CRYPT rounds vs. performance

2015-01-03 Thread whoami toask
I tested OpenBSD 5.6 in VirtualBox on a RHEL 6.5 Workstation, T410: 

A few installs with full disk encryption; only the rounds differ.
The guests had: 2 GB RAM, fixed 10 GB HDD, same 10 char pwd, i5 CPU M 560:
(I placed dots only for better reading, not in the real command)

A = bioctl -r 1.000 -c C -l /dev/sd0a softraid0
B = bioctl -r 100.000 -c C -l /dev/sd0a softraid0
C = bioctl -r 1.000.000 -c C -l /dev/sd0a softraid0
D = bioctl -r 10.000.000 -c C -l /dev/sd0a softraid0
E = without encryption

I did a:

dd if=/dev/zero of=test.foo

on them: 

A = ~107 sec
B = ~105 sec
C = ~109 sec
D = ~106 sec
E = ~110 sec
- ~22 MB/s

From the man pages:

-r rounds
    When creating an encrypted volume, specifies the number of iterations of
    the PBKDF2 algorithm used to convert a passphrase into a key. Higher
    iteration counts take more time, but offer more resistance to key guessing
    attacks. The minimum is 1000 rounds and the default is 8192.

---
Questions for the community/devs: 

- Are there any statistics comparing the rounds vs. the time to crack one
password? What is the best* round number?

*- Do the rounds affect the disk performance, e.g. 1000 vs. 10 000 000**? OR
do they ONLY affect the time until the password unlocks the CRYPT device?

**When I used 10 000 000 rounds, after giving the pwd at boot, it took ~30
seconds to start the real boot.

It looks like using dd didn't show any difference between encrypted vs.
not-encrypted disks... so were my tests bad?

Thank you,
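The question above asks what -r rounds actually changes. Added example (not from the original post or from OpenBSD): a Python model that times the PBKDF2 derivation for several round counts and estimates what the same rounds cost an offline guesser. It assumes softraid CRYPT uses PBKDF2-HMAC-SHA1, which is only implied by the man page text quoted above; the passphrase and salt are constructed samples.

```python
"""What bioctl's -r rounds changes, and what it does not (added example)."""
import hashlib
import os
import time

# Assumption: softraid CRYPT stretches the passphrase with PBKDF2-HMAC-SHA1,
# matching the "PBKDF2 algorithm" wording of the bioctl(8) man page quoted above.
def derive_key(passphrase: bytes, salt: bytes, rounds: int, dklen: int = 32) -> bytes:
    """Passphrase -> volume key.  Work is linear in rounds and is done once, at unlock."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, rounds, dklen)


def time_unlock(passphrase: bytes, salt: bytes, rounds: int) -> float:
    """Seconds the user waits at boot for the key derivation alone."""
    start = time.perf_counter()
    derive_key(passphrase, salt, rounds)
    return time.perf_counter() - start


def seconds_per_round(passphrase: bytes, salt: bytes, probe_rounds: int = 50_000) -> float:
    """Calibrate the per-iteration cost of PBKDF2 on this machine."""
    return time_unlock(passphrase, salt, probe_rounds) / probe_rounds


def offline_guess_seconds(rounds: int, per_round: float, candidates: int, cores: int = 1) -> float:
    """Time for someone who copied the encrypted disk to try `candidates` passphrases.

    Every guess costs a full PBKDF2 run, so raising rounds scales the guesser's
    bill by exactly the factor it scales the legitimate unlock.
    """
    return candidates * rounds * per_round / cores


if __name__ == "__main__":
    passphrase = b"correct horse"   # constructed sample passphrase
    salt = os.urandom(16)           # constructed sample salt (a real volume stores its own)
    per_round = seconds_per_round(passphrase, salt)
    print(f"~{per_round * 1e6:.3f} us per PBKDF2 round on this CPU")
    # Unlock time and guessing cost for the round counts tried in the post (A-D)
    # plus the 8192 default.  Sector encryption afterwards uses the derived key
    # directly and never reruns the KDF, so rounds do not touch dd throughput.
    for rounds in (1_000, 8_192, 100_000, 1_000_000, 10_000_000):
        unlock = rounds * per_round
        days = offline_guess_seconds(rounds, per_round, 10**8) / 86_400
        print(f"rounds={rounds:>10}: unlock ~{unlock:8.3f} s; "
              f"10^8 guesses ~{days:10.1f} days on one core")
```

Unlock time and guessing cost both scale linearly with the round count, which matches the ~30 s boot delay reported for 10 000 000 rounds, while the unchanged dd figures for A to E follow from the KDF running only once.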



Re: httpd and ~user directories

2015-01-03 Thread Reyk Floeter
On Sat, Jan 03, 2015 at 10:33:52PM +0100, Tor Houghton wrote:
 Hello,
 
 I'm wondering if there is a plan to add support for ~user style URL 
 expansion to the new httpd.
 
 I've tried fudging it for 'someuser' by adding the following to the default
 server within /etc/httpd.conf, but to no avail:
 
   location /~someuser/* {
   root /htdocs/users/someuser
   }
 
 (I also tried creating a directory '/htdocs/~someuser', but that didn't work
 either, thankfully.)
 
 I'm running 5.6 (not -current; so I should probably do that), but looking at
 the current commits, I can't see that this is supported right now?
 
 Or am I doing it wrong?
 

- User directories are not explicitly supported and have to be
within the chroot - somewhere in /var/www.

- For example, you can currently create user directories the following way:

# mkdir /var/www/users/~reyk
# ln -s /var/www/users/reyk ~reyk/public_html
# echo Hallo > /var/www/users/~reyk/index.html

location /~* {
root /users
}
  
- For your snippet, you would need an upcoming feature from chrisz@ to
strip elements from the request path (so it can be done without
rewrite/regex).

Currently, a client requesting http://somehost/~someuser/ would end up
in /var/www/htdocs/users/someuser/~someuser/ - which does not exist.

location /~someuser/* {
root /htdocs/users/someuser
}

You can fix the path by stripping the last path element so that it
turns into /var/www/htdocs/users/someuser.

location /~someuser/* {
root { /htdocs/users/someuser, strip 1 }
}

Reyk
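Added example, not httpd's code: a Python model of the mapping Reyk describes, from a request path through the chroot and a location's root (with or without `strip`) to the filesystem path, so the two resolutions quoted above can be checked. It assumes the /var/www chroot named in the reply; rejecting paths that normalise to somewhere outside the chroot is the model's own check.

```python
"""Model of how httpd(8) maps a request path into its chroot (added example)."""
import posixpath

CHROOT = "/var/www"   # httpd's chroot, as stated in the reply above


def resolve(root: str, request_path: str, strip: int = 0, chroot: str = CHROOT) -> str:
    """Return the filesystem path httpd would open for request_path.

    root is the location's `root` directive (relative to the chroot); strip
    models the `root { path, strip N }` syntax by dropping the first N request
    path elements.  This illustrates the rules described in the thread; it is
    not httpd's implementation.
    """
    elements = [e for e in request_path.split("/") if e not in ("", ".")]
    if strip > len(elements):
        raise ValueError("strip count exceeds request path depth")
    remainder = "/".join(elements[strip:])
    full = posixpath.normpath(posixpath.join(chroot, root.strip("/"), remainder))
    # httpd serves nothing outside its chroot; a faithful model must reject a
    # normalised path that climbed out, however many ".." elements did it.
    if full != chroot and not full.startswith(chroot + "/"):
        raise ValueError("request path escapes the chroot")
    return full


if __name__ == "__main__":
    # Tor's snippet without strip: the ~someuser element is kept and the
    # result does not exist, exactly as the reply says.
    print(resolve("/htdocs/users/someuser", "/~someuser/"))
    # The same location with strip 1 lands on the user's directory.
    print(resolve("/htdocs/users/someuser", "/~someuser/", strip=1))
    # Reyk's "location /~* { root /users }" variant with a ~reyk directory.
    print(resolve("/users", "/~reyk/index.html"))
```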



Re: httpd and ~user directories

2015-01-03 Thread Tor Houghton
On Sat, Jan 03, 2015 at 11:29:32PM +0100, Reyk Floeter wrote:
 
 - User directories are not explicitly supported and have to be  
 within the chroot - somewhere in /var/www.  
 
 - For example, you can currently create user directories the following way:
 
 # mkdir /var/www/users/~reyk
 # ln -s /var/www/users/reyk ~reyk/public_html
 # echo Hallo > /var/www/users/~reyk/index.html
 
   location /~* {
   root /users
   }
   
 - For your snippet, you would need an upcoming feature from chrisz@ to
 strip elements from the request path (so it can be done without
 rewrite/regex).
 
 [ snip ]

Thank you for your kind way of telling me I was doing it wrong! :-)

Until chrisz@'s commit (and when I'm running -current), I'll fudge the
directory structure by creating symbolic links:

location /~* {
root /htdocs/users
}

Then in /htdocs/users, for each user's directory:

drwxr-xr-x   2 1017  www  512 Mar  4  2013 user1
drwxr-x--x   5 1009  www 1024 Jul 20  2013 user2
..
drwxr-x--x   6 1004  www  512 May 30  2014 userN

I do:

$ ln -s user1 ./~user1
$ ln -s user2 ./~user2
..
$ ln -s userN ./~userN

This seems indeed to do the (ugly) trick.

Many thanks for the super quick reply!

Tor



Re: Failed cron jobs are silent

2015-01-03 Thread Edgar Pettijohn
It has for me.  I misspelled something in a script and cron sent me an 
email complaining about it.



On 01/03/15 09:50, Craig Skinner wrote:

Back in the memory of somewhere??? I worked,
failed cronjobs would mail their return code if not zero.
Something like: Cron Job false exited with return code 1

I cannae mind if it was Solaris or Linux, or whatever they were using...

Can OpenBSD's cron do that too?

Here are some silent & noisy sample shite jobs:

- Forwarded message from Cron Daemon r...@britvault.co.uk -

Date: Sat,  3 Jan 2015 15:30:02 + (GMT)
From: Cron Daemon r...@britvault.co.uk
To: skin...@britvault.co.uk
Subject: Cron luser@sir-puffy crontab -l

# Silent:
* * * * * true
* * * * * false
* * * * * exit
* * * * * exit 111
# http://en.wikipedia.org/wiki/111_(emergency_telephone_number)

# Mail:
* * * * * false || print -u2 exited with return code $?
* * * * * false || print -u2 'http://en.wikipedia.org/wiki/One_Tree_Hill_(song)'
* * * * * crontab -l
* * * * * logname; umask; pwd; printenv | sort


- End forwarded message -




Re: Failed cron jobs are silent

2015-01-03 Thread Bryan Horstmann-Allen
+--
| On 2015-01-03 14:02:15, Matthew Weigel wrote:
| 
 No, the behavior he described is accurate: cron(8) sends email if a job
 produced output, irrespective of its exit status.

 Google is littered with people trying to figure out how to get cron(8)
 to send email based on exit code... so it's certainly a common problem.
 Maybe some Unix decided to send email based on exit status, but
 OpenBSD's does not.

I have been wrapping cron jobs in App::Cronjob for ~5 years on Linux,
Solaris/illumos, and OpenBSD:

  http://search.cpan.org/~rjbs/App-Cronjob-1.24/lib/App/Cronjob.pm
  http://search.cpan.org/~rjbs/App-Cronjob-1.24/bin/cronjob
  http://advent.rjbs.manxome.org/2009/2009-12-07.html
  https://github.com/rjbs/App-Cronjob

Works quite well. Has other useful features in addition to emitting or
suppressing noise on exit code.

Cheers.
-- 
bdha
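As an added example (Python; not App::Cronjob and not from anyone in the thread), a minimal wrapper built on the behaviour the thread establishes: cron(8) mails only when a job produces output, so the wrapper swallows output on exit 0 and emits the status plus the captured output when the job fails or cannot be started. `PYTHON` is exported only so callers can spawn portable sample jobs.

```python
"""Cron job wrapper that turns exit status into mail-or-silence (added example)."""
import subprocess
import sys

PYTHON = sys.executable  # handy for spawning portable sample jobs


def run_job(argv, report_output_on_success=False):
    """Run argv and return (exit_status, report).

    report is "" when the job exits 0 (its output is swallowed unless
    report_output_on_success is set), so cron(8), which mails only on output,
    stays quiet.  On non-zero exit, or when the job could not be started at all,
    report carries the status plus the captured stdout/stderr, which cron then
    mails to MAILTO or the crontab owner.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except OSError as exc:
        # e.g. command not found: say so rather than failing silently
        return 127, f"{argv[0]}: could not be started: {exc}\n"
    output = proc.stdout + proc.stderr
    if proc.returncode == 0 and not (report_output_on_success and output):
        return 0, ""
    header = f"{' '.join(argv)} exited with return code {proc.returncode}\n"
    return proc.returncode, header + output


def main():
    if len(sys.argv) < 2:
        sys.stderr.write("usage: cronwrap command [args...]\n")
        sys.exit(2)
    status, report = run_job(sys.argv[1:])
    if report:
        sys.stderr.write(report)   # any output here is what cron mails
    sys.exit(status)


if __name__ == "__main__":
    main()
```

In a crontab this reads `* * * * * cronwrap /path/to/job`, and the wrapper's exit status is the job's own, so nothing else about the entry changes.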



Re: Variable Length Arrays

2015-01-03 Thread Ted Bullock
The 2015-01-02, Theo de Raadt wrote:
 So what do you guys think? VLA's, are they good, bad, evil, stupid, all 
 of the above?
 
 alloca() re-invented.
 
 alloca(3) was considered slightly unsafe, because use of it was rare.  Your
 mail strikes so widely, feel free to modify a whole system to use this instead
 of malloc.  Then argue your point, and lose...

Thanks, more or less sums it up. I'll stick to using malloc and friends; 
it's got a reliable idiom for checking errors, and I have a lot of 
appreciation for the rigor that's gone into the implementation. 

-- 
Ted Bullock



httpd and ~user directories

2015-01-03 Thread Tor Houghton
Hello,

I'm wondering if there is a plan to add support for ~user style URL 
expansion to the new httpd.

I've tried fudging it for 'someuser' by adding the following to the default
server within /etc/httpd.conf, but to no avail:

location /~someuser/* {
root /htdocs/users/someuser
}

(I also tried creating a directory '/htdocs/~someuser', but that didn't work
either, thankfully.)

I'm running 5.6 (not -current; so I should probably do that), but looking at
the current commits, I can't see that this is supported right now?

Or am I doing it wrong?

Kind regards,

Tor



Re: Variable Length Arrays

2015-01-03 Thread Miod Vallat
 So I've been wondering about variable length arrays from c99 for a while 
 now. They seem to me like a good way to avoid lots of trivial calls to 
 malloc/free at least for smaller arrays that aren't going to blow up the 
 stack. That said I don't see them being used.
 
 The promise of them seems to be 'easy', dynamic, stack allocated memory and 
   ^

Most uses of variable length arrays in the kernel (and a significant part
in userland) need the allocated data to outlive the routine they are
allocated by. This rules out stack allocation.



Re: Amv7 support sunxi SoC router board Lamobo R1 (BPi-R1)?

2015-01-03 Thread Daniel Bolgheroni
On Fri, Jan 02, 2015 at 11:11:18AM +0800, f5b wrote:
 Does Amv7 support sunxi SoC router board Lamobo R1 (BPi-R1)?

It's armv7, not amv7. I have a Banana Pi which can load OpenBSD but
won't complete the boot. Allwinner A20 still has some issues.

There is a topic which discusses some of these issues on tech@:

http://marc.info/?l=openbsd-tech&m=141227625722523&w=2

Also check the a...@openbsd.org mailing list.

Cheers,

-- 
db



Re: Upgrading issues (i386 on PPro class) 5.4-5.5 leaving system horked (now 5.4-5.6)

2015-01-03 Thread Stuart Henderson
On 2015-01-01, Damon Getsman damo.g...@gmail.com wrote:
 Running update
 /usr/local/bin/xmlcatalog:/usr/lib/libiconv.so.6.0: undefined symbol
 '__guard' /usr/local/bin/xmlcatalog:/usr/lib/libiconv.so.6.0: undefined
 symbol '__guard' New package glib2-2.40.0p7 will run the following
 commands

libiconv should be in /usr/local/lib, not /usr/lib. I'm not sure how the
system got in this state but it's not from a standard package installation
which would put files in /usr/local/lib. (perhaps at some point you compiled
something outside of ports and ran into a problem with it not finding the
library, so copied it? however it happened it seems to be causing a conflict).

You might get somewhere by saving a package list (pkg_info > ~/pkg.txt),
uninstalling all packages (pkg_delete -X), removing /usr/lib/libiconv.so.6.0
and other alien libraries from /usr/lib (check file dates), then
reinstalling packages (pkg_add -zl ~/pkgs.txt), but I can't guarantee it.


 @exec /usr/local/bin/glib-compile-schemas /usr/local/share/glib-2.0/schemas
/dev/null
 + @exec /usr/local/bin/gio-querymodules /usr/local/lib/gio/modules
 Running update
 /usr/local/bin/glib-compile-schemas:/usr/lib/libiconv.so.6.0: undefined
 symbol
 '__guard' /usr/local/bin/gio-querymodules:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' New package shared-mime-info-1.3 will run
 the following commands
 + @exec /usr/local/bin/update-mime-database /usr/local/share/mime
 Running update
 /usr/local/bin/update-mime-database:/usr/lib/libiconv.so.6.0: undefined
 symbol '__guard' New package gdk-pixbuf-2.30.8 will run the following
 commands
 + @exec /usr/local/bin/gdk-pixbuf-query-loaders --update-cache
 Running update
 /usr/local/bin/gdk-pixbuf-query-loaders:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' New package gtk-update-icon-cache-2.24.24
 will run the following commands
 + @exec /usr/bin/find /usr/local/share/icons -type d -mindepth 1
 -maxdepth 1 -exec /usr/local/bin/gtk-update-icon-cache -q -t -f {} \;
 2/dev/null || true Running update New package djvulibre-3.5.25.3p0
 2will run the following commands
 + @exec /usr/local/bin/gtk-update-icon-cache -q
 -t /usr/local/share/icons/hicolor Running update
 /usr/local/bin/gtk-update-icon-cache:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' New package dbus-1.8.6v0 will run the
 following commands
 + @exec /usr/local/bin/dbus-uuidgen --ensure=/etc/machine-id
 Running update
 install-info: warning: no entries found for
 `/usr/local/info/gdbm.info'; nothing deleted install-info: menu item
 `gdbm_load' already exists, for file `(none)' New package pango-1.36.5
 will run the following commands
 + @exec-update rm -f /etc/pango/pango.modules
 + @exec /usr/local/bin/pango-querymodules --update-cache
 Running update
 /usr/local/bin/pango-querymodules:/usr/lib/libiconv.so.6.0: undefined
 symbol '__guard' Segmentation fault (core dumped) 
 New package librsvg-2.40.2 will run the following commands
 + @exec /usr/local/bin/gdk-pixbuf-query-loaders --update-cache
 Running update
 /usr/local/bin/gdk-pixbuf-query-loaders:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' New package gnome-icon-theme-3.12.0 will run
 the following commands
 + @exec /usr/local/bin/gtk-update-icon-cache -q
 -t /usr/local/share/icons/gnome Running update
 /usr/local/bin/gtk-update-icon-cache:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' New package
 gnome-icon-theme-symbolic-3.12.0p1 will run the following commands
 + @exec /usr/local/bin/gtk-update-icon-cache -q
 -t /usr/local/share/icons/gnome Running update
 /usr/local/bin/gtk-update-icon-cache:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' New package gtk+2-2.24.24 will run the
 following commands
 + @exec /usr/local/bin/gtk-query-immodules-2.0 --update-cache
 Running update
 /usr/local/bin/gtk-query-immodules-2.0:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' Segmentation fault (core dumped) 
 New package desktop-file-utils-0.22 will run the following commands
 + @exec /usr/local/bin/update-desktop-database
 Running update
 /usr/local/bin/update-desktop-database:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' Segmentation fault (core dumped) 
 New package claws-mail-3.9.3p1 will run the following commands
 + @exec /usr/local/bin/update-desktop-database
 + @exec /usr/local/bin/gtk-update-icon-cache -q
 -t /usr/local/share/icons/hicolor Running update
 /usr/local/bin/update-desktop-database:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard' Segmentation fault (core dumped) 
 /usr/local/bin/gtk-update-icon-cache:/usr/lib/libiconv.so.6.0:
 undefined symbol '__guard'
 New package dconf-0.20.0p0 will run the following commands+
 @exec /usr/local/bin/gio-querymodules /usr/local/lib/gio/modules
 Running
 update /usr/local/bin/gio-querymodules:/usr/lib/libiconv.so.6.0:
 undefined symbol '__gu ard' New package fedora_base-10.0p4 will run the
 following commands
 + @exec ln -fhs /usr/local/emul/fedora /emul/linuxRunning update
 New package 

Re: WLAN roaming?

2015-01-03 Thread Stefan Sperling
On Thu, Jan 01, 2015 at 06:30:50PM -0500, Brad Smith wrote:
 On 01/01/15 17:14, Christian Weisgerber wrote:
 My OpenBSD laptop, iwn(4), doesn't roam between my two access points.
 It's a sorry sight when it struggles to push a signal through the
 rebar floor instead of switching over to the other access point a
 meter away.
 
 Is this a limitation of OpenBSD's WLAN support or should I blame
 the access points?  (Two stupid consumer APs with the same SSID and
 on the same network segment.)
 
 Searching for WLAN roaming leads to vague references to IEEE 802.11f,
 but it's unclear to me whether this is required for roaming or just
 intended to improve it.
 
 Roaming is done by the client. This is an OpenBSD issue. It needs
 the relevant support in the drivers and 802.11 layer.

That's correct. Clients are supposed to handle roaming by choosing a
different AP and sending a re-association request frame. The standard
doesn't specify details so the underlying mechanics are up to the
implementation (apparently some vendor-specific extensions exist).

I don't believe OpenBSD wireless clients support this transparently.
A manual re-association is necessary, perhaps with an explicit AP bssid
given to ifconfig.

802.11f implements AP-AP communication about re-associations and is
supported via hostapd(8).



Re: [Tor-BSD] Recognizing Randomness Exhaustion

2015-01-03 Thread Stuart Henderson
On 2015-01-01, Miod Vallat m...@online.fr wrote:
  I should have also specified that I didn't just go ahead and enable them
  because I wasn't sure if they're considered safe. I like abiding by
  OpenBSD's crypto best practices when possible.
  
  Is there any reason why they're disabled by default?
 
 Compiler bugs generate incorrect code for 128 bit integers.

 In slightly more words, we have tried enabling this code, and found out
 the hard way that, when compiled by the system compiler under OpenBSD,
 it would generate slightly wrong code, and cause computations to be
 subtly wrong.

 Until someone spends enough time checking the various compiler versions
 around to check which are safe to use, and which are not, this code will
 remain disabled in LibreSSL.

The specific failure we saw was in openssh; key_parse_private_pem: bad
ECDSA key when reading a saved id_ecdsa.



Re: usmb/FUSE on 5.6

2015-01-03 Thread Stuart Henderson
On 2014-12-30, Steven Surdock ssurd...@engineered-net.com wrote:
 Using the package usmb to mount a share from a Windows 2008R2 server does not 
 seem reliable.  FUSE/usmb dismounts the share after a while (less than 24 
 hours) with the following error:

 Dec 30 01:30:07 fileshare /bsd: fuse: device close without umount

 Usmb is not typically running afterwards.  Anyone tried using usmb or have 
 any suggested next steps for troubleshooting?

 -Steve S.



Looks like usmb is crashing, causing the fuse device to close.
usmb is definitely not perfect, smbclient or gvfs-smb are more reliable
and better if you can use them (but obviously more limited in scope).
Otherwise, debug information and/or reproduction steps would be needed.



Re: setting WiFi txpower with ifconfig

2015-01-03 Thread Stuart Henderson
On 2015-01-03, Alan Corey alan01...@gmail.com wrote:
 I'm trying to do some antenna work so I want a weak signal from the
 other side of the basement.  So I try stuff like ifconfig athn0
 txpower 1 and get ifconfig: SIOCS80211TXPOWER: Invalid argument.
 Any number I've tried gives the same thing.  If I leave out the number
 it tells me I need one.  Worse, the same thing happens with athn, ath,
 urtwn, in OpenBSD 5.6, 5.2, 5.0.

Grepping over /sys/dev source, it appears that the only OpenBSD driver
implementing this ioctl is wi(4).



Re: Recognizing Randomness Exhaustion

2015-01-03 Thread Stuart Henderson
On 2014-12-31, Libertas liber...@mykolab.com wrote:
 One possible explanation is that its randomness store gets exhausted.

OpenBSD's RNG subsystem doesn't get exhausted like this.



Re: httpd: multiple addresses for one server

2015-01-03 Thread Reyk Floeter
On Thu, Jan 01, 2015 at 11:54:46PM -0500, Geoff Steckel wrote:
 Is there any way to do the equivalent of:
 
 server an.example.com
 listen on 192.168.2.99
 listen on 2001.fefe.1.1::99
 
 ??
 It appears that the code in parse.y explicitly forbids this
 and the data structures for a server don't *seem*
 to have more than one slot for an address.
 
 Is there another way to achieve this effect?
 From one comment in the checkins, it looks like
 
 server an.example.com
 listen on 192.168.2.99
 .
 server an.example.com
 listen on 2001.fefe.1.1::99
 
 would work.
 
 Duplicating the entire server description is
 difficult to maintain.
 
 Is someone planning to work in this area soon?
 
 thanks
 Geoff Steckel
 

I used include directives to avoid duplication (see previous reply),
but the following diff allows adding aliases and multiple listen
statements.

Reyk

Index: config.c
===
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.26
diff -u -p -u -p -r1.26 config.c
--- config.c21 Dec 2014 00:54:49 -  1.26
+++ config.c3 Jan 2015 13:33:25 -
@@ -174,7 +174,9 @@ config_setserver(struct httpd *env, stru
if ((what  CONFIG_SERVERS) == 0 || id == privsep_process)
continue;
 
-   DPRINTF(%s: sending server \%s[%u]\ to %s fd %d, __func__,
+   DPRINTF(%s: sending %s \%s[%u]\ to %s fd %d, __func__,
+   (srv-srv_conf.flags  SRVFLAG_LOCATION) ?
+   location : server,
srv-srv_conf.name, srv-srv_conf.id,
ps-ps_title[id], srv-srv_s);
 
Index: httpd.conf.5
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.40
diff -u -p -u -p -r1.40 httpd.conf.5
--- httpd.conf.528 Dec 2014 13:53:23 -  1.40
+++ httpd.conf.53 Jan 2015 13:33:25 -
@@ -135,6 +135,10 @@ must have a
 .Ar name
 and include one or more lines of the following syntax:
 .Bl -tag -width Ds
+.It Ic alias Ar name
+Specify an additional alias
+.Ar name
+for this server.
 .It Ic connection Ar option
 Set the specified options and limits for HTTP connections.
 Valid options are:
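Review bot: the new `.It Ic alias Ar name` entry does not say whether `alias` may be repeated, while the `listen on` entry in the next hunk gains "This statement can be specified multiple times"; since a server can reasonably carry several alternative names, say so here as well (or state that only one alias is accepted, if that is what the parser does).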
@@ -180,6 +184,7 @@ and defaults to
 .Pa /run/slowcgi.sock .
 .It Ic listen on Ar address Oo Ic tls Oc Ic port Ar number
 Set the listen address and port.
+This statement can be specified multiple times.
 .It Ic location Ar path Brq ...
 Specify server configuration rules for a specific location.
 The
@@ -391,6 +396,13 @@ If the same address is repeated multiple
 statement,
 the server will be matched based on the requested host name.
 .Bd -literal -offset indent
+server www.example.com {
+   alias example.com
+   listen on * port 80
+   listen on * tls port 443
+   root /htdocs/www.example.com
+}
+
 server www.a.example.com {
listen on 203.0.113.1 port 80
root /htdocs/www.a.example.com
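Review bot: the example now combines `alias example.com` with two `listen on *` lines, but the sentence just above it ("the server will be matched based on the requested host name") says nothing about aliases; add a clause making clear that alias names take part in that host-name match, otherwise a reader has to infer it from the example alone.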
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.46
diff -u -p -u -p -r1.46 parse.y
--- parse.y 21 Dec 2014 00:54:49 -  1.46
+++ parse.y 3 Jan 2015 13:33:26 -
@@ -106,6 +106,8 @@ int  host_if(const char *, struct addre
 int host(const char *, struct addresslist *,
int, struct portrange *, const char *, int);
 voidhost_free(struct addresslist *);
+struct server  *server_inherit(struct server *, const char *,
+   struct server_config *);
 int getservice(char *);
 int is_if_in_group(const char *, const char *);
 
@@ -125,10 +127,10 @@ typedef struct {
 
 %}
 
-%token ACCESS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON
+%token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON
 %token COMBINED CONNECTION DIRECTORY ERR FCGI INDEX IP KEY LISTEN LOCATION
 %token LOG LOGDIR MAXIMUM NO NODELAY ON PORT PREFORK REQUEST REQUESTS ROOT
-%token SACK SERVER SOCKET STYLE SYSLOG TCP TIMEOUT TLS TYPES 
+%token SACK SERVER SOCKET STYLE SYSLOG TCP TIMEOUT TLS TYPES
 %token ERROR INCLUDE
 %token v.string  STRING
 %token  v.number NUMBER
@@ -247,8 +249,14 @@ server : SERVER STRING {
srv_conf = srv-srv_conf;
 
SPLAY_INIT(srv-srv_clients);
+   TAILQ_INIT(srv-srv_hosts);
+
+   TAILQ_INSERT_TAIL(srv-srv_hosts, srv_conf, entry);
} '{' optnl serveropts_l '}'{
-   struct server   *s = NULL;
+   struct server   *s = NULL, *sn;
+   struct server_config*a, *b;
+
+   srv_conf = srv-srv_conf;
 
TAILQ_FOREACH(s, conf-sc_servers, srv_entry) {
if 
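Review bot: the hunk is cut off at `if` inside the TAILQ_FOREACH over conf->sc_servers, so the duplicate-name handling and the new server_inherit() (prototyped in the first parse.y hunk but defined nowhere in the visible diff) cannot be reviewed from this post; the complete diff is needed. In the closing action, srv_conf is pointed back at srv->srv_conf before the loop, which only makes sense if rules inside serveropts_l move it to other entries on the new srv_hosts list; a one-line comment there saying so would save the next reader the same question.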

Re: Failed cron jobs are silent

2015-01-03 Thread Jan Stary
On Jan 03 15:50:36, skin...@britvault.co.uk wrote:
 Back in the memory of somewhere??? I worked,
 failed cronjobs would mail their return code if not zero.
 Something like: Cron Job false exited with return code 1
 I cannae mind if it was Solaris or Linux, or whatever they were using...
 Can OpenBSD's cron do that too?

Any output produced by a command is sent to the user specified
in the MAILTO environment variable as set in the crontab(5)
file or, if no MAILTO variable is set (or if this is an
at(1) or batch(1) job), to the job's owner.  If a command
produces no output or if the MAILTO environment variable
is set to the empty string, no mail will be sent. The
exception to this is at(1) or batch(1) jobs submitted with
the -m flag.  In this case, mail will be sent even if the
job produces no output.


 Here are some silent & noisy sample shite jobs:
 
 - Forwarded message from Cron Daemon r...@britvault.co.uk -
 
 Date: Sat,  3 Jan 2015 15:30:02 + (GMT)
 From: Cron Daemon r...@britvault.co.uk
 To: skin...@britvault.co.uk
 Subject: Cron luser@sir-puffy crontab -l
 
 # Silent:
 * * * * * true
 * * * * * false
 * * * * * exit
 * * * * * exit 111

None of these produce any output, so no mail will be sent.

 # Mail:

Yes, because these produce output.

 * * * * * false || print -u2 exited with return code $?
 * * * * * false || print -u2 
 'http://en.wikipedia.org/wiki/One_Tree_Hill_(song)'
 * * * * * crontab -l
 * * * * * logname; umask; pwd; printenv | sort
 
 
 - End forwarded message -


On Jan 03 19:05:11, open...@crowsons.com wrote:
 set the MAILTO variable in crontab.
 man 5 crontab not man 1 crontab

  MAILTO
  If MAILTO is defined and non-empty, mail is
  sent to the user so named.  If MAILTO is defined but empty
  (MAILTO = ""), no mail will be sent. Otherwise mail is
  sent to the owner of the crontab. This is useful for
  pseudo-users that lack an alias that would otherwise
  redirect the mail to a real person.

There seems to be a slight discrepancy between
what cron.1 says and what crontab.5 says.

I just put

* * * * *   true
* * * * *   false
* * * * *   echo -n
* * * * *   echo

into my crontab (current/amd64). Echo sends an email,
because it has an output (even if just the newline).
The mail goes either to me, or whatever I set MAILTO to be.
None of the others send any mail, regardless of MAILTO,
because there is no output from the command.

So it seems crontab.5 is slightly inaccurate.

Jan


Index: crontab.5
===
RCS file: /cvs/src/usr.sbin/cron/crontab.5,v
retrieving revision 1.33
diff -u -p -r1.33 crontab.5
--- crontab.5   30 Jan 2014 20:02:42 -  1.33
+++ crontab.5   3 Jan 2015 20:12:08 -
@@ -255,14 +255,16 @@ May not be overridden by settings in the
 If
 .Ev MAILTO
 is defined and non-empty,
-mail is sent to the user so named.
+mail is sent to the user so named
+if the command produces any output.
 If
 .Ev MAILTO
 is defined but empty
 .Pq Ev MAILTO = Qq ,
 no mail will be sent.
 Otherwise mail is sent to the owner of the
-.Nm .
+.Nm
+if the command produces any output.
 This is useful for pseudo-users that lack an alias
 that would otherwise redirect the mail to a real person.
 .It Ev SHELL
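Review bot: the condition "if the command produces any output" is now attached separately to the named-user branch and to the crontab-owner branch of the same paragraph; state it once before the MAILTO cases (e.g. "Mail is sent only if the command produces output.") and keep the two branches about the recipient alone, so the two copies cannot drift apart in a later edit. The empty-MAILTO sentence is unaffected, since no mail goes out in that case regardless.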



Re: OpenBSD + OptiPlex 320 = frozen clock?

2015-01-03 Thread John Merriam

On 1/2/2015 2:00 PM, Nathan Wheeler wrote:

Try changing the value for the sysctl variable
kern.timecounter.hardware? It's just a guess, but it's helped me when
I had problems with the clock before.

On Fri, Jan 2, 2015 at 7:47 AM, John Merriam j...@johnmerriam.net wrote:

Hello.  I have a strange issue with OpenBSD on my Dell OptiPlex 320.  The
clock doesn't move:

# date; sleep 55; date
Thu Jan  1 02:25:47 EST 2015
Thu Jan  1 02:25:47 EST 2015

I see the same behavior with 5.6-release amd64 and -current amd64.  The
clock works fine in Windows and Linux on this machine.  I installed the
December 27th snapshot on it so I can mess around with it and try to get it
fixed.  Has anyone seen this before?  If not, any tips on what to try or
where I should start looking in the code to try to figure out what's going
on?

Below is the dmesg:

*snip*


Thanks.  I probably should have thought to look for a knob like that. 
The clock works fine with kern.timecounter.hardware set to either i8254 
or acpitimer0 but not when it is set to acpihpet0


The OptiPlex 320 was designed and produced not long after HPET started 
showing up in PCs.  I would guess the OptiPlex 320 has a buggy HPET. 
Since it isn't supported by Dell anymore, I doubt they would be 
interested in trying to fix it via a BIOS update if it would even be 
possible for them to fix it in the BIOS.


Is it worth messing around with to try to get HPET working on the 
OptiPlex 320 in OpenBSD or would it be written off as buggy hardware?  I 
guess that assumes it could work at all...


Here's another question that I have after reading up on this stuff.  Is 
it worth using the HPET or ACPI timers in OpenBSD for non desktop 
machines?  Obviously it depends on one's particular situation but from 
my reading it sounds like the most common reason to want better timers 
is multimedia which is usually not something to worry about on most servers.


--

John Merriam



Re: setting WiFi txpower with ifconfig

2015-01-03 Thread Jonathan Gray
On Sat, Jan 03, 2015 at 11:16:01AM +, Stuart Henderson wrote:
 On 2015-01-03, Alan Corey alan01...@gmail.com wrote:
  I'm trying to do some antenna work so I want a weak signal from the
  other side of the basement.  So I try stuff like ifconfig athn0
  txpower 1 and get ifconfig: SIOCS80211TXPOWER: Invalid argument.
  Any number I've tried gives the same thing.  If I leave out the number
  it tells me I need one.  Worse, the same thing happens with athn, ath,
  urtwn, in OpenBSD 5.6, 5.2, 5.0.
 
 Grepping over /sys/dev source, it appears that the only OpenBSD driver
 implementing this ioctl is wi(4).

You're missing all the net80211 drivers that handle it in ieee80211_ioctl().

$ fgrep -r IEEE80211_C_TXPMGT *
ic/pgt.c:   ic->ic_caps = IEEE80211_C_WEP | IEEE80211_C_PMGT | IEEE80211_C_TXPMGT |
ic/rt2560.c:IEEE80211_C_TXPMGT |/* tx power management */
ic/rt2661.c:IEEE80211_C_TXPMGT |/* tx power management */
pci/if_ipw.c:   IEEE80211_C_TXPMGT |/* tx power management */
pci/if_iwi.c:   IEEE80211_C_TXPMGT |/* tx power management */
usb/if_ral.c:   IEEE80211_C_TXPMGT |/* tx power management */
usb/if_rum.c:   IEEE80211_C_TXPMGT |/* tx power management */
usb/if_uath.c:  IEEE80211_C_TXPMGT |/* tx power management */
usb/if_urtw.c:  IEEE80211_C_TXPMGT |/* tx power management */
usb/if_zyd.c:   IEEE80211_C_TXPMGT |/* tx power management */



Re: httpd: multiple addresses for one server

2015-01-03 Thread Geoff Steckel

On 01/03/2015 08:42 AM, Reyk Floeter wrote:

On Thu, Jan 01, 2015 at 11:54:46PM -0500, Geoff Steckel wrote:

Is there any way to do the equivalent of:

server an.example.com
 listen on 192.168.2.99
 listen on 2001.fefe.1.1::99

??
It appears that the code in parse.y explicitly forbids this
and the data structures for a server don't *seem*
to have more than one slot for an address.

Is there another way to achieve this effect?
 From one comment in the checkins, it looks like

server an.example.com
 listen on 192.168.2.99
.
server an.example.com
 listen on 2001.fefe.1.1::99

would work.

Duplicating the entire server description is
difficult to maintain.

Is someone planning to work in this area soon?

thanks
Geoff Steckel


I used include directives to avoid duplications (see previous reply)
but the following diff allows to add aliases and multiple listen
statements.

Reyk

[...diff omitted...]

1000 thanks for an almost instantaneous and complete extension!!
This makes httpd a complete replacement for apache in my host.

Geoff Steckel



Re: Failed cron jobs are silent

2015-01-03 Thread Fred

On 01/03/15 15:50, Craig Skinner wrote:

Back in the memory of somewhere??? I worked,
failed cronjobs would mail their return code if not zero.
Something like: Cron Job false exited with return code 1

I cannae mind if it was Solaris or Linux, or whatever they were using...

Can OpenBSD's cron do that too?

Here are some silent & noisy sample shite jobs:

- Forwarded message from Cron Daemon r...@britvault.co.uk -

Date: Sat,  3 Jan 2015 15:30:02 + (GMT)
From: Cron Daemon r...@britvault.co.uk
To: skin...@britvault.co.uk
Subject: Cron luser@sir-puffy crontab -l

# Silent:
* * * * * true
* * * * * false
* * * * * exit
* * * * * exit 111
# http://en.wikipedia.org/wiki/111_(emergency_telephone_number)

# Mail:
* * * * * false || print -u2 exited with return code $?
* * * * * false || print -u2 'http://en.wikipedia.org/wiki/One_Tree_Hill_(song)'
* * * * * crontab -l
* * * * * logname; umask; pwd; printenv | sort


- End forwarded message -



set the MAILTO variable in crontab.

hth

Fred
man 5 crontab not man 1 crontab
:~)



Failed cron jobs are silent

2015-01-03 Thread Craig Skinner
Back in the memory of somewhere??? I worked,
failed cronjobs would mail their return code if not zero.
Something like: Cron Job false exited with return code 1

I cannae mind if it was Solaris or Linux, or whatever they were using...

Can OpenBSD's cron do that too?

Here are some silent & noisy sample shite jobs:

- Forwarded message from Cron Daemon r...@britvault.co.uk -

Date: Sat,  3 Jan 2015 15:30:02 + (GMT)
From: Cron Daemon r...@britvault.co.uk
To: skin...@britvault.co.uk
Subject: Cron luser@sir-puffy crontab -l

# Silent:
* * * * * true
* * * * * false
* * * * * exit
* * * * * exit 111
# http://en.wikipedia.org/wiki/111_(emergency_telephone_number)

# Mail:
* * * * * false || print -u2 exited with return code $?
* * * * * false || print -u2 'http://en.wikipedia.org/wiki/One_Tree_Hill_(song)'
* * * * * crontab -l
* * * * * logname; umask; pwd; printenv | sort


- End forwarded message -



Re: Failed cron jobs are silent

2015-01-03 Thread Matthew Weigel

On 1/3/15 1:05 PM, Fred wrote:


man 5 crontab not man 1 crontab
:~)


No, the behavior he described is accurate: cron(8) sends email if a job
produced output, irrespective of its exit status.

Google is littered with people trying to figure out how to get cron(8)
to send email based on exit code... so it's certainly a common problem.
Maybe some Unix decided to send email based on exit status, but
OpenBSD's does not.
--
 Matthew Weigel
 hacker
 unique  idempot . ent
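The behaviour Matthew describes (cron mails whatever a job writes, and MAILTO only picks the recipient) means "mail on failure" has to be built by the job itself: stay silent on success, print a report when the exit status is non-zero. The wrapper below is an added example and is not anything from the thread or from OpenBSD; it assumes a crontab line such as `*/10 * * * * /usr/local/bin/cronwrap.py /usr/local/bin/backup.sh` and a Python 3 interpreter on the host (not in OpenBSD base, so it would come from packages).

```python
"""Make cron(8) mail on failure by turning a non-zero exit into output.

Added example, not from the thread and not OpenBSD code. cron mails
whatever a job writes, so this wrapper stays silent while the job
succeeds and prints a report (status plus captured output) only when
it exits non-zero. Assumed crontab usage:
    */10 * * * * /usr/local/bin/cronwrap.py /usr/local/bin/backup.sh
"""
import subprocess
import sys


def run_job(argv):
    """Run argv; return (exit status, report text). The report is empty
    on success, so cron has nothing to mail."""
    try:
        res = subprocess.run(argv, stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT, text=True)
    except OSError as e:                      # e.g. job binary missing
        return 127, f"Cron job {' '.join(argv)} could not start: {e}\n"
    # A job killed by a signal has a negative returncode; report it the
    # way the shell would (128 + signal number).
    rc = res.returncode if res.returncode >= 0 else 128 - res.returncode
    if rc == 0:
        return 0, ""
    report = f"Cron job {' '.join(argv)} exited with return code {rc}\n"
    if res.stdout:
        report += "--- output ---\n" + res.stdout
    return rc, report


def main(argv):
    if len(argv) < 2:
        sys.stderr.write(f"usage: {argv[0]} command [args...]\n")
        return 2
    rc, report = run_job(argv[1:])
    if report:
        sys.stdout.write(report)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The wrapper propagates the job's exit status as well, so anything else watching the job (a parent script, a monitoring hook) still sees the failure; cron itself ignores the status, as Matthew says, and mails only because the report was written to stdout.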



FOSDEM 2015

2015-01-03 Thread Sevan / Venture37
Hi guys,
Anyone attending FOSDEM at the end of the month / planning on doing a
presentation?


Sevan / Venture37



Re: CRYPT rounds vs. performance

2015-01-03 Thread Andy Bradford
Thus said whoami toask on Sat, 03 Jan 2015 17:18:04 -0500:

 *- Does the  rounds affect the disk performance, ex.:  1000 vs. 10 000
 000**? OR it just ONLY affects the time until the password unlocks the
 CRYPT device?

Yes, unless  I'm mistaken, it really  only affects how long  it takes to
generate the  key from the  passphrase. Once the  key is in  memory, the
number of rounds is no longer really relevant.

Also, one of  the primary reasons for having salts/rounds  is to protect
against  offline attacks  against  the password  database (e.g.  someone
obtains /etc/master.passwd and begins to hash passwords until a match is
found) using rainbow tables. With random  salts and large rounds it will
be extremely prohibitive to crack all the passwords in the database.

In the case  of an encrypted volume, however, we  aren't talking about a
password database  with all kinds of  usernames/passwords. We're talking
about a  single key derived  from a passphrase which  means salts/rounds
don't  have the  same  implications as  they do  for  an offline  attack
against a database. In this case, it would seem that the best protection
is a larger  number of rounds (bioctl defaults to  8192 according to the
man page).

Andy
-- 
TAI64 timestamp: 400054a881c2
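The point made above, that the round count prices only the passphrase-to-key derivation and not the I/O that follows, as an added worked example (not part of the thread and not OpenBSD's code). It assumes softraid crypto stretches the passphrase with PBKDF2-HMAC-SHA1 to a 32-byte key from a 16-byte salt; the exact parameters are in sbin/bioctl/pbkdf2.c and the timings depend on the machine it runs on.

```python
"""What PBKDF2 rounds buy on a single-key encrypted volume.

Added example, not from the thread and not OpenBSD code. It assumes the
passphrase is stretched with PBKDF2-HMAC-SHA1 to a 32-byte key from a
16-byte salt (assumed to match bioctl(8); see sbin/bioctl/pbkdf2.c).
"""
import hashlib
import os
import time

KEY_BYTES = 32          # assumed derived-key length
SALT_BYTES = 16         # assumed salt length


def derive_key(passphrase: bytes, salt: bytes, rounds: int) -> bytes:
    """Stretch a passphrase into a fixed-size key. Rounds change only the
    work done here; the key that then unlocks the volume has the same
    size whatever the round count, so later disk I/O is unaffected."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, rounds, KEY_BYTES)


def seconds_per_derivation(rounds: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation at `rounds`, i.e. the
    delay the legitimate user pays once per unlock."""
    salt = os.urandom(SALT_BYTES)
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        derive_key(b"correct horse battery staple", salt, rounds)
        best = min(best, time.perf_counter() - t0)
    return best


def guessing_seconds(rounds: int, candidates: int, sec_per_round: float) -> float:
    """Single-core time for an offline attacker holding the volume header
    to try `candidates` passphrases: every guess pays the full round
    count, which is why rounds scale attacker cost but not throughput."""
    return candidates * rounds * sec_per_round


def main():
    t_lo = seconds_per_derivation(1_000)
    t_hi = seconds_per_derivation(100_000)
    per_round = t_hi / 100_000
    print(f"     1,000 rounds: {t_lo * 1e3:8.1f} ms per unlock")
    print(f"   100,000 rounds: {t_hi * 1e3:8.1f} ms per unlock")
    print(f"10,000,000 rounds: ~{per_round * 1e7:.1f} s per unlock (projected)")
    # A 10-character passphrase over a 26-letter alphabet, the size the
    # original poster used; the attacker is assumed to know the alphabet.
    space = 26 ** 10
    year = 365 * 24 * 3600
    for r in (1_000, 8_192, 100_000, 10_000_000):
        yrs = guessing_seconds(r, space, per_round) / year
        print(f"{r:>10} rounds: ~{yrs:.2e} core-years to exhaust 26^10 candidates")


if __name__ == "__main__":
    main()
```

The projection for 10,000,000 rounds is the ~30 second boot delay the original poster observed, paid once per unlock; the same factor multiplies every guess an attacker makes, and nothing in it touches the dd throughput, which is why the five runs came out within noise of each other.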



Re: Tor BSD underperformance (was [Tor-BSD] Recognizing Randomness Exhaustion)

2015-01-03 Thread Greg Troxel
teor teor2...@gmail.com writes:

 Tor 0.2.6.2-alpha (just in the process of being released) has some
 changes to queuing behaviour using the KIST algorithm.

 The KIST algorithm keeps the queues inside tor, and makes
 prioritisation decisions from there, rather than writing as much as
 possible to the OS TCP queues. I'm not sure how functional it is on
 *BSDs, but Nick Mathewson should be able to comment on that. (I've
 cc'd tor-dev and Nick.)

From skimming the KIST paper (I will read in detail when I find time),
it seems they are claiming increase in throughput of around 10%, with
the main benefit being lower latency.  So while that sounds great, it
doesn't seem like lack of KIST is the reason for the apparent 3x
slowdown observed in OpenBSD.

Does anyone have experience to report on any platform other than Linux
or OSX?




Re: Variable Length Arrays

2015-01-03 Thread Ted Unangst
On Thu, Jan 01, 2015 at 20:12, Ted Bullock wrote:
 Hey Folks,
 
 So I've been wondering about variable length arrays from c99 for a while
 now. They seem to me like a good way to avoid lots of trivial calls to
 malloc/free at least for smaller arrays that aren't going to blow up the
 stack. That said I don't see them being used.

If you know you only need a small array, may as well use the largest
such size, whatever that is.



Re: Spanish discussion list

2015-01-03 Thread Jorge Gabriel Lopez Paramount
When I started learning OpenBSD half a year ago I checked communities and 
mailing lists and there is a list in Mexico, with something like three emails 
per month on average. I saw a site about BSD in general as well, with translated 
articles.

Rather than having a Spanish mailing list I would like to join a group to chat 
about the joy of running OpenBSD, while drinking some beers, but since there are 
so few people in my area, that is impossible.

In my opinion having translated documentation would be a big effort with little 
impact, I think it's not too much to ask people to learn basic English in order 
to be able to run OpenBSD.

Best regards,
Jorge.

agrquinonez agrquino...@agronomos.ca wrote:

Hello

Is there someone interested having a discussion list in Spanish?

I have an OBSD server running current (httpd, smtpd, ftp), and I would
like having a discussion list in Spanish; it could have blogs, a forum, or
any other related things. For now i have it at home, but i might pay for
a dedicated site on a OBSD housing. The main idea is to make it easier
for Spanish speakers, keeping the friendly environment of OpenBSD list.

Thanks for your attention.



is what this guy is saying even anywhere close to reasonable, about ssh everywhere?

2015-01-03 Thread bofh
https://medium.com/@shazow/ssh-how-does-it-even-9e43586e4ffc

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.  --
Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: Spanish discussion list

2015-01-03 Thread martin
agrquinonez agrquino...@agronomos.ca wrote:

 Hello
 
 Is there someone interested having a discussion list in Spanish?
 
 I have an OBSD server running current (httpd, smtpd, ftp), and I would
 like having a discussion list in Spanish; it could have blogs, a forum, or
 any other related things. For now i have it at home, but i might pay for
 a dedicated site on a OBSD housing. The main idea is to make it easier
 for Spanish speakers, keeping the friendly environment of OpenBSD list.
 
 Thanks for your attention.

I don't speak Spanish, but the mailing lists page on the website

http://www.openbsd.org/mail.html

says there is already a Spanish list.

-- Martin Brandenburg



Re: YP Alternative

2015-01-03 Thread David Gwynne
 On 2 Jan 2015, at 9:52 pm, Brian Empson br...@teamhandbanana.com wrote:
 
 I'm looking into a way to sync up group and user information across a network 
 of OpenBSD machines. I like YP, except that I don't need the password hashes 
 transferred across the network. I like that it's built right into the base 
 install, are there better ways to handle synchronizing login details across 
 multiple machines that is built into the base install? Preferably written by 
 the OpenBSD team, too?

while not directly answering your question, i can say openbsd can do this kind 
of stuff without yp on the wire.

at work i use ypldap to get user/group information from active directory. we 
populate the rfc2307 attributes on our users and groups to make them useful on 
unix systems. we use the single directory as a name service backend for 
openbsd, solaris, linux, and windows (of course).

we're still using krb5 for password authentication. i really have to fix that.

we've also augmented the AD schema to store users' ssh keys in the directory 
too. sshd gets access to them via AuthorizedKeysCommand and a perl script. this 
allows ssh key based single sign on across all our unixish systems, even if 
their home directories are not available on the system. this is useful for 
providing services over ssh. an example of such a service we provide is svn and 
git on a dedicated server. all our users are on the system via ypldap, and they 
can auth using their own username and either a password or ssh key.

dlg
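The AuthorizedKeysCommand side of the setup described above, as an added example: this is not the perl script from the thread and not OpenBSD code. Nothing on the page names the attribute or the lookup tool, so the following are assumptions: keys are stored one per value in an attribute called sshPublicKey (the openssh-lpk convention), the lookup runs OpenLDAP's ldapsearch(1) with its authentication options left out, and sshd_config has `AuthorizedKeysCommand /usr/local/sbin/ldap-authkeys %u` with a dedicated `AuthorizedKeysCommandUser`. The LDIF sample inside is constructed so the parsing and filtering can be exercised offline; the two security details worth copying are the escaping of the username before it goes into the search filter and the rejection of any value that is not a bare key line, since a directory editor who can prepend `command=` or `from=` to a value would otherwise be handing sshd options to every host that trusts the directory.

```python
"""Directory-backed AuthorizedKeysCommand with input validation.

Added example, not the script from the thread and not OpenBSD code.
Assumed (not stated on the page): keys live one per value in an
attribute named sshPublicKey, lookups use OpenLDAP ldapsearch(1) with
authentication options omitted, and sshd_config carries
    AuthorizedKeysCommand /usr/local/sbin/ldap-authkeys %u
    AuthorizedKeysCommandUser _ldapkeys
The LDIF sample below is constructed for offline testing.
"""
import base64
import re
import subprocess
import sys

LDAP_URI = "ldaps://dc.example.internal"        # assumed
BASE_DN = "ou=People,dc=example,dc=internal"    # assumed
KEY_ATTR = "sshPublicKey"                       # assumed attribute name

# Accept only "<type> <base64-blob> [comment]". A value starting with
# options (command=, from=, environment=, ...) would let whoever can edit
# the attribute inject sshd options, so it never reaches sshd.
KEY_LINE = re.compile(
    r"^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) "
    r"[A-Za-z0-9+/]+=*( [^\r\n]*)?$"
)


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a username cannot rewrite the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def ldapsearch_argv(user: str) -> list:
    """Command line that fetches the user's key attribute."""
    flt = f"(&(objectClass=posixAccount)(uid={ldap_filter_escape(user)}))"
    return ["ldapsearch", "-LLL", "-H", LDAP_URI, "-b", BASE_DN,
            "-s", "sub", flt, KEY_ATTR]


def parse_ldif(text: str):
    """Yield (attribute, value) pairs from LDIF: folded continuation lines
    (leading space) are joined and '::' values are base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:                      # blank lines, comments, junk
            continue
        attr, sep, val = m.groups()
        if sep == "::":
            val = base64.b64decode(val).decode("utf-8", "replace")
        yield attr, val


def authorized_keys(ldif: str) -> list:
    """Return the key lines sshd may use; everything else is dropped."""
    return [val for attr, val in parse_ldif(ldif)
            if attr.lower() == KEY_ATTR.lower() and KEY_LINE.match(val)]


def _fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line the way ldapsearch prints it."""
    head, rest = line[:width], line[width:]
    return head + "".join("\n " + rest[i:i + width - 1]
                          for i in range(0, len(rest), width - 1))


# Constructed sample of ldapsearch -LLL output; key material is fake.
_BOB_KEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedKeyMaterial"
            "0123456789 bob@zürich")
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=internal",
    "uid: alice",
    _fold("sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI"
          "constructedKeyMaterialconstructedKeyMateri alice@laptop"),
    # options smuggled into the directory: must be rejected
    'sshPublicKey: command="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI evil',
    "",
    "dn: uid=bob,ou=People,dc=example,dc=internal",
    "uid: bob",
    _fold("sshPublicKey:: " + base64.b64encode(_BOB_KEY.encode()).decode()),
    "",
])


def main(argv):
    # sshd passes %u; refuse anything that is not a plausible login name.
    if len(argv) != 2 or not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", argv[1]):
        return 1
    res = subprocess.run(ldapsearch_argv(argv[1]), capture_output=True, text=True)
    if res.returncode != 0:
        return 1
    for key in authorized_keys(res.stdout):
        print(key)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the sample instead of a live directory (`python3 -c 'import ldap_authkeys as m; print(m.authorized_keys(m.SAMPLE_LDIF))'`) and the injected `command=` value is dropped while the folded and base64-encoded values come back as single clean lines; with ypldap supplying the account itself, sshd needs nothing else from the home directory.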



Re: YP Alternative

2015-01-03 Thread Brian Empson
This sounds interesting. What would you replace krb5 with, if you don't 
mind me asking? I was contemplating krb5, but the setup and such is a 
pain for me (because I am not familiar with it). I'll probably wind up 
rolling something custom with LDAP and YP mappings thrown in.


On 1/4/2015 2:26 AM, David Gwynne wrote:

On 2 Jan 2015, at 9:52 pm, Brian Empson br...@teamhandbanana.com wrote:

I'm looking into a way to sync up group and user information across a network 
of OpenBSD machines. I like YP, except that I don't need the password hashes 
transferred across the network. I like that it's built right into the base 
install, are there better ways to handle synchronizing login details across 
multiple machines that is built into the base install? Preferably written by 
the OpenBSD team, too?

while not directly answering your question, i can say openbsd can do this kind 
of stuff without yp on the wire.

at work i use ypldap to get user/group information from active directory. we 
populate the rfc2307 attributes on our users and groups to make them useful on 
unix systems. we use the single directory as a name service backend for 
openbsd, solaris, linux, and windows (of course).

we're still using krb5 for password authentication. i really have to fix that.

we've also augmented the AD schema to store users' ssh keys in the directory 
too. sshd gets access to them via AuthorizedKeysCommand and a perl script. this 
allows ssh key based single sign on across all our unixish systems, even if 
their home directories are not available on the system. this is useful for 
providing services over ssh. an example of such a service we provide is svn and 
git on a dedicated server. all our users are on the system via ypldap, and they 
can auth using their own username and either a password or ssh key.

dlg