Re: Is there way to get filename for specific LBA?
On Wed, 31 Aug 2011 20:50:18 -0700, Carl Johnson wrote:

It looks like the best bet would be fsdb, assuming that it is a UFS file system. That does have a 'findblk' command to find a file containing a block, but you would need to calculate the block offset in the filesystem first. It doesn't look like it would be easy, as was said earlier.

I have a ruby script for this that wraps various commands. You pipe an error log to it and it finds files:

blocks2file.rb /var/log/messages

Currently, it looks only for geom errors (with byte offsets) but that can be easily adjusted. It helped me find the source of my problems in the past but I haven't worked on it since.

Here it is: https://github.com/mwisnicki/freebsd-block2file

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: SSH root login with keys only
On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:

On 04/04/2010 22:04:35, Marcin Wisnicki wrote:

Is it possible to configure sshd such that both conditions are met:
1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive

Only by running two instances of sshd on different ports / IP numbers.

Thanks for all responses.

I've finally solved it by configuring PAM to deny root. Unfortunately all of pam modules in base system that can do it, deny login only in account phase which is too late for sshd. I've modified pam_securetty to also provide auth facility.

For anyone interested, here is a patch:

--- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c 2010-02-18 00:12:28.0 +0100 +++ pam_securetty/pam_securetty.c 2010-04-05 04:47:21.0 +0200 @@ -45,2 +45,3 @@ +#define PAM_SM_AUTH #define PAM_SM_ACCOUNT @@ -54,2 +55,24 @@ PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, +int argc, const char *argv[]) +{ + const char *user; + int r; + + if ((r = pam_get_user(pamh, user, NULL)) != PAM_SUCCESS) + return (r); + + return (pam_sm_acct_mgmt(pamh, flags, argc, argv)); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, +int argc __unused, const char *argv[] __unused) +{ + + return (PAM_SUCCESS); +} + + +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
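Review bot: In the second hunk, the new pam_sm_authenticate() calls pam_get_user(pamh, user, NULL) with the uninitialized pointer `user` itself, while pam_get_user() takes the address of that pointer (a const char **) so that it can store the name; as written the argument should be `&user`. The name is not used afterwards, so a one-line comment saying the call is only there to make sure a user name has been obtained before delegating to pam_sm_acct_mgmt() would help the next reader.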
Re: svn commit problems with sourceforge due to svn
On Mon, 05 Apr 2010 10:08:36 +0200, Dominic Fandrey wrote:

Hello, I'd like to commit my new release of sysutils/automounter to the sourceforge svn repository, so that I can branch the release. Unfortunately there seems to be a problem with OpenSSL:

svn: Commit failed (details follow):
svn: OPTIONS of 'https://bsdadminscripts.svn.sourceforge.net/svnroot/bsdadminscripts/automounter': SSL negotiation failed: SSL disabled due to library version mismatch (https://bsdadminscripts.svn.sourceforge.net)

It seems svn is linked to both the base system version of OpenSSL (0.9.8k) and the package (1.0.0):

ldd /usr/local/bin/svn |grep ssl
libssl.so.7 => /usr/local/lib/libssl.so.7 (0x801c8f000)
libssl.so.6 => /usr/lib/libssl.so.6 (0x803242000)

I have no idea which version of OpenSSL is used by SF.

It does not matter.

Does someone know a workaround/fix?

Deinstall openssl package and rebuild svn. Alternatively you could try mapping one of them to another in libmap.conf(5), but it may not work or cause troubles.
Re: svn commit problems with sourceforge due to svn
On Mon, 05 Apr 2010 13:26:16 +, Marcin Wisnicki wrote:

On Mon, 05 Apr 2010 10:08:36 +0200, Dominic Fandrey wrote:

It seems svn is linked to both the base system version of OpenSSL (0.9.8k) and the package (1.0.0):

ldd /usr/local/bin/svn |grep ssl
libssl.so.7 => /usr/local/lib/libssl.so.7 (0x801c8f000)
libssl.so.6 => /usr/lib/libssl.so.6 (0x803242000)

Does someone know a workaround/fix?

Deinstall openssl package and rebuild svn.

Also if the problem is reproducible - that is, svn being linked to both versions of openssl if package is installed, you should definitely file a bug against devel/subversion port.
Re: SSH root login with keys only
On Mon, 05 Apr 2010 12:38:01 -0500, Peggy Wilkins wrote:

On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman vi...@unsane.co.uk wrote:

However a note later in the default sshd_config file regarding the UsePAM setting says 'Depending on your PAM configuration, PAM authentication via ChallengeResponseAuthentication may bypass the setting of PermitRootLogin without-password.'

That PAM comment in sshd_config got my attention a number of years ago, so I did a lot of testing of various sshd/pam settings to try and understand what could happen and to try and make some sense out of it.

My configurations: in /etc/ssh/sshd_config:

PermitRootLogin without-password
UsePAM yes

Hmm.. indeed it seems to work just fine

I haven't gone so far as to check source code to see why this works as it does. I'm guessing that PAM may allow passwords for root via something that isn't pam_unix since by design PAM can allow anything. But when using pam_unix, at least, it does observe the without-password setting for root.

I've followed the code and it looks like when 'without-password' is enabled then whatever password you entered will be replaced with \b\n\r\177INCORRECT in auth-pam.c:1175 before calling pam with a hope that it is not really your password ;)

But I've tried worst case scenario (auth sufficient pam_permit.so) and it seems even that will be denied as there is an extra check in auth-pam.c:779 so it will fail anyway:

fatal: Internal error: PAM auth succeeded when it should have failed

So it seems it is in fact perfectly safe to use such combination of options.
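The combination tested in the message above can be confirmed on a host from the effective settings that `sshd -T` prints. This is an added example, not part of the thread or of OpenSSH: the function names `audit_sshd` and `sample_settings`, the output labels and the sample settings are constructed for illustration, and it assumes PAM is the only keyboard-interactive backend.

```shell
#!/bin/sh
# Added example: summarise who can log in with a password-type method,
# from effective settings in the "keyword value" form printed by `sshd -T`.
# audit_sshd and its output labels are names made up for this example.
audit_sshd() {
    awk '
    { key = tolower($1); val = tolower($2) }
    key == "permitrootlogin"        { prl = val }
    key == "passwordauthentication" { pw  = val }
    key == "usepam"                 { pam = val }
    # ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication
    key ~ /^(challengeresponse|kbdinteractive)authentication$/ { kbd = val }
    END {
        # Assumption: keyboard-interactive is only backed by PAM (UsePAM yes)
        users = (pw == "yes" || (kbd == "yes" && pam == "yes")) ? "password-ok" : "keys-only"
        if (prl == "no")
            root = "denied"
        else if (prl == "without-password" || prl == "prohibit-password")
            root = "keys-only"      # password and keyboard-interactive refused for root
        else if (prl == "forced-commands-only")
            root = "forced-commands-only"
        else if (prl == "yes")
            root = users            # root is treated like any other user
        else
            root = "unknown"        # setting missing from the input
        print "root=" root " users=" users
    }'
}

# Constructed sample: the settings discussed in the thread, in sshd -T form.
sample_settings() {
    printf '%s\n' 'permitrootlogin without-password' 'usepam yes' \
        'passwordauthentication no' 'challengeresponseauthentication yes'
}

sample_settings | audit_sshd
# On a live host: sshd -T -C user=root,host=localhost,addr=127.0.0.1 | audit_sshd
```
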
SSH root login with keys only
Is it possible to configure sshd such that both conditions are met:
1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive
Re: SSH root login with keys only
On Mon, 05 Apr 2010 01:25:09 +0200, Erik Norgaard wrote:

On 04/04/10 23:04, Marcin Wisnicki wrote:

Is it possible to configure sshd such that both conditions are met:
1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive

Yes, you can create a Match block with the criteria User, something like this I guess will work (haven't tested):

PermitRootLogin yes
Match User root
PasswordAuthentication no

check the man page. You might also want to restrict from where root can login with another match block.

PasswordAuthentication is already disabled (by default). I need to disable ChallengeResponseAuthentication however:

/etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' is not allowed within a Match block

Same thing for UsePAM no (though I would like to keep pam for accounting and session management)

I assume that you have decided root login is acceptable with the increased security of key authentication. Just beware that the key must be password protected.

BR, Erik
Re: SSH root login with keys only
On Sun, 04 Apr 2010 23:49:59 +0200, Julian Fagir wrote:

Hi,

Is it possible to configure sshd such that both conditions are met:
1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive

perhaps the sshd-option PermitRootLogin does match your requirements. To be found in sshd_config (5).

Unfortunately it doesn't. Assuming you mean 'without-password' option, I would have to disable ChallengeResponseAuthentication for everyone which I would like to avoid. It is not possible to disable ChallengeResponseAuthentication inside match block.