Re: cant login after make installworld: pam_opie.so.6 not found

2023-01-06 Thread grarpamp
On 1/6/23, Xin Li wrote: > Security team has discussed this a decade ago. See > https://www.miknet.net/security/skey-dungeon-attack/ > for technical details. That would mean that FreeBSD knowingly left users exploitable without doing even the "easy fix" in that article to the opie code for over

Re: Putting OPIE to rest (was: Re: cant login after make installworld: pam_opie.so.6 not found)

2023-01-05 Thread grarpamp
On 1/5/23, Graham Perrin wrote: > I recall the original email Orthagonal as it, and some notes since neither consider any potential gap issue or/of any perhaps whimful removal process, nor moves forward on any of potential better alternatives to that which were hint (port) a bit in posts even

Re: cant login after make installworld: pam_opie.so.6 not found

2023-01-04 Thread grarpamp
>> looks like the "make delete-old-libs" has deleted that lib pam_opie.so.6 >> and now I cannot pass the login prompt >> says the error "pam_opie.so: not found >> how can I get it back? I tried everything and nothing brought it back > commit 0aa2700123e22c2b0a977375e087dc2759b8e980 >

Re: CA's TLS Certificate Bundle in base = BAD

2022-12-03 Thread grarpamp
Again, FreeBSD should not be including the bundle in base, if users choose to, they can get it from ports or packages or wherever else. Including such bundles exposes users worldwide to massive risks. You need to do more gpg attestation, pubkey pinning [1], tofu, and cert management starting from

Re: Status of Alder Lake support

2022-10-21 Thread grarpamp
> What is the current state of support for Alder Lake CPUs Some opensource support and tools for managing certain aspects of Alder Lake should be appearing before long... https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge

Re: Putting OPIE to rest

2022-10-16 Thread grarpamp
On 9/15/22, Dag-Erling Smørgrav wrote: > Neither HOTP nor TOTP require dedicated devices. > HOTP codes are sequential and can be pre-generated... Those aren't really their intended or advertised usage models, nor do common implementations support those modes. Is FreeBSD contributing and

Re: Putting OPIE to rest

2022-09-15 Thread grarpamp
On 9/15/22, Dag-Erling Smørgrav wrote: > I will be removing OPIE from the main branch within the next few days. > It has long outlived its usefulness. Anyone still using it should look > into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator). > https://reviews.freebsd.org/D36592

Re: Updating EFI boot loader results in boot hangup

2022-08-21 Thread grarpamp
On 8/nn/22, yet top-posted: > [snip] https://www.idallen.com/topposting.html

Re: Posting netiquette: HTML, attachments etc.

2022-06-26 Thread grarpamp
> https://github.com/freebsd/freebsd-doc/blob/main/documentation/content/en/books/handbook/eresources/_index.adoc > > FreeBSD Handbook: Appendix C: updates and corrections > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264754 > > I'm glad that HTML is supported. No, people should not be

Re: Posting Netiquette [ref: Threads "look definitely like" unreadable mess. Handbook project.]

2022-06-23 Thread grarpamp
>> the “> ;†and leave empty lines between your text and the original > Seems there is a charset mismatch. > MUA displaying nonsense > Oh the joy of UTF-8... ;-) https://unicode-table.com/en/sets/quotation-marks/ The pages ...

Posting Netiquette [ref: Threads "look definitely like" unreadable mess. Handbook project.]

2022-06-22 Thread grarpamp
Around 6/2x/22, Many rammed their horribly formed msgs upon others to parse: > [Subject: MCE: Does this look possibly like a slot issue?] > [snip] Attention all list users... Stop top-posting and bulk-quoting. Just stop. Go search and learn about and use the email post formatting netiquette.

Re: USB Disk Stalls on -current

2022-02-06 Thread grarpamp
Yes, some USB hw is very flaky, but ZFS can work great on these... https://www.youtube.com/watch?v=7z526m1jvls https://www.youtube.com/watch?v=dougISKs2vQ https://vimeo.com/13758987 https://www.youtube.com/watch?v=1zIoK_9UzHk

Re: USB Disk Stalls on -current

2022-02-06 Thread grarpamp
> Feb 6 11:56:43 alice kernel: (da0:umass-sim1:1:0:0): READ(10). CDB: 28 > 00 36 69 02 6e 00 00 80 00 > Feb 6 11:56:43 alice kernel: (da0:umass-sim1:1:0:0): CAM status: CCB > request completed with an error > Feb 6 11:56:43 alice kernel: (da0:umass-sim1:1:0:0): Retrying command, > 2 more tries

Re: [HEADSUP] Deprecation of the ftp support in pkg

2022-01-20 Thread grarpamp
Replace FTP with IPFS. Adopt distributed cryptosystems today :)

Re: Extracting base.txz files missing flags

2021-11-12 Thread grarpamp
> Maybe you missed something - you cannot change flags when your system > has security level (kern.securelevel) raised above 0. Nobody missed that since anyone can easily install default freebsd and observe... $ sysctl kern.securelevel kern.securelevel: -1 SECURITY(7) - introduction to

Re: Extracting base.txz files missing flags

2021-11-12 Thread grarpamp
Flags are not security since root will bypass everything. While some may beg for anti-footshooting, but where might that cry end up... chflags -Rhx schg / . Nor should freebsd fill that role when local admins know best for and given their own individual environments. If local tendency is to run

Re: [HEADSUP] making /bin/sh the default shell for root

2021-10-12 Thread grarpamp
> No. The system shell is supposed to make the system usable > by the users. Actually, the real problem is that the easiest way > to shoot one's own foot is by changing the language (say, the > shell) spoken by default by FreeBSD. Well, the FreeBSD system speaks sh for its own use, this is

Re: [HEADSUP] making /bin/sh the default shell for root

2021-09-29 Thread grarpamp
The system shell really only needs to support the language of the shipped scripts of the base tooling such as rc subsystem. If those were someday written in Greek, then the shell serves alone, the most common expectation of any "unix" to have there seems to be an "sh", from which users can further

Re: [HEADSUP] making /bin/sh the default shell for root

2021-09-22 Thread grarpamp
> propose to make it the default shell for root starting FreeBSD 14.0-RELEASE Make it so. The whole rest of rc, pkg, base scripts and subsystems use a lot of sh, not csh. So this is a good compatibility, consistency, and gotcha-removing update, needed for decades. Even "bash" is a majority

OpenZFS Encryption: Docs, and re Metadata Leaks

2021-06-08 Thread grarpamp
On 4/17/20, Ryan Moeller wrote: > >> On Apr 17, 2020, at 4:56 PM, Pete Wright wrote: >> >> On 4/17/20 11:35 AM, Ryan Moeller wrote: >>> OpenZFS brings many exciting features to FreeBSD, including: >>> * native encryption >> Is there a good doc reference on available for using this? I believe

Re: OpenZFS port updated

2021-06-08 Thread grarpamp
On 4/17/20, Ryan Moeller wrote: > >> On Apr 17, 2020, at 4:56 PM, Pete Wright wrote: >> >> On 4/17/20 11:35 AM, Ryan Moeller wrote: >>> OpenZFS brings many exciting features to FreeBSD, including: >>> * native encryption >> Is there a good doc reference on available for using this? I believe

Re: What happen to mailing list archives?

2021-06-05 Thread grarpamp
There is also this useful and efficient form of archive/mirror to include in the update so that it does not remain broken for too long... https://lists.freebsd.org/pipermail/freebsd-questions/2021-June/294104.html https://lists.freebsd.org/archives/freebsd-hubs/2021-June/00.html

Re: Arm64 Tier 1 FreeBSD 13 Phones

2021-04-11 Thread grarpamp
[cc'd for fyi, trim replies to arm] >> https://www.pine64.org/pinephone >> https://en.wikipedia.org/wiki/Librem_5 >> NXP i.MX 8M Quad core Cortex-A53, 64bit ARM >> >> https://puri.sm/products/librem-5/ >> https://en.wikipedia.org/wiki/PinePhone >> Allwinner A64 ARM Quad core Cortex-A53 >> >>

Arm64 Tier 1 FreeBSD 13 Phones

2021-04-10 Thread grarpamp
FreeBSD Phones... https://en.wikipedia.org/wiki/Librem_5 NXP i.MX 8M Quad core Cortex-A53, 64bit ARM https://en.wikipedia.org/wiki/PinePhone Allwinner A64 ARM Quad core Cortex-A53 https://www.youtube.com/watch?v=c32-QOrI4cw https://www.youtube.com/watch?v=fCKMxzz9cjs

Standards: IEC Giga [re: FreeBSD image size confusion]

2021-03-14 Thread grarpamp
> is in true GBs "true" is not a modifier of any prefix or unit in any standard, though false GB are what's reported by USB firmware in cheapo USB drives from some sketchy vendors ;) > 4.5 GigaBytes means 4.5 GiB. 45 does not equal or "mean" 4831838208. International Standards IEC (re

Re: git non-time-sequential logs

2021-01-05 Thread grarpamp
>Why is it that the project can't continue to operate the SVN server in > addition to Git, gatewaying with -current as is being done with 12-stable? > As a developer, I definitely need monotonic revision numbers and reliable > dates when I'm trying to troubleshoot a regression. I understand

Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

2021-01-02 Thread grarpamp
>> Though it can help attribute that to a source, Meaning to source 'account', vs say weak old CVSROOT that any could text edit on 200 account box, claim bitrot, etc. Whether inspiration came from the pet dog's bug report is moot, more secure systems narrow into accounts that would then be

Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

2021-01-02 Thread grarpamp
> No amount of cryptography can or will protect against that. Though it can help attribute that to a source, else ignore rainbow books and go back to telnet, root password 'root', CVS, no backups, logs, etc. > As interesting as this thread has been (not!) Contrare. Equally as interesting as

Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

2020-12-31 Thread grarpamp
> There is already HTTPS to protect the "authenticity" of the magnet > link. No. FreeBSD fails to publish signed fingerprints of their TLS pubkeys, therefore users can't pin them down, therefore any MITM can bypass CA game and MITM attack users at will, feed them bogus infohash, isos, git repo

Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

2020-12-29 Thread grarpamp
>> SHA-256 arrives, if you look at the git history. > git's SHA-256 [...] requiring a super new git version to even test it out. It's "in" current release 2.30.0 and before, duly caveated as experimental and not fully featured yet... git-init(1) --object-format= Specify the

Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

2020-12-26 Thread grarpamp
> We do have most of the keys in docs/share/pgpkeys/ plus history. https://git.kernel.org/pub/scm/docs/kernel/ksmap https://git.kernel.org/pub/scm/docs/kernel/pgpkeys

Re: git and the loss of revision numbers

2020-12-24 Thread grarpamp
> loss of continuously increasing revision numbers git rev-list --count HEAD git describe --tags / parent Plus a bunch of similar ways to do it, from different points, in different formats, search internet for them all... git revision version numbering... Some deploy structured metadata in tag

Re: FreeBSD: GitLab

2020-12-23 Thread grarpamp
>> I mainly asked because GitLab seems to offer a richer toolset IMHO. > > The project is publishing many places, and will use features of the places > it publishes as it refines the future workflow. The different > mirroring/hosting services offer different features and it's not yet clear > how

Re: firewall choice

2020-11-28 Thread grarpamp
>> A full comparison would also want to note and point to > My ipf work is documented at https://wiki.freebsd.org/IPFilter. So links to works / pages like that from the bsd's could also be included in the comparison wiki.

Re: firewall choice

2020-11-28 Thread grarpamp
> in reaction to the license Yes, license matters, and woe the history. > It's hardly deprecated in NetBSD. Christos Zoulas and I have exchanged a > fair bit of code. > > Darren Reed released and maintained IPF through the Australian National > University. NetBSD imported it, like we do here at

Re: firewall choice

2020-11-27 Thread grarpamp
>>> What's the "best" [1] choice for firewalling these days >>> There's pf, ipf and ipfw. >> >>This question comes up over years. >> >>Consider starting and joining with people to create >>a comparison page on the FreeBSD Wiki, >>both a feature / capability comparison table, >>and contextual

Re: firewall choice

2020-11-27 Thread grarpamp
> What's the "best" [1] choice for firewalling these days, in the list's > opinion? > There's pf, ipf and ipfw. This question comes up over years. Consider starting and joining with people to create a comparison page on the FreeBSD Wiki, both a feature / capability comparison table, and

Re: Can't forward X11 apps over ssh since migrating to 13-CURRENT

2020-09-21 Thread grarpamp
Possibly check ForwardX11Timeout.

Re: Is pkg site forbidden by brower?

2020-09-06 Thread grarpamp
On 9/6/20, Kevin Oberman wrote: > On Sat, Sep 5, 2020 at 8:04 PM Yoshihiro Ota wrote: >> Is "403 Forbidden" an intended response for a browser access to >> http://pkg.freebsd.org/FreeBSD:12:i386/ nowadays? >> >> I used to see available packages with a browser and decided which one to >> use. Some

Re: Plans for git (was: Please check the current beta git conversions)

2020-09-02 Thread grarpamp
> The underlying initializing 'git init' commit hash must be > signed by security officer key having sufficient human PGP-WoT. > > Git also supports sha-256 soon now, adoption should > be researched from various online article series and > work product before committing plans... >

Where's the fingerprints and sigs? (was: Please check the current beta git conversions)

2020-09-02 Thread grarpamp
On 9/1/20, Shawn Webb wrote: > I'm curious if there's any plans for read-only access over ssh. > Trusting FreeBSD's ssh key material is likely easier than trusting > HTTPS in certain regions. A bit moot when such key materials of all services, and repos, and ticketing, and reviews, and builds,

Re: Plans for git (was: Please check the current beta git conversions)

2020-09-01 Thread grarpamp
The underlying initializing 'git init' commit hash must be signed by security officer key having sufficient human PGP-WoT. Git also supports sha-256 soon now, adoption should be researched from various online article series and work product before committing plans...

Re: DRM Project report (week of August 10)

2020-08-17 Thread grarpamp
Thanks go to all the ongoing teams working the things like gpgpu / compute, and graphics, whether on-cpu-die or on-pci-card. And even some things like BSD on Pinephone too. https://www.pine64.org/pinephone

Re: When will the FreeBSD (u)EFI work?

2020-03-28 Thread grarpamp
List users please adhere to email formatting netiquette and *stop* blockquoting massive amounts of reply text, it is not necessary, trim it out leaving only the few lines of what you are replying to directly above your reply.

TLS Fingerprint Pinning Needed [ex: for NFS-over-TLS client]

2020-03-21 Thread grarpamp
People appear to be talking about using and "authenticating / verifying" TLS certs now with at least perhaps this NFS, and certainly with other apps. If so, it's a required critical thing for the admins and users to have the option to pin the certificate pubkey fingerprints in four ways... -

Re: AMD Secure Encrypted Virtualization - FreeBSD Status?

2019-10-14 Thread grarpamp
>> would be really nice also to get UEFI BOOT compatible with SECURE BOOT >> :-) > > Unless you are using your own BIOS, the above means getting Microsoft > to sign boot1.efi or similar. Shims that simply work around lack of > acceptable signature don't help. As before in this thread, some

Re: Git/Mtn for FreeBSD, PGP WoT Sigs, Merkel Hash Tree Based

2019-10-07 Thread grarpamp
On 10/4/19, Igor Mozolevsky wrote: > On Fri, 20 Sep 2019 at 22:01, grarpamp wrote: >> >> For consideration... >> https://lists.freebsd.org/pipermail/freebsd-security/2019-September/010099.html >> >> SVN really may not offer much in the way of native >

Re: AMD Secure Encrypted Virtualization - FreeBSD Status?

2019-10-06 Thread grarpamp
Although somewhat different from the virtualization part of the subject, both... - AMD (Secure Memory Encryption, and Memory Guard) on both EPYC and Ryzen Pro today and - Intel (Multi Key Total Memory Encryption) likely on Xeon in the near future ... also do seem to have some OS dependent

Re: AMD Secure Encrypted Virtualization - FreeBSD Status?

2019-10-03 Thread grarpamp
>> Just whose secure keys do you suggest? I go to a lot of trouble to disable >> secure boot so I can load any operating system I want. Some motherboards have BIOS that allows you to both - Upload your own keys - Delete all the spooky Microsoft keys Read the UEFI Secure Boot specification

AMD Secure Encrypted Virtualization - FreeBSD Status?

2019-10-03 Thread grarpamp
https://developer.amd.com/sev/ https://github.com/AMDESE/AMDSEV https://arstechnica.com/gadgets/2019/08/a-detailed-look-at-amds-new-epyc-rome-7nm-server-cpus/ http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf

Re: LOR panic on mount -uw

2017-10-13 Thread grarpamp
On Thu, Oct 12, 2017 at 11:15 AM, John Baldwin wrote: > In this case the panic is separate from the LOR, and > for a panic we really > need the panic message in addition to the stack trace. With release kernels stack trace appears with this message, then it sits in ddb, forget

Re: LOR panic on mount -uw

2017-10-13 Thread grarpamp
On Wed, Oct 11, 2017 at 5:18 PM, grarpamp <grarp...@gmail.com> wrote: > Let 12.0-current r324306 amd64 efi boot from usb to installer screen, Another way to trigger this one is boot snapshot install media single user verbose mdmfs -s 10m md /mnt umount -v /mnt [LOR stack backtrace, remai

LOR panic on mount -uw

2017-10-11 Thread grarpamp
Let 12.0-current r324306 amd64 efi boot from usb to installer screen, try to write zeroes to an unallocated part of ada0, mount -uw a separate part of ada0 ... 1st 0xc5ce5f0 ufs kern/vfs_mount.c:1274 2nd 0xc565b78 devfs ufs/ffs/ffs_vfsops.c:1414 db_trace_self_wrapper vpanic kassert_panic+0x126

LORs on ctrl-alt-del and halt

2017-10-11 Thread grarpamp
FYI two repeatable LOR's... Let 12.0-current r324306 amd64 efi boot from usb to installer screen, do nothing but hit ctrl-alt-del... 1st 0x7f028e0 filedesc structure kern/sys_generic.c:1490 2nd 0x7da8068 devfs kern/vfs_vnops.c:1524 Let 12.0-current r324306 amd64 efi boot from usb to installer

Resolver needs bind to src IP option

2015-02-20 Thread grarpamp
I looked through these pages and did not see an option to bind the resolver query from a specific IP address (as in the case where you have multiple interfaces and/or alias addresses and wish to pick one instead of the default route). resolver(3) gethostbyname(3) resolver(5) [resolv.conf] You

FreeBSD crypto and security meta

2013-10-21 Thread grarpamp
https://lists.freebsd.org/pipermail/freebsd-security/2013-October/007226.html http://www.freebsd.org/news/status/report-2013-07-2013-09.html#AES-NI-Improvements-for-GELI http://www.freebsd.org/news/status/report-2013-07-2013-09.html#Reworking-random(4)

Time to kill fdc ?

2013-02-11 Thread grarpamp
When was the last time anybody tried that with a FreeBSD release ? Routinely :) Often archiving piles of floppies as images too. Imagine the legacy gaming crowd does this as well to use, while preventing loss. Also, fdformat(1), fdcontrol(8), fdread(1), and fdwrite(1) are important complementary

7+ days of dogfood

2013-02-11 Thread grarpamp
sgk So, I decided to test FreeBSD-10 under a user desktop condition. In so doing, I upgraded the circa August 2012 FreeBSD-current that ran on my Dell Latitude D530 (which ran rock-solid) to top-of-tree. This included re-installing all ports under the pkgng paradigm. phk First a hat-tip

Re: Using TMPFS for /tmp and /var/run?

2012-04-02 Thread grarpamp
I commonly use mfs for /var and /tmp. Sometimes even symlinking /var/tmp - /tmp to save ram. Mostly because I want nothing leftover in them on boot, and it's fast. rc/mtree/etc takes care of populating them. /, /boot, /usr and /usr/local are read-only. [nssswitch host.conf still needs fixed to

Burning CDs and DVDs on SATA drive in FreeBSD 9.0

2011-12-07 Thread grarpamp
In the past, I've used the ftp cdrtools pkg (made from the port of course) and it failed to work. It's a popular tool so my machine was probably out of sync. Same with burncd. However, compiling the current cdrtools source worked fine. So I'd try that first, compare, and send up a bug if need be.

Third party apps in base [was CVS removal...]

2011-12-03 Thread grarpamp
Hi. I have many dependencies on CVS that I 'need' 'out of the box'. Yet at the same time, I would not mind at all if it went to ports. In fact, and from a general position regarding all third party apps, I encourage it. Mostly because they are not authored or maintained by FreeBSD. Yet they are

Re: Jails: Setting different times in jails

2011-07-19 Thread grarpamp
Why on earth would you want this? Hi. Since your quote of my note was not to the original, I'll repost it here. Kurt Lidl also posted useful situations on these lists. Also, being able to have time tick backwards in jails could be interesting fuzzing too :-) Enjoy. Would be nice to be able to

Re: Jails: Setting different times in jails

2011-07-07 Thread grarpamp
possibly achievable in libc? I don't know. Where else would it be done? stat, utimes, gettimeofday, clock_gettime, adjtime, etc and their variations. I've not checked what currently happens, but I don't think root in a jail should be able to set any kernel time parameters, absent a syscall that

FreeBSD Installer Roadmap

2011-02-19 Thread grarpamp
Sysinstall is fine, as I'm sure any replacement will be. So I'll just note a few things I'd like to see in any such replacement... 1 - I used install.cfg's on floppies to clone systems, a lot. Hands on the box were needed with that. Operators skills were in question, so having them use the dialog

Re: [CFT] ZFS v15 patch (version 3)

2010-07-13 Thread grarpamp
Wanted to say thank you for those working on keeping ZFS up to date :-) Are all the non-FreeBSD specific fixes being made by the FreeBSD team being punted back up to the [Open]Solaris folks so that they may include them in their native ZFS... and thus trickle back down to FreeBSD, thereby