Re: Is there way to get filename for specific LBA?

2011-09-02 Thread Marcin Wisnicki
On Wed, 31 Aug 2011 20:50:18 -0700, Carl Johnson wrote:

 
> It looks like the best bet would be fsdb, assuming that it is a UFS file
> system.  That does have a 'findblk' command to find a file containing a
> block, but you would need to calculate the block offset in the
> filesystem first.  It doesn't look like it would be easy, as was said
> earlier.

I have a ruby script for this that wraps various commands.

You pipe an error log to it and it finds files:

  blocks2file.rb < /var/log/messages

Currently, it looks only for geom errors (with byte offsets) but that can 
be easily adjusted.
It helped me find the source of my problems in the past but I haven't 
worked on it since.

Here it is: https://github.com/mwisnicki/freebsd-block2file

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: SSH root login with keys only

2010-04-05 Thread Marcin Wisnicki
On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:

> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
> > Is it possible to configure sshd such that both conditions are met:
> >
> > 1. Root will be able to login only by using keys
> > 2. Normal users will still be able to use pam/keyboard-interactive
>
> Only by running two instances of sshd on different ports / IP numbers.
 

Thanks for all responses.
I've finally solved it by configuring PAM to deny root.
Unfortunately all of pam modules in base system that can do it,
deny login only in account phase which is too late for sshd.
I've modified pam_securetty to also provide auth facility.

For anyone interested, here is a patch:

--- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c   2010-02-18 
00:12:28.0 +0100
+++ pam_securetty/pam_securetty.c   2010-04-05 04:47:21.0 +0200
@@ -45,2 +45,3 @@
 
+#define PAM_SM_AUTH
 #define PAM_SM_ACCOUNT
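Review bot: The new `#define PAM_SM_AUTH` makes the module advertise an auth facility next to the account one, but nothing here records why. A short comment above the define saying that auth exists only so the securetty check can run before the account phase (the reason given in the message) would help, and the module's documentation should list the auth facility as well.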
@@ -54,2 +55,24 @@
 PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+int argc, const char *argv[])
+{
+   const char *user;
+   int r;
+
+   if ((r = pam_get_user(pamh, user, NULL)) != PAM_SUCCESS)
+   return (r);
+
+   return (pam_sm_acct_mgmt(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+int argc __unused, const char *argv[] __unused)
+{
+
+   return (PAM_SUCCESS);
+}
+
+
+PAM_EXTERN int
 pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
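Review bot: In pam_sm_authenticate, `pam_get_user(pamh, user, NULL)` passes the uninitialised pointer `user` by value, while pam_get_user takes a `const char **` to store the name in, so the call should use `&user`. The name is not used afterwards, and the function then delegates to pam_sm_acct_mgmt; if that function does its own lookup (its body is not visible in this hunk), the call and the `user` variable can be dropped entirely. The hunk also leaves two consecutive blank added lines before the last `PAM_EXTERN int`; one is enough.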



Re: svn commit problems with sourceforge due to svn

2010-04-05 Thread Marcin Wisnicki
On Mon, 05 Apr 2010 10:08:36 +0200, Dominic Fandrey wrote:

> Hello,
>
> I'd like to commit my new release of sysutils/automounter to the
> sourceforge svn repository, so that I can branch the release.
>
> Unfortunately there seems to be a problem with OpenSSL:
> svn: Commit failed (details follow):
> svn: OPTIONS of
> 'https://bsdadminscripts.svn.sourceforge.net/svnroot/bsdadminscripts/automounter':
> SSL negotiation failed: SSL disabled due to library version mismatch
> (https://bsdadminscripts.svn.sourceforge.net)
>
> It seems svn is linked to both the base system version of OpenSSL
> (0.9.8k) and the package (1.0.0):
> ldd /usr/local/bin/svn |grep ssl
>   libssl.so.7 => /usr/local/lib/libssl.so.7 (0x801c8f000)
>   libssl.so.6 => /usr/lib/libssl.so.6 (0x803242000)
>
> I have no idea which version of OpenSSL is used by SF.

It does not matter.

 
> Does someone know a workaround/fix?

Deinstall openssl package and rebuild svn.

Alternatively you could try mapping one of them to another in libmap.conf(5),
but it may not work or cause troubles.



Re: svn commit problems with sourceforge due to svn

2010-04-05 Thread Marcin Wisnicki
On Mon, 05 Apr 2010 13:26:16 +, Marcin Wisnicki wrote:

> On Mon, 05 Apr 2010 10:08:36 +0200, Dominic Fandrey wrote:
>
> > It seems svn is linked to both the base system version of OpenSSL
> > (0.9.8k) and the package (1.0.0):
> > ldd /usr/local/bin/svn |grep ssl
> >   libssl.so.7 => /usr/local/lib/libssl.so.7 (0x801c8f000)
> >   libssl.so.6 => /usr/lib/libssl.so.6 (0x803242000)
> >
> > Does someone know a workaround/fix?
>
> Deinstall openssl package and rebuild svn.
 

Also if the problem is reproducible - that is, svn being linked to both
versions of openssl if package is installed, you should definitely file
a bug against devel/subversion port.



Re: SSH root login with keys only

2010-04-05 Thread Marcin Wisnicki
On Mon, 05 Apr 2010 12:38:01 -0500, Peggy Wilkins wrote:

> On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman vi...@unsane.co.uk
> wrote:
>
> > However a note later in the default sshd_config file regarding the
> > UsePAM setting says
> > 'Depending on your PAM configuration,
> >  PAM authentication via ChallengeResponseAuthentication may bypass
> > the setting of PermitRootLogin without-password.'
>
> That PAM comment in sshd_config got my attention a number of years ago,
> so I did a lot of testing of various sshd/pam settings to try and
> understand what could happen and to try and make some sense out of it.
>
> My configurations:
>
> in /etc/ssh/sshd_config:
> PermitRootLogin without-password
> UsePAM yes

Hmm.. indeed it seems to work just fine

 
> I haven't gone so far as to check source code to see why this works as
> it does.  I'm guessing that PAM may allow passwords for root via
> something that isn't pam_unix since by design PAM can allow anything.
> But when using pam_unix, at least, it does observe the without-password
> setting for root.
 

I've followed the code and it looks like when 'without-password' is enabled
then whatever password you entered will be replaced with \b\n\r\177INCORRECT
in auth-pam.c:1175 before calling pam with a hope that it is not really your
password ;)

But I've tried worst case scenario (auth sufficient pam_permit.so) and it seems
even that will be denied as there is an extra check in auth-pam.c:779 so it will
fail anyway:

fatal: Internal error: PAM auth succeeded when it should have failed

So it seems it is in fact perfectly safe to use such combination of options.
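
The two checks described in the message above, as a small C model added here (it is not part of the original post and is not OpenSSH source). The type and function names, the two sample accounts and their passwords are constructed for illustration, and the PAM stack is reduced to a function pointer.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the two checks; all names are hypothetical. */
enum root_policy { ROOT_YES, ROOT_WITHOUT_PASSWORD };
enum outcome { FATAL = -1, DENIED = 0, ACCEPTED = 1 };

/* A PAM stack is modelled as a function; nonzero means auth succeeded. */
typedef int (*pam_stack)(const char *user, const char *password);

/* Placeholder quoted in the message, sent to PAM instead of the input. */
static const char BAD_PW[] = "\b\n\r\177INCORRECT";

/* Stands in for pam_unix; accounts and passwords are constructed. */
static int stack_unix(const char *user, const char *password)
{
	if (strcmp(user, "root") == 0)
		return strcmp(password, "constructed-root-pw") == 0;
	if (strcmp(user, "alice") == 0)
		return strcmp(password, "constructed-alice-pw") == 0;
	return 0;
}

/* Worst case from the message: auth sufficient pam_permit.so */
static int stack_permit(const char *user, const char *password)
{
	(void)user; (void)password;
	return 1;
}

enum outcome password_login(const char *user, const char *typed,
    enum root_policy policy, pam_stack stack)
{
	int forbidden = strcmp(user, "root") == 0 &&
	    policy == ROOT_WITHOUT_PASSWORD;
	/* Check 1: PAM never sees what root typed. */
	int ok = stack(user, forbidden ? BAD_PW : typed);
	/* Check 2: a stack that accepts anyway is a fatal internal error. */
	if (ok && forbidden)
		return FATAL;
	return ok ? ACCEPTED : DENIED;
}

int main(void)
{
	printf("%d %d\n",
	    password_login("root", "constructed-root-pw", ROOT_WITHOUT_PASSWORD, stack_unix),
	    password_login("root", "x", ROOT_WITHOUT_PASSWORD, stack_permit));
	return 0;
}
```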



SSH root login with keys only

2010-04-04 Thread Marcin Wisnicki
Is it possible to configure sshd such that both conditions are met:

1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive



Re: SSH root login with keys only

2010-04-04 Thread Marcin Wisnicki
On Mon, 05 Apr 2010 01:25:09 +0200, Erik Norgaard wrote:

> On 04/04/10 23:04, Marcin Wisnicki wrote:
> > Is it possible to configure sshd such that both conditions are met:
> >
> > 1. Root will be able to login only by using keys
> > 2. Normal users will still be able to use pam/keyboard-interactive
>
> Yes, you can create a Match block with the criteria User, something like
> this I guess will work (haven't tested):
>
> PermitRootLogin yes
> Match User root
>  PasswordAuthentication no
>
> check the man page. You might also want to restrict from where root can
> login with another match block.
 

PasswordAuthentication is already disabled (by default).
I need to disable ChallengeResponseAuthentication however:

 /etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' 
   is not allowed within a Match block

Same thing for UsePAM no (though I would like to keep pam for accounting
and session management)

> I assume that you have decided root login is acceptable with the
> increased security of key authentication. Just beware that the key must
> be password protected.
>
> BR, Erik




Re: SSH root login with keys only

2010-04-04 Thread Marcin Wisnicki
On Sun, 04 Apr 2010 23:49:59 +0200, Julian Fagir wrote:

> Hi,
>
> > Is it possible to configure sshd such that both conditions are met:
> >
> > 1. Root will be able to login only by using keys
> > 2. Normal users will still be able to use pam/keyboard-interactive
>
> perhaps the sshd-option PermitRootLogin does match your requirements.
> To be found in sshd_config (5).
 

Unfortunately it doesn't. Assuming you mean 'without-password' option,
I would have to disable ChallengeResponseAuthentication for everyone
which I would like to avoid.
It is not possible to disable ChallengeResponseAuthentication inside
match block.
