Re: CVE-2018-15473 ssh user enumeration vulnerability in OpenBSD 6.3

On Tue, 4 Sep 2018 13:16:26 -0400 Daniel Jakots wrote: > On Tue, 4 Sep 2018 12:05:01 -0500, "Karl O. Pinc" > wrote: > > > Ssh in OpenBSD 6.3 (stable), and I presume 6.2, is vulnerable > > to username existance checking by remote systems. > > It was a

CVE-2018-15473 ssh user enumeration vulnerability in OpenBSD 6.3

Hi, Ssh in OpenBSD 6.3 (stable), and I presume 6.2, is vulnerable to username existance checking by remote systems. OpenBSD current has a patch. https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Demonstration code is found here:

Re: Exposing the rc(8) constructed pf ruleset, some patches

On Tue, 20 Oct 2015 01:08:42 -0600 Devin Reade <g...@gno.org> wrote: > > > > On Oct 19, 2015, at 18:26, Karl O. Pinc <k...@meme.com> wrote: > > > But if you write DNS names into your pf.conf > > file then step 2 can be eliminated. All >

Exposing the rc(8) constructed pf ruleset, some patches

Hello, Attached are 3 patches to -current for your consideration. Apply with: cd /usr/src patch -p1 ... The first, expose-default-pf-rules.patch, lets the sysadm use the rc(8) constructed default pf ruleset. This ability was, in a sense, compromised when 5.8 eliminated the pf_rules

Re: Exposing the rc(8) constructed pf ruleset, some patches

On Mon, 19 Oct 2015 12:47:46 -0600 Theo de Raadt wrote: > > > The supplied patch allows the rc.conf(8) pf > > > variable to be set to MINIMAL (in addition to > > > the current YES and NO). A setting of MINIMAL > > > loads the rc(8) default pf ruleset and enables > > >

Re: Exposing the rc(8) constructed pf ruleset, some patches

Well, since there's no attachments, I am including the patches inline. On Mon, 19 Oct 2015 10:27:16 -0500 "Karl O. Pinc" <k...@meme.com> wrote: > Attached are 3 patches to -current for your > consideration. Apply with: > > cd /usr/src > patch -p1 ... &g

4.8-stable bsd.rd hangs on boot

Hi, I've an old HP Vectra, with 64MB RAM. When I try to upgrade from 4.7 to 4.8 the bsd.rd hangs -- the boot sequence gets as far as softraid0 at root and then stops. There is no response to ctrl-alt-del and the system must be power cycled. Appended is the output from a serial console booting

Re: 4.8-stable bsd.rd hangs on boot

On 11/15/2010 06:35:38 PM, Nick Holland wrote: On 11/15/10 15:54, Karl O. Pinc wrote: I've an old HP Vectra, with 64MB RAM. When I try to upgrade from 4.7 to 4.8 the bsd.rd hangs -- Where should I go from here? try a snapshot, or do a remote upgrade (which doesn't use bsd.rd). As I

Re: 4.8-stable GENERIC i386 compliliation failure

On 11/12/2010 12:41:41 AM, Vivien MOREAU wrote: Thursday 11 Nov 2010 23:51 (-0600), Karl O. Pinc wrote : I just upgraded from 4.7-stable to 4.8-stable How did you upgrade? Did you follow instructions at http://www.openbsd.org/faq/upgrade48.html? Humm. I thought that I used upgrade48.html

4.8-stable GENERIC i386 compliliation failure

Hi, I just upgraded from 4.7-stable to 4.8-stable and tried to rebuild the GENERIC i386 kernel and 'make depend' failed. Figuring that maybe I'd done something wrong updating the source with cvs I tried removing /usr/src and replacing it with the 4.8 tarballs and I had the same problem. Here's

Re: OpenBSD 4.8 released Nov 1, 2010

On 11/01/2010 10:02:28 AM, Theo de Raadt wrote: We are pleased to announce the official release of OpenBSD 4.8. I notice that the Errata link on the OpenBSD home page gets a 404. Are there no errata? Thanks for all the great work. Karl k...@meme.com Free Software: You don't pay back, you

Re: What's the progress of in-kernel proxy for pf NAT?

On 07/23/2009 05:52:38 AM, Henning Brauer wrote: * hu st hust...@yahoo.com [2009-07-23 12:35]: AFAIK pf has only a ftp-proxy anchor. it has userland helpers for the most relevant protocols. Is there a list of these anywhere? ftp-proxy is the only one that comes to mind, of those where

BGP and NATting to multiple ISPs

Hello, In order to minimize Internet connectivity downtime I am looking at obtaining connections from 2 ISPs and running BGP. However I won't have a publicly routeable IP block from ARIN. Each ISP will allocate some of their addresses and the LAN's rfc1918 addresses will be NATted. This

Re: BGP and NATting to multiple ISPs

On 06/18/2009 01:50:17 PM, Pete Vickers wrote: On 18. juni. 2009, at 19.45, Karl O. Pinc wrote: What's the best way to solve this problem? stop trying to bodge it, and get some PI space. I'd love but, how can I justify to ARIN a large enough address block that it won't be dropped

Re: BGP and NATting to multiple ISPs

On 06/18/2009 03:49:08 PM, tico wrote: Karl O. Pinc wrote: On 06/18/2009 01:50:17 PM, Pete Vickers wrote: stop trying to bodge it, and get some PI space. I'd love but, how can I justify to ARIN a large enough address block that it won't be dropped by BGP administrators? The only reason

Re: BGP and NATting to multiple ISPs

On 06/18/2009 06:01:36 PM, tico wrote: The number of networks that filter prefixes smaller than /22 don't appear to be that numerous IMHO, but if they do, your /24 will still be reachable as they'll see the larger /19 or whatever from your provider that it's carved out of. But not from the

Re: BGP and NATting to multiple ISPs

On 06/18/2009 05:52:44 PM, Daniel Ouellet wrote: Hi, here is a few ideas for you. A few things to think about here depending on what issue you really try to solved. First a good ISP after you actually reach them have built redundancy on their network, so unless you try a cheap one, then you

Re: Multipath routing and ftp-proxy

On 06/15/2009 06:58:33 AM, Claudio Jeker wrote: On Sun, Jun 14, 2009 at 11:28:31PM -0500, Karl O. Pinc wrote: Hi, It occurs to me that multipath routing (http://www.openbsd.org/faq/faq6.html#Multipath) might not play nicely with ftp-proxy on a firewall because passive ftp sessions could

Multipath routing and ftp-proxy

Hi, It occurs to me that multipath routing (http://www.openbsd.org/faq/faq6.html#Multipath) might not play nicely with ftp-proxy on a firewall because passive ftp sessions could multiplex the data and control connections via different ISPs. My assumption here is that if you're using multipath

Re: Hardware or 4.4 vm problem?

On 02/11/2009 04:55:34 PM, Karl O. Pinc wrote: On 02/08/2009 08:23:44 PM, Ariane van der Steldt wrote: On Sun, Feb 01, 2009 at 10:07:49PM -0600, Karl O. Pinc wrote: I seem to have a problem where 4.4 hangs writing to swap. Chances are its fixed in -current. I just upgraded to a snapshot

Re: Hardware or 4.4 vm problem?

On 02/08/2009 08:23:44 PM, Ariane van der Steldt wrote: On Sun, Feb 01, 2009 at 10:07:49PM -0600, Karl O. Pinc wrote: I seem to have a problem where 4.4 hangs writing to swap. Chances are its fixed in -current. I just upgraded to a snapshot and the problem seems to have gone away. Thanks

Hardware or 4.4 vm problem?

Hello, I seem to have a problem where 4.4 hangs writing to swap. I can run: stress --vm 5 --vm-bytes 5M --vmhang 5 --timeout 1m under 4.3 but under 4.4 the machine hangs. Here's the background. I'm ran nothing but bind (+ cron etc.) on a 586 with 48M of RAM (machine A, the problem machine).

Re: Postfix race condition at boot

On 07/14/2008 12:47:40 PM, Karl O. Pinc wrote: I've an OpenBSD box that's been running postfix for a few years, strictly as a send-only mta, and every night the box gets rebooted. Every couple of months postfix does not come up on reboot. For the record, it seems the problem has something

Postfix race condition at boot

Hi, I've an OpenBSD box that's been running postfix for a few years, strictly as a send-only mta, and every night the box gets rebooted. Every couple of months postfix does not come up on reboot. All that shows up in the logs is: snip postfix/postfix-script[3005]: fatal: Postfix integrity

Re: how to create cdrom42.fs?

On 11/08/2007 10:54:20 AM, Soner Tari wrote: On Wed, 2007-11-07 at 13:45 -0500, Steve Shockley wrote: Try using cdbr as the boot record in no emulation, and put cdboot in the root directory of the CD. I've tried as you suggested, and it works ... For the archives here's a mkisofs command

Running out of RAM -- for the archives

FYI, Running OpenBSD 4.0 stable, 32MB RAM, 3 identical nics. One symptom of running out of RAM is getting a panic on boot. The system boots fine with bsd.rd, but try to boot with the bsd image and you get (from handwritten notes): bmtphy1 at dcl phy1; BCM5201 10/100, rev. 2 dc2 at pci0 dev 12

Re: Running out of RAM -- for the archives

On 07/06/2007 06:46:26 PM, Chris Smith wrote: I assume the problem is not enough RAM because when I add more RAM everything works fine. Repeatable? Sure you've ruled out a seating problem? Yes, repeatable. I didn't try to reseat the nic (or the ram), but it worked fine booting from the

Re: ftp-proxy binat design -- Was: Re: binat questions

On 07/01/2007 12:53:59 PM, Camiel Dobbelaar wrote: On Sun, 1 Jul 2007, Karl O. Pinc wrote: The basic idea is to modify ftp-proxy so it adds binat rules to it's anchors. You cannot use port in binat rules, so that would not work. I think this problem can only be fixed in pf itself

ftp-proxy binat design -- Was: Re: binat questions

On 03/22/2007 03:17:00 PM, Stuart Henderson wrote: One thing to watch out for with binat: you can't use it with ftp-proxy(8), since binat is of higher priority than the rdr or nat rules which are added to the anchor. The workaround there is to list nat and rdr separately. I just figured this

Re: Important OpenBSD errata

On 03/16/2007 02:51:48 AM, Kian Mohageri wrote: Expectations aside, being condescending is never warranted. Both Karl and Martin did just that. I did not intend to be condesending and apologise if it was taken that way. Karl [EMAIL PROTECTED] Free Software: You don't pay back, you pay

Re: Important OpenBSD errata

Thanks very much for taking the time to respond. On 03/16/2007 02:33:28 PM, Kian Mohageri wrote: I'm not saying that you're unappreciative, just that it seemed that way. That is why when I write suggestions, I usually find something to thank the person for too, just so they don't feel

Re: Important OpenBSD errata

On 03/16/2007 02:51:35 PM, Karel Kulhavy wrote: On Fri, Mar 16, 2007 at 01:26:39PM +, Karl O. Pinc wrote: It's actually really easy. Follow the first 2 steps in man release. Unfortunately these instructions fail with not being clear if I should use OPENBSD_4_0_BASE or OPENBSD_4_0

Re: Important OpenBSD errata

On 03/14/2007 09:13:19 AM, Martin Schrvder wrote: 2007/3/13, Theo de Raadt [EMAIL PROTECTED]: This means everyone should have our latest patches installed. Just a reminder: security-announce exists for messages like this. Use it or delete it. While the bug is bad, the handling of it is even

Re: Important OpenBSD errata

On 03/15/2007 10:24:31 PM, Tony Abernethy wrote: Karl O. Pinc wrote: On 03/14/2007 09:13:19 AM, Martin Schrvder wrote: 2007/3/13, Theo de Raadt [EMAIL PROTECTED]: This means everyone should have our latest patches installed. Just a reminder: security-announce exists for messages like

Re: Important OpenBSD errata

On 03/15/2007 10:48:49 PM, Ray Percival wrote: On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote: I rely on having a clear channel for security related problems. The only communication problem here is that you don't look at the information that the project puts out there for you

Re: Important OpenBSD errata

On 03/15/2007 11:04:49 PM, Jeremy Huiskamp wrote: That's what I was going to say. If you did things properly, you would have had this patch applied before you knew that it was a remote hole. You have a valid point: any bug is a security problem. However, the topic is not my management

Re: Important OpenBSD errata

On 03/15/2007 11:29:22 PM, Theo de Raadt wrote: I looked for your name on the donations list. I don't see it. I only buy CDs and stuff occasionally, and generally invest time in what I hope are productive ways. How much do I need to donate to keep from having to waste my time in

Re: Important OpenBSD errata

On 03/16/2007 12:09:46 AM, Theo de Raadt wrote: I looked for your name on the donations list. I don't see it. I only buy CDs and stuff occasionally, and generally invest time in what I hope are productive ways. I think you bought one CD. I think I've bought 4 over the last 5 years. I

Re: Important OpenBSD errata

On 03/15/2007 11:55:44 PM, Kian Mohageri wrote: Security isn't about receiving notifications to your Inbox in a timely fashion. It is about being proactive yourself. You should be the one taking measures to secure your systems, and you should be the one ACTIVELY LOOKING for problems.

Re: Important OpenBSD errata

On 03/16/2007 12:40:57 AM, Daniel Ouellet wrote: And what are the developers doing with their time? They give it to you and you have the got to complain on top of it! So next time I shouldn't post when I see a problem? That'll help, not. Karl [EMAIL PROTECTED] Free Software: You don't pay

Re: Important OpenBSD errata

I apologise to the list for responding to the flames. I made my point and went beyond into unproductiveness. I'm sorry and I'll stop now. Karl [EMAIL PROTECTED] Free Software: You don't pay back, you pay forward. -- Robert A. Heinlein

Daylight savings time paranoia

Hi, I've applied patch 009_timezone.patch to update the tzfiles for the US DST change. (OpenBSD 4.0) Are the libraries clever enough to know that the files changed or do processes need to be restarted. It's simple enough to reboot the entire box but I'm curious, and it's aesthetically

Why isn't /usr/local/sbin in $PATH?

Hi, I was wondering why /usr/local/sbin was not in the $PATH of the default section of /etc/login.conf. Since /usr/local/bin is in there I can think of no reason not to also have /usr/local/sbin. Regards, Karl [EMAIL PROTECTED] Free Software: You don't pay back, you pay forward.

Stock fstab

Is the stock fstab documented anywhere? That is, the fstab that you get if you use the recommended partitions that the install program sets up for you. I've been shuffling partitions around and would like something to compare against with regards to mounting noexec nosuid etc. Thanks. Karl

Re: Stock fstab

On 01/01/2007 04:08:49 PM, Ingo Schwarze wrote: The default is: - everything except / is nodev - everything except /sbin /usr /usr/bin /usr/sbin /usr/libexec /usr/libexec/* /usr/local /usr/local/* /usr/X11R6 /usr/X11R6/bin is nosuid - noexec is not used by default Thanks to

Re: Bridge lockup

On 12/25/2006 06:25:44 AM, Reyk Floeter wrote: hi, On Sun, Dec 24, 2006 at 09:44:46PM +, Karl O. Pinc wrote: I was just messing about upgrading some boxes from 3.8 and I shut a router down for a while and the bridge it was plugged into hung. No response to pings and no response

Bridge lockup

Hi, I was just messing about upgrading some boxes from 3.8 and I shut a router down for a while and the bridge it was plugged into hung. No response to pings and no response to the keyboard. The only thing I noticed was that the 3 keyboard lights were all blinking off and on together at about

Re: CGD

On 02/04/2006 01:05:17 AM, veins wrote: I think you are missing the point, cgd and salting are two different and unrelated things. It's not because cgd isn't making it into OpenBSD, that salting won't make it into svnd. I'd explain, but frankly after a night at work i'd rather go and sleep

Re: CGD

On 01/03/2006 09:45:02 PM, Ted Unangst wrote: On 1/3/06, kami petersen [EMAIL PROTECTED] wrote: on a related subject: what's keeping that diff you did to add salting to vnconfig from hitting the tree? (or something like it) i don't believe that the people asking for cgd really even intend

Re: Dead switch, a quick carp failover question

On 01/02/2006 03:31:10 AM, Marco Pfatschbacher wrote: Although it's rather hypothetical to have two broken switches at the same time, your assumptions are correct. The backup will not take over. It is rather hypothetical, but perhaps not as much as you might think. I have already, during

Re: ifstated.conf documentation problem?

On 01/01/2006 11:35:19 AM, Jon Hart wrote: The BNF seems to indicate that what you are trying to do is legal syntax-wise. At one point I had an ifstated.conf that did something similiar with a master switch state that was the target of init-state -- it would help determine what the correct

Re: Dead switch, a quick carp failover question

On 01/01/2006 03:09:03 PM, Marco Pfatschbacher wrote: On Sun, Jan 01, 2006 at 12:28:42AM +, Karl O. Pinc wrote: [...] Suppose I have 2 firewalls, one failing over to the other with carp. (net.inet.carp.preempt=1 on both firewalls.) Each has 3 interfaces, internet, lan, and dmz. The dmz

Dead switch, a quick carp failover question

Hi, Sorry, but I just can't seem to get (all of) net.inet.carp.preempt from the man pages. I could set this up and test it, but I know that somebody's done it already and a quick search of the list archives fails me. Suppose I have 2 firewalls, one failing over to the other with carp.

ifstated.conf documentation problem?

man 5 ifstated.conf says: The init block is used to initialise the state and is executed each time the state is entered. But this does not seem to be true if you use 'init-state' to enter the state. Or maybe there's something else wrong with my config below, or with ifstated when there's no

Re: pf rules and binat

On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote: I have a question regarding pf and binat. I need to protect mail server and web server behind firewall. I am planning to run pf with binat rules. I need to do the following: 1) Allow only ssh to firewall 2) Allow 80, 443 fron net to web

/etc/isakmpd/ missing from etc38.tgz?

Hi, I just did a 3.6 - 3.7 - 3.8 upgrade and looking through the /etc/security mailing I see that I don't have /etc/disklabls/ or /etc/isakmpd/. These directories do not seem to be in etc38.tgz, although they do show up on a system I did a clean 3.8 install on. (3.8 patched to stable as of Dec

Re: /etc/isakmpd/ missing from etc38.tgz?

On 12/23/2005 09:24:09 AM, Jason Crawford wrote: On 12/23/05, Karl O. Pinc [EMAIL PROTECTED] wrote: Hi, I just did a 3.6 - 3.7 - 3.8 upgrade and looking through the /etc/security mailing I see that I don't have /etc/disklabls/ or /etc/isakmpd/. These directories do not seem