reposync:host key verification failed
Hello misc@,

I have used a shell script containing the following statements since the
20th January 2021. It has executed without error until recently. The
last error free execution was on the 30th May.

#!/bin/ksh
logfile="$HOME/var/log/updcvs"
printf "\n$(date)\n" >> $logfile
printf "Call reposync to update local /cvs repository\nOutput is logged to $logfile\n"
doas -u cvs /usr/local/bin/reposync rsync://anoncvs.au.openbsd.org/cvs /cvs 2>&1 | /usr/bin/tee -a $logfile
exit $?

Using a previous snapshot, reposync began to report failures as shown in
my log, on:
Mon May 31 20:07:02 NZST 2021
reposync: host key verification failed - see /var/db/reposync/known_hosts

The same error was then recorded in my log on the 3rd, 4th, 5th, and
6th of June. The above known_hosts file does not exist on this machine.
The FILES section of reposync(1) I have interpreted as meaning that the
above known_hosts file, is not needed when the official keys exist in
file /usr/local/share/reposync/ssh_known_hosts which they do on this
machine.

Hints as to where the problem is would be very appreciated. I have
included a dmesg output on the off chance it will contain useful
information.

Regards Avon.
Re: pflow on PE router
Perhaps it has something to do with Citrix being a dinosaur.
God forbid the powers that be choose on premise unix.
Regards
Patrick

> On Jun 4, 2021, at 6:43 AM, Stuart Henderson wrote:
>
> On 2021/06/03 15:04, Chris Cappuccio wrote:
>> Stuart Henderson [s...@spacehopper.org] wrote:
>>>
>>> Oh watch out with sloppy. Keep an eye on your state table size.
>>
>> Really? Wouldn't sloppy keep the state table smaller if anything since it's
>> tracking less specifically?
>>
>> Anyways I use sloppy across four boxes that run in parallel with pfsync.
>> There could easily be 10,000 devices behind it at any given time. I keep my
>> state table limit at 1,000,000. It's around 300,000 during this lighter
>> traffic period today. I had to do sloppy after moving to several boxes in
>> parallel, I didn't notice sloppy making any significant difference?
>>
>> Chris
>
> The problem I had was in conjunction with synfloods. I didn't get
> captures for everything to figure it out (it was in 2018 and my
> network was in flames, with the full state table bgp sessions were
> getting dropped / not reestablishing) but I think what happened was
> this,
>
> spoofed SYN to real server behind PF
> SYN+ACK from server
>
> and the state entry ended up as ESTABLISHED:ESTABLISHED where it
> remained until the tcp.established timer expired (24h default
> or 5h with "set optimization aggressive").
>
> My "fix" was to move as much as possible to "pass XX flags any no state"
> but that's clearly not going to help with what Denis would like to do.
> (fwiw - I'm not doing flow monitoring regularly, but when I do it's
> usually via sflow on switches instead, which solves some problems,
> though it's only possible in some situations).
Re: reposync:host key verification failed
On 2021-06-06, Avon Robertson wrote:

> reposync: host key verification failed - see
> /var/db/reposync/known_hosts
>
> The same error was then recorded in my log on the 3rd, 4th, 5th, and
> 6th of June. The above known_hosts file does not exist on this machine.
> The FILES section of reposync(1) I have interpreted as meaning that the
> above known_hosts file, is not needed when the official keys exist in
> file /usr/local/share/reposync/ssh_known_hosts which they do on this
> machine.

So what are the fingerprints of the SSH keys in your ssh_known_hosts?

$ ssh-keygen -lf /usr/local/share/reposync/ssh_known_hosts

How do they compare against those given for anoncvs.au.openbsd.org
on https://www.openbsd.org/anoncvs.html ?

> Hints as to where the problem is would be very appreciated.

anoncvs.au.openbsd.org could have changed SSH keys, but that is not
the case. The entries on anoncvs.html have not been updated recently
and they match the keys that I see from this host right now.

256 SHA256:kg2Zaqpd8ZuluPzlpFS9rEw0KR1UmxD9jSG6+2tr28A anoncvs.au.openbsd.org (ECDSA)
2048 SHA256:pPcBY4E33vwreETbz5KJUIzZpWWzaZPhrpnLaFa7WuQ anoncvs.au.openbsd.org (RSA)
256 SHA256:4CbDtzH/6mqQ/f6KDLz0rdqK2Thk4dQQtHXOxTONEvk anoncvs.au.openbsd.org (ED25519)

Your /usr/local/share/reposync/ssh_known_hosts could have become
corrupted.

Somebody could be hijacking your TCP connections and trying to
redirect them to a different machine. That is what the SSH host
keys protect against. THIS IS APPROXIMATELY NEVER THE CASE.

--
Christian "naddy" Weisgerber na...@mips.inka.de
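The fingerprint comparison asked for in the reply above, as an added example that is not part of the thread and not reposync's own code. It recomputes the SHA256 fingerprints from a known_hosts file and separates a damaged entry (the "corrupted file" case) from an intact key that differs from the published list. The function names, the 203.0.113.7 address, other.example.org and the sample keys are constructed for illustration; with a real file, pass its text and `PUBLISHED` to `audit`.

```python
import base64
import hashlib
import struct

HOST = "anoncvs.au.openbsd.org"

# Fingerprints quoted for this host in the reply above.
PUBLISHED = {
    "SHA256:kg2Zaqpd8ZuluPzlpFS9rEw0KR1UmxD9jSG6+2tr28A",  # ECDSA
    "SHA256:pPcBY4E33vwreETbz5KJUIzZpWWzaZPhrpnLaFa7WuQ",  # RSA
    "SHA256:4CbDtzH/6mqQ/f6KDLz0rdqK2Thk4dQQtHXOxTONEvk",  # ED25519
}


def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -l prints it (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(blob):
    """Return the length-prefixed algorithm name that opens a key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix")
    return blob[4:4 + n].decode("ascii")


def audit(known_hosts, host, published):
    """Return (line_no, key_type, status, fingerprint) per entry naming host.

    Hashed host names (|1|...) cannot be matched by name and are skipped.
    """
    results = []
    for no, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        # Comments, and @cert-authority / @revoked lines, are not plain host keys.
        if not fields or fields[0].startswith(("#", "@")):
            continue
        if host not in fields[0].split(","):
            continue
        if len(fields) < 3:
            results.append((no, None, "corrupt", None))
            continue
        ktype, b64 = fields[1], fields[2]
        try:
            blob = base64.b64decode(b64, validate=True)
            if blob_key_type(blob) != ktype:
                raise ValueError("type field and key blob disagree")
        except ValueError:  # also covers binascii.Error and decode errors
            results.append((no, ktype, "corrupt", None))
            continue
        fp = fingerprint(blob)
        results.append((no, ktype, "match" if fp in published else "MISMATCH", fp))
    return results


def ed25519_blob(raw32):
    """Build a public-key blob from 32 constructed bytes (not a real host key)."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw32


GOOD = ed25519_blob(bytes(range(32)))
OTHER = ed25519_blob(bytes(range(1, 33)))
SAMPLE = "\n".join([
    "# constructed sample, not the contents of any real ssh_known_hosts",
    HOST + " ssh-ed25519 " + base64.b64encode(GOOD).decode(),
    HOST + ",203.0.113.7 ssh-ed25519 " + base64.b64encode(OTHER).decode(),
    HOST + " ssh-ed25519 " + base64.b64encode(GOOD).decode()[:-6],  # damaged
    "other.example.org ssh-ed25519 " + base64.b64encode(GOOD).decode(),
])

if __name__ == "__main__":
    # The demo pins the constructed key; a real check would pass PUBLISHED.
    for row in audit(SAMPLE, HOST, {fingerprint(GOOD)}):
        print(*row)
```
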
Re: reposync:host key verification failed
Yes a diff we need tested. Snapshots often contain future diffs, being
tested, and once in a while those diffs contain errors.

Newer snapshots contain a fix to this diff, another approach is to try a
newer snapshot.

Stuart Henderson wrote:

> There are some diffs in ssh in snapshots, please try building ssh from
> source rather than snapshot and see if it fixes things,
>
> $ cd /usr/src/usr.bin/ssh
> $ cvs up
> $ make obj
> $ make
> $ doas make install
>
>
> On 2021-06-06, Avon Robertson wrote:
> > Hello misc@,
> > I have used a shell script containing the following statements since the
> > 20th January 2021. It has executed without error until recently. The
> > last error free execution was on the 30th May.
> >
> > #!/bin/ksh
> > logfile="$HOME/var/log/updcvs"
> > printf "\n$(date)\n" >> $logfile
> > printf "Call reposync to update local /cvs repository\nOutput is logged to
> > $logfile\n"
> > doas -u cvs /usr/local/bin/reposync rsync://anoncvs.au.openbsd.org/cvs /cvs
> > 2>&1 | /usr/bin/tee -a $logfile
> > exit $?
> >
> > Using a previous snapshot, reposync began to report failures as shown in
> > my log, on:
> > Mon May 31 20:07:02 NZST 2021
> > reposync: host key verification failed - see
> > /var/db/reposync/known_hosts
> >
> > The same error was then recorded in my log on the 3rd, 4th, 5th, and
> > 6th of June. The above known_hosts file does not exist on this machine.
> > The FILES section of reposync(1) I have interpreted as meaning that the
> > above known_hosts file, is not needed when the official keys exist in
> > file /usr/local/share/reposync/ssh_known_hosts which they do on this
> > machine.
> >
> > Hints as to where the problem is would be very appreciated. I have
> > included a dmesg output on the off chance it will contain useful
> > information.
> >
> > Regards Avon.
Re: reposync:host key verification failed
Hello Theo, Stuart, and naddy,

Thank you for your responses. I will do as you have suggested and post my
findings to misc@ upon completion.

Regards Avon.

On Sun, Jun 06, 2021 at 04:38:55PM -0600, Theo de Raadt wrote:
> Yes a diff we need tested. Snapshots often contain future diffs, being
> tested, and once in a while those diffs contain errors.
>
> Newer snapshots contain a fix to this diff, another approach is to try a
> newer snapshot.
>
>
> Stuart Henderson wrote:
>
> > There are some diffs in ssh in snapshots, please try building ssh from
> > source rather than snapshot and see if it fixes things,
> >
> > $ cd /usr/src/usr.bin/ssh
> > $ cvs up
> > $ make obj
> > $ make
> > $ doas make install
> >
> >
> > On 2021-06-06, Avon Robertson wrote:
> > > Hello misc@,
> > > I have used a shell script containing the following statements since the
> > > 20th January 2021. It has executed without error until recently. The
> > > last error free execution was on the 30th May.
> > >
> > > #!/bin/ksh
> > > logfile="$HOME/var/log/updcvs"
> > > printf "\n$(date)\n" >> $logfile
> > > printf "Call reposync to update local /cvs repository\nOutput is logged
> > > to $logfile\n"
> > > doas -u cvs /usr/local/bin/reposync rsync://anoncvs.au.openbsd.org/cvs
> > > /cvs 2>&1 | /usr/bin/tee -a $logfile
> > > exit $?
> > >
> > > Using a previous snapshot, reposync began to report failures as shown in
> > > my log, on:
> > > Mon May 31 20:07:02 NZST 2021
> > > reposync: host key verification failed - see
> > > /var/db/reposync/known_hosts
> > >
> > > The same error was then recorded in my log on the 3rd, 4th, 5th, and
> > > 6th of June. The above known_hosts file does not exist on this machine.
> > > The FILES section of reposync(1) I have interpreted as meaning that the
> > > above known_hosts file, is not needed when the official keys exist in
> > > file /usr/local/share/reposync/ssh_known_hosts which they do on this
> > > machine.
> > >
> > > Hints as to where the problem is would be very appreciated. I have
> > > included a dmesg output on the off chance it will contain useful
> > > information.
> > >
> > > Regards Avon.
Re: pflow on PE router
On 2021-06-06, Patrick Dohman wrote:
> Perhaps it has something to do with Citrix being a dinosaur.
> God forbid the powers that be choose on premise unix.
> Regards
> Patrick

Your message doesn't appear to relate in any way to the message to which
you're replying.

>> On Jun 4, 2021, at 6:43 AM, Stuart Henderson wrote:
>>
>> On 2021/06/03 15:04, Chris Cappuccio wrote:
>>> Stuart Henderson [s...@spacehopper.org] wrote:
>>>> Oh watch out with sloppy. Keep an eye on your state table size.
>>>
>>> Really? Wouldn't sloppy keep the state table smaller if anything since it's
>>> tracking less specifically?
>>>
>>> Anyways I use sloppy across four boxes that run in parallel with pfsync.
>>> There could easily be 10,000 devices behind it at any given time. I keep my
>>> state table limit at 1,000,000. It's around 300,000 during this lighter
>>> traffic period today. I had to do sloppy after moving to several boxes in
>>> parallel, I didn't notice sloppy making any significant difference?
>>>
>>> Chris
>>
>> The problem I had was in conjunction with synfloods. I didn't get
>> captures for everything to figure it out (it was in 2018 and my
>> network was in flames, with the full state table bgp sessions were
>> getting dropped / not reestablishing) but I think what happened was
>> this,
>>
>> spoofed SYN to real server behind PF
>> SYN+ACK from server
>>
>> and the state entry ended up as ESTABLISHED:ESTABLISHED where it
>> remained until the tcp.established timer expired (24h default
>> or 5h with "set optimization aggressive").
>>
>> My "fix" was to move as much as possible to "pass XX flags any no state"
>> but that's clearly not going to help with what Denis would like to do.
>> (fwiw - I'm not doing flow monitoring regularly, but when I do it's
>> usually via sflow on switches instead, which solves some problems,
>> though it's only possible in some situations).
Re: reposync:host key verification failed
There are some diffs in ssh in snapshots, please try building ssh from
source rather than snapshot and see if it fixes things,

$ cd /usr/src/usr.bin/ssh
$ cvs up
$ make obj
$ make
$ doas make install


On 2021-06-06, Avon Robertson wrote:
> Hello misc@,
> I have used a shell script containing the following statements since the
> 20th January 2021. It has executed without error until recently. The
> last error free execution was on the 30th May.
>
> #!/bin/ksh
> logfile="$HOME/var/log/updcvs"
> printf "\n$(date)\n" >> $logfile
> printf "Call reposync to update local /cvs repository\nOutput is logged to
> $logfile\n"
> doas -u cvs /usr/local/bin/reposync rsync://anoncvs.au.openbsd.org/cvs /cvs
> 2>&1 | /usr/bin/tee -a $logfile
> exit $?
>
> Using a previous snapshot, reposync began to report failures as shown in
> my log, on:
> Mon May 31 20:07:02 NZST 2021
> reposync: host key verification failed - see
> /var/db/reposync/known_hosts
>
> The same error was then recorded in my log on the 3rd, 4th, 5th, and
> 6th of June. The above known_hosts file does not exist on this machine.
> The FILES section of reposync(1) I have interpreted as meaning that the
> above known_hosts file, is not needed when the official keys exist in
> file /usr/local/share/reposync/ssh_known_hosts which they do on this
> machine.
>
> Hints as to where the problem is would be very appreciated. I have
> included a dmesg output on the off chance it will contain useful
> information.
>
> Regards Avon.