello I will make a storage server, and RAID just has to be on it, right? is RAID6 in work or maybe plans, I would like to know what about RAID5 + CRYPTO or RAID6 + CRYPTO? I read these https://www.reddit.com/r/openbsd/comments/r4bydk/encrypted_raid6_support/ and from it https://marc.info/?t=15434869341=1=2 encryption is a must, I won't have it unencrypted what about RAID controller like RAID6 and software RAIDC combination? it would be cool to have redundancy like RAID6 and secure data with CRYPTO.. RAID1C is too expensive does anyone run multi-TB storage servers with OpenBSD? what raid do you run, what about hardware raid? I fear/dislike hardware raid but I never tried it I want to live without OpenZFS/FreeBSD, butnot without encryption and redundancy I don't have to be able to boot from it (canbe other disk which also maybe in RAID1C), but would be nice I know OpenBSD is not meant to be run as big fancy storage server with maybe complicated reliability like RAID6 + CRYPTO, but what you expect? everyone loves OpenBSD and wants to use it for everything, not FreeBSD thank you I am sorry if I ask too much, I don't demand, just nice request
Re: How to access Xauthority for VNC Server
Hi Stuart, Sorry for the slow response. I have created the file /home/aretter/.xsession with the mode 755 and the owner and group 'aretter'. The file contains the single line: x0vncserver -display :0 -PasswordFile ~/.vnc/passwd I rebooted the system, logged in on the console as `aretter` and ran `ps -A` unfortunately there is no `x0vncserver` running. I grep'd for `x0nvserver` in the log files within /var/log and found nothing. Any ideas, how can I figure out why this isn't working? > This would run as your uid and with X environment variables intact so no > faffing with XAUTHORITY needed. Does this mean that I should see an XAUTHORITY environment variable after I login on the console? If so, I don't see anything like that reported by `env`. Kind regards. Adam. On Wed, 3 Jan 2024 at 00:34, Stuart Henderson wrote: > > On 2024-01-02, Adam Retter wrote: > > > > XAUTHORITY=/etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM x0vncserver > > -display :0 -PasswordFile ~/.vnc/passwd > > > > It is not clear to me how I can set this up so that x0vncserver can > > access the correctly named auth file each time the machine restarts, > > and also under which account it would be considered best practice to > > run x0vncserver... Should I run it under my user account, the `_x11` > > account, or an account created just for that purpose? > > Ideally the VNC Server would start during system startup also. > > It won't help for system startup, but you can add the x0vncserver > command (backgrounded with &) from .xsession to run after login. > This would run as your uid and with X environment variables intact so > no faffing with XAUTHORITY needed. > > (I would recommend listening to localhost only and connecting via ssh > port-forwarding; for unix VNC clients "-via $hostname localhost" runs > the ssh command for you). > > > > -- > Please keep replies on the mailing list. > -- Adam Retter skype: adam.retter tweet: adamretter http://www.adamretter.org.uk
Re: How to access Xauthority for VNC Server
Hello there • Adam Retter [2024-01-02 23:14]: > Apologies but I am a little bit unclear about how X authfiles should > work in OpenBSD. > > I have started with a fresh OpenBSD 7.4 install, and I opted to > install the X Window System. My goal is to be able to export my > display over VNC as I have no access to the mouse and keyboard of the > machine. > > I have installed the VNC Server software by running as root - pkg_add tigervnc > > To be able to run the VNC Server, it needs access to the X Authority > file. I want to ideally run the VNC Server under a non-root account. I > have found an authority file under /etc/X11/xenodm/authdir/authfiles/ > however its name seems to be randomly decided each time xenodm is > started during System boot. For example at present it is > /etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM but that will change if > the system is rebooted. > > To run the VNC Server, I think I need to execute something like the > following command: > > XAUTHORITY=/etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM x0vncserver > -display :0 -PasswordFile ~/.vnc/passwd > > It is not clear to me how I can set this up so that x0vncserver can > access the correctly named auth file each time the machine restarts, > and also under which account it would be considered best practice to > run x0vncserver... Should I run it under my user account, the `_x11` > account, or an account created just for that purpose? > Ideally the VNC Server would start during system startup also. > > I also note that the auth files such as > /etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM are owned by the `_x11` > account and group, and are only readable by the owner (mode 0600). > > Please advise on the best way to set this up? You might want to look at Xvnc rather than x0vncserver. Xvnc is started by vncserver, which you can run as your normal user. > Kind regards. Adam. Here's a setup that used to work at some point, it could give you some ideas. Note how vncserver is started in the user's tmux session -- this way I can attach to it and see what is going on. To run at startup, you could either add a line to rc.local, or (ab)use crontab's @reboot facility. In /etc/rc.local echo -n ' VNC' su -l -c '/home//bin/runxvnc.sh 2>&1' >/dev/null & Then in /home//bin/runxvnc.sh #!/bin/sh tmux new-session -d -s Xvnc \ /usr/local/bin/vncserver :2 \ -geometry 1920x1080 \ -depth 32 \ -fg \ -xstartup ~/.vnc/xstartup \ -interface 127.0.0.1 \ -rfbport 5901 \ -rfbauth ~/.vnc/passwd \ -alwaysshared And in ~/.vnc/xstartup #!/bin/sh unset SESSION_MANAGER unset DBUS_SESSION_BUS_ADDRESS [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources export LC_CTYPE="en_US.UTF-8" /usr/local/bin/startxfce4 > -- > Adam Retter > > skype: adam.retter > tweet: adamretter > http://www.adamretter.org.uk > -- -- Kirill Miazine
Re: How to access Xauthority for VNC Server
On 2024-01-02, Adam Retter wrote: > > XAUTHORITY=/etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM x0vncserver > -display :0 -PasswordFile ~/.vnc/passwd > > It is not clear to me how I can set this up so that x0vncserver can > access the correctly named auth file each time the machine restarts, > and also under which account it would be considered best practice to > run x0vncserver... Should I run it under my user account, the `_x11` > account, or an account created just for that purpose? > Ideally the VNC Server would start during system startup also. It won't help for system startup, but you can add the x0vncserver command (backgrounded with &) from .xsession to run after login. This would run as your uid and with X environment variables intact so no faffing with XAUTHORITY needed. (I would recommend listening to localhost only and connecting via ssh port-forwarding; for unix VNC clients "-via $hostname localhost" runs the ssh command for you). -- Please keep replies on the mailing list.
How to access Xauthority for VNC Server
Apologies but I am a little bit unclear about how X authfiles should work in OpenBSD. I have started with a fresh OpenBSD 7.4 install, and I opted to install the X Window System. My goal is to be able to export my display over VNC as I have no access to the mouse and keyboard of the machine. I have installed the VNC Server software by running as root - pkg_add tigervnc To be able to run the VNC Server, it needs access to the X Authority file. I want to ideally run the VNC Server under a non-root account. I have found an authority file under /etc/X11/xenodm/authdir/authfiles/ however its name seems to be randomly decided each time xenodm is started during System boot. For example at present it is /etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM but that will change if the system is rebooted. To run the VNC Server, I think I need to execute something like the following command: XAUTHORITY=/etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM x0vncserver -display :0 -PasswordFile ~/.vnc/passwd It is not clear to me how I can set this up so that x0vncserver can access the correctly named auth file each time the machine restarts, and also under which account it would be considered best practice to run x0vncserver... Should I run it under my user account, the `_x11` account, or an account created just for that purpose? Ideally the VNC Server would start during system startup also. I also note that the auth files such as /etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM are owned by the `_x11` account and group, and are only readable by the owner (mode 0600). Please advise on the best way to set this up? Kind regards. Adam. -- Adam Retter skype: adam.retter tweet: adamretter http://www.adamretter.org.uk
Re: NFS Server performance
On Tue, Dec 5, 2023 at 9:25 AM Zé Loff wrote: > > On Tue, Dec 05, 2023 at 02:06:44PM +, Steven Surdock wrote: > > Using an OBSD 7.4 VM on VMware as an NFS server on HOST02. It is > primarily used to store VMWare VM backups from HOST01, so VMWare is the NFS > client. I'm seeing transfers of about 1.2 MB/s. > > > > SCP from HOST01 to OBSD VM (same filesystem) copies at 110 MB/s. > > Iperf3 from a VM on HOST01 to OBSD on HOST02 gives me 900+ mbps. > > OBSD is a stock install running -stable. > > NFS is using v3 (according to VMWare) and using TCP > > During the NFS transfer the RECV-Q on the OBSD interface runs either > 64000+ or 0. > > I tried both em and vmx interface types. > > > > /etc/rc.conf.local: > > mountd_flags="" # for normal use: "" > > nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver > > ntpd_flags="" # enabled during install > > portmap_flags=""# for normal use: "" > > > > Any clues on where to look to (greatly) improve NFS performance would be > appreciated. > > Increasing write size, read size and the read-ahead count on the client > has helped me. > > E.g., on the client's fstab: > > 10.17.18.10:/shared/stuff /nfs/stuff nfs > rw,nodev,nosuid,intr,tcp,bg,noatime,-a=4,-r=32768,-w=32768 0 0 > > With this i got around 2.5x improvement (9-10MBps to 25-30MBps) > Cheers > Zé > > > > > -Steve S. > > > > -- > > >
Re: NFS Server performance
> -Original Message- > From: j...@bitminer.ca > Sent: Thursday, December 7, 2023 7:55 PM > > On Tue, Dec 05, 2023 at 02:06:44PM +, Steven Surdock wrote: > > > > Using an OBSD 7.4 VM on VMware as an NFS server on HOST02. It is > > primarily used to store VMWare VM backups from HOST01, so VMWare is > > the NFS client. I'm seeing transfers of about 1.2 MB/s. > > Sounds about right. On a single (magnetic) disk, assume 200 ops/sec > maximum, or about 5 kbyte per write op. > > Remember that NFS is synchronous. It is based on RPC, remote procedure > calls. The call has to return a result to the client before the next call > can happen. So your client (ESXi) is stuck at the synchronous write rate > of your disk, which is governed by seek time and rotation rate. > > To confirm, run systat and note the "sec" measurement for your disk. > It will likely be in the 0.5 to 1.0 range. This means your disk is 50% to > 100% busy. And the speed is about 1MB/s. > > For improvement, use "-o noatime" on your exported partition mount. This > reduces inode update IO. > > Or, try "-o async" if you want to live dangerously. > > Or, you could even try ext2 instead of ffs.rumour has it that > ext2 is faster. I don't know, never having tried it. > > Or use an SSD for your export partition. > > Or, crank up a copy of Linux and run NFS v4 server. That will definitely > be faster than any NFS v3 server. V4 streams writes, to be very > simplistic about it. > > (I think you already confirmed it's NFS v3 with TCP, not NFS v2. > You should turn UDP off for reliability reasons, not performance.) So I thought that disk I/O might be an issue as well, but SCP rips at 800+ Mbps (95+ MBps). I did end up trying async and noatime on the filesystem. 'async' offered the best improvement with about 75 Mbps (or 9.3 MBps). Still not what I was hoping for, or even close to SCP. I did confirm NFS V3 (via tcpdump), plus esxi only supports V3 and V4. I also experimented with netbsd-iscsi-target-20111006p6, but I could not get esxi to connect reliably. You are correct on the disk performance during the NFS write: Disks sd0 sd1 seeks xfers 992 speed 110K 5915K sec 0.0 1.0 For the sake of completeness, here is the disk performance for the scp: Disks sd0 sd1 seeks xfers11 1559 speed 131K 97M sec 0.0 1.0 This is with /home mounted with 'ffs rw,nodev,nosuid 1 2' Thanks!
Re: NFS Server performance
On Tue, Dec 05, 2023 at 02:06:44PM +, Steven Surdock wrote: Using an OBSD 7.4 VM on VMware as an NFS server on HOST02. It is primarily used to store VMWare VM backups from HOST01, so VMWare is the NFS client. I'm seeing transfers of about 1.2 MB/s. Sounds about right. On a single (magnetic) disk, assume 200 ops/sec maximum, or about 5 kbyte per write op. Remember that NFS is synchronous. It is based on RPC, remote procedure calls. The call has to return a result to the client before the next call can happen. So your client (ESXi) is stuck at the synchronous write rate of your disk, which is governed by seek time and rotation rate. To confirm, run systat and note the "sec" measurement for your disk. It will likely be in the 0.5 to 1.0 range. This means your disk is 50% to 100% busy. And the speed is about 1MB/s. For improvement, use "-o noatime" on your exported partition mount. This reduces inode update IO. Or, try "-o async" if you want to live dangerously. Or, you could even try ext2 instead of ffs.rumour has it that ext2 is faster. I don't know, never having tried it. Or use an SSD for your export partition. Or, crank up a copy of Linux and run NFS v4 server. That will definitely be faster than any NFS v3 server. V4 streams writes, to be very simplistic about it. (I think you already confirmed it's NFS v3 with TCP, not NFS v2. You should turn UDP off for reliability reasons, not performance.) J
Re: NFS Server performance
No confusion. The read and write buffer sizes would be above layer 3. VMware offers little ability to modify read and write sizes. It did inspire me to find this: https://kb.vmware.com/s/article/1007909 NFS.ReceiveBufferSize This is the size of the receive buffer for NFS sockets. This value is chosen based on internal performance testing. VMware does not recommend adjusting this value. NFS.SendBufferSize The size of the send buffer for NFS sockets. This value is chosen based on internal performance testing. VMware does not recommend adjusting this value. ... ESXi 6.0, 6.5, 6.7: Default Net.TcpipHeapMax is 512MB. Default send/receive socket buffer size of NFS is 256K each. So each socket consumes ~512K+.For 256 shares, it would be ~128M. The default TCPIPheapMax is sufficient even for 256 mounts. Its not required to increase. Also, the man page for mount_nfs implies -w is useful for UDP mounts. I have verified that this mount is using TCP. -w writesize Set the write data size to the specified value. Ditto the comments w.r.t. the -r option, but using the "fragments dropped after timeout" value on the server instead of the client. Note that both the -r and -w options should only be used as a last ditch effort at improving performance when mounting servers that do not support TCP mounts. -Steve S. -Original Message- From: owner-m...@openbsd.org On Behalf Of Carsten Reith Sent: Wednesday, December 6, 2023 11:41 AM To: misc@openbsd.org Subject: Re: NFS Server performance [You don't often get email from carsten.re...@t-online.de. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] Steven Surdock writes: > The client is VMWare ESXi, so my options are limited. I tried > enabling jumbo frames (used 9000) and this made very little > difference. > Is it possible that you confuse the network layers here ? Jumbo frames are layer 2, the read and write sizes referred to apply are layer 3. You can try to set them as suggested, indepently of the frame size.
Re: NFS Server performance
Steven Surdock writes: > The client is VMWare ESXi, so my options are limited. I tried > enabling jumbo frames (used 9000) and this made very little > difference. > Is it possible that you confuse the network layers here ? Jumbo frames are layer 2, the read and write sizes referred to apply are layer 3. You can try to set them as suggested, indepently of the frame size.
Re: NFS Server performance
The client is VMWare ESXi, so my options are limited. I tried enabling jumbo frames (used 9000) and this made very little difference. -Original Message- From: Zé Loff Sent: Tuesday, December 5, 2023 10:12 AM To: Steven Surdock Cc: misc@openbsd.org Subject: Re: NFS Server performance On Tue, Dec 05, 2023 at 02:06:44PM +, Steven Surdock wrote: > Using an OBSD 7.4 VM on VMware as an NFS server on HOST02. It is primarily > used to store VMWare VM backups from HOST01, so VMWare is the NFS client. > I'm seeing transfers of about 1.2 MB/s. > > SCP from HOST01 to OBSD VM (same filesystem) copies at 110 MB/s. > Iperf3 from a VM on HOST01 to OBSD on HOST02 gives me 900+ mbps. > OBSD is a stock install running -stable. > NFS is using v3 (according to VMWare) and using TCP During the NFS > transfer the RECV-Q on the OBSD interface runs either 64000+ or 0. > I tried both em and vmx interface types. > > /etc/rc.conf.local: > mountd_flags="" # for normal use: "" > nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver > ntpd_flags="" # enabled during install > portmap_flags=""# for normal use: "" > > Any clues on where to look to (greatly) improve NFS performance would be > appreciated. Increasing write size, read size and the read-ahead count on the client has helped me. E.g., on the client's fstab: 10.17.18.10:/shared/stuff /nfs/stuff nfs rw,nodev,nosuid,intr,tcp,bg,noatime,-a=4,-r=32768,-w=32768 0 0 Cheers Zé --
Re: NFS Server performance
On Tue, Dec 05, 2023 at 02:06:44PM +, Steven Surdock wrote: > Using an OBSD 7.4 VM on VMware as an NFS server on HOST02. It is primarily > used to store VMWare VM backups from HOST01, so VMWare is the NFS client. > I'm seeing transfers of about 1.2 MB/s. > > SCP from HOST01 to OBSD VM (same filesystem) copies at 110 MB/s. > Iperf3 from a VM on HOST01 to OBSD on HOST02 gives me 900+ mbps. > OBSD is a stock install running -stable. > NFS is using v3 (according to VMWare) and using TCP > During the NFS transfer the RECV-Q on the OBSD interface runs either 64000+ > or 0. > I tried both em and vmx interface types. > > /etc/rc.conf.local: > mountd_flags="" # for normal use: "" > nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver > ntpd_flags="" # enabled during install > portmap_flags=""# for normal use: "" > > Any clues on where to look to (greatly) improve NFS performance would be > appreciated. Increasing write size, read size and the read-ahead count on the client has helped me. E.g., on the client's fstab: 10.17.18.10:/shared/stuff /nfs/stuff nfs rw,nodev,nosuid,intr,tcp,bg,noatime,-a=4,-r=32768,-w=32768 0 0 Cheers Zé > > -Steve S. > --
NFS Server performance
Using an OBSD 7.4 VM on VMware as an NFS server on HOST02. It is primarily used to store VMWare VM backups from HOST01, so VMWare is the NFS client. I'm seeing transfers of about 1.2 MB/s. SCP from HOST01 to OBSD VM (same filesystem) copies at 110 MB/s. Iperf3 from a VM on HOST01 to OBSD on HOST02 gives me 900+ mbps. OBSD is a stock install running -stable. NFS is using v3 (according to VMWare) and using TCP During the NFS transfer the RECV-Q on the OBSD interface runs either 64000+ or 0. I tried both em and vmx interface types. /etc/rc.conf.local: mountd_flags="" # for normal use: "" nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver ntpd_flags="" # enabled during install portmap_flags=""# for normal use: "" Any clues on where to look to (greatly) improve NFS performance would be appreciated. -Steve S.
Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3
On 2023-08-14, latin...@vcn.bc.ca wrote: >> On 2023-08-14, latin...@vcn.bc.ca wrote: >>> Something magic had happend after reboot! lkev2 is working >> >> iked/isakmpd keys are created at boot if they don't exist. >> >>> BTW at the >>> client i can not use Web Browser?, the ssh connection did not stop >>> working. >> >> > > Hello Stuart > > The situation is: that being connected with ikev2 to my server, ssh is not > disconnected as with Wireguard, but it is supposed that all traffic should > go by ikev2! > > I am looking on pf.conf, but i can not imagine how to send lo1/enc0 by ikev2. There's not enough information about what you're trying to do, or what is going wrong, for anyone to help
Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3
> On 2023-08-14, latin...@vcn.bc.ca wrote: >> Something magic had happend after reboot! lkev2 is working > > iked/isakmpd keys are created at boot if they don't exist. > >> BTW at the >> client i can not use Web Browser?, the ssh connection did not stop >> working. > > Hello Stuart The situation is: that being connected with ikev2 to my server, ssh is not disconnected as with Wireguard, but it is supposed that all traffic should go by ikev2! I am looking on pf.conf, but i can not imagine how to send lo1/enc0 by ikev2. > > If you're able to fetch small pages over http (*not* https), such as > http://www.openbsd.org/grp-tmpl.txt, then you probably have an > MTU (packet size) problem, if so then you could try something > like this near the top of pf.conf to cap the size of TCP packets > as a workaround (make sure you don't use "set skip on enc0" for > this to be used) > > match on enc0 scrub (max-mss 1300 no-df) > > -- > Please keep replies on the mailing list. > No everything goes by normal ip. Not by ikev2. thanks.
Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3
On 2023-08-14, latin...@vcn.bc.ca wrote: > Something magic had happend after reboot! lkev2 is working iked/isakmpd keys are created at boot if they don't exist. > BTW at the > client i can not use Web Browser?, the ssh connection did not stop > working. If you're able to fetch small pages over http (*not* https), such as http://www.openbsd.org/grp-tmpl.txt, then you probably have an MTU (packet size) problem, if so then you could try something like this near the top of pf.conf to cap the size of TCP packets as a workaround (make sure you don't use "set skip on enc0" for this to be used) match on enc0 scrub (max-mss 1300 no-df) -- Please keep replies on the mailing list.
Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3
> latin...@vcn.bc.ca wrote:
>> Hello
>>
>> i am testing IKEv2; and because i felt really confuse trying to
>> configure
>> them; i delete all certs; and i can not find how to re-create them, on
>> FAQ
>> and misc!
>>
>> May somebody help please?
>>
>> Thank you.
>
> It's in /etc/rc , function make_keys at line 135:
>
> # Generate keys for isakmpd, iked and sshd if they don't exist yet.
> make_keys() {
> # ...
> local _iked_key=/etc/iked/private/local.key
> local _iked_pub=/etc/iked/local.pub
>
> # ...
>
> if [[ ! -f $_iked_key ]]; then
> echo -n "openssl: generating iked ECDSA keys... "
> if openssl ecparam -genkey -name prime256v1 -out $_iked_key
> >/dev/null
> 2>&1 &&
> chmod 600 $_iked_key &&
> openssl ec -out $_iked_pub -in $_iked_key \
> -pubout >/dev/null 2>&1; then
> echo done.
> else
> echo failed.
> fi
> fi
>
> # ...
> }
>
> -Lucas
>
Hey Lucas thank you very much man!
Something magic had happend after reboot! lkev2 is working, BTW at the
client i can not use Web Browser?, the ssh connection did not stop
working.
Really thanks man.
Re: re-create certs server/laptop both OpenBSD 7.3
latin...@vcn.bc.ca wrote:
> Hello
>
> i am testing IKEv2; and because i felt really confuse trying to configure
> them; i delete all certs; and i can not find how to re-create them, on FAQ
> and misc!
>
> May somebody help please?
>
> Thank you.
It's in /etc/rc , function make_keys at line 135:
# Generate keys for isakmpd, iked and sshd if they don't exist yet.
make_keys() {
# ...
local _iked_key=/etc/iked/private/local.key
local _iked_pub=/etc/iked/local.pub
# ...
if [[ ! -f $_iked_key ]]; then
echo -n "openssl: generating iked ECDSA keys... "
if openssl ecparam -genkey -name prime256v1 -out $_iked_key
>/dev/null 2>&1 &&
chmod 600 $_iked_key &&
openssl ec -out $_iked_pub -in $_iked_key \
-pubout >/dev/null 2>&1; then
echo done.
else
echo failed.
fi
fi
# ...
}
-Lucas
re-create certs server/laptop both OpenBSD 7.3
Hello i am testing IKEv2; and because i felt really confuse trying to configure them; i delete all certs; and i can not find how to re-create them, on FAQ and misc! May somebody help please? Thank you.
httpd server "default" is not what I expected
I was surprised that `server "default"` didn't act like I expected. In this
example I expected `test1` to get 200 and everything else to get 404 but
this is not the case. In this example server "test1" actually catches all:
localhost, test1, and test2 will get code 200.
/etc/hosts:
127.0.0.1 localhost test1 test2
/tmp/httpd.conf:
server "test1" {
listen on localhost port 8080
block return 200
}
server "default" {
listen on localhost port 8080
block return 404
}
httpd -df /tmp/httpd.conf &
ftp -o - http://localhost:8080/ #200
ftp -o - http://test1:8080/ #200
ftp -o - http://test2:8080/ #200
man httpd.conf says:
"Match the server name using shell globbing rules. This can be an explicit
name, www.example.com, or a name including wildcards, *.example.com."
There is no mention as to what `server "default"` does even though it is
used several times in the man page. I find the behaviour to be odd
for it not to be documented. It isn't until I change the line to `server
"*"` when it starts doing what I expected:
ftp -o- http://localhost:8080/ #404
ftp -o- http://test1:8080/ #200
ftp -o- http://test2:8080/ #404
This is a gotcha in general. I would think the examples should use server
"*" instead and document what server "default" actually does.
and while we are here. Why does running httpd as a user say:
httpd: need root privileges
does it...?
-alfred
relayd not retrying relay's server-side connections
I'm running relayd with the following relayd.conf on OpenBSD 7.3.
relay forward_http {
listen on ::1 port 7200
forward to 127.0.0.1 port 7204 retry 30
}
I was hoping it would do this:
- Listen for connections on ::1 port 7200.
- Each time a connection comes in, try up to 31 times to connect
to 127.0.0.1, and if one of those tries succeeds, forward the
connection.
(My goal is to smooth over intervals where the 127.0.0.1:7204 service
is restarting: I want connections from outside to stall rather than
fail.)
The forwarding is working, but as far as I can tell relayd is only
trying once to connect to 127.0.0.1:7204. My evidence is that if
nothing is listening on 127.0.0.1:7204 when I try to connect to ::1
port 7200, I get a failure instantly, and "tcpdump -ilo0 tcp" only
shows a couple of messages exchanged rather than 31 attempts.
Am I doing something wrong, or misunderstanding what that "retry"
option is supposed to do?
Optional bonus question:
Even if get that working, I have a further problem: I actually want
to use "forward to " syntax, but there doesn't seem to be a
place for a "retry" option there. The reason I want to use "forward
to " syntax is that want to direct the connection based on
http parameters, and as far as I know that's not possible with
"forward to address" syntax.
Here's a more complete version of what I'm trying to do. It does
what I want, except for retrying when connecting to . (In
practice I add three more "relay" stanzas, for all combinations of
http/https and inet/inet6.)
Is there some way to add retries to this?
table { ::1 }
table { 127.0.0.1 }
http protocol reverse_proxy {
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-Port" value "$SERVER_PORT"
pass forward to
pass request header "Host" value "fossil.falsifian.org" \
forward to
tls { keypair "falsifian.org" }
}
relay reverse_proxy_https_6 {
listen on ::1 port 7201 tls
protocol reverse_proxy
forward to port 7203
forward to port 7204
}
--
James
Re: tmux server recent snapshot amd64 100% CPU freeze
On Mon, Jul 17, 2023 at 12:54:05PM +, Jacqueline Jolicoeur wrote: > Hi, > > I thought I would mention I seem to be able to reproduce a tmux lock up > where the tmux server component runs at 100% CPU. I am unable to attach > to it at that point. > > The command I run in order to reproduce this is: > > Enter the tmux command prompt. > > C-b and : > > Run this command. > > movew -r > > It stays locked with the movew command still on screen. I end up having > to kill the server process. I have noticed tmux locking up with my original tmux.conf when closing windows, likely because of renumber-windows on: set-option -g default-terminal "tmux-256color" set-option -g history-limit 3000 set-option -g renumber-windows on set-option -ag window-status-current-style bold set-option -ag window-status-current-style fg=black set-option -ag window-status-current-style bg=blue set-option -ag status-style bg=cyan set-option -g escape-time 50 I have since switched to a more simplistic config that hasn't run into the lock up, but I can still trigger it with movew -r as described above: set-option -g escape-time 50 set-option -g base-index 1 set-option -g pane-base-index 1 > > This started to occur in OpenBSD amd64 snapshots around July 13. > > I am running my OpenBSD amd64 with sysctl vm.malloc_conf=S > > ~/.tmux.conf > > set -g status-keys vi > set -g status-right "%F %R" > set -g status-style "bg=black,fg=white" > setw -g mode-keys vi > > Thanks. >
Re: tmux server recent snapshot amd64 100% CPU freeze
On Monday, July 17, 2023, Jacqueline Jolicoeur wrote: > Hi, > > I thought I would mention I seem to be able to reproduce a tmux lock up > where the tmux server component runs at 100% CPU. I am unable to attach > to it at that point. > > The command I run in order to reproduce this is: > > Enter the tmux command prompt. > > C-b and : > > Run this command. > > movew -r > > It stays locked with the movew command still on screen. I end up having > to kill the server process. > > This started to occur in OpenBSD amd64 snapshots around July 13. > > I am running my OpenBSD amd64 with sysctl vm.malloc_conf=S > > ~/.tmux.conf > > set -g status-keys vi > set -g status-right "%F %R" > set -g status-style "bg=black,fg=white" > setw -g mode-keys vi > > Thanks. > > -- Kind regards, Mike
tmux server recent snapshot amd64 100% CPU freeze
Hi, I thought I would mention I seem to be able to reproduce a tmux lock up where the tmux server component runs at 100% CPU. I am unable to attach to it at that point. The command I run in order to reproduce this is: Enter the tmux command prompt. C-b and : Run this command. movew -r It stays locked with the movew command still on screen. I end up having to kill the server process. This started to occur in OpenBSD amd64 snapshots around July 13. I am running my OpenBSD amd64 with sysctl vm.malloc_conf=S ~/.tmux.conf set -g status-keys vi set -g status-right "%F %R" set -g status-style "bg=black,fg=white" setw -g mode-keys vi Thanks.
Re: iked server/client OBSD/OBSD
Am 09.07.23 11:38 schrieb Tobias Heider: > On Sat, Jul 08, 2023 at 11:08:31PM -0700, latin...@vcn.bc.ca wrote: > (...) > > ikev2 'roadwarrior' active esp \ > > from dynamic to any \ > > peer server_ip \ > > srcid roadwarrior \ > > dstid server_domain \ > > request address any \ > > iface lo1 > > > > Questions: > > should i add the \? > > Yes, because each policy is one line which isn't very convenient but it is > what ~~~ > it is for historical reasons. I just wanted to add one thing: To me this IS very convenient! If I want to disable/comment out this poloicy then I have to insert only one single '#' in front of 'ike'. If the policy were multiple lines then you would need multiple #'s - one on each row.
Re: [SPAM] Re: iked server/client OBSD/OBSD
>> Questions about cert for roadwarrior and more? Why 192.168.1.79? i was >> expecting 10.0.5.x please. > > Why did you expect that? Desperate idea! It is the problem i think: Jul 10 01:15:59 agroena iked[79159]: ca_sslerror: ca_validate_pubkey: error:09FFF06C:PEM routines:CRYPTO_internal:no start line Jul 10 01:15:59 agroena iked[79159]: ca_sslerror: ca_validate_pubkey: error:09FFF06C:PEM routines:CRYPTO_internal:no start line Jul 10 01:15:59 agroena iked[31968]: spi=0xeff602411ad464ff: ikev2_dispatch_cert: peer certificate is invalid > > >> spi=0xc166e8f236679cc9: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 >> local >> 192.168.1.79:500, 255 bytes, policy 'roadwarrior' > > 192.168.1.79 is your local IP, which is on the interface with a link to > the default gateway. > > $ route -n show -inet > > > If you have multiple IPs and you want to force iked to use a specific > one, you have to use "local": > > local 10.0.5.x peer 45.77.223.7 \ > > >> spi=0xaf891eb37dd8f4cc: ca_getreq: no valid local certificate found for >> FQDN/roadwarrior >> spi=0xaf891eb37dd8f4cc: ca_getreq: using local public key of type >> RSA_KEY >> spi=0xaf891eb37dd8f4cc: send IKE_AUTH req 1 peer 45.77.223.7:4500 local >> 192.168.1.79:4500, 947 bytes, NAT-T >> spi=0xaf891eb37dd8f4cc: recv IKE_AUTH res 1 peer 45.77.223.7:4500 local >> 192.168.1.79:4500, 65 bytes, policy 'roadwarrior' >> spi=0xaf891eb37dd8f4cc: sa_free: authentication failed notification from >> peer > > Just a guess, since I have never worked with trusted public keys, but > maybe you have to copy the clients local.pub it into > /etc/iked/pubkeys/fqdn/roadwarrior > (not /etc/iked/pubkeys/fqdn/roadwarrior/local.pub) > or > /etc/iked/pubkeys/ipv4/A.B.C.D > on the server. >
Re: iked server/client OBSD/OBSD
Questions about cert for roadwarrior and more? Why 192.168.1.79? i was expecting 10.0.5.x please. Why did you expect that? spi=0xc166e8f236679cc9: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' 192.168.1.79 is your local IP, which is on the interface with a link to the default gateway. $ route -n show -inet If you have multiple IPs and you want to force iked to use a specific one, you have to use "local": local 10.0.5.x peer 45.77.223.7 \ spi=0xaf891eb37dd8f4cc: ca_getreq: no valid local certificate found for FQDN/roadwarrior spi=0xaf891eb37dd8f4cc: ca_getreq: using local public key of type RSA_KEY spi=0xaf891eb37dd8f4cc: send IKE_AUTH req 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 947 bytes, NAT-T spi=0xaf891eb37dd8f4cc: recv IKE_AUTH res 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 65 bytes, policy 'roadwarrior' spi=0xaf891eb37dd8f4cc: sa_free: authentication failed notification from peer Just a guess, since I have never worked with trusted public keys, but maybe you have to copy the clients local.pub it into /etc/iked/pubkeys/fqdn/roadwarrior (not /etc/iked/pubkeys/fqdn/roadwarrior/local.pub) or /etc/iked/pubkeys/ipv4/A.B.C.D on the server.
Re: [SPAM] Re: iked server/client OBSD/OBSD
> >> what is wrong? client side iked.conf: >> >> ikev2 'roadwarrior' active esp \ >> from dynamic to any \ >> peer 45.77.223.7 \ >> srcid roadwarrior \ >> dstid server1.domain \ >> request address any \ >> iface lo1 >> >> # iked -dv >> /etc/iked.conf: 43: invalid iface > > lo1 must exist: > # ifconfig lo1 create > > > To create it at a reboot: > # touch /etc/hostname.lo1 > OK Thomas thank you. Questions about cert for roadwarrior and more? Why 192.168.1.79? i was expecting 10.0.5.x please. >From Road Warrior after deletetion of certs, exept local.pub and local.key: # iked -dv ikev2 "roadwarrior" active tunnel esp inet from 0.0.0.0 to 0.0.0.0/0 from :: to ::/0 local any peer 45.77.223.7 ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid roadwarrior dstid agroena.org lifetime 10800 bytes 4294967296 signature config address any iface lo0 ikev2_init_ike_sa: initiating "roadwarrior" spi=0xc166e8f236679cc9: send IKE_SA_INIT req 0 peer 45.77.223.7:500 local 0.0.0.0:500, 518 bytes spi=0xc166e8f236679cc9: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' spi=0xc166e8f236679cc9: ca_getreq: no valid local certificate found for FQDN/roadwarrior spi=0xc166e8f236679cc9: ca_getreq: using local public key of type RSA_KEY spi=0xc166e8f236679cc9: send IKE_AUTH req 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 947 bytes, NAT-T spi=0xc166e8f236679cc9: recv IKE_AUTH res 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 65 bytes, policy 'roadwarrior' spi=0xc166e8f236679cc9: sa_free: authentication failed notification from peer spi=0x128062d2440a20ca: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' spi=0x128062d2440a20ca: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' spi=0x128062d2440a20ca: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' spi=0x128062d2440a20ca: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' spi=0x128062d2440a20ca: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' ikev2_init_ike_sa: initiating "roadwarrior" spi=0xaf891eb37dd8f4cc: send IKE_SA_INIT req 0 peer 45.77.223.7:500 local 0.0.0.0:500, 518 bytes spi=0xaf891eb37dd8f4cc: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' spi=0xaf891eb37dd8f4cc: ca_getreq: no valid local certificate found for FQDN/roadwarrior spi=0xaf891eb37dd8f4cc: ca_getreq: using local public key of type RSA_KEY spi=0xaf891eb37dd8f4cc: send IKE_AUTH req 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 947 bytes, NAT-T spi=0xaf891eb37dd8f4cc: recv IKE_AUTH res 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 65 bytes, policy 'roadwarrior' spi=0xaf891eb37dd8f4cc: sa_free: authentication failed notification from peer spi=0x128062d2440a20ca: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' ikev2_init_ike_sa: initiating "roadwarrior" spi=0x72a1368e235340b8: send IKE_SA_INIT req 0 peer 45.77.223.7:500 local 0.0.0.0:500, 518 bytes spi=0x72a1368e235340b8: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior' spi=0x72a1368e235340b8: ca_getreq: no valid local certificate found for FQDN/roadwarrior spi=0x72a1368e235340b8: ca_getreq: using local public key of type RSA_KEY spi=0x72a1368e235340b8: send IKE_AUTH req 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 947 bytes, NAT-T spi=0x72a1368e235340b8: recv IKE_AUTH res 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 65 bytes, policy 'roadwarrior' spi=0x72a1368e235340b8: sa_free: authentication failed notification from peer
Re: iked server/client OBSD/OBSD
what is wrong? client side iked.conf: ikev2 'roadwarrior' active esp \ from dynamic to any \ peer 45.77.223.7 \ srcid roadwarrior \ dstid server1.domain \ request address any \ iface lo1 # iked -dv /etc/iked.conf: 43: invalid iface lo1 must exist: # ifconfig lo1 create To create it at a reboot: # touch /etc/hostname.lo1
Re: Self-hosting OpenBSD server, any documentation?
On 7/8/23 1:03 AM, Theo de Raadt wrote: Jonathan Drews wrote: On Sat, Jul 8, 2023, at 01:42, Jonas Borchelt wrote: The book "Absolute OpenBSD" is an excellent choice to expand your knowledge of the OpenBSD operating system. It was written by Michael W. Lucas and is regarded as a comprehensive resource for beginners and advanced users alike. It covers various aspects of OpenBSD, including installation, network security, system administration, and more. Enjoy reading it! There is another book by Michael Lucas that may be of benefit: "Httpd and Relayd Mastery". You can buy it as a *.pdf from Tilted Windmill Press. One day I really should try this self-hosting which seems to be all the rage. For those of us not very good at promoting, it turns out to be a very self-serving endeavor.
Re: Self-hosting OpenBSD server, any documentation?
https://www.openbsd.org/faq/index.html https://www.openbsdhandbook.com/ https://openbsdrouterguide.net/ These are easy to follow introductions. Also the man pages, all of the mentioned refer to them. On 7/8/23 09:32, lisper.drea...@tutanota.com wrote: Hi, misc! What documents would you recommend for setting up a self-hosted OpenBSD server? This way I might learn more about OpenBSD and what is under its hood. Cheers, Andy
Re: Self-hosting OpenBSD server, any documentation?
Jonathan Drews wrote: > > > > On Sat, Jul 8, 2023, at 01:42, Jonas Borchelt wrote: > > The book "Absolute OpenBSD" is an excellent choice to expand your knowledge > > of the OpenBSD operating system. It was written by Michael W. Lucas and is > > regarded as a comprehensive resource for beginners and advanced users > > alike. It covers various aspects of OpenBSD, including installation, > > network security, system administration, and more. Enjoy reading it! > > > There is another book by Michael Lucas that may be of benefit: "Httpd and > Relayd Mastery". > You can buy it as a *.pdf from Tilted Windmill Press. > One day I really should try this self-hosting which seems to be all the rage.
Re: Self-hosting OpenBSD server, any documentation?
On Sat, Jul 8, 2023, at 01:42, Jonas Borchelt wrote: > The book "Absolute OpenBSD" is an excellent choice to expand your knowledge > of the OpenBSD operating system. It was written by Michael W. Lucas and is > regarded as a comprehensive resource for beginners and advanced users alike. > It covers various aspects of OpenBSD, including installation, network > security, system administration, and more. Enjoy reading it! > There is another book by Michael Lucas that may be of benefit: "Httpd and Relayd Mastery". You can buy it as a *.pdf from Tilted Windmill Press.
Re: Self-hosting OpenBSD server, any documentation?
The book "Absolute OpenBSD" is an excellent choice to expand your knowledge of the OpenBSD operating system. It was written by Michael W. Lucas and is regarded as a comprehensive resource for beginners and advanced users alike. It covers various aspects of OpenBSD, including installation, network security, system administration, and more. Enjoy reading it! Best Jonas > Am 08.07.2023 um 09:35 schrieb lisper.drea...@tutanota.com: > > Hi, misc! > What documents would you recommend for setting up a self-hosted OpenBSD > server? > This way I might learn more about OpenBSD and what is under its hood. > > Cheers, > Andy > > -- > Sent with Tutanota, enjoy secure & ad-free emails.
Self-hosting OpenBSD server, any documentation?
Hi, misc! What documents would you recommend for setting up a self-hosted OpenBSD server? This way I might learn more about OpenBSD and what is under its hood. Cheers, Andy -- Sent with Tutanota, enjoy secure & ad-free emails.
Re: supermicro 5019D-FTN4 server with AMD EPYC 3251 SoC Processor
On 30.6.2021. 15:34, Denis Fondras wrote: > Le Tue, Jun 29, 2021 at 07:46:55PM +0200, EdaSky a écrit : >> Good day everyone >> >> Does anyone use supermicro 5019D-FTN4 server with AMD EPYC 3251 SoC >> Processor? >> >> https://www.supermicro.com/Aplus/system/Embedded/AS-5019D-FTN4.cfm >> >> Experience and dmesg would be perfect. >> > > Experience is perfect so far. I am really happy with it as BGP edge. > > Hi Denis, are you still happy with this box? Is amd64 OpenBSD stable on it? Are you happy with pf or forwarding performance ? As in your dmesg, I thought of putting 4 port ixl(4) card in it, 1G sfp uplink, 10G for internal vlans and em(4) for pfsync... > OpenBSD 6.9-current (GENERIC.MP) #20: Sun May 16 00:32:45 MDT 2021 > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP > real mem = 34228760576 (32643MB) > avail mem = 33175949312 (31639MB) > random: good seed from bootblocks > mpath0 at root > scsibus0 at mpath0: 256 targets > mainbus0 at root > bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xdab19000 (51 entries) > bios0: vendor American Megatrends Inc. version "1.0c" date 06/30/2020 > bios0: Supermicro AS -5019D-FTN4 > acpi0 at bios0: ACPI 6.1 > acpi0: sleep states S0 S5 > acpi0: tables DSDT FACP APIC FPDT FIDT SSDT SPMI SSDT MCFG SSDT CRAT CDIT > BERT EINJ HEST HPET SSDT UEFI SSDT WSMT > acpi0: wakeup devices S0D0(S3) S0D1(S3) S0D2(S3) S0D3(S3) S1D0(S3) S1D1(S3) > S1D2(S3) S1D3(S3) > acpitimer0 at acpi0: 3579545 Hz, 32 bits > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > cpu0 at mainbus0: apid 0 (boot processor) > cpu0: AMD EPYC 3251 8-Core Processor, 2500.55 MHz, 17-01-02 > cpu0: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES > cpu0: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB > 64b/line 8-way L2 cache > cpu0: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative > cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative > cpu0: smt 0, core 0, package 0 > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges > cpu0: apic clock running at 99MHz > cpu0: mwait min=64, max=64, C-substates=1.1, IBE > cpu1 at mainbus0: apid 2 (application processor) > cpu1: AMD EPYC 3251 8-Core Processor, 2500.01 MHz, 17-01-02 > cpu1: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES > cpu1: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB > 64b/line 8-way L2 cache > cpu1: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative > cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative > cpu1: smt 0, core 1, package 0 > cpu2 at mainbus0: apid 4 (application processor) > cpu2: AMD EPYC 3251 8-Core Processor, 2500.01 MHz, 17-01-02 > cpu2: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES > cpu2: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB > 64b/line 8-way L2 cache > cpu2: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative > cpu2: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative > cpu2: smt 0, core 2, package 0 > cpu3 at mainbus0: apid 6 (application processor) > cpu3: AMD EPYC 3251 8-Core Processor, 2500.01 MHz, 17-01-02 > cpu3: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES > cpu
Re: PF: Redirect SOCKS connections to another server on a different net
Below comes the solution to this problem. For the explanations on why it works, you may refer to the original answer [1]. # sysctl net.inet.ip.forwarding=1 # cat /etc/pf.conf ... pass in on re0 proto tcp from any to (re0) port 1080 rdr-to 10.64.0.1 tag nat pass out on wg0 proto tcp nat-to (wg0) tagged nat ... [1] https://marc.info/?l=openbsd-pf=168215778109013=2 Cheers, Charlie
PF: Redirect SOCKS connections to another server on a different net
On an OpenBSD 7.2 system, I have access to a SOCKS proxy server through VPN. After the VPN connection is established, any program that supports SOCKS proxy can reach it by setting the relevant local VPN address, 10.64.0.1, and the usual port number 1080. I want to share the access to this proxy server on my OpenBSD machine with other systems in my home network. So basically what I want is to open a 1080 port on the OpenBSD server and redirect it to the local VPN address 10.64.0.1. I have been successful in doing so with the help of the "socat" program: $ socat tcp-listen:1080,bind=192.168.1.10,reuseaddr,fork \ tcp:10.64.0.1:1080 I would very much like to replace the above command with pf rule(s). All the combinations I tried with "rdr-to", "nat-to", "divert-to", "synproxy state", etc. did not work. Could someone kindly point me in the right direction (pun intended)? Below is an illustration of my setup and the desired forwarding. ,--- OpenBSD system . VPN | | / \ ,--+-.,+. .---. | re0|| wg0:| | 10.64.0.1 | | 192.168.1.0/24 || 10.76.150.11/32 |-| | :1080<===>:1080 | `--+-'`+' `---' | | `---' Cheers, Charlie
Re: fragmented ipv4[udp] ignored by server.
Hello And good day. One small update. I set up the same freeradius configuration with official freeradius docker image and my radius eap configuration. Used vmd as hyper-visor and alpine linux to run docker. And pf to redirect/nat traffic to freeradius. And it worked! Also previously same configuration of pf and freeradius worked with Freebsd to get eap tls authentication work. May be it's some default openbsd configuration or pf rules. Thank you. On 3/6/23 14:20, Mikhael Lialin wrote: Hello Tom. It's a local setup. So radius server and eapol_client are located on the near ports of cisco sg350 switch. And there is no rules on this switch present regarding fragmented packets. Anyway it's capable of rspan, and it's possible to mirror traffic from one port to another for analyse. to be sure where those packet's loss. However this requires one more pc in this scheme. In freeradius documentation (in/usr/local/share/examples/freeradius/mods-available/eap) mentioned that server and client certificates should have 509 extensions for server and client authentication. And they have. Thank you. On 3/6/23 02:27, Tom Smyth wrote: Hi Mikhael, Moving this on to Misc List as it is more approiaate for support type requests, It may not be OpenbSD, that is ignoring the fragments, depending on your setup an intermediate device ( NAT router etc) could be proccessing the IP fragments incorrectly and or dropping them... IP fragments are a pain as they dont really match the protocol of the original packet and have all sorts of issues when traversing multipath (hashed) multipath routes between the source and destination.. cloudflare have a really good article on this https://blog.cloudflare.com/ip-fragmentation-is-broken/ Hope this is of help... On Sun, 5 Mar 2023 at 22:04, Mikhael Lialin wrote: Hi. I'm successfully configured eap tls with freeradius. However with default value for fragment_size in wpa_supplicant.conf which equals 1398 - packets get fragmented and seems ignored by the server. Both systems are openbsd 7.2 here is output from thsark: --target radius-- 9 124.886123 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request id=0 10 124.894967 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 11 124.914163 10.10.2.10 ? 10.10.2.1 RADIUS 373 Access-Request id=1 12 125.010446 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 13 125.014979 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=2 14 125.032537 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 15 125.034214 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=3 16 125.045650 10.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 --source eapol_test with wpa_supplicant.conf--- 1 0.00 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request id=0 2 0.011025 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 3 0.027023 10.10.2.10 ? 10.10.2.1 RADIUS 373 Access-Request id=1 4 0.126651 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 5 0.127440 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=2 6 0.148742 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 7 0.149411 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=3 8 0.161846 10.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 9 0.179447 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b444) 10 3.193244 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b576) 11 9.213196 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=ef21) 12 21.233280 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=00d0) eapol_test fails setting fragment_size = 1212 in wpa_supplicant.conf and getting success. output from tshark: --target radius-- 1 0.00 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request id=0 2 0.006613 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 3 0.024538 10.10.2.10 ? 10.10.2.1 RADIUS 373 Access-Request id=1 4 0.104617 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 5 0.106355 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=2 6 0.114877 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 7 0.118679 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=3 8 0.128309 10.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 9 0.145442 10.10.2.10 ? 10.10.2.1 RADIUS 1415 Access-Request id=4 10 0.160230 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=4 11 0.161621 10.10.2.10 ? 10.10.2.1
Re: sftp-server listening port how-to
Stuart Henderson : > Do you have the correct directory? > > The user's home directory is appended to ChrootDirectory. e.g. in your example > something like /home/of/the/hackers/home/myftpuser. Super good, now I'm also chrooted.. Thanks a lot, Stuart! -- Daniele Bonini
Re: sftp-server listening port how-to
On 2023-03-09, Daniele Bonini wrote: > I configured sshd to chroot ftp requests in this way: > > Match User myftpuser > ChrootDirectory /home/of/the/hackers > ForceCommand internal-sftp > > giving the proper permissions to the destination dir, etc. > as from Peter doc too. Do you have the correct directory? The user's home directory is appended to ChrootDirectory. e.g. in your example something like /home/of/the/hackers/home/myftpuser. -- Please keep replies on the mailing list.
Re: sftp-server listening port how-to
> let's remain on sftp topic.. I finally managed to receive the proper answers from my hosting that permitted me change sshd port successfully. On the other hand I came across some Linoox doc about how-to produce a chroot ssh environment to make the sshd_config settings meaningful and running and from my understanding I consider all that effort a little overwhelming against my necessities, at time. However, I want thank all for your answers. -- Daniele Bonini
Re: sftp-server listening port how-to
On Thu, 9 Mar 2023 13:13:40 +0100 "Peter N. M. Hansteen" wrote: > Further to the "why would you want to?" issue, I offer this from the > Hail Mary Cloud cycle: > https://bsdly.blogspot.com/2013/02/theres-no-protection-in-high-ports.html About the only benefit is that having a non-standard port number for SSH/SFTP is that the noise generated by the script kiddies banging on port 22 and not trying other port numbers is reduced. It most definitely does not make anything more secure as a port scan will soon tell an attacker where to try next. It'll stop the most brain-dead of script kiddies, but have little effect with an attacker that has half a working braincell and a copy of `nmap` handy. The latter group is smaller than the former, but is still very large, so the amount of noise reduced will vary. -- Stuart Longland (aka Redhatter, VK4MSL) I haven't lost my mind... ...it's backed up on a tape somewhere.
Re: sftp-server listening port how-to
Here I am with one more trouble.. (I'm still waiting proper reply from the hosting for the change of sshd port and the related consequences to the VPS console but let's remain on sftp topic..) I configured sshd to chroot ftp requests in this way: Match User myftpuser ChrootDirectory /home/of/the/hackers ForceCommand internal-sftp giving the proper permissions to the destination dir, etc. as from Peter doc too. Both by Filezilla and console sftp I get ugly errors: Filezilla: FATAL ERROR: Remote side unexpectedly closed network Could not connect to server sftp: client_loop: send disconnect: Broken pipe Connection closed NB: I do not want to exit from the match directive scope and find me in more troubles :-/ -- Daniele Bonini
Re: sftp-server listening port how-to
Peter N. M. Hansteen : > > That little guide I posted a link to has a section about setting up > a separate set of users for sftp Thank you for your answers and the doc too, Peter. While I'm reading you I'm trying to grasp from my hosting what are they enforcing under their gui layer to understand if it is good to proceed in this one more security distraction.. Again, appreciated. -- Daniele Bonini
Re: sftp-server listening port how-to
On Thu, Mar 09, 2023 at 01:31:47PM +0100, Daniele Bonini wrote: > > > change it to any number you want. > > VPS here come in a nice package with a default web console over ssh. > > An other one: if I try to nobody the user default shell > I'm out of any luck to be able to connect. That little guide I posted a link to has a section about setting up a separate set of users for sftp. For other use, you would likely be better off with a normal shell. something like keep your normal user (guessing 'daniele'), and in addition define 'sftp-daniele' along with other users who only need sftp, not a regular shell, in a handful of easy steps as outlined in the guide. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: sftp-server listening port how-to
cor...@free.fr wrote: > > Since sftp uses ssh port, you can just change the port for sshd. > in sshd_config: > > Port 22 > > change it to any number you want. VPS here come in a nice package with a default web console over ssh. An other one: if I try to nobody the user default shell I'm out of any luck to be able to connect. Unfortunately appear all a little too restrictive. However, thank you for the quick reply.
Re: sftp-server listening port how-to
On Thu, Mar 09, 2023 at 12:47:14PM +0100, Daniele Bonini wrote: > > I'm wondering if there is any chance to change the default > listening port for sftp-server. > > NB: I'm using it on my Linoox VPS but I see from the man > a given OpenBSD 2.8 port origin. it is indeed possible to change the listening port. It's all in the man page. My immediate question would be, why would you want to? For a truly unhelpful interlude, I offer [Thu Mar 09 13:07:40] peter@skapet:~$ grep sftp /etc/services sftp115/tcp or on a nearby mac, [Thu Mar 09 13:08:14] peter@Peters-MacBook-Pro:~$ grep sftp /etc/services sftp115/udp # Simple File Transfer Protocol sftp115/tcp # Simple File Transfer Protocol utsftp 2529/udp# UTS FTP utsftp 2529/tcp# UTS FTP which hints strongly at the historical "Simple File Transfer Protocol", described in RF913, dated September 1984 (and it is likely not what you want. At all). For the actual steps involved in setting up your sshd with sftp-server, this guide looks at first blush fairly sane: https://linuxhandbook.com/sftp-server-setup/ Further to the "why would you want to?" issue, I offer this from the Hail Mary Cloud cycle: https://bsdly.blogspot.com/2013/02/theres-no-protection-in-high-ports.html -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: sftp-server listening port how-to
On 09/03/2023 19:47, Daniele Bonini wrote: Hello, I'm wondering if there is any chance to change the default listening port for sftp-server. NB: I'm using it on my Linoox VPS but I see from the man a given OpenBSD 2.8 port origin. Thanks, appreciated! -- Daniele Bonini Since sftp uses ssh port, you can just change the port for sshd. in sshd_config: Port 22 change it to any number you want. Thanks.
sftp-server listening port how-to
Hello, I'm wondering if there is any chance to change the default listening port for sftp-server. NB: I'm using it on my Linoox VPS but I see from the man a given OpenBSD 2.8 port origin. Thanks, appreciated! -- Daniele Bonini
Re: fragmented ipv4[udp] ignored by server. OT: pf optimization setup
Tom Smyth : > IP fragments are a pain as they dont really match the protocol of the > original packet and have all sorts of issues when traversing multipath > (hashed) multipath routes between the source and destination.. > cloudflare have a really good article on this > https://blog.cloudflare.com/ip-fragmentation-is-broken/ Thank you for this one, Tom I'd like to ask if it could be possible to have a new option between aggressive and normal for 'set optimization' in pf? Or if you consider the aggressive setting enough good for little desktops with security in mind too? Thanks, -- Daniele Bonini
Re: fragmented ipv4[udp] ignored by server.
Hello Tom. It's a local setup. So radius server and eapol_client are located on the near ports of cisco sg350 switch. And there is no rules on this switch present regarding fragmented packets. Anyway it's capable of rspan, and it's possible to mirror traffic from one port to another for analyse. to be sure where those packet's loss. However this requires one more pc in this scheme. In freeradius documentation (in/usr/local/share/examples/freeradius/mods-available/eap) mentioned that server and client certificates should have 509 extensions for server and client authentication. And they have. Thank you. On 3/6/23 02:27, Tom Smyth wrote: Hi Mikhael, Moving this on to Misc List as it is more approiaate for support type requests, It may not be OpenbSD, that is ignoring the fragments, depending on your setup an intermediate device ( NAT router etc) could be proccessing the IP fragments incorrectly and or dropping them... IP fragments are a pain as they dont really match the protocol of the original packet and have all sorts of issues when traversing multipath (hashed) multipath routes between the source and destination.. cloudflare have a really good article on this https://blog.cloudflare.com/ip-fragmentation-is-broken/ Hope this is of help... On Sun, 5 Mar 2023 at 22:04, Mikhael Lialin wrote: Hi. I'm successfully configured eap tls with freeradius. However with default value for fragment_size in wpa_supplicant.conf which equals 1398 - packets get fragmented and seems ignored by the server. Both systems are openbsd 7.2 here is output from thsark: --target radius-- 9 124.886123 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request id=0 10 124.894967 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 11 124.914163 10.10.2.10 ? 10.10.2.1 RADIUS 373 Access-Request id=1 12 125.010446 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 13 125.014979 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=2 14 125.032537 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 15 125.034214 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=3 16 125.045650 10.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 --source eapol_test with wpa_supplicant.conf--- 1 0.00 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request id=0 2 0.011025 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 3 0.027023 10.10.2.10 ? 10.10.2.1 RADIUS 373 Access-Request id=1 4 0.126651 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 5 0.127440 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=2 6 0.148742 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 7 0.149411 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=3 8 0.161846 10.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 9 0.179447 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b444) 10 3.193244 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b576) 11 9.213196 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=ef21) 12 21.233280 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=00d0) eapol_test fails setting fragment_size = 1212 in wpa_supplicant.conf and getting success. output from tshark: --target radius-- 1 0.00 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request id=0 2 0.006613 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 3 0.024538 10.10.2.10 ? 10.10.2.1 RADIUS 373 Access-Request id=1 4 0.104617 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 5 0.106355 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=2 6 0.114877 10.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 7 0.118679 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=3 8 0.128309 10.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 9 0.145442 10.10.2.10 ? 10.10.2.1 RADIUS 1415 Access-Request id=4 10 0.160230 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=4 11 0.161621 10.10.2.10 ? 10.10.2.1 RADIUS 1372 Access-Request id=5 12 0.262102 10.10.2.1 ? 10.10.2.10 RADIUS 161 Access-Challenge id=5 13 0.263753 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request id=6 14 0.281330 10.10.2.1 ? 10.10.2.10 RADIUS 226 Access-Accept id=6 --source eapol_test with wpa_supplicant.conf--- 1 0.00 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request id=0 2 0.010060 10.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0
Re: fragmented ipv4[udp] ignored by server.
Hi Mikhael, Moving this on to Misc List as it is more approiaate for support type requests, It may not be OpenbSD, that is ignoring the fragments, depending on your setup an intermediate device ( NAT router etc) could be proccessing the IP fragments incorrectly and or dropping them... IP fragments are a pain as they dont really match the protocol of the original packet and have all sorts of issues when traversing multipath (hashed) multipath routes between the source and destination.. cloudflare have a really good article on this https://blog.cloudflare.com/ip-fragmentation-is-broken/ Hope this is of help... On Sun, 5 Mar 2023 at 22:04, Mikhael Lialin wrote: > Hi. > > I'm successfully configured eap tls with freeradius. > > However with default value for fragment_size in wpa_supplicant.conf > which equals 1398 - packets get fragmented and seems ignored by the server. > > Both systems are openbsd 7.2 > > here is output from thsark: > > --target radius-- > 9 124.886123 10.10.2.10 ? 10.10.2.1RADIUS 188 Access-Request id=0 > 10 124.89496710.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 > 11 124.914163 10.10.2.10 ? 10.10.2.1RADIUS 373 Access-Request id=1 > 12 125.01044610.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 > 13 125.014979 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request id=2 > 14 125.03253710.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 > 15 125.034214 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request id=3 > 16 125.04565010.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 > > > --source eapol_test with wpa_supplicant.conf--- > > 1 0.00 10.10.2.10 ? 10.10.2.1RADIUS 188 Access-Request id=0 > 2 0.01102510.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 > 3 0.027023 10.10.2.10 ? 10.10.2.1RADIUS 373 Access-Request id=1 > 4 0.12665110.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 > 5 0.127440 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request id=2 > 6 0.14874210.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 > 7 0.149411 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request id=3 > 8 0.16184610.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 > 9 0.179447 10.10.2.10 ? 10.10.2.1IPv4 1514 Fragmented IP > protocol (proto=UDP 17, off=0, ID=b444) > 10 3.193244 10.10.2.10 ? 10.10.2.1IPv4 1514 Fragmented IP > protocol (proto=UDP 17, off=0, ID=b576) > 11 9.213196 10.10.2.10 ? 10.10.2.1IPv4 1514 Fragmented IP > protocol (proto=UDP 17, off=0, ID=ef21) > 12 21.233280 10.10.2.10 ? 10.10.2.1IPv4 1514 Fragmented IP > protocol (proto=UDP 17, off=0, ID=00d0) > > eapol_test fails > > setting fragment_size = 1212 in wpa_supplicant.conf and getting success. > > output from tshark: > > --target radius-- > 1 0.00 10.10.2.10 ? 10.10.2.1RADIUS 188 Access-Request id=0 > 2 0.00661310.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=0 > 3 0.024538 10.10.2.10 ? 10.10.2.1RADIUS 373 Access-Request id=1 > 4 0.10461710.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=1 > 5 0.106355 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request id=2 > 6 0.11487710.10.2.1 ? 10.10.2.10 RADIUS 1320 Access-Challenge id=2 > 7 0.118679 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request id=3 > 8 0.12830910.10.2.1 ? 10.10.2.10 RADIUS 300 Access-Challenge id=3 > 9 0.145442 10.10.2.10 ? 10.10.2.1RADIUS 1415 Access-Request id=4 > 10 0.16023010.10.2.1 ? 10.10.2.10 RADIUS 106 Access-Challenge id=4 > 11 0.161621 10.10.2.10 ? 10.10.2.1RADIUS 1372 Access-Request id=5 > 12 0.26210210.10.2.1 ? 10.10.2.10 RADIUS 161 Access-Challenge id=5 > 13 0.263753 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request id=6 > 14 0.28133010.10.2.1 ? 10.10.2.10 RADIUS 226 Access-Accept id=6 > > --source eapol_test with wpa_supplicant.conf--- > > 1 0.00 10.10.2.10 ? 10.10.2.1RADIUS 188 Access-Request > id=0 > 2 0.01006010.10.2.1 ? 10.10.2.10 RADIUS 106 > Access-Challenge id=0 > 3 0.023662 10.10.2.10 ? 10.10.2.1RADIUS 373 Access-Request > id=1 > 4 0.10807210.10.2.1 ? 10.10.2.10 RADIUS 1320 > Access-Challenge id=1 > 5 0.108734 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request > id=2 > 6 0.11863210.10.2.1 ? 10.10.2.10 RADIUS 1320 > Access-Challenge id=2 > 7 0.119341 10.10.2.10 ? 10.10.2.1RADIUS 191 Access-Request > id=3 > 8 0.13202610.10.2.1 ? 10.10.2.10 RADIUS 300 > Access-Challenge id=3 > 9 0.147236 10.10.2.10 ? 10.10.2.1RADIUS 1415 Access-Request > id=4 > 10 0.16330010.10.2.1 ? 10.10.2.10 RADIUS 106 > Acces
Re: Gitweb with Httpd on openbsd server
> >> I am in trouble to set up gitweb with httpd. I am not aware with webersever. > > First thing to notice is that most web server (httpd(8) from base but > also a few of the ones you can get from ports) on OpenBSD runs by > default in the /var/www chroot. Problem arising, although it is about Gitweb, /var/www is chrooted by design. Two considerations to add in the thread: - as per suggestion of Omar not using chroot means indirectly trust Gitweb cgi - /var/www chrooted by design miss any chroot granular configuration at app level like it is with open_basedir for php (and phpfpm). However this design choise is a means to a secure environment..it is like that for pf, ubound and so forth.. I come also from many troubles caused by /var/www chrooted expecially configuring NextCloud because I was mounting on www, etc.. (by memory) I don't know..is there the option to make a port of Gitweb, eventually? -- Daniele Bonini
Re: Gitweb with Httpd on openbsd server
On 2023/02/19 18:17:25 +0100, airwan+...@mailo.com wrote:
> Hello,
>
> I am in trouble to set up gitweb with httpd. I am not aware with webersever.
First thing to notice is that most web server (httpd(8) from base but
also a few of the ones you can get from ports) on OpenBSD runs by
default in the /var/www chroot.
> My /etc.gitweb.conf contains:
>
> $projectroot = "/home/git";
so this is not going to work. A process inside the /var/www chroot
will try to open /var/www/home/git which I don't expect to exists.
Actually, the config file won't be parsed at all since it's in /etc...
> $projects_list = $projectroot;
>
> My /etc/httpd.conf contains
>
> server "default" {
> listen on * port 80
> fastcgi
> root "/gitweb"
> }
>
> because I copy /usr/local/share/gitweb to /var/www/gitweb
>
> The later contain gitweb.cgi.
>
> I also copy perl, and libraries to a subtree in /var/www/usr/...
Hold still for a moment and think what you're doing. You're almost
re-creating a standard OpenBSD installation inside /var/www. Why?
Some software just isn't designed to run in a chroot (gitweb in this
case) and forcing it to run inside one will always require hacks.
Lots of ugly hacks usually.
If you really really really _must_ use gitweb, then you'll probably
find it easier to run httpd(8) and slowcgi(8) without chroot.
Personally I won't do it. And neither suggest others to do so.
You're loosing many of the advantages the design and defaults of
httpd(8) and slowcgi(8) brings to you.
There are other solutions that can work nicely in a /var/www chroot
however.
For starters, there are various programs that exports a git repository
to a set of static HTML files (stagit comes to mind, but it's far from
being the only.)
cgit (as packaged on OpenBSD) should also work by default inside the
/var/www chroot and has an handy README with hints for the httpd(8)
configuration needed.
Then there's gotwebd, which I personally prefer among these options,
but note that I'm biased being one of the contributors ;-)
(and there's probably more I'm just forgetting about.)
Gitweb with Httpd on openbsd server
Hello,
I am in trouble to set up gitweb with httpd. I am not aware with webersever.
My /etc.gitweb.conf contains:
$projectroot = "/home/git";
$projects_list = $projectroot;
My /etc/httpd.conf contains
server "default" {
listen on * port 80
fastcgi
root "/gitweb"
}
because I copy /usr/local/share/gitweb to /var/www/gitweb
The later contain gitweb.cgi.
I also copy perl, and libraries to a subtree in /var/www/usr/...
I am stuck, trying different stuffs, but I have not the logics..
Http is enable and works fine with simple html by the way
Can someone help me?
Thanks.
Re: Universal Media Server on OpenBSD
On 2/10/23 05:58, kasak wrote: > Hello misc! > > If somebody interested, i've successfully launched UMS on OpenBSD 7.2. > Wooo, Great work! > Here it is: > > > pkg_add mediainfo mplayer ffmpeg jdk%17 > > useradd -L daemon -s /sbin/nologin -d /var/ums -m -s /var/empty _ums > > ftp > https://github.com/UniversalMediaServer/UniversalMediaServer/releases/download/13.2.0/UMS-13.2.0-x86_64.tgz > > doas tar -xzvf UMS-13.2.0-x86_64.tgz -C /usr/local -s /-13.2.0// > > after that, create rc file for headless mode: > > /etc/rc.d/ums: > > - > > #!/bin/ksh > > JAVA_HOME="/usr/local/jdk-17" > JAVA="$JAVA_HOME/bin/java" > UMS_MAX_MEMORY=1280M > PMS_JARS="update.jar:ums.jar" > PMS_HOME=/usr/local/ums > > daemon="$JAVA -Xmx$UMS_MAX_MEMORY -Xss2048k -Dfile.encoding=UTF-8 > -Djava.net.preferIPv4Stack=true -Djna.nosys=true -classpath $PMS_JARS > net.pms.PMS console" > daemon_user="_ums" > daemon_execdir="$PMS_HOME" > > . /etc/rc.d/rc.subr > > rc_bg="YES" > rc_reload="NO" > rc_cmd $1 > > - > > > It seems working just fine. > > Do we need a port for it? I wanted to create a port, but it is pretty > difficult to me. Maybe if it is needed, I should dig into it? > Ports are nice to have, then it is accessible to lot more people. Here are two similar Java ports which you can use to create a port for UMS - https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/jitsi/videobridge/ and https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/jitsi/jicofo/ Looking forward to the port, Aisha
