Fresh New Site

2006-11-23 Thread Brigitta Hansen
Hello!

My friend's site, gigabitwireless.com, is finally up and running. I think a 
link exchange with monkey.org would help make it even better.

If you are interested in a link exchange send me the url of the page with a 
link to my page.

Check us out at:

Learn all about a Wireless Network at gigabitwireless.com:
http://www.gigabitwireless.com/Wireless/Wireless-Network-Providers

Thanks a ton!

Brigitta Hansen 

I apologize if this message was sent, in error, to the wrong person.



sk0 on 4.0 : routing problems ?

2006-11-23 Thread Pawel S. Veselov

Hi !

Thanks to everyone who helped me with getting the sk0 interface
working. It only works on 4.0; on 3.9 the interface does appear,
but attempting to move traffic through it fails, with the kernel
saying "sk0 timeout" or something like that.

After upgrading to 4.0, I decided to switch the internal
interface from rl0 to sk0, so I did this:

# ifconfig rl0 down
# ifconfig sk0 192.168.28
checked the route table, the old interface route is still there:
192.168.28/24   link#1  UC  rl0
ok, then:
# route delete 192.168.28
deleted
add a new route then:
# route add 192.168.28/24 -link -iface sk0
ok, route is there, clones start to appear, but hosts won't ping.
192.168.28/24   link#3  UCS sk0

ok, tcpdump says:
01:07:58.756090 192.168.28.1 > 192.168.28.3: icmp: echo request
01:07:58.756360 192.168.28.3 > 192.168.28.1: icmp: echo reply
01:07:58.756401 192.168.28.1 > 192.168.28.3: icmp: redirect 192.168.28.1
    to host 192.168.28.1


ok, then, do
# ifconfig rl0 0.0.0.0

and then redirects stop and ping starts working.

How did a down interface steal my route? arp was apparently also
complaining:
arp: attempt to add entry for 192.168.28.15 on rl0 by 00:03:5c:00:0a:10 on sk0


though I don't know whether this was at the same time, since the arp table
does populate properly even though pings don't work.

I then tried to reproduce this. Apparently, taking sk0 down does take
the routes down, and bringing rl0 up does automatically insert the route.
I repeated switching back to sk0 with exactly the same results: nothing
would work until I voided the inet address on rl0, and the routes will
not be deleted when rl0 is down and not inserted when sk0 is up...

Thanks !
 Pawel.



VPN configuration for roadwarrior

2006-11-23 Thread Claude Brassel
Hello,

I'm using an OpenBSD 3.9 box as a VPN server for roadwarriors.

Everything works fine: everyone can connect from everywhere to the VPN
server, and it is working very stably.

The whole configuration is extracted from Johan Allard's howtos; on the PC
side I'm using the SafeNet remote Windows client.

But I have just one problem: I give each client that connects a single IP,
identified by its e-mail address, and if there are two clients on the same
source network, only one can connect to the VPN; the other one has its VPN
connection dropped.

If somebody has a great idea for me...

Regards,

Claude

Here is my isakmpd.conf :
#
# Soft-PK - OpenBSD isakmpd configuration file.
#
# The only thing that needs editing is the pre shared secret
# 'mekmitasdigoat'. The setting allows everyone who knows the correct
# pre shared secret to connect.
#
# Please mail me if you have any comments or bug-reports.
#
# Johan Allard [EMAIL PROTECTED]
#

[Phase 1]
Default=ISAKMP-clients

[Phase 2]
Passive-Connections=IPsec-clients


# Phase 1 peer sections
###

[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  SoftPK-main-mode
Authentication= x

# Phase 2 sections
##

[IPsec-clients]
Phase=  2
Configuration=  SoftPK-quick-mode
#Local-ID=  default-route
Local-ID=   LAN54
Remote-ID=  dummy-remote

# Client ID sections


[ufqdn/[EMAIL PROTECTED]]
Address=192.168.54.15
Netmask=255.255.255.0

[ufqdn/[EMAIL PROTECTED]]
Address=192.168.54.16
Netmask=255.255.255.0

[ufqdn/[EMAIL PROTECTED]]
Address=192.168.54.17
Netmask=255.255.255.0

[ufqdn/[EMAIL PROTECTED]]
Address=192.168.54.18
Netmask=255.255.255.0



[default-route]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[LAN54]
ID-Type=IPV4_ADDR_SUBNET
Network=192.168.54.0
Netmask=255.255.255.0

[dummy-remote]
ID-type=IPV4_ADDR
Address=0.0.0.0


# Transform descriptions

#  Some predefined section names are recognized by the daemon, voiding the
#  need to fully specify the Main Mode transforms and Quick Mode suites,
#  protocols and transforms.
#
# For Main Mode:
#   {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}]
#
# For Quick Mode:   
#   QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE

[SoftPK-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-MD5

[SoftPK-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE

# Main mode transforms
##

[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=  MODP_1024
Life=   LIFE_1_DAY

# Lifetimes
###

[LIFE_1_DAY]
LIFE_TYPE=  SECONDS
LIFE_DURATION=  86400,79200:93600
-- 
View this message in context: 
http://www.nabble.com/VPN-configuration-for-roadwarrior-tf2691887.html#a7506394
Sent from the openbsd user - misc mailing list archive at Nabble.com.



on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
Hi again!

I have a question on the default behaviour of OpenSSH.  Please do not
take this as complaining about it or trying to change its behaviour
with respect to remote root logins being allowed by default in OpenSSH
(though I certainly believe it would be nice; that is the reason I am
writing this message to the misc@ mailing list).  I just want to share my
opinion with the members of this mailing list.

First of all, I understand that remote root logins can be easily
avoided by setting PermitRootLogin to no in /etc/ssh/sshd_config.
I guess that remote root logins are allowed by default to simplify
management of small network appliances that do not have user accounts
on them.  But these appliances are only a small number of all OpenBSD
installations and, even if this number is not so small, a restricted
(non-root) account in the group wheel, and probably in the group operator
too, is advisable on these devices to avoid damaging them by mistake.

In my humble opinion, there are three reasons to deny remote root logins
by default:

  1. Remote root login enabled by default makes the wheel group
     superfluous (i.e., why are users added to the wheel group when
     a user not in this group can log in as root, once the root
     password is known to him, by just typing ssh [EMAIL PROTECTED]?)

  2. There are a lot of threats against the root account based on
     brute force attacks.  Most of us see logs on this matter on our
     workstations and servers.  Sometimes these threats, carried out by
     humans, network scanners or even worms, are successful.  It is
     just a matter of (bad) luck.

  3. OpenBSD is secure by default; all services should be configured
     with the most secure defaults.  I think that this reason is as good
     as the previous ones.  And not allowing remote root logins by
     default makes sense to me in relation to this goal.

Someone who really wants to allow remote root logins should be able to
enable this feature just by changing /etc/ssh/sshd_config.  But, in my
humble opinion, most users do not really want this dangerous feature
enabled by default.  And, even on small network appliances, an unprivileged
account in the wheel group (and even in the operator group) is good
management practice.

[please, send copies of replies to this post to me if possible.  I will
do my best to answer any post, even if not sent to me, but it will be
more difficult tracking who sent the message I am replying to.]

Cheers,
Igor.



Roadwarriors vpn clients with x509 certs on OpenBSD 4.0

2006-11-23 Thread carlopmart

Hi all,

We have several problems with ipsec connections for roadwarrior
clients using x509 certificates. We use ipsec.conf to accomplish this
configuration:



ike passive proto tcp from 192.168.2.3 \
    to { 129.31.0.0/16, 129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 5900 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive proto tcp from 192.168.2.3 \
    to { 129.31.0.0/16, 129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 3389 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]

ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 } \
    to { 129.42.0.0/16, 192.168.156.0/24 } port 5900 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 } \
    to { 129.42.0.0/16, 192.168.156.0/24 } port 3389 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]

Well, this configuration doesn't work. If user [EMAIL PROTECTED]
connects to our LANs, [EMAIL PROTECTED] (if he is connected) loses
all connections.


If we change the third and sixth lines to:

ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com


only one user can be authenticated. Can somebody tell me how I can resolve
this problem? The ipsec.conf man page doesn't help.


Many thanks.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: on the remote root login in OpenSSH

2006-11-23 Thread Anton Karpov
2006/11/23, Igor Sobrado [EMAIL PROTECTED]:

> Hi again!
>
> I have a question on the default behaviour of OpenSSH.
>
>
> Someone who really wants to allow remote root logins should be able to
> enable this feature just by changing /etc/ssh/sshd_config.  But, in my
> humble opinion, most users do not really want this dangerous feature
> enabled by default.  And, even on small network appliances, an
> unprivileged account in the wheel group (and even in the operator group)
> is good management practice.


I'm neither an OpenBSD nor an OpenSSH developer, but I think the main idea
of enabling root login by default in OpenBSD is... protection from weak
passwords! Just look at this. When you're installing OpenBSD, the system
asks for a root password. You set a reasonably strong password and proceed
with the rest of the install process. After installation and (remote)
configuration, if you would like to make your system a bit more secure,
you just have to change PermitRootLogin from yes to no. And that's all.
Now imagine root login is disabled by default. In this situation, during
the installation procedure, you would have to:
* set the root password;
* add an unprivileged user and set his password;
Most people don't really care much, and when it comes to "please create a
new password" a second time (for the unprivileged user), they think
"That's the sh*t, f*ck%ng password again!" and type a really weak
password, or one similar to the previous one. Typically, their next step
is to configure sudo to run any command with NOPASSWD. And here comes the
real hole: ssh login with a weak password, then sudo ksh. People often
think: "I'll mess with security later, after configuring all this server
stuff."

To sum up: if you set a weak password, your system is vulnerable anyway.
If you set a strong password, don't bother about all that kiddie stuff
like ssh scanners and about PermitRootLogin. With a second, unprivileged
user added along with root during installation, your chances of losing
are higher.



Can't build VPN with ipsecctl

2006-11-23 Thread Mitja
Hello,

I have been trying for the past 4 days to set up a simple tunnel; I have
already done that in the past, and it was not so complicated with
isakmpd.conf. I am struggling through ipsecctl and ipsec.conf, repeating
the steps from the man and other pages without success. I am doing
something wrong, but I can't find the mistake. So a fresh pair of eyes
would be appreciated.

Network:
   OpenBSD1               CISCO               OpenBSD2
172.16.15.6 - 172.16.15.5 -PTP- 172.16.16.5 - 172.16.16.6
     |                                             |
193.189.180.192/28 --------- tunnel --------- 193.189.180.208/28


I have to build a tunnel between OpenBSD routers.
What I have done till now:

Sysctl variables on both routers:
net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=1

On OpenBSD1:
route add 172.16.16.6 172.16.15.5 255.255.255.252

On OpenBSD2:
route add 172.16.15.6 172.16.16.5 255.255.255.252

Test:

OpenBSD2
# ping -c 4 172.16.15.6
PING 172.16.15.6 (172.16.15.6): 56 data bytes
64 bytes from 172.16.15.6: icmp_seq=0 ttl=254 time=2.688 ms
64 bytes from 172.16.15.6: icmp_seq=1 ttl=254 time=2.483 ms
64 bytes from 172.16.15.6: icmp_seq=2 ttl=254 time=2.432 ms
64 bytes from 172.16.15.6: icmp_seq=3 ttl=254 time=2.378 ms
--- 172.16.15.6 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.378/2.495/2.688/0.122 ms

OpenBSD1
# tcpdump -i bge1 icmp
tcpdump: listening on bge1, link-type EN10MB
11:31:53.269998 172.16.16.6 > 172.16.15.6: icmp: echo request
11:31:53.270004 172.16.15.6 > 172.16.16.6: icmp: echo reply
11:31:54.272298 172.16.16.6 > 172.16.15.6: icmp: echo request
11:31:54.272303 172.16.15.6 > 172.16.16.6: icmp: echo reply
11:31:55.282202 172.16.16.6 > 172.16.15.6: icmp: echo request
11:31:55.282208 172.16.15.6 > 172.16.16.6: icmp: echo reply
11:31:56.292106 172.16.16.6 > 172.16.15.6: icmp: echo request
11:31:56.292111 172.16.15.6 > 172.16.16.6: icmp: echo reply

OK, routing is working from router1 through CISCO to router2.

Now I will try to start building a tunnel. First using static keying as
described in ipsec.conf(5) manual flows:

OpenBSD1
# ipsecctl -s all
FLOWS:
flow esp in from 193.189.180.208/28 to 193.189.180.192/28 peer 172.16.16.6 type require
flow esp out from 193.189.180.192/28 to 193.189.180.208/28 peer 172.16.16.6 type require

SAD:
esp tunnel from 172.16.16.6 to 172.16.15.6 spi 0xabd9da39 auth hmac-sha2-256 enc aes \
    authkey 0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
    enckey 0xf7795f6bdd697a43a4d28dcf1b79062d
esp tunnel from 172.16.15.6 to 172.16.16.6 spi 0xc9dbb83d auth hmac-sha2-256 enc aes \
    authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8 \
    enckey 0xb341aa065c3850edd6a61e150d6a5fd3


OpenBSD2
# ipsecctl -s all
FLOWS:
flow esp in from 193.189.180.192/28 to 193.189.180.208/28 peer 172.16.15.6 type require
flow esp out from 193.189.180.208/28 to 193.189.180.192/28 peer 172.16.15.6 type require

SAD:
esp tunnel from 172.16.15.6 to 172.16.16.6 spi 0xc9dbb83d auth hmac-sha2-256 enc aes \
    authkey 0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
    enckey 0xf7795f6bdd697a43a4d28dcf1b79062d
esp tunnel from 172.16.16.6 to 172.16.15.6 spi 0xabd9da39 auth hmac-sha2-256 enc aes \
    authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8 \
    enckey 0xb341aa065c3850edd6a61e150d6a5fd3


Let's make a test:
OpenBSD2: # ping 193.189.180.193
PING 193.189.180.193 (193.189.180.193): 56 data bytes


OpenBSD1: tcpdump -i bge1

At this point I should see some kind of traffic?

Let's debug this on OpenBSD2:
# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
12:52:34.600017 172.16.16.6 > 193.189.180.193: icmp: echo request
12:52:34.600443 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193 unreachable
12:52:35.610009 172.16.16.6 > 193.189.180.193: icmp: echo request
12:52:35.610386 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193 unreachable
12:52:36.620010 172.16.16.6 > 193.189.180.193: icmp: echo request
12:52:36.620332 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193 unreachable

It looks like host 172.16.16.5 on that CISCO box (which I am not in charge
of) is correctly replying net unreachable. But this traffic should go
through the tunnel. Any hints?

OpenBSD2
# netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
193.189.180.192/28 0     193.189.180.208/28 0     0      172.16.15.6/esp/require/in
193.189.180.208/28 0     193.189.180.192/28 0     0      172.16.15.6/esp/require/out



Mitja



Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Anton Karpov writes:
> I'm neither an OpenBSD nor an OpenSSH developer, but I think the main idea
> of enabling root login by default in OpenBSD is... protection from weak
> passwords! Just look at this. When you're installing OpenBSD, the system
> asks for a root password. You set a reasonably strong password and proceed
> with the rest of the install process. After installation and (remote)
> configuration, if you would like to make your system a bit more secure,
> you just have to change PermitRootLogin from yes to no. And that's all.
> Now imagine root login is disabled by default. In this situation, during
> the installation procedure, you would have to:
> * set the root password;
> * add an unprivileged user and set his password;
> Most people don't really care much, and when it comes to "please create a
> new password" a second time (for the unprivileged user), they think
> "That's the sh*t, f*ck%ng password again!" and type a really weak
> password, or one similar to the previous one. Typically, their next step
> is to configure sudo to run any command with NOPASSWD. And here comes the
> real hole: ssh login with a weak password, then sudo ksh. People often
> think: "I'll mess with security later, after configuring all this server
> stuff."

If the password assigned to the root account when remote root logins
are enabled is weak, the system will be easily rooted by intruders.
If there is an intermediate, non-privileged user that *is* required
to log in as root, there are two secrets to guess: the username of the
unprivileged user and its password (shared with the root account).
Most users do not use the same passwords for their unprivileged and
root accounts either.

On the other hand, nothing will stop a bad system manager from setting up
weak passwords if remote root login is allowed.

> To sum up: if you set a weak password, your system is vulnerable anyway.
> If you set a strong password, don't bother about all that kiddie stuff
> like ssh scanners and about PermitRootLogin. With a second, unprivileged
> user added along with root during installation, your chances of losing
> are higher.

I don't see the point.  Why would an unprivileged user increase the chances
of the system being compromised?  There are two secrets to guess: the
username (fingerd is disabled by default) and the password.  There are
two secrets in the case where a password is shared between the unprivileged
user and the root account, and three secrets (an unprivileged account in the
wheel group with its password, and the root password) on most systems.

I can hardly understand the notion of a strong password.  In my passwords
I use a combination of uppercase letters, lowercase letters, numbers, and
characters that are easily typed on any keyboard (+,./:;-_= ...).  Some of
the passwords tried by certain tools are nearly as strong as these ones
(at least, these passwords do not look obvious to me either).  Logs show
that combinations like john/john and root/root are too easy for some
tools that certainly try true brute force attacks starting at seven or
more characters.

Just trying to make access as root a bit more difficult for unauthorized
users without a known exploit.

Best regards,
Igor.



Re: Problem with roadwarriors vpn clients with x509 certs on OpenBSD 4.0

2006-11-23 Thread carlopmart

Sorry, I forgot to mention that user1 and user2 have the same public IP.

many thanks ..

carlopmart wrote:

> Hi all,
>
> We have several problems with ipsec connections for roadwarrior clients
> using x509 certificates. We use ipsec.conf to accomplish this
> configuration:
>
> ike passive proto tcp from 192.168.2.3 \
>     to { 129.31.0.0/16, 129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 5900 \
>     quick auth hmac-sha1 enc 3des group modp1024
> ike passive proto tcp from 192.168.2.3 \
>     to { 129.31.0.0/16, 129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 3389 \
>     quick auth hmac-sha1 enc 3des group modp1024
> ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
>     srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]
>
> ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 } \
>     to { 129.42.0.0/16, 192.168.156.0/24 } port 5900 \
>     quick auth hmac-sha1 enc 3des group modp1024
> ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 } \
>     to { 129.42.0.0/16, 192.168.156.0/24 } port 3389 \
>     quick auth hmac-sha1 enc 3des group modp1024
> ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
>     srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]
>
> Well, this configuration doesn't work. If user [EMAIL PROTECTED]
> connects to our LANs, [EMAIL PROTECTED] (if he is connected) loses
> all connections.
>
> If we change the third and sixth lines to:
>
> ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
>     srcid firewall.ourdomain.com
>
> only one user can be authenticated. Can somebody tell me how I can resolve
> this problem? The ipsec.conf man page doesn't help.
>
> Many thanks.


Many thanks.




--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Can't build VPN with ipsecctl

2006-11-23 Thread Hans-Joerg Hoexer
your tunnel is between 193.189.180.192/28 and 193.189.180.208/28

On Thu, Nov 23, 2006 at 01:10:13PM +0100, Mitja wrote:
> ...
> OpenBSD1
> # ipsecctl -s all
> FLOWS:
> flow esp in from 193.189.180.208/28 to 193.189.180.192/28 peer
> 172.16.16.6 type require
> flow esp out from 193.189.180.192/28 to 193.189.180.208/28 peer
> 172.16.16.6 type require
>
> ...
>
> Let's debug this on OpenBSD2:
> # tcpdump -i bge0 icmp
> tcpdump: listening on bge0, link-type EN10MB
> 12:52:34.600017 172.16.16.6 > 193.189.180.193: icmp: echo request
> 12:52:34.600443 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193
> unreachable
> 12:52:35.610009 172.16.16.6 > 193.189.180.193: icmp: echo request
> 12:52:35.610386 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193
> unreachable
> 12:52:36.620010 172.16.16.6 > 193.189.180.193: icmp: echo request
> 12:52:36.620332 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193
> unreachable

However, your ICMP's source address is 172.16.16.6, thus it does
_not_ go through the tunnel.  Use ping -I to set the source address
to the interface in the 193.189.180.xxx network.
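
To make Hans-Joerg's point concrete, here is an added example (not code
from the thread, not OpenBSD's own): a small POSIX sh model of the flow
(SPD) lookup that decides whether a packet enters the tunnel. Both the
source and the destination selector of a flow must match, so a packet
sourced from the transport address 172.16.16.6 never matches the only
outbound flow on OpenBSD2. The flow is copied from Mitja's ipsecctl
output; the packets, and the address 193.189.180.209 assumed to be
OpenBSD2's address on its 193.189.180.208/28 side, are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: a model of the
# IPsec flow (SPD) lookup that decides whether a packet enters the tunnel.
# The flow below is copied from Mitja's "ipsecctl -s all" output on
# OpenBSD2; the packets handed to tunnel_peer are constructed.

# Outbound flows on OpenBSD2, one per line: "src-net dst-net peer".
FLOWS='193.189.180.208/28 193.189.180.192/28 172.16.15.6'

# ip2int A.B.C.D: print the address as a 32-bit integer.  The body runs in
# a subshell so the IFS change does not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_net ADDR NET/PLEN: succeed when ADDR lies inside NET/PLEN.
in_net() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    plen=${2#*/}
    [ "$plen" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# tunnel_peer SRC DST: print the peer of the first outbound flow whose
# source AND destination selectors both match, or "none" when the packet
# is routed in the clear.  A packet sourced from the transport address
# 172.16.16.6 matches no flow, which is what Mitja's tcpdump showed.
tunnel_peer() {
    src=$1
    dst=$2
    peer=$(printf '%s\n' "$FLOWS" | while read -r fsrc fdst fpeer; do
        if in_net "$src" "$fsrc" && in_net "$dst" "$fdst"; then
            echo "$fpeer"
            break
        fi
    done)
    echo "${peer:-none}"
}

# Stand-alone demonstration: Mitja's plain ping, then the ping -I variant
# with 193.189.180.209 assumed to be OpenBSD2's address on its inner network.
for pkt in '172.16.16.6 193.189.180.193' '193.189.180.209 193.189.180.193'; do
    set -- $pkt
    printf '%s -> %s: peer %s\n' "$1" "$2" "$(tunnel_peer "$1" "$2")"
done
```

On OpenBSD2 the second case corresponds to the test Hans-Joerg suggests,
`ping -I 193.189.180.209 193.189.180.193` (with that address being the
assumed inner-side address); the first case is what the plain ping did.
One further caveat visible in the two SAD listings above: the same SPI
carries different keys on each side (0xabd9da39 has authkey 0x7f48... on
OpenBSD1 but 0x54f7... on OpenBSD2, and 0xc9dbb83d the other way round).
With manual keying each SPI needs identical keys on both peers, so once
the source address is fixed the tunnel would still need the keys matched.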



Re: on the remote root login in OpenSSH

2006-11-23 Thread Uwe Dippel
On Thu, 23 Nov 2006 12:24:38 +0100, Igor Sobrado wrote:

> I guess that remote root logins are allowed by default to simplify
> management of small network appliances that do not have user accounts
> on them.

I have no clue on why root logins are actually disabled, but I can tell
you one thing: if they were not, I'd be screwed!
Why? Because I do some remote installs / administration. Since the
install routine does not offer user account creation, I'd be effectively
locked out.

So what you'd do instead: you reboot after your install, yes, ssh into the
system as root, create an account (wheel!), vi /etc/sshd_config, kill
-HUP `cat /var/run/sshd.pid`, and you are exactly where you propose to be.

Uwe
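
The post-install steps Uwe describes, and Igor's opening remark that the
feature can be switched off by setting PermitRootLogin to no in
/etc/ssh/sshd_config, come down to editing one directive and then
signalling sshd. As an added example (not code from the thread, not
OpenSSH's), here is a pair of POSIX sh functions that report the effective
PermitRootLogin value in an sshd_config and rewrite it to `no`. The file
path is a parameter so the edit can be tried on a scratch copy first. It
assumes whitespace-separated keyword and value, no Match blocks (a
directive inside one would be mistaken for the global setting), and it
reports "default" rather than guessing when no active directive exists,
since the daemon's compiled-in default (which this thread says is yes) is
not something the script can see.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSH code): inspect and harden
# the PermitRootLogin directive in an sshd_config passed as an argument.
# Assumptions: "Keyword value" syntax, no Match blocks, and a file with no
# active directive is reported as "default" because the daemon's
# compiled-in default is not visible from the file.

# effective_permit_root_login FILE: print the value of the first active
# (non-comment) PermitRootLogin directive, or "default" if there is none.
# sshd uses the first occurrence of a keyword, so that is the one reported.
effective_permit_root_login() {
    awk '
        tolower($1) == "permitrootlogin" && !seen { val = $2; seen = 1 }
        END { print (seen ? val : "default") }
    ' "$1"
}

# deny_root_login FILE: make the first active directive read
# "PermitRootLogin no".  Later occurrences are left alone because sshd
# ignores them; if the file had no active directive, one is appended.
deny_root_login() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        tolower($1) == "permitrootlogin" && !done {
            print "PermitRootLogin no"; done = 1; next
        }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Stand-alone demonstration on a constructed scratch copy, never on the
# live /etc/ssh/sshd_config: the shipped file only carries the directive
# commented out, so the first report is "default".
scratch=$(mktemp)
printf '#PermitRootLogin yes\nPort 22\n' > "$scratch"
echo "before: $(effective_permit_root_login "$scratch")"
deny_root_login "$scratch"
echo "after:  $(effective_permit_root_login "$scratch")"
rm -f "$scratch"
```

On the box itself, after the wheel account Uwe mentions exists and you
have confirmed you can log in with it, the live change is
`deny_root_login /etc/ssh/sshd_config && kill -HUP \`cat /var/run/sshd.pid\``,
which is the same reload step his message uses.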



ox remove

2006-11-23 Thread Jimmy
Have a rice with soup as breakfast, and cycle my way to school.
Its more popular name is D-bol. so I got to go to give him a helping hand. and
nothing special up till now. The series follows four unique individuals, two
male-to-females and two female-to-males as they struggle to transition from
one gender to the other in the midst of a grueling school year. Only several
weeks to go before I have a big presentation. Nothing special then. The series
follows four unique individuals, two male-to-females and two female-to-males
as they struggle to transition from one gender to the other in the midst of a
grueling school year. Well, we will have to wait for several more weeks before
we got to know of that.
But it also opened schisms that challenged the very identity of the Log Cabin
itself.
Basically an updated version of Abbot and Costello, only now with bong smoke
and heavy metal pumping through their veins, The D undercut their goofy
leanings with their genuine musical skill. My junior is having a problem with
his NetBSD. I think the rise was related with a rumor regarding Mohd.
Anyway, if you still wanna read them, just search it for yourself, remember,
you've been warned.
It has been so long since our last karaoke, and I was like.
Went to school, and was greeted by a teacher asking for help in Microdude
Excel. The dialogue is all sung, peppered with mystical allusions and
self-serious progressive-rock goofiness.
What I need now is another linux computer, to the program. I stayed as long as
I could in the futon before going to take a hot shower. However, he was
desperate, and I felt bad if I didn't help him.
From both of the stories, the tapping was done by stalkers.
and might change due time. but I'm not totally sold on either of those points,
either. that's how I finish off my weekend, by watching Smallville. Enough
telling about my wish list on my blog.
Carlin is the sort of detective who notices things like tiny bits of plastic
washed up on the shore and explosive residue on the underside of a nearby
bridge.
It has been so long since our last karaoke, and I was like.
At first reluctant to join forces, Kyle and Jack find the only way to blow
minds is to form the greatest band in the world: Tenacious D.
Still, they're breaching into others privacy.
Race to the room again and quickly putting on thick clothes.
Never would have thought that this day would come.
He doesn't seem to be the same Thomas as the Inquisition Thomas, nor is it the
same Isabel .
but that just not that. My cough is almost gone, but still have some sore
throats once in a while.
It has been so long since our last karaoke, and I was like.

[demime 1.01d removed an attachment of type image/gif which had a name of 
afflict.gif]



Why Sendmail?

2006-11-23 Thread Conrad Winchester
First of all hi! My name is Conrad and I am new to the world of OpenBSD, but
not unix in general.

I have just done my first install of a server using OpenBSD and am extremely
impressed.

I do have one question though, and I apologize if people always ask this: at
the end of the install I was asked whether I wanted to run sshd and ntpd by
default - very nice, BUT why am I not given the option to turn off Sendmail
at this point? I NEVER use sendmail, and for an OS that prides itself on
being as minimal as possible I would have thought giving you the option to
not run sendmail would also be there right from the start.

Comments please

Conrad Winchester



Re: Why Sendmail?

2006-11-23 Thread Martin Schröder

Search the archives, you troll



Re: on the remote root login in OpenSSH

2006-11-23 Thread Paul de Weerd
On Thu, Nov 23, 2006 at 08:52:22PM +0800, Uwe Dippel wrote:
| On Thu, 23 Nov 2006 12:24:38 +0100, Igor Sobrado wrote:
|
| > I guess that remote root logins are allowed by default to simplify
| > management of small network appliances that do not have user accounts
| > on them.
|
| I have no clue on why root logins are actually disabled, but I can tell
| you one thing: if they were not, I'd be screwed!
| Why? Because I do some remote installs / administration. Since the
| install routine does not offer user account creation, I'd be effectively
| locked out.

Although I prefer the default install to allow root to login, please
note that the install routine *does* offer user account creation.
After you're done installing, and the installscript asks you to reboot
into your new system, simply `/mnt/usr/sbin/chroot /mnt` and you are
in your freshly installed system, with access to adduser, vipw and
many more useful tools.

You can do just about anything after the install, just remember that
your kernel is not a complete GENERIC kernel but rather the stripped
down install kernel. So you probably don't want to start running your
production services just yet (but you can configure everything you
need to run them after reboot).

Cheers,

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: Why Sendmail?

2006-11-23 Thread Cristiano Deana

2006/11/23, Conrad Winchester [EMAIL PROTECTED]:


> I do have one question though, and I apologize if people always ask this: at
> the end of the install I was asked whether I wanted to run sshd and ntpd by
> default - very nice, BUT why am I not given the option to turn off Sendmail
> at this point? I NEVER use sendmail, and for an OS that prides itself on
> being as minimal as possible I would have thought giving you the option to
> not run sendmail would also be there right from the start.


Any system needs an MTA running, at least to handle the mail from the
nightly/weekly/monthly checks.
So the default MUST be an MTA running (you can choose to stop it).

Why sendmail? Why not?

p.s.
i usually use another MTA

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/



Re: Why Sendmail?

2006-11-23 Thread Paul de Weerd
On Thu, Nov 23, 2006 at 01:32:29PM +, Conrad Winchester wrote:
| First of all hi! My name is Conrad and I am new to the world of OpenBSD,
| but not unix in general.
|
| I have just done my first install of a server using OpenBSD and am
| extremely impressed.
|
| I do have one question though, and I apologize if people always ask this: at
| the end of the install I was asked whether I wanted to run sshd and ntpd by
| default - very nice, BUT why am I not given the option to turn off Sendmail
| at this point? I NEVER use sendmail, and for an OS that prides itself on
| being as minimal as possible I would have thought giving you the option to
| not run sendmail would also be there right from the start.

You do use sendmail (or at least an MTA). Let your system run for a
day and check your mail. You'll notice daily scripts sending you nice
informative stuff about your system. These cannot be sent without a
running MTA.

Also note that the default sendmail has been configured to only accept
e-mail from localhost (it listens on 127.0.0.1:25 by default).

If you prefer any other MTA, install that from packages and use it,
but you'll break your system by disabling all MTA functionality.

Cheers,

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]
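
Paul's remark that the stock sendmail only listens on 127.0.0.1:25 is the
property worth checking after any change to the MTA. As an added example
(not code from the thread, not OpenBSD's), here is a POSIX sh function
that reads `netstat -an -f inet` output, either live or from a saved copy,
and prints every TCP port-25 listener not bound to the loopback address.
The netstat sample embedded in the block is constructed, and the column
layout (proto, recv-q, send-q, local, foreign, state) is an assumption
about OpenBSD's netstat that the awk field numbers depend on.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD code): flag SMTP
# listeners reachable from off the box.  Input is "netstat -an -f inet"
# output or a saved copy of it; the sample below is constructed.  The
# column layout proto/recv-q/send-q/local/foreign/state is an assumption
# this script makes about netstat's output.

# nonlocal_smtp_listeners FILE: print the local address of each TCP
# listener on port 25 other than 127.0.0.1.25.  A wildcard ("*.25") or an
# interface address means the MTA accepts mail from the network, which is
# not what the shipped configuration does.  Only IPv4 is examined here.
nonlocal_smtp_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")            # last dotted field is the port
            if (a[n] == "25" && $4 != "127.0.0.1.25") print $4
        }
    ' "$1"
}

# Constructed sample in the shipped state: sendmail on loopback, sshd on
# all addresses, ntpd on UDP.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  *.123                  *.*
EOF
found=$(nonlocal_smtp_listeners "$sample")
if [ -z "$found" ]; then
    echo "port 25 is loopback-only"
else
    echo "port 25 reachable on: $found"
fi
rm -f "$sample"
```

On a live box, `netstat -an -f inet > /tmp/ns && nonlocal_smtp_listeners
/tmp/ns` should print nothing; any output is a listener that a packet
filter or the MTA configuration needs to account for.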



Re: Why Sendmail?

2006-11-23 Thread Antoine Jacoutot
Selon Conrad Winchester [EMAIL PROTECTED]:
> at this point? I NEVER use sendmail and for an OS that prides itself on
> being as minimal as possible I would have thought giving you the option to

Where is it stated that OpenBSD prides itself on being as minimal as possible?

-- 
Antoine



demystify enc interface

2006-11-23 Thread Camiel Dobbelaar
I'm trying to figure out how the enc interface works, and especially how 
to filter it using pf.  This is what enc(4) says:

 The enc interface allows an administrator to see outgoing packets before
 they have been processed by ipsec(4), or incoming packets after they have
 been similarly processed, via tcpdump(8).

 The ``enc0'' interface inherits all IPsec traffic.  Thus all IPsec traf-
 fic can be filtered based on ``enc0'', and all IPsec traffic could be
 seen by invoking tcpdump(8) on the ``enc0'' interface.

I think this tells me that I can see unencrypted/unencapsulated traffic on 
enc0.

However, with tcpdump I see this:

14:09:27.894326 (authentic,confidential): SPI 0x728aafc9: 86.90.xx.xx >
62.58.xx.xx: 192.168.2.3.1264 > 192.168.1.7.8194: . [tcp sum ok] ack 139
win 64431 (DF) (ttl 128, id 45685, len 40) (ttl 118, id 45685, len 60)

14:09:27.915205 (authentic,confidential): SPI 0x021e1fcd: 62.58.xx.xx >
86.90.xx.xx: 192.168.1.131.3389 > 192.168.2.3.1182: . [tcp sum ok] ack
177 win 65075 (ttl 127, id 59080, len 40) (ttl 64, id 46361, len 60, bad
cksum 0!)

The encapsulation is included... that's pretty cool and handy, but I'm not 
sure if that's what the manpage says.

And it looks like pf has its tentacles elsewhere in the stack, here's what 
I see if I log what gets passed on enc0:

09:00:21.390463 rule 514/(match) [uid 0, pid 15450] pass in on enc0:
84.104.xx.xx > 62.58.xx.xx: 192.168.28.28.46259 > 192.168.42.10.993:
[|tcp] (DF) (ttl 63, id 9133, len 64) (ttl 55, id 6610, len 84, bad cksum
a754!)

09:00:21.390541 rule 514/(match) [uid 0, pid 15450] pass in on enc0:
192.168.28.28.46259 > 192.168.42.10.993: S 1525235396:1525235396(0) win
16384 <mss 1360,nop,nop,sackOK,nop,wscale 0,[|tcp]>
(ttl 63, id 9133, len 64, bad cksum 5094!)

14:15:32.553135 rule 515/(match) [uid 0, pid 23431] pass out on enc0:
192.168.42.10.24605 > 192.168.28.28.22: [|tcp] [tos 0x10] (ttl 63, id
33734, len 64)

So inbound traffic passes twice: first with encapsulation, and the second 
time without.  However, outbound traffic only passes _once_, without the 
encapsulation.

So I think the pf rules for filtering on enc0 should look like this:
# pass encapsulated traffic
pass  in  quick log on enc0 proto ipencap from $ext_peer_ip to $ext_if 
keep state (other.single 3600)
# rules on decrypted traffic
pass  in  quick on enc0 from 192.168.28.28 to 192.168.42.10 port 993 keep 
state
block in  quick on enc0

All in all:
- the bpf view is different from the pf view
- the inbound pf view is different from outbound

Should pf even see the inbound ipencap traffic?  Nothing much that can be 
done with it, that cannot also be done on the physical interfaces...

Shouldn't enc just carry the unencrypted/unencapsulated traffic like the 
manpage says?  That would make it behave far more like a normal 
interface.


--
Cam
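
The two-pass behaviour Cam describes can be checked against a real capture rather than read off three log lines. What follows is an added example and not code from the post: a small sh/awk function that reads the text tcpdump prints for pflog0 and tallies, per rule and direction, whether each logged packet still carried the outer IP-in-IP header (two "src > dst:" address pairs on the line) or had already been decapsulated (one pair). The interface name enc0 and the pflog line layout of that era are assumed; the three sample lines are constructed from the ones quoted above with the ">" arrows that tcpdump prints restored.

```shell
#!/bin/sh
# Added example, not from the post: tally what pf logged on enc0 pass by
# pass, so the "inbound passes twice, outbound once" observation can be
# checked against a real capture. Input is the text tcpdump prints for
# pflog0 (tcpdump -n -e -ttt -i pflog0). On the first inbound pass the packet
# is still IP-in-IP, so the line carries two "src > dst:" address pairs
# (outer header, then inner); the decrypted pass carries one.

# enc_passes < PFLOG_TEXT
# Print one line per "rule direction kind" with a count, sorted.
enc_passes() {
    awk '
        / on enc0: / {
            n    = index($0, " on enc0: ")
            head = substr($0, 1, n)         # "... rule 514/(match) [...] pass in "
            pkt  = substr($0, n + 9)        # " 84.104.xx.xx > 62.58.xx.xx: 192..."
            rule = head
            sub(/.* rule /, "", rule)       # drop everything up to the rule number
            sub(/\/.*/, "", rule)           # drop "/(match) ..." after it
            dir = head
            sub(/ $/, "", dir)
            sub(/.* /, "", dir)             # last word before " on enc0:" is in/out
            pairs = gsub(/[^ ]+ > [^ ]+:/, "&", pkt)   # count "src > dst:" pairs
            kind  = (pairs >= 2) ? "encapsulated" : "plain"
            count[rule " " dir " " kind]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample, rebuilt from the three pflog lines quoted above with
# the ">" arrows tcpdump prints restored.
sample='09:00:21.390463 rule 514/(match) [uid 0, pid 15450] pass in on enc0: 84.104.xx.xx > 62.58.xx.xx: 192.168.28.28.46259 > 192.168.42.10.993: [|tcp] (DF) (ttl 63, id 9133, len 64) (ttl 55, id 6610, len 84, bad cksum a754!)
09:00:21.390541 rule 514/(match) [uid 0, pid 15450] pass in on enc0: 192.168.28.28.46259 > 192.168.42.10.993: S 1525235396:1525235396(0) win 16384 <mss 1360,nop,nop,sackOK,nop,wscale 0,[|tcp]> (ttl 63, id 9133, len 64, bad cksum 5094!)
14:15:32.553135 rule 515/(match) [uid 0, pid 23431] pass out on enc0: 192.168.42.10.24605 > 192.168.28.28.22: [|tcp] [tos 0x10] (ttl 63, id 33734, len 64)'

printf '%s\n' "$sample" | enc_passes
```

On the sample this prints "514 in encapsulated 1", "514 in plain 1" and "515 out plain 1", which is exactly the asymmetry described above. On a live gateway, pipe `tcpdump -n -e -ttt -i pflog0` into enc_passes while traffic flows through the tunnel; only rules that carry the log keyword appear, so log both the ipencap rule and the decrypted-traffic rule if you want to see both passes.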



Re: Why Sendmail?

2006-11-23 Thread Gregory Edigarov

I think it is because of cron jobs that send mail to root.

Conrad Winchester wrote:

I do have one question though and I apologize if people always ask this: At
the end of the install I was asked whether I want to run sshd and ntpd by
default - very nice BUT why am I not given the option to turn off Sendmail
at this point? I NEVER use sendmail and for an OS that prides itself on
being as minimal as possible I would have thought giving you the option to
not run sendmail would also be there right from the start.




Re: Why Sendmail?

2006-11-23 Thread Will Maier
On Thu, Nov 23, 2006 at 01:32:29PM +, Conrad Winchester wrote:
 I do have one question though and I apologize if people always ask
 this: At the end of the install I was asked whether I want to run sshd
 and ntpd by default - very nice BUT why am I not given the option
 to turn off Sendmail at this point? 

So that mail delivery works? OpenBSD has a number of useful
automated reports enabled by default which provide you with
important information, among other reasons.

 I NEVER use sendmail

Do you use a different MTA? That's fine -- sendmail is the default
MTA, but you can easily install others (eg Postfix) using
precompiled packages. In most cases, you simply run
'newMTA-enable' and clean up a few loose ends. See the
installation message for your MTA of choice for more information.

 and for an OS that prides itself on being as minimal as possible I
 would have thought giving you the option to not run sendmail would
 also be there right from the start.

IANAD, but...the goals[0] of the OpenBSD project are pretty clear,
and minimalism isn't explicitly one of them. Providing an audited
and specific featureset in the base distribution makes the task of
securing the whole system easier, but 'shipping the least stuff'
isn't in itself a goal (AFAICT).

Sendmail is there as a convenience, as is a heavily modified Apache.
If you don't need them, or want different MTAs or web servers, the
package system gives you plenty of easy options.

As you're new, I'll also plug the FAQ:

http://www.openbsd.org/faq/

In fact, this _very question_ is answered in the FAQ[1]. It helps to
check the FAQ and the mailing list archives first if you have a
question. You'll also find the man pages handy.

[0] http://www.openbsd.org/goals.html
[1] http://www.openbsd.org/faq/faq1.html#HowAbout

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*



Re: ktrace interpretation

2006-11-23 Thread Jan Stary
Hi,

 $ cat  foo.c
 int main() { return 0; }
 $ cc -static -o foo foo.c
 $ ktrace ./foo
 $ kdump
   2153 ktrace   RET   ktrace 0
   2153 ktrace   CALL  execve(0x7f7f910f,0x7f7f8c78,0x7f7f8c88)
   2153 ktrace   NAMI  ./foo
   2153 foo  EMUL  native
   2153 foo  RET   execve 0
 
 Userland execution starts here.
 
   2153 foo  CALL  __sysctl(0.0,0x801360,0x7f7e62b0,0,0)
   2153 foo  RET   __sysctl 0
 
 Here the program fetches a random number to set up the canary for
 the stack protector.
 
   2153 foo  CALL  mmap(0,0x1000,0x3,0x1002,0x,0,0)
   2153 foo  RET   mmap 1192062976/0x470d7000
 
 Here a page is allocated for atexit function pointers...
 
   2153 foo  CALL  mprotect(0x470d7000,0x1000,0x1)
   2153 foo  RET   mprotect 0
 
 ...and then this page is protected to be read-only to avoid attacks that
 change atexit function pointers.
 
 Here, where you don't get syscalls logged in ktrace, main is called. Then
 it returns, so exit() is called. exit() processes all the atexit hooks
 and then unmaps the atexit page and exits the program.
 
   2153 foo  CALL  munmap(0x470d7000,0x1000)
   2153 foo  RET   munmap 0
   2153 foo  CALL  exit(0)
 $ 

thanks! This exactly is the minimal example I wanted to understand.
Would you please recommend a piece of literature where I can learn
this from the beginning?

 ps. Yes, it's a slow day at work, so I have time to talk too much.

Thank you very much for that :-)

Jan



webmail

2006-11-23 Thread Jasper Bal

Anyone using webmail on OpenBSD? What's good, what's not?

Jasper



Connecting to OpenBSD 4.0 isakmpd with racoon on FC5

2006-11-23 Thread Albert Chin
I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
4.0 VPN server running isakmpd. I already have things working with
Openswan but would like to get it working with racoon for our Mac OS
clients.

The OpenBSD /etc/ipsec.conf config:
  ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
srcid [vpn server FQDN] dstid [FC5 laptop FQDN]

My racoon.conf file:
  path include /etc/racoon;
  path pre_shared_key /etc/racoon/psk.txt;
  path certificate /etc/racoon/certs;

  remote [vpn server IP] {
exchange_mode main;
my_identifier fqdn [FC5 laptop FQDN];
peers_identifier fqdn [vpn server FQDN];
certificate_type x509 [FC5 laptop FQDN].crt 
/etc/ipsec.d/private/local.key;
ca_type x509 /etc/ipsec.d/cacerts/ca.crt;
verify_identifier on;

nat_traversal on;

proposal {
  encryption_algorithm aes;
  hash_algorithm sha1;
  dh_group modp1024;
  authentication_method rsasig;
}
  }

  sainfo address 192.168.6.0/24 any address 192.168.1.0/24 any {
encryption_algorithm aes, 3des, blowfish;
authentication_algorithm hmac_sha256, hmac_sha1;
compression_algorithm deflate;
  }

Then I start racoon with:
  # racoon -4 -F
and initiate the VPN connection on the laptop with:
  # racoonctl vpn-connect [vpn server IP]

The phase 1 exchange goes ok but phase 2 does not:
  ...
  2006-11-22 23:24:02: INFO: ISAKMP-SA established 192.168.6.244[4500]-[vpn 
server IP][4500] spi:daec8263785958bf:95fea98fde24c61b

Am I getting the sainfo section wrong in racoon.conf? With the sainfo
section, do I still need setkey?

-- 
albert chin ([EMAIL PROTECTED])



Re: Why Sendmail?

2006-11-23 Thread z0mbix

On 23/11/06, Conrad Winchester [EMAIL PROTECTED] wrote:

First of all hi! My name is Conrad and I am new to the world of OpenBSD, but
not unix in general.

I have just done my first install of a server using OpenBSD and am extremely
impressed.

I do have one question though and I apologize if people always ask this: At
the end of the install I was asked whether I want to run sshd and ntpd by
default - very nice BUT why am I not given the option to turn off Sendmail
at this point? I NEVER use sendmail and for an OS that prides itself on
being as minimal as possible I would have thought giving you the option to
not run sendmail would also be there right from the start.

Comments please

Conrad Winchester




Not sure why you are not given the option to disable it on install,
but you turn it off by simply setting sendmail_flags=NO in
/etc/rc.conf.local. Also the afterboot manpage is very useful for new
installs. Specifically the section on sendmail:

Sendmail
OpenBSD ships with a default /etc/mail/localhost.cf file that will work
for simple installations; it was generated from openbsd-localhost.mc in
/usr/share/sendmail/cf.  Please see /usr/share/sendmail/README and
/usr/share/doc/smm/08.sendmailop/op.me for information on generating your
own sendmail configuration files.  For the default installation, sendmail
is configured to only accept connections from the local host and to not
accept connections on any external interfaces.  This makes it possible to
send mail locally, but not receive mail from remote servers, which is
ideal if you have one central incoming mail machine and several clients.
To cause sendmail to accept external network connections, modify the
sendmail_flags variable in /etc/rc.conf.local to use the
/etc/mail/sendmail.cf file in accordance with the comments therein.  This
file was generated from openbsd-proto.mc.

Note that sendmail now also listens on port 587 by default.  This is to
implement the RFC 2476 message submission protocol.  You may disable this
via the no_default_msa option in your sendmail .mc file.  See
/usr/share/sendmail/README for more information.  The
/etc/mail/localhost.cf file already has this disabled.

Cheers z0mbix



Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
Hi again.

Out of this thread, Mr. Tongson pointed me to an interesting post
from march 2005:

  http://archives.neohapsis.com/archives/openbsd/2005-03/2808.html

From this post, it is difficult to understand why disabling remote
root logins is not a good idea; but after reading the entire thread
I see the point, though: disabling remote root logins makes things
a bit harder for an intruder, but not impossible at all.  I agree
with the idea on the thread but we must consider that:

  1. Allowing remote root logins by default effectively destroys
 the security layer created by the wheel group.  Even if an
 attacker is able to get a copy of the root password (something
 that cannot be underestimated for an internal employee) he
 must be in the right group or get a second password, this time
 one of a user in the wheel group.

  2. There are a lot of brute force attacks from countries like
 Korea these days.  These attacks will be less effective if
 the intruders get access to an unprivileged account (even if
 it is in the wheel group).

  3. A Unix or Unix-like system has a root account.  The names
 of other accounts are difficult to guess (my account at
 string1 is guessable right now, but I can be using a mail
 alias or receiving email on a system that has no real user
 accounts).  Trying brute force attacks against the root
 account is probably the best guess for an intruder.

I must admit I did not know about that thread before Mr. Tongson
sent me an email, and I would probably not have sent my first email
had I been aware of the existence of the thread of March,
2005.  But I think that I am right about remote root login enabled
by default weakening other security schemes (like the wheel group)
provided by the BSD systems.

I agree with Mr. Dippel about the problems related to remote installs
of OpenBSD.  Certainly the problem described in his post is not a usual
one, only a few managers make remote installs.  I have a net4801 and
it is upgraded locally, using my laptop as a DEC VT-compatible terminal
connected to it.  I can imagine how difficult it must be installing an
OpenBSD release, remembering that remote root logins must be enabled
before halting the system.  In any case, there are some good approaches
to this problem.  For example:

  - setting up a terminal/port server to manage these devices as if
it were local.  In any case, how can the installer be used
without a sort of terminal (either local or remote) connected
to the device?

  - add a siteXX.tgz tarball to the installation sets with required
changes for that specific -and challenging- environment.

I admit that not allowing remote root logins is an imperfect security
measure, but at least it does not break the security introduced by the
wheel group in the BSD systems.  On the other hand, the number of
threats based on brute force attacks against root (the only account
that exists on nearly all the Unix and Unix-like operating systems)
has been increasing in the last years.  Some of these tools try passwords
that I would not call low-quality ones.

Best regards,
Igor.



Re: webmail

2006-11-23 Thread Joel Goguen
I've got SquirrelMail running for mine.  If you're looking for something
full of features it's not for you, but if you're looking for something
simple that Just Works with Courier-IMAP and Maildir it may be worth
taking a look at.

Jasper Bal wrote:
 Anyone using webmail on OpenBSD? What's good, what's not?

 Jasper




-- 
Joel Goguen
http://iapetus.dyndns.org/



Re: webmail

2006-11-23 Thread Tautvydas

Hi

On 11/23/06, Jasper Bal [EMAIL PROTECTED] wrote:

Anyone using webmail on OpenBSD? What's good, what's not?

Jasper



roundcube webmail is quite nice, but I don't use the latest beta. Latest
beta has some problems, I haven't got enough time for debugging :(

--
Hi, I'm a .signature virus! Copy me to your .signature file and help
me propagate, thanks!



Re: on the remote root login in OpenSSH

2006-11-23 Thread Stuart Henderson
On 2006/11/23 15:14, Igor Sobrado wrote:
   2. There are a lot of brute force attacks from countries like
  Korea these days.  These attacks will be less effective if
  the intruders get access to an unprivileged account (even if
  it is in the wheel group).

On a typical system, these are better blocked at the firewall.
If you need offsite SSH access from unknown IP addresses, you can
use authpf to open the ports instead, which gives you a single
point of control.

 Some of these tools try passwords that I would not call low-
 quality ones.

PasswordAuthentication no is quite effective against this.
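
The two sshd_config keywords this thread turns on, PermitRootLogin and PasswordAuthentication, are easy to get wrong when hardening an existing file, because sshd_config(5) uses the first value it finds for a keyword, not the last, and keywords inside a Match block apply only when the block matches. The following is an added example, not code from the thread or from OpenSSH: a sh/awk function that resolves a keyword the way sshd does, and an audit built on it. The built-in defaults are passed in by the caller since they vary between releases; the example assumes "yes" for both, which is what the OpenBSD 4.0 era shipped. The sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: resolve PermitRootLogin and
# PasswordAuthentication in an sshd_config file the way sshd does.
# Two points that bite in practice:
#   - sshd_config(5): for each keyword the FIRST value found is used, so a
#     "PermitRootLogin no" appended after an earlier "PermitRootLogin yes"
#     changes nothing.
#   - keywords inside a Match block apply only when the block matches, so
#     the global audit stops reading at the first Match line.
# Built-in defaults are passed in by the caller; they differ between OpenSSH
# releases (this example assumes the OpenBSD 4.0 era default of "yes").

# sshd_effective FILE KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD in the global section of FILE.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ { next }                       # comment
        NF == 0    { next }                       # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)       # accept the "Key=Value" form
            split(line, f, /[ \t]+/)
            k = tolower(f[1])                     # keywords are case-insensitive
            if (k == "match") exit                # conditional section begins
            if (k == key) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit FILE
# Print "keyword value verdict" for each audited keyword; exit 1 if any
# keyword is still at the weak setting ("yes").
sshd_audit() {
    rc=0
    for spec in PermitRootLogin:yes PasswordAuthentication:yes; do
        kw=${spec%%:*}
        def=${spec#*:}
        val=$(sshd_effective "$1" "$kw" "$def")
        if [ "$val" = "yes" ]; then verdict=weak; rc=1; else verdict=ok; fi
        printf '%-22s %-18s %s\n' "$kw" "$val" "$verdict"
    done
    return $rc
}

# Constructed sample config: the second PermitRootLogin line is the kind of
# late "hardening" that silently loses to the first one.
sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
# comment lines and blank lines are ignored

Port 22
PermitRootLogin yes
PasswordAuthentication=no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
sshd_audit "$sample"
echo "audit exit status: $?"
rm -f "$sample"
```

On the sample the audit reports PermitRootLogin as "yes weak" even though a "no" line exists lower down, and PasswordAuthentication as "no ok" despite the "yes" inside the Match block. On a live host with a newer OpenSSH, `sshd -T` prints the fully resolved configuration and is the authoritative check; the function above is for auditing files offline, for instance in a configuration repository before they reach a machine.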



Re: webmail

2006-11-23 Thread João Salvatti

Horde (www.horde.org) runs nicely under OpenBSD.

My webmail (webmail.openbsd-pa.org).

On 11/23/06, Tautvydas [EMAIL PROTECTED] wrote:

Hi

On 11/23/06, Jasper Bal [EMAIL PROTECTED] wrote:
 Anyone using webmail on OpenBSD? What's good, what's not?

 Jasper


roundcube webmail is quite nice, but I don't use the latest beta. Latest
beta has some problems, I haven't got enough time for debugging :(

--
Hi, I'm a .signature virus! Copy me to your .signature file and help
me propagate, thanks!





--
João Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: on the remote root login in OpenSSH

2006-11-23 Thread Darrin Chandler
On Thu, Nov 23, 2006 at 12:24:38PM +0100, Igor Sobrado wrote:
 First of all, I understand that remote root logins can be easily
 avoided by setting PermitRootLogin to no in /etc/ssh/sshd_config.

Yes. This is a very simple thing to do.

 I guess that remote root logins are allowed by default to simplify
 management of small network appliances that do not have user accounts
 on them.  But these appliances are only a small number of all OpenBSD
 installations and, even if this number is not so small, a restricted
 (non-root) account in the group wheel and probably in the group operator
 too, on these devices is advisable to avoid damaging these appliances
 by mistake.

These assumptions, I think, are the problem. I have no small network
appliances, yet I find SSH root login to be very useful in the initial
stages of configuring a new computer installation.

 In my humble opinion, there are three reasons to deny remote root logins
 by default:
 
   1. Remote root login enabled by default makes the wheel group
   superfluous (i.e., why are users added to the wheel group when
  a user not in this group can log in as root, once the root
  password is known to him, by just typing ssh [EMAIL PROTECTED]?)
 
   2. There are a lot of threats against the root account based on
  brute force attacks.  Most of us see logs on this matter in our
  workstations and servers.  Sometimes these threats, done by
  humans, network scanners or even worms, are successful.  It is
  just a matter of (bad) luck.

For a compromised password, there's no essential difference between root
and someone with full sudo access. If you have 5 people in wheel/sudoers
then an attacker can break *any* of those and get root.

   3. OpenBSD is secure by default; all services should be configured
  to the most secure defaults.  I think that this reason is as good
  as the previous ones.  And not allowing remote root logins by
  default makes sense to me in relation with this goal.

No. It would be simple enough to disable everything, but that wouldn't
be functional. OpenBSD has an excellent track record for security, yet
many useful things are enabled by default. Do you *really* believe that
nobody has thought about turning off root ssh in the default configs? Of
course they have. Yet it remains enabled. Selecting a secure password
for root is YOUR responsibility.

 Someone that really wants to allow remote root logins should be able to
 enable this feature just changing /etc/ssh/sshd_config.  But, in my
 humble opinion, most users do not really want this dangerous feature
 enabled by default.  And, even on small network appliances, an unprivileged
 account in the wheel group (and even in the operator group) is a good
 management practice.

Most users just don't care. More security conscious users *do* care, and
often turn it off. They also block all icmp packets and a lot of other
things that they read somewhere on the web, without understanding why,
or assessing how much of a threat it poses to them, or how effective it
is in countering the threat. *Really* security conscious people take the
time to understand the issues, and to configure their systems.


-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: webmail

2006-11-23 Thread HARANG Jean-Marc

Jasper Bal wrote:

Anyone using webmail on OpenBSD? What's good, what's not?

I use http://blog.ilohamail.org/ (imap/pop), fast (it's running fine on 
a 330 MHz sparc64), easy to install and to use ...


no problem :)

--
jean-marc



Re: webmail

2006-11-23 Thread Bryan Allen

On Nov 23, 2006, at 8:19 AM, Jasper Bal wrote:


Anyone using webmail on OpenBSD? What's good, what's not?


Roundcube has been the new hotness for a while now.

http://www.roundcube.net/

It's trivial to configure, nice UI (shiny, has drag and drop),  
persistent IMAP connections... That said, I've only just now started  
stressing it, so, YMMV.

--
Bryan Allen
[EMAIL PROTECTED]
http://bda.mirrorshades.net
Cyberpunk is dead. Long live cyberpunk.



Re: webmail

2006-11-23 Thread Michael
Jasper Bal schrieb:
 Anyone using webmail on OpenBSD? What's good, what's not?

I like http://roundcube.net/, using beta2



Re: BSD laptop

2006-11-23 Thread Michael Widerkrantz
David Chapman [EMAIL PROTECTED] writes:

 Does anyone have any thoughts or experience with Lenovo or ThinkPad
 laptops?

I have a Lenovo Thinkpad X60s running FreeBSD 6.1. See:

  http://hack.org/mc/freebsd-x60.html

Very short version:

  Usable after PXE boot and installation: both cores are found, the
  internal NIC usable but with strange latency, running X with VESA
  fb. powerd works, but I don't get much battery life (4 cell slim
  version), about 1.5 hour.

  Doesn't work out of the box, but fixable with patches: Sound,
  accelerated graphics.

  Doesn't work at all or barely: suspend/resume, WLAN, SD reader,
  fingerprint reader.

I tried installing NetBSD 3.0 as well, but it couldn't find any disks
to install to.



OpenBSD 4.0 and VNC

2006-11-23 Thread Dr. Harry Knitter
Having a box running with OpenBSD and KDE I would like to access my desktop 
via Openvpn and VNC.
Openvpn runs well, however when I try to access my desktop with vncviewer 
from a remote machine I get the following error message:

Error allocating memory for desktop name, 2139029504 bytes

Even with a resolution of 1280x1024, memory of about 2GB seems to me a pretty 
high value.

What's wrong?

Harry



Can OpenBSD rfmon WLans

2006-11-23 Thread Carlos A. Garcia G.
Is OBSD able to put a Cisco Aironet card in rfmon? I want to run kismet 
and some other wardriving tools to audit my wlan.




Re: Why Sendmail?

2006-11-23 Thread Josh Grosse
On Thu, Nov 23, 2006 at 01:32:29PM +, Conrad Winchester wrote:

 ...why am I not given the option to turn off Sendmail
 at this point? I NEVER use sendmail...

See afterboot(8) for a description of the sendmail configuration.

See daily(8) for a discussion of system maintenance logs which are mailed
to root.



Re: BSD laptop

2006-11-23 Thread Greg Troxel
  I tried installing NetBSD 3.0 as well, but it couldn't find any disks
  to install to.

In my T60, I set disk controller to legacy, which makes it look like
PIIX rather than AHCI.

  Doesn't work at all or barely: suspend/resume, WLAN, SD reader,
  fingerprint reader.

wlan is intel?  I have ath(4) in mine (ordered on purpose that way)
and it works fine.

Newer current (last month or so?) is better on the wm(4) but the PHY
programming is still off.  Perhaps that's your latency issue.

My experience on T60 is otherwise similar.
-- 
Greg Troxel [EMAIL PROTECTED]



Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Stuart Henderson writes:
 On 2006/11/23 15:14, Igor Sobrado wrote:
2. There are a lot of brute force attacks from countries like
   Korea these days.  These attacks will be less effective if
   the intruders get access to an unprivileged account (even if
   it is in the wheel group).
 
 On a typical system, these are better blocked at the firewall.
 If you need offsite SSH access from unknown IP addresses, you can
 use authpf to open the ports instead, which gives you a single
 point of control.

Indeed, it is possible to block these services at the firewall
but it is not a clean answer to the problem.  I certainly would
prefer changing the behaviour of sshd on a freshly installed system
to setting up a firewall with an ever-growing list of hostile machines.
On the other hand I see that, once the brute force attack ends
(usually in some hours) that machine will not make contact again (these
brute force attacks are probably a part of a more general scanning
tool).  These machines have dynamic addresses and there is a small
chance of blocking addresses that can be used by authorized users in
the future too.

  Some of these tools try passwords that I would not call low-
  quality ones.
 
 PasswordAuthentication no is quite effective against this.

Indeed, using certificates is an excellent choice too.  I suppose
that OpenBSD currently supports using certificates stored in
removable media.  A bit hard to configure, but highly secure.
Indeed.

Cheers,
Igor.



Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Darrin Chandler writes:
 On Thu, Nov 23, 2006 at 12:24:38PM +0100, Igor Sobrado wrote:
  First of all, I understand that remote root logins can be easily
  avoided by setting PermitRootLogin to no in /etc/ssh/sshd_config.
 
 Yes. This is a very simple thing to do.

Agreed, and if someone misses this change when installing a new system
it can be enabled at any time in the future.

  I guess that remote root logins are allowed by default to simplify
  management of small network appliances that do not have user accounts
  on them.  But these appliances are only a small number of all OpenBSD
  installations and, even if this number is not so small, a restricted
  (non-root) account in the group wheel and probably in the group operator
  too, on these devices is advisable to avoid damaging these appliances
  by mistake.
 
 These assumptions, I think, are the problem. I have no small network
 appliances, yet I find SSH root login to be very useful in the initial
 stages of configuring a new computer installation.

I usually prefer doing these initial stages of configuration on the
console port.  There is a small risk of making the system not functional
in some cases.

 For a compromised password, there's no essential difference between root
 and someone with full sudo access. If you have 5 people in wheel/sudoers
 then an attacker can break *any* of those and get root.

Well, sudo should not allow full access to the system.  Users that
require full access should be in the wheel group and know the root
password (they *must be* trusted users).  sudo is excellent when
giving privileges for specific tasks to some users.

 No. It would be simple enough to disable everything, but that wouldn't
 be functional. OpenBSD has an excellent track record for security, yet
 many useful things are enabled by default. Do you *really* believe that
 nobody has thought about turning off root ssh in the default configs? Of
 course they have. Yet it remains enabled. Selecting a secure password
 for root is YOUR responsibility.

Agreed, I know that OpenBSD has an excellent track record for security
and reliability.  I know that good root passwords must be chosen too,
it is one of the main goals of a system manager: choosing good passwords
for system maintenance accounts and training users to choose good
passwords for their own accounts.

  Someone that really wants to allow remote root logins should be able to
  enable this feature just changing /etc/ssh/sshd_config.  But, in my
  humble opinion, most users do not really want this dangerous feature
  enabled by default.  And, even on small network appliances, an unprivileged
  account in the wheel group (and even in the operator group) is a good
  management practice.
 
 Most users just don't care. More security conscious users *do* care, and
 often turn it off. They also block all icmp packets and a lot of other
 things that they read somewhere on the web, without understanding why,
 or assessing how much of a threat it poses to them, or how effective it
 is in countering the threat. *Really* security conscious people take the
 time to understand the issues, and to configure their systems.

Blocking ICMP packets has serious consequences on the network.  ECHO_REQUEST
and ECHO_REPLY messages are important for tracing network connections
when something goes wrong.  Timeouts sent by ICMP are useful to get
a fast response when a service is not working, without waiting for
the connection to be dropped.

Same happens with the time and daytime services enabled by default.
Most users choose to close these services.  I really like running
NTP on one server (and certainly OpenNTP is an excellent and lightweight
NTP implementation) and using rdate (and the time service enabled by
default) to synchronize the workstations without running NTP on them
and setting up a NTP server on the machine that gets the time from
the public NTP servers.  These services are simple and, as a consequence,
reliable... and very useful.

Certainly changing the behaviour of sshd is easy to do and, in this
case, I find this change useful (unlike blocking ICMP
-all my pf firewalls reply as they should to ICMP messages- or stopping
the useful time services.)

Best regards,
Igor.



Re: webmail

2006-11-23 Thread Jason Dixon

On Nov 23, 2006, at 10:24 AM, Bryan Allen wrote:


On Nov 23, 2006, at 8:19 AM, Jasper Bal wrote:


Anyone using webmail on OpenBSD? What's good, what's not?


Roundcube has been the new hotness for a while now.

http://www.roundcube.net/

It's trivial to configure, nice UI (shiny, has drag and drop),  
persistent IMAP connections... That said, I've only just now  
started stressing it, so, YMMV.


I agree with others here that have suggested RoundCube.  It is very  
simple in features, but it does those things well.  I'm currently  
running revision 373 on a new OpenBSD -stable mailserver running  
Postfix/Courier-IMAP.  I have two other installations running older  
versions of RoundCube on OpenBSD and RHEL.


To compare and contrast, I've also used Squirrelmail and Horde/IMP  
for years.  I can't say that I have any serious problems with  
Squirrelmail, but the interface sorely needs a freshening-up.  Horde/ 
IMP setup is not for the faint of heart, but has a ton of modules  
available through the Horde framework.  But if all you need is a  
webmail interface that works well on OpenBSD, RoundCube should be on  
your short list.  Jump on the roundcube-dev list if you want to keep  
up with HEAD and track any regression bugs.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Can OpenBSD rfmon WLans

2006-11-23 Thread Reyk Floeter
On Thu, Nov 23, 2006 at 08:54:42AM -0700, Carlos A. Garcia G. wrote:
 Is OBSD able to put a Cisco Aironet card in rfmon? I want to run kismet 
 and some other wardriving tools to audit my wlan.
 

jajaja...

rf monitoring is supported for most of our wireless drivers. with
recent wireless drivers using the net80211 stack, you can also use
tcpdump to dump raw 802.11 traffic (-y ieee802_11 or -y
ieee802_11_radio). kismet can be found in our ports tree, but i
actually never tested it with openbsd (why? i can use tcpdump and
hostapd(8) for wireless monitoring).

reyk



Re: on the remote root login in OpenSSH

2006-11-23 Thread Nick Holland
Igor Sobrado wrote:
 Hi again.
 
 Out of this thread, Mr. Tongson pointed me to an interesting post
 from march 2005:
 
   http://archives.neohapsis.com/archives/openbsd/2005-03/2808.html

i.e., DROP IT.  IT WILL NOT CHANGE.  The guy in charge has spoken.

 From this post, it is difficult understanding why disabling remote
 root logins is not a good idea; but after reading the entire thread
 I see the point, though: disabling remote root logins make things
 a bit harder for an intruder, but not impossible at all.  I agree
 with the idea on the thread but we must consider that:
 
   1. Allowing remote root logins by default effectively destroys
  the security layer created by the wheel group.  Even if an
  attacker is able to get a copy of the root password (something
  that cannot be underestimated for an internal employee) he
  must be in the right group or get a second password, this time
  one of a user in the wheel group.

or skip the root PW, and just get the wheel user.
That's no layer, that's a coat of stain.  Pretty color, but offers no
protection.

   2. There are a lot of brute force attacks from countries like
  Korea these days.  These attacks will be less effective if
  the intruders get access to an unprivileged account (even if
  it is in the wheel group).

how's that?  If the user is running sudo to allow people in the wheel
group full access (common config), when they are in wheel, they are
seven keystrokes away from root (sudo -s)

   3. An Unix and Unix-like system has a root account.  The names
  of other accounts are difficult to guess (my account at
  string1 is guessable right now, but I can be using a mail
  alias or receiving email on a system that has no real user
  accounts).  Trying brute force attacks against the root
  account is probably the best guess for an intruder.

yawn.
If your system is subject to brute-force attacks, it is subject to
brute-force attacks.

Hiding the vulnerability and calling it an improvement is just pathetic.
 My favorite analogy is moving the front door of your house to the side
and painting it purple so that thieves won't be able to find it in the
usual place and color, so they won't be able to pick your sub-standard
lock.  It only shows the very low level of skill on the 'net (for both
the bad guys and the good guys!) that this is actually considered a
security measure, and could actually have some impact on the number of
boxes taken over.

Only a fool assumes their opponent is a fool.  Maybe your opponent IS a
fool, but it is much safer and much more productive to assume (s)he is
at least as skilled as you, and knows all about your system.

Be worried about the skilled people who have financial motivation to get
into your systems, who will recognize a door of a different color and
location than they expected.  Stop those people, the fools will be taken
care of, too.

 I must admit I did not know about that thread before Mr. Tongson
 sent me an email, and I would probably have not sent my first email
 in the case I were aware of the existence of the thread of march,
 2005.

Hello, google!
You win no prize by thinking you are more skilled and more knowledgeable
than the people who have demonstrated they know how to build a secure
OS, or that you have come up with a brilliant idea that no one has ever
thought of before.

Posts can be offensive and not contain a single unpleasant word.

 But I think that I am right about remote root login enabled
 by default weakening other security schemes (like the wheel group)
 provided by the BSD systems.

And people who have demonstrated they understand REAL security think you
are not right.
...
 I admit that not allowing remote root logins is an imperfect security
 measure, 

it is mostly a "Look, I did something!  Isn't that great?".  That's a
popular attitude, like those who put untested RAID systems on their
machines and say, "hey, now it will never go down!" but OpenBSD
developers are much more into doing things that really matter.

Personally, I just do this:
After install, I configure sudo, create my administrative user(s), and
then I log in as one of those users, and verify they have administrative
rights by altering the hash of root's pw in such a way that the root
account will not be usable for direct logins again.  Local,  ssh,
whatever -- no one will directly log in as root.

I do this not to protect myself against people who shouldn't be able
to guess my password anyway, but to limit the number of unused accounts
with administrative access that are on the box.  It also makes it easy
to ensure that there are multiple capable administrators in business
systems that should not be vulnerable to the availability of one person,
and it also makes it easy to change administrators when it is needed.

If this is an option you want, fine, put it in an install.site file in a
siteXX.tgz file, and it will Just Happen when you do your install.  But
don't advocate 
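A check for the post-install routine described above, written as an added example and not taken from this thread: it reads master.passwd and group in the BSD colon-separated layout and reports whether root still has a usable hash and which wheel members do, so an administrator can confirm the "no direct root logins, several capable admins" state before relying on it. The sample entries and the hash strings in them are constructed, and treating a password field that starts with '*' or '!' as locked is an assumption of the example.

```python
"""Audit direct-root-login exposure on a BSD-style host.

Added example, not the poster's own procedure.  Assumptions: master.passwd
and group use the classic colon-separated layout (hash in field 2, wheel
members in field 4 of group), and a password field beginning with '*' or
'!' means the account cannot log in with a password.
"""

# Constructed sample data, not taken from any real host.  The hashes are
# placeholders that merely resemble bcrypt strings.
MASTER_PASSWD = """\
root:$2b$08$CONSTRUCTED.NOT.A.REAL.HASH.root0000000000000000000000:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice:$2b$08$CONSTRUCTED.NOT.A.REAL.HASH.alice000000000000000000000:1000:1000::0:0:Alice Admin:/home/alice:/bin/ksh
bob:*:1001:1001::0:0:Bob Stale:/home/bob:/bin/ksh
"""

GROUP = """\
wheel:*:0:root,alice,bob,carol
daemon:*:1:daemon
users:*:10:alice,bob
"""


def parse_master_passwd(text):
    """Return {login: password_field} for every non-comment line."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    return hashes


def wheel_members(text):
    """Return the explicit member list of the wheel group (field 4)."""
    for line in text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == "wheel":
            return [m for m in fields[3].split(",") if m]
    return []


def password_usable(field):
    """'*' and '!' prefixes are the conventional lock markers (assumption).
    An empty field means passwordless login, which counts as usable."""
    return not field.startswith(("*", "!"))


def audit(passwd_text=MASTER_PASSWD, group_text=GROUP):
    """Summarise who can still log in directly and who in wheel is real."""
    hashes = parse_master_passwd(passwd_text)
    members = wheel_members(group_text)
    known = [m for m in members if m != "root" and m in hashes]
    return {
        # True means root can still be logged into directly with a password
        "root_login_usable": password_usable(hashes.get("root", "*")),
        "wheel_usable": [m for m in known if password_usable(hashes[m])],
        "wheel_locked": [m for m in known if not password_usable(hashes[m])],
        # wheel entries with no account at all: stale group membership
        "wheel_missing": [m for m in members if m not in hashes],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed sample the report says root is still directly usable, alice is the only wheel member with a working password, bob is locked, and carol is listed in wheel without having an account; a post-install run should show root locked and at least two usable wheel members.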

Re: webmail

2006-11-23 Thread Joel Goguen
Having tried this just now, I'm now going to have to agree with the other 
RoundCube users here.  In not quite 10 minutes I had RC downloaded and 
configured, and it's easily the best webmail client I've seen yet.

On Thu, 23 Nov 2006 11:40:58 -0500, Jason Dixon [EMAIL PROTECTED] wrote:
 On Nov 23, 2006, at 10:24 AM, Bryan Allen wrote:
 
 On Nov 23, 2006, at 8:19 AM, Jasper Bal wrote:

 Anyone using webmail on OpenBSD? What's good, what's not?

 Roundcube has been the new hotness for a while now.

 http://www.roundcube.net/

 It's trivial to configure, nice UI (shiny, has drag and drop),
 persistent IMAP connections... That said, I've only just now
 started stressing it, so, YMMV.
 
 I agree with others here that have suggested RoundCube.  It is very
 simple in features, but it does those things well.  I'm currently
 running revision 373 on a new OpenBSD -stable mailserver running
 Postfix/Courier-IMAP.  I have two other installations running older
 versions of RoundCube on OpenBSD and RHEL.
 
 To compare and contrast, I've also used Squirrelmail and Horde/IMP
 for years.  I can't say that I have any serious problems with
 Squirrelmail, but the interface sorely needs a freshening-up.  Horde/
 IMP setup is not for the faint of heart, but has a ton of modules
 available through the Horde framework.  But if all you need is a
 webmail interface that works well on OpenBSD, RoundCube should be on
 your short list.  Jump on the roundcube-dev list if you want to keep
 up with HEAD and track any regression bugs.
 
 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net
--
Joel Goguen
http://iapetus.dyndns.org/



Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

Hello all,

   I'm able to get userland pppoe working, but I'm having a hard time 
getting kernel pppoe to work properly.  Here are my config
files.  Is there anything I'm doing wrong?  I believe my config file 
follows what man 4 pppoe states.


# file /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 \
   authproto pap authname 'username' \
   authkey 'password' up
!/sbin/route add default 0.0.0.1

# file /etc/hostname.xl0
up


Regards,
Alden



Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Nick Holland writes:
 Igor Sobrado wrote:
  Hi again.
  
  Out of this thread, Mr. Tongson pointed me to an interesting post
  from march 2005:
  
http://archives.neohapsis.com/archives/openbsd/2005-03/2808.html
 
 i.e., DROP IT.  IT WILL NOT CHANGE.  The guy in charge has spoken.

How curious... is it not what I said in my last messages?
Please, read carefully these messages.

 or skip the root PW, and just get the wheel user.
 That's no layer, that's a coat of stain.  Pretty color, but offers no
 protection.

Indeed, it is another way to think about this problem.

2. There are a lot of brute force attacks from countries like
   Korea these days.  These attacks will be less effective if
   the intruders get access to an unprivileged account (even if
   it is in the wheel group).
 
 how's that?  If the user is running sudo to allow people in the wheel
 group full access (common config), when they are in wheel, they are
 seven keystrokes away from root (sudo -s)

Agreed, but when it is well configured sudo only allows users to
run certain commands that were assigned.  It is designed to provide
more fine-grained access to administration privileges, avoiding
the nothing-or-all privilege escalation provided by the root
account.  If a user can do sudo -s or sudo /bin/sh to get
full root access there is something wrong in the way sudo is
being used.  Ok, the real root password is hidden from these users
(who can be safely removed from the wheel group) but it is too
dangerous and not the way sudo works when it is well configured.

3. An Unix and Unix-like system has a root account.  The names
   of other accounts are difficult to guess (my account at
   string1 is guessable right now, but I can be using a mail
   alias or receiving email on a system that has no real user
   accounts).  Trying brute force attacks against the root
   account is probably the best guess for an intruder.
 
 yawn.
 If your system is subject to brute-force attacks, it is subject to
 brute-force attacks.

Indeed, but guessing a username AND its password greatly increases
the space where the secret is defined.  At least some previous research
is required.  And getting that unprivileged access, even if it
extends the vulnerabilities to the local exploits, is better than
being root.

[...]

Excuse me sir, but I will not continue answering to your email.

I certainly do not accept the aggressive attitude you show on the
rest of the message and prefer to stop here.  If you have something
useful to say I will be glad to read your emails in the future,
but in this case I prefer to stop reading your post and, of course,
not to reply to it.  Participating in flamewars is usually not my
style and I have certainly more productive ways to waste my time
and patience.

Igor.



Re: Assistance with kernel pppoe

2006-11-23 Thread Arnaud Bergeron

On 11/23/06, Alden Pierre [EMAIL PROTECTED] wrote:

Hello all,

I'm able to get userland pppoe working, but I'm having a hard time
getting kernel pppoe to work properly.  Here are my config
files.  Is there anything I'm doing wrong?  I believe my config file
follows what man 4 pppoe states.

# file /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 \
authproto pap authname 'username' \
authkey 'password' up
!/sbin/route add default 0.0.0.1


The only thing I can tell you is that I don't have the final 'up' and
it works for me.


# file /etc/hostname.xl0
up


Post the output of the 'dmesg' and the 'ifconfig -a' command (watch out
for the username printed in the output for pppoe if you are paranoid)
and I'll try to figure it out.


Regards,
Alden




Re: Assistance with kernel pppoe

2006-11-23 Thread Andreas Bihlmaier
On Thu, Nov 23, 2006 at 12:24:21PM -0500, Alden Pierre wrote:
 Hello all,
 
I'm able to get userland pppoe working, but I'm having a hard time 
 getting kernel pppoe to work properly.  Here are my config
 files.  Is there anything I'm doing wrong?  I believe my config file 
 follows what man 4 pppoe states.
 
 # file /etc/hostname.pppoe0
 
 inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 \
authproto pap authname 'username' \
^^-- NEEDED?
authkey 'password' up
 ^^-- NEEDED?
 !/sbin/route add default 0.0.0.1

I did not verify whether it matters, but I do not use `'` in my
hostname.pppoe0.
 
 # file /etc/hostname.xl0
 up

 Regards,
 Alden

Regards,
ahb



Re: on the remote root login in OpenSSH

2006-11-23 Thread Steve Williams

Igor Sobrado wrote:

In message [EMAIL PROTECTED], Stuart Henderson writes:
  

On 2006/11/23 15:14, Igor Sobrado wrote:


  2. There are a lot of brute force attacks from countries like
 Korea these days.  These attacks will be less effective if
 the intruders get access to an unprivileged account (even if
 it is in the wheel group).
  

On a typical system, these are better blocked at the firewall.
If you need offsite SSH access from unknown IP addresses, you can
use authpf to open the ports instead, which gives you a single
point of control.



Indeed, it is possible to block these services at the firewall
but it is not a clean answer to the problem.  I certainly would
prefer changing the behaviour of sshd on a freshly installed system
to setting up a firewall with an ever-growing list of hostile machines.
On the other hand I see that, once the brute force attack ends
(usually in some hours) that machine will not contact us again (these
brute force attacks are probably a part of a more general scanning
tool).  These machines have dynamic addresses and there is a small
chance of blocking addresses that can be used by authorized users in
the future too.

  

Some of these tools try passwords that I would not call low-
quality ones.
  

PasswordAuthentication no is quite effective against this.



Indeed, using certificates is an excellent choice too.  I suppose
that OpenBSD currently supports using certificates stored in
removable media.  A bit hard to configure, but highly secure.
Indeed.

Cheers,
Igor.
  


I block brute force attacks using PF.  They get a small set of attempts 
before they are blocked.  Very trivial.


pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
   keep state (max-src-conn-rate 5/40, overload <scanners>)
block in log on $ext_if proto tcp from <scanners> to $ext_if port ssh

Voilà, I still have root access, with a hard to guess password, and 
people trying to brute force me are blocked.  Of course, there could be 
a distributed brute force attack... but how paranoid do you want to get??


I also rely on having the ability to install/upgrade remotely and ssh 
into the system post install.  With root access blocked off, well...kind 
of hard!


Cheers,
Steve W.
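The same 5-in-40-seconds threshold that the pf rule above enforces on connection state, applied instead to sshd's own log lines, as an added example that is not part of the post: it lets an administrator see from authlog which sources would have tripped the overload rule, and what pfctl -t scanners -T add lines would put them in the table. The log lines are constructed in syslog style (TEST-NET addresses), and the commands are returned as strings for review rather than executed.

```python
"""Flag SSH password brute-forcing from sshd log lines.

Added example, not from the post.  Threshold mirrors the pf rule's
max-src-conn-rate 5/40: more than 5 failed password attempts from one
source inside any 40 second window flags that source.  Log lines below
are constructed; timestamps are syslog style with no year.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 192.0.2.7 hammers root/admin names, 198.51.100.9 is
# a legitimate user fumbling a password before logging in with a key.
SAMPLE_LOG = """\
Nov 23 11:40:01 gw sshd[1234]: Failed password for root from 192.0.2.7 port 40001 ssh2
Nov 23 11:40:03 gw sshd[1235]: Failed password for root from 192.0.2.7 port 40002 ssh2
Nov 23 11:40:05 gw sshd[1236]: Failed password for invalid user admin from 192.0.2.7 port 40003 ssh2
Nov 23 11:40:08 gw sshd[1237]: Failed password for invalid user oracle from 192.0.2.7 port 40004 ssh2
Nov 23 11:40:12 gw sshd[1238]: Failed password for root from 192.0.2.7 port 40005 ssh2
Nov 23 11:40:15 gw sshd[1239]: Failed password for root from 192.0.2.7 port 40006 ssh2
Nov 23 11:41:00 gw sshd[1240]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Nov 23 11:42:30 gw sshd[1241]: Failed password for alice from 198.51.100.9 port 50002 ssh2
Nov 23 11:42:35 gw sshd[1242]: Accepted publickey for alice from 198.51.100.9 port 50003 ssh2
Nov 23 11:44:00 gw sshd[1243]: Failed password for alice from 198.51.100.9 port 50004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_ts(stamp):
    # Syslog stamps carry no year; the samples are from one day, so the
    # default year strptime supplies is fine for computing differences.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def detect_brute_force(log_text, limit=5, window=40):
    """Return {source: timestamp} for sources with more than `limit`
    failures in `window` seconds; the timestamp is the crossing attempt."""
    recent = defaultdict(deque)   # source -> failure times still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and other noise skipped
        src, now = m.group("src"), parse_ts(m.group("ts"))
        if src in flagged:
            continue
        q = recent[src]
        q.append(now)
        while (now - q[0]).total_seconds() > window:
            q.popleft()           # drop attempts older than the window
        if len(q) > limit:
            flagged[src] = m.group("ts")
    return flagged


def pfctl_commands(flagged, table="scanners"):
    """Commands that would add each offender to the pf table used by the
    overload rule; returned as strings, never run by this example."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_brute_force(SAMPLE_LOG)
    for src, when in hits.items():
        print(f"{src} crossed the threshold at {when}")
    for cmd in pfctl_commands(hits):
        print(cmd)
```

With the sample above only 192.0.2.7 is flagged, at the sixth attempt; lowering the limit to 2 over a ten minute window also catches the legitimate user's three fumbled attempts, which is the trade-off behind Igor's remark about blocking addresses real users may come from.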



Re: Assistance with kernel pppoe

2006-11-23 Thread Arnaud Bergeron

On 11/23/06, Andreas Bihlmaier [EMAIL PROTECTED] wrote:

On Thu, Nov 23, 2006 at 12:24:21PM -0500, Alden Pierre wrote:
 Hello all,

I'm able to get userland pppoe working, but I'm having a hard time
 getting kernel pppoe to work properly.  Here are my config
 files.  Is there anything I'm doing wrong?  I believe my config file
 follows what man 4 pppoe states.

 # file /etc/hostname.pppoe0

 inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 \
authproto pap authname 'username' \
^^-- NEEDED?
authkey 'password' up
 ^^-- NEEDED?
 !/sbin/route add default 0.0.0.1

I did not verify whether it matters, but I do not use `'` in my
hostname.pppoe0.


This ends up getting run by /bin/sh so it is a matter of
interpretation by the shell:

$ echo foo
foo
$ echo 'foo'
foo

And since the command receives the same string there is no problem.
If the username/password are purely alphanumeric it is not needed, but
if they contain special characters for the shell, they should be
between single quotes so that ifconfig gets them right.


 # file /etc/hostname.xl0
 up

 Regards,
 Alden

Regards,
ahb





--
I'm trying to launch the internet; so I open a terminal and go
percent sign 'Internet' at the prompt and it doesn't work. What
gives??!! -- random troll
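A way to build the authname/authkey part of a hostname.pppoe0 line so that the credentials survive the shell interpretation Arnaud describes above, as an added example that is not from this thread. It uses Python's shlex, which implements POSIX quoting (whitespace splitting, single and double quotes, backslashes) but does not do $-expansion or globbing; the example therefore always quotes rather than trying to decide per character whether sh would expand something, and the needs_quoting helper and SHELL_META set are the example's own, not anything from ifconfig or netstart.

```python
"""Quote PPPoE credentials for a shell-interpreted hostname.pppoe0 line.

Added example, not from the thread.  shlex models POSIX quoting rules
but not variable expansion, so shlex.split keeps an unquoted '$' literally
where sh would expand it; that is why pppoe_line quotes unconditionally.
"""
import shlex

# Characters sh treats specially when they appear unquoted (example's list).
SHELL_META = set("$`\"'\\ \t|&;<>()*?[]#~")


def needs_quoting(value):
    """True if the value would be split, expanded or otherwise altered."""
    return any(ch in SHELL_META for ch in value)


def pppoe_line(device, username, password):
    """Build the ifconfig half of hostname.pppoe0 with both credentials
    shell-quoted.  shlex.quote wraps in single quotes and turns an embedded
    single quote into '"'"' so any password round-trips."""
    return (
        f"inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev {device} "
        f"authproto pap authname {shlex.quote(username)} "
        f"authkey {shlex.quote(password)} up"
    )


def words_seen_by_sh(line):
    """The argv sh would produce from the line (no expansion modelled)."""
    return shlex.split(line)


def credentials_seen_by_ifconfig(line):
    """Return (authname, authkey) exactly as ifconfig would receive them."""
    words = words_seen_by_sh(line)
    return words[words.index("authname") + 1], words[words.index("authkey") + 1]


if __name__ == "__main__":
    # Constructed credentials with a space, a '$', a quote and an '&'.
    safe = pppoe_line("xl0", "username", "pa ss$w'd&x")
    print(safe)
    print(credentials_seen_by_ifconfig(safe))
    naive = ("inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 "
             "authproto pap authname username authkey pa ss up")
    print(credentials_seen_by_ifconfig(naive))   # password truncated to 'pa'
```

The unquoted line shows the failure mode: the password becomes two words, ifconfig sees only the first, and "ss" lands where "up" was expected. A purely alphanumeric username comes back from shlex.quote unquoted, which matches the observation that the quotes are only needed when metacharacters are present.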



dspam config help?

2006-11-23 Thread Rodney Hopkins
I'm completely confused by dspam.

I've installed the package from 4.0 on a 4.0/i386 install.  
No problems there.  I can't figure out what to do to get 
the thing working and even started for that matter!  
I made the suggested modifications in the sendmail.txt 
file to my sendmail.cf file.  I don't see an example 
command line to start dspam anywhere in the README or the 
man page for dspam.  I notice a _dspam user was created 
by the package.  No idea what that's for.  And the README 
keeps referencing the WebUI and directories that need to 
be copied to /var/www, but I can't find any of that.

Help anyone

Thanks in advance,

Rodney Hopkins
[EMAIL PROTECTED]




Re: on the remote root login in OpenSSH

2006-11-23 Thread chefren

On 11/23/06 6:35 PM, Igor Sobrado wrote:


Participating in flamewars is usually not my
style and I have certainly more productive ways to waste my time
and patience.


Probably not with computer security...

Nick is right from start to finish and you can learn a lot from his 
friendly text.


+++chefren



Re: Can OpenBSD rfmon WLans

2006-11-23 Thread carlos garcia
Ok, jajajaja...
On Thu, 23 Nov 2006 17:56:54 +0100, Reyk Floeter wrote
 On Thu, Nov 23, 2006 at 08:54:42AM -0700, Carlos A. Garcia G. wrote:
  is OBSD able to put a cisco aironet card in rfmon, i want to run kismet 
  and some other wardriving tools to audit my wlan
 
 
 jajaja...
 
 rf monitoring is supported for most of our wireless drivers. with
 recent wireless drivers using the net80211 stack, you can also use
 tcpdump to dump raw 802.11 traffic (-y ieee802_11 or -y
 ieee802_11_radio). kismet can be found in our ports tree, but i
 actually never tested it with openbsd (why? i can use tcpdump and
 hostapd(8) for wireless monitoring).
 
 reyk


--
Open WebMail Project (http://openwebmail.org)



Re: webmail

2006-11-23 Thread Sam Fourman Jr.
Roundcube looks REALLY cool, does OpenBSD have a Maintainer for it yet?

Does anyone know of a tutorial to set it up with postfix and PostgreSQL
support?
 is it better to use Postfix/Courier-IMAP or Postfix/Dovecot?


Sam Fourman Jr.

On 11/23/06, Joel Goguen [EMAIL PROTECTED] wrote:

 Having tried this just now, I'm now going to have to agree with the other
 RoundCube users here.  In not quite 10 minutes I had RC downloaded and
 configured, and it's easily the best webmail client I've seen yet.

 On Thu, 23 Nov 2006 11:40:58 -0500, Jason Dixon [EMAIL PROTECTED]
 wrote:
  On Nov 23, 2006, at 10:24 AM, Bryan Allen wrote:
 
  On Nov 23, 2006, at 8:19 AM, Jasper Bal wrote:
 
  Anyone using webmail on OpenBSD? What's good, what's not?
 
  Roundcube has been the new hotness for a while now.
 
  http://www.roundcube.net/
 
  It's trivial to configure, nice UI (shiny, has drag and drop),
  persistent IMAP connections... That said, I've only just now
  started stressing it, so, YMMV.
 
  I agree with others here that have suggested RoundCube.  It is very
  simple in features, but it does those things well.  I'm currently
  running revision 373 on a new OpenBSD -stable mailserver running
  Postfix/Courier-IMAP.  I have two other installations running older
  versions of RoundCube on OpenBSD and RHEL.
 
  To compare and contrast, I've also used Squirrelmail and Horde/IMP
  for years.  I can't say that I have any serious problems with
  Squirrelmail, but the interface sorely needs a freshening-up.  Horde/
  IMP setup is not for the faint of heart, but has a ton of modules
  available through the Horde framework.  But if all you need is a
  webmail interface that works well on OpenBSD, RoundCube should be on
  your short list.  Jump on the roundcube-dev list if you want to keep
  up with HEAD and track any regression bugs.
 
  --
  Jason Dixon
  DixonGroup Consulting
  http://www.dixongroup.net
 --
 Joel Goguen
 http://iapetus.dyndns.org/



Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

Post the output of the 'dmesg' and the 'ifconfig -a' command (watch out
for the username printed in the output for pppoe if you are paranoid)
and I'll try to figure it out.


Here is my dmesg, I'm using a kvm switch btw.

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE

real mem  = 536375296 (523804K)
avail mem = 481329152 (470048K)
using 4256 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 08/03/01, BIOS32 rev. 0 @ 
0xfb500, SMBIOS rev. 2.3 @ 0xf0800 (38 entries)

bios0: VIA Technologies, Inc. VT82C694X
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc800 0xd/0x4000! 0xd4000/0x800 0xd5000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA GeForce2 MX rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, 
channel 0 configured to compatibility, channel 1 configured to compatibility

wd0 at pciide0 channel 0 drive 0: ST340823A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: BENQ, DVD DC DQ60, MREC SCSI0 5/cdrom 
removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x16: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x16: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
auvia0 at pci0 dev 7 function 5 VIA VT82C686 AC97 rev 0x50: irq 11
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
xl0 at pci0 dev 9 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, 
address 00:04:75:ad:69:67

exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 11 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, 
address 00:04:75:ad:69:69

exphy1 at xl1 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f365 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1
uhub2: Texas Instruments TUSB2046 hub, rev 1.10/1.25, addr 2
uhub2: 4 ports with 4 removable, self powered
uhidev0 at uhub2 port 3 configuration 1 interface 0
uhidev0: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 3 configuration 1 interface 1
uhidev1: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/0
uhidev1: 3 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
ums0 at uhidev1 reportid 3: 0 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhidev2 at uhub2 port 4 configuration 1 interface 0
uhidev2: Microsoft Microsoft 5-Button Mouse with IntelliEye(TM), rev 
1.10/3.00, addr 4, iclass 3/1

ums1 at uhidev2: 5 buttons and Z dir.
wsmouse1 at ums1 mux 0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
uhub2: at uhub0 port 1 (addr 2) disconnected
uhidev0: at uhub2 port 3 (addr 3) disconnected
wskbd1: disconnecting from wsdisplay0
wskbd1 detached
ukbd0 detached
uhidev0 detached
uhidev1: at uhub2 port 3 

Can not boot OpenBSD/macppc 4.0-release from cd40.iso on PowerBook G4 15

2006-11-23 Thread Bruno Carnazzi

  Hi misc,

I'd like to evaluate OpenBSD/macppc as a replacement for Mac OS X (or
dual boot) on my PowerBook G4 15 (fr keyboard). While OpenBSD 3.9
boots flawlessly, OpenBSD 4.0 hangs with a kernel panic (cd40.iso)...
As I reboot and try to retrieve my dmesg, I see that OpenFirmware
keeps track of my previous boot attempt. Is there a way to retrieve
some dmesg under Mac OS X after a failed OpenBSD boot ? How can I
report this ?

Best regards,

Bruno.



Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

Andreas Bihlmaier wrote:

On Thu, Nov 23, 2006 at 12:24:21PM -0500, Alden Pierre wrote:
  

Hello all,

   I'm able to get userland pppoe working, but I'm having a hard time 
getting kernel pppoe to work properly.  Here are my config
files.  Is there anything I'm doing wrong?  I believe my config file 
follows what man 4 pppoe states.


# file /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 \
   authproto pap authname 'username' \


^^-- NEEDED?
  

For my username, the quotes are needed, you are right on this assertion.

   authkey 'password' up


 ^^-- NEEDED?
  

!/sbin/route add default 0.0.0.1

However, for my password I must supply it in quotes, my password has a 
strange character that throws a wrench into the whole thing.  It's one of those
infamous metacharacters, I believe the term is called.


I did not verify whether it matters, but I do not use `'` in my
hostname.pppoe0.
  

# file /etc/hostname.xl0
up

Regards,
Alden



Regards,
ahb


  


Regards,
Alden



Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

I made a typo, it should read:

For my username, the quotes are not needed, you are right on this assertion.
 

For my username, the quotes are needed, you are right on this assertion.

Regards,
Alden



Re: webmail

2006-11-23 Thread Jason Dixon

On Nov 23, 2006, at 2:08 PM, Sam Fourman Jr. wrote:

Roundcube looks REALLY cool, does OpenBSD have a Maintainer for it  
yet?


I don't think it needs a port.  Squirrelmail has been out there for  
years, no ports there either.


Does anyone know of a tutorial to set it up with postfix and  
PostgreSQL support?


The INSTALL document covers everything.


 is it better to use Postfix/Courier-IMAP or Postfix/Dovecot?


It depends entirely on your needs.  I was almost convinced to use
Dovecot on my new server.  It seems like a nice project, but it's a
bit too close to the bleeding edge.  Simply too many regression bugs
for my tastes.  If you choose that route, at least the port
maintainers seem to keep up with it (in ports -current).  One nice
feature is Dovecot-sasl, which Postfix now supports.  It is very easy
and straightforward to setup, much more so than Postfix with
Cyrus-SASL.  However, in my case, I needed to go with Cyrus-SASL[1].


That said, I chose to stay with Courier.  I've been running
Courier-IMAP for 3 years on the 3.0.x base without a single glitch or
exploit.  No corruption issues whatsoever.  I've installed the
following -current ports, everything is working great.  I migrated
all of my customers off the old 3.0.x base without any sort of
maildir changes whatsoever.


courier-authlib-0.58p0 authentication library for courier
courier-authlib-mysql-0.58p0 mysql authentication module for courier-authLib

courier-imap-4.1.1-imap_bugs imap server for maildir format mailboxes
courier-pop3-4.1.1  pop3 server for maildir format mailboxes

[1] I tend to use MySQL virtual accounts with the passwords stored
via MD5.  Unfortunately, Cyrus-SASL will not support MD5 passwords
via the SQL auxprop plugin.  I've gotten around this by using
Cyrus-SASL's authdaemond support, which authenticates against Courier's
authdaemond (courier-authlib), which in turn *does* support MD5
passwords in MySQL.  This feature is not enabled in Jakob's
cyrus-sasl2 port, so I added a new flavor.


@@ -46,7 +46,7 @@
MODGNU_CONFIG_GUESS_DIRS=${WRKSRC}/config ${WRKSRC}/saslauthd/config
-FLAVORS=   db4 ldap mysql pgsql sqlite
+FLAVORS=   db4 ldap mysql pgsql sqlite authdaemond
FLAVOR?=
.if ${FLAVOR:L:Mdb4}
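Review bot: The existing FLAVORS list on the `-FLAVORS=` line is alphabetical (db4 ldap mysql pgsql sqlite); appending `authdaemond` at the end of the `+FLAVORS=` line breaks that ordering, so `FLAVORS= authdaemond db4 ldap mysql pgsql sqlite` would keep the list consistent with how the other flavors are laid out.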
@@ -100,6 +100,10 @@
--without-mysql \
--without-pgsql \
--with-sqlite
+.endif
+
+.if ${FLAVOR:L:Mauthdaemond}
+CONFIGURE_ARGS+=   --with-authdaemond=/var/run/courier-auth
.endif
post-extract:
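Review bot: The new `.if ${FLAVOR:L:Mauthdaemond}` block passes `--with-authdaemond=/var/run/courier-auth` but, within this hunk, adds no dependency on the courier-authlib package whose authdaemond socket that path belongs to, so the flavor can be built and installed without the daemon it authenticates against; add a RUN_DEPENDS on courier-authlib under the same conditional and state the expected socket path in the port's description. The `+.endif` is inserted so that the pre-existing `.endif` now closes the new block instead of the sqlite one, which is correct, but an `.endif` line directly followed by a blank `+` line and a fresh `.if` reads more clearly if the other flavor blocks in the file use the same spacing.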


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: webmail

2006-11-23 Thread Joel Goguen
Doesn't seem to be in ports, so I'd guess not.

There's directions for setting up with MySQL, PostgreSQL, and SQLite in the 
INSTALL file once you unpack it.


On Thu, 23 Nov 2006 13:08:10 -0600, Sam Fourman Jr. [EMAIL PROTECTED] wrote:
 Roundcube looks REALLY cool, does OpenBSD have a Maintainer for it yet?
 
 Does anyone know of a tutorial to set it up with postfix and PostgreSQL
 support?
  is it better to use Postfix/Courier-IMAP or Postfix/Dovecot?
 
 
 Sam Fourman Jr.
 
 On 11/23/06, Joel Goguen [EMAIL PROTECTED] wrote:

 Having tried this just now, I'm now going to have to agree with the
 other
 RoundCube users here.  In not quite 10 minutes I had RC downloaded and
 configured, and it's easily the best webmail client I've seen yet.

 On Thu, 23 Nov 2006 11:40:58 -0500, Jason Dixon [EMAIL PROTECTED]
 wrote:
  On Nov 23, 2006, at 10:24 AM, Bryan Allen wrote:
 
  On Nov 23, 2006, at 8:19 AM, Jasper Bal wrote:
 
  Anyone using webmail on OpenBSD? What's good, what's not?
 
  Roundcube has been the new hotness for a while now.
 
  http://www.roundcube.net/
 
  It's trivial to configure, nice UI (shiny, has drag and drop),
  persistent IMAP connections... That said, I've only just now
  started stressing it, so, YMMV.
 
  I agree with others here that have suggested RoundCube.  It is very
  simple in features, but it does those things well.  I'm currently
  running revision 373 on a new OpenBSD -stable mailserver running
  Postfix/Courier-IMAP.  I have two other installations running older
  versions of RoundCube on OpenBSD and RHEL.
 
  To compare and contrast, I've also used Squirrelmail and Horde/IMP
  for years.  I can't say that I have any serious problems with
  Squirrelmail, but the interface sorely needs a freshening-up.  Horde/
  IMP setup is not for the faint of heart, but has a ton of modules
  available through the Horde framework.  But if all you need is a
  webmail interface that works well on OpenBSD, RoundCube should be on
  your short list.  Jump on the roundcube-dev list if you want to keep
  up with HEAD and track any regression bugs.
 
  --
  Jason Dixon
  DixonGroup Consulting
  http://www.dixongroup.net
 --
 Joel Goguen
 http://iapetus.dyndns.org/


 
 
--
Joel Goguen
http://iapetus.dyndns.org/



Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

Sorry if you see this message twice an error occurred on my end.

Here is my dmesg, I'm using a kvm switch btw.

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE 


real mem  = 536375296 (523804K)
avail mem = 481329152 (470048K)
using 4256 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 08/03/01, BIOS32 rev. 0 @ 
0xfb500, SMBIOS rev. 2.3 @ 0xf0800 (38 entries)

bios0: VIA Technologies, Inc. VT82C694X
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc800 0xd/0x4000! 0xd4000/0x800 0xd5000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA GeForce2 MX rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, 
channel 0 configured to compatibility, channel 1 configured to 
compatibility

wd0 at pciide0 channel 0 drive 0: ST340823A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: BENQ, DVD DC DQ60, MREC SCSI0 5/cdrom 
removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x16: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x16: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
auvia0 at pci0 dev 7 function 5 VIA VT82C686 AC97 rev 0x50: irq 11
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
xl0 at pci0 dev 9 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, 
address 00:04:75:ad:69:67

exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 11 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, 
address 00:04:75:ad:69:69

exphy1 at xl1 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f365 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1
uhub2: Texas Instruments TUSB2046 hub, rev 1.10/1.25, addr 2
uhub2: 4 ports with 4 removable, self powered
uhidev0 at uhub2 port 3 configuration 1 interface 0
uhidev0: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 3 configuration 1 interface 1
uhidev1: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/0
uhidev1: 3 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
ums0 at uhidev1 reportid 3: 0 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhidev2 at uhub2 port 4 configuration 1 interface 0
uhidev2: Microsoft Microsoft 5-Button Mouse with IntelliEye(TM), rev 
1.10/3.00, addr 4, iclass 3/1

ums1 at uhidev2: 5 buttons and Z dir.
wsmouse1 at ums1 mux 0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
uhub2: at uhub0 port 1 (addr 2) disconnected
uhidev0: at uhub2 port 3 (addr 3) disconnected
wskbd1: disconnecting from wsdisplay0
wskbd1 detached
ukbd0 detached
uhidev0 detached
uhidev1: at uhub2 port 3 (addr 3) disconnected
uhid0 detached
uhid1 detached
wsmouse0 detached
ums0 detached
uhidev1 detached
uhidev2: 

Re: webmail

2006-11-23 Thread Bob Beck
All webmail products suck.  I am using horde in one location
and squirrelmail in another.

-Bob

* Jasper Bal [EMAIL PROTECTED] [2006-11-23 07:48]:
 Anyone using webmail on OpenBSD? What's good, what's not?
 
 Jasper
 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n";
}



ulpt and usb-parallel adapters

2006-11-23 Thread Michael Small
Do usb to parallel port adapters work with OpenBSD?  There seems to be
some code commented out in ulpt.c with names including 1284 in them,
but I haven't been able to figure out for sure whether that really
means these devices aren't supported.  I'm debating whether to buy one
of them to connect an HP Deskjet 812C, which has only a parallel port
connector, to my Macintosh G4 (Powermac 3,4).  The USB bus on the G4
is OHCI.


-- 
Mike Small
[EMAIL PROTECTED]



Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

Here is my dmesg, I'm using a kvm switch btw and the ifconfig

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE 


real mem  = 536375296 (523804K)
avail mem = 481329152 (470048K)
using 4256 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 08/03/01, BIOS32 rev. 0 @ 
0xfb500, SMBIOS rev. 2.3 @ 0xf0800 (38 entries)

bios0: VIA Technologies, Inc. VT82C694X
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc800 0xd/0x4000! 0xd4000/0x800 0xd5000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA GeForce2 MX rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, 
channel 0 configured to compatibility, channel 1 configured to 
compatibility

wd0 at pciide0 channel 0 drive 0: ST340823A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: BENQ, DVD DC DQ60, MREC SCSI0 5/cdrom 
removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x16: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x16: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
auvia0 at pci0 dev 7 function 5 VIA VT82C686 AC97 rev 0x50: irq 11
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
xl0 at pci0 dev 9 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, 
address 00:04:75:ad:69:67

exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 11 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, 
address 00:04:75:ad:69:69

exphy1 at xl1 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f365 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1
uhub2: Texas Instruments TUSB2046 hub, rev 1.10/1.25, addr 2
uhub2: 4 ports with 4 removable, self powered
uhidev0 at uhub2 port 3 configuration 1 interface 0
uhidev0: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 3 configuration 1 interface 1
uhidev1: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/0
uhidev1: 3 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
ums0 at uhidev1 reportid 3: 0 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhidev2 at uhub2 port 4 configuration 1 interface 0
uhidev2: Microsoft Microsoft 5-Button Mouse with IntelliEye(TM), rev 
1.10/3.00, addr 4, iclass 3/1

ums1 at uhidev2: 5 buttons and Z dir.
wsmouse1 at ums1 mux 0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
uhub2: at uhub0 port 1 (addr 2) disconnected
uhidev0: at uhub2 port 3 (addr 3) disconnected
wskbd1: disconnecting from wsdisplay0
wskbd1 detached
ukbd0 detached
uhidev0 detached
uhidev1: at uhub2 port 3 (addr 3) disconnected
uhid0 detached
uhid1 detached
wsmouse0 detached
ums0 detached
uhidev1 detached
uhidev2: at uhub2 port 4 (addr 4) disconnected
wsmouse1 

Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

Andreas Bihlmaier wrote:

On Thu, Nov 23, 2006 at 12:24:21PM -0500, Alden Pierre wrote:
 

Hello all,

   I'm able to get userland pppoe working, but I'm having a hard time 
getting kernel pppoe to work properly.  Here are my config
files.  Is there anything I'm doing wrong, I believe my config file 
follows what man 4 pppoe states.


# file /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 \
   authproto pap authname 'username' \


^^-- NEEDED?
  
For my username, the quotes are not needed, you are right on this 
assertion.

   authkey 'password' up


 ^^-- NEEDED?
 

!/sbin/route add default 0.0.0.1

However, for my password I must supply it in quotes, my password has a 
strange character that throws a wrench into the whole thing. It's one of 
those infamous metacharacters, I believe the term is.


I did not verify whether it matters, but I do not use `'` in my
hostname.pppoe0.
 

# file /etc/hostname.xl0
up

Regards,
Alden



Regards,
ahb


  


Regards,
Alden



Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], chefren writes:
 On 11/23/06 6:35 PM, Igor Sobrado wrote:
 
  Participating in flamewars is usually not my
  style and I have certainly more productive ways to waste my time
  and patience.
 
 Probably not with computer security...

Do you stand treat?

You evidently don't know me.  I am not a security expert, why should I be?

But now that you ask... in 2001 I published a paper in an ACM SIGCOMM
conference (reprinted in a supplement to the ACM Computer Communication
Review in the same month) about security in distributed computing
environments.  This paper received a recommendation as a very good paper,
that should be published even if it means extending the program.  In this
paper I proposed an answer to a security problem in mobile agents that
remained open for more than five years and that most people in the field
believed was unsolvable.  I was one of the youngest speakers at a plenary
session of the ACM SIGCOMM.

That paper allowed me to get a position as full professor at my University.
But I am not a security expert at all.  In a year or so, I will probably
leave this University to get a position at a research lab at the Institute
of Nanotechnology sponsored by our government to work on a very different
research field.

 Nick is right from start to finish and you can learn a lot of his 
 friendly text.

Honestly, you have a wicked meaning for the word friendly.



SFTP only access to sshd

2006-11-23 Thread Ingo Schwarze
From time to time, people come here to ask:
How can i set up an account for SFTP only, forbidding shell access?

One common answer is scponly, http://sublimation.org/scponly/wiki/
This looks quite powerful, in particular if you intend to chroot.

I just had to implement SFTP only access myself.  Reading the scponly
sources, i realized that the task is nearly trivial as long as you
only want SFTP, no other protocols, and need no chroot.  So i thought
i might as well share with the list.  In case i overlooked anything
serious, chances are i shall be beaten...  ;-)

Use the following as the shell for the account in question.
Note that just setting the shell to /sbin/nologin or /usr/bin/false,
which is a common solution for FTP only, does not work for SFTP only
because sshd(8) will spawn `$SHELL -c /usr/libexec/sftp-server`
when contacted by sftp(1).

/* Ingo Schwarze 2006.  Public domain. */
#include <unistd.h>	/* execl */
#include <string.h>	/* strcmp */
#include <errno.h>	/* EPERM EINVAL */
#include <err.h>	/* err errx */

#define SFTPPATH "/usr/libexec/sftp-server"

int
main(int argc, char **argv) {
	if (argc == 1)
		errx(EPERM, "interactive login disabled");
	if (argc != 3)
		errx(EINVAL, "got %i instead of 2 arguments", argc-1);
	if (strcmp(argv[1], "-c") != 0)
		errx(EINVAL, "first arg is '%s' instead of '-c'", argv[1]);
	if (strcmp(argv[2], SFTPPATH) != 0)
		errx(EINVAL, "second arg is '%s' instead of '%s'", argv[2], SFTPPATH);
	execl(SFTPPATH, SFTPPATH, (char *)NULL);
	/* only reached if execl() itself failed */
	err(1, "execl %s", SFTPPATH);
}
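The same gate as a POSIX sh function, added here as an example and not Ingo's code, so that the contract sshd(8) imposes on the login shell can be exercised without compiling anything: sftp(1) makes sshd run `$SHELL -c /usr/libexec/sftp-server`, a plain `ssh user@host` runs `$SHELL` with no arguments, and `ssh user@host cmd` runs `$SHELL -c cmd`. Only the first form may pass. The function names `sftp_only_gate` and `gate_status` are mine; the sftp-server path is the one the post names, and the exit codes follow the C version (1 for EPERM, 22 for EINVAL).

```shell
#!/bin/sh
# Added example, not from the post: Ingo's SFTP-only gate as a sh function,
# plus a helper that reports the status it would exit with, so every
# argument shape sshd can hand a login shell can be checked.

SFTPPATH=/usr/libexec/sftp-server   # OpenBSD default, as in the post

# sftp_only_gate [ARGS...]: return 0 only when ARGS are exactly
# "-c $SFTPPATH"; otherwise say why on stderr and return non-zero.
# 1 mirrors errx(EPERM, ...), 22 mirrors errx(EINVAL, ...).
sftp_only_gate() {
    if [ $# -eq 0 ]; then
        echo "interactive login disabled" >&2
        return 1
    fi
    if [ $# -ne 2 ]; then
        echo "got $# instead of 2 arguments" >&2
        return 22
    fi
    if [ "$1" != "-c" ]; then
        echo "first arg is '$1' instead of '-c'" >&2
        return 22
    fi
    if [ "$2" != "$SFTPPATH" ]; then
        echo "second arg is '$2' instead of '$SFTPPATH'" >&2
        return 22
    fi
    return 0
}

# gate_status [ARGS...]: print the status the gate gives for ARGS
# (stderr suppressed), written as an AND-OR list so it also works
# under "set -e".
gate_status() {
    sftp_only_gate "$@" 2>/dev/null && echo 0 || echo $?
}

# The three shapes sshd produces, in the order a reader meets them:
echo "ssh user@host           -> status $(gate_status)"
echo "ssh user@host /bin/sh   -> status $(gate_status -c /bin/sh)"
echo "sftp user@host          -> status $(gate_status -c "$SFTPPATH")"

# Installed as a login shell, the script would end with
#     sftp_only_gate "$@" && exec "$SFTPPATH"
#     exit $?
# That tail is left out so the file can be sourced by a test harness.
```

Ingo's compiled program is the better thing to install as the account's shell, since a binary has no interpreter and no start-up files to reason about; the sh version is for checking the decision table. Later OpenSSH releases also offer `ForceCommand internal-sftp` inside a `Match User` block of sshd_config, which enforces the same restriction without a custom shell.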




Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Steve Williams writes:
 
 I block brute force attacks using PF.  They get a small set of attempts 
 before they are blocked.  Very trivial.
 
 table <scanners> persist
 pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
 keep state (max-src-conn-rate 5/40, overload <scanners>)
 block in log on $ext_if proto tcp from <scanners> to $ext_if port ssh

Trivial, perhaps... but an excellent example of how to use tables
to manage possible intrusion attempts.  A very good one!

 Voilà, I still have root access, with a hard to guess password, and 
 people trying to brute force me are blocked.  Of course, there could be 
 a distributed brute force attack... but how paranoid do you want to get??

A distributed brute force attack against your set up is, at best,
very challenging.  This attack would be possible only if you are
the target of a highly talented security expert.  No one is so
paranoid to believe that a distributed attack able to pass your
protection will happen, though.

 I also rely on having the ability to install/upgrade remotely and ssh 
 into the system post install.  With root access blocked off, well...kind 
 of hard!

I believe I missed the point here.  On an upgrade user accounts should
not be lost.  A fresh install usually requires a console (e.g., a port
server connected to the first serial port on the computer) and a special
firmware on the device (something like the ComBIOS on the soekris
communication computers, or the extended BIOS on the Dell PowerEdges
or Siemens Nixdorf PCD-5T computers).  In this case, root access
from the console should not be a problem at all.

I am curious... how can OpenBSD be remotely installed on a computer
without a setup like that one?  How can the installer be run remotely
without a device that the operating system calls console?

I usually copy the installation sets of OpenBSD to a bootable CF on
my soekris before making a fresh install (I usually avoid upgrades).
Even in this case, I need something to use as a console (e.g., a serial
cable that connects the soekris computer to a serial port on a machine
that can be accessed by ssh).

Just curious!

Igor.



Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Stuart Henderson writes:
 On 2006/11/23 17:07, Igor Sobrado wrote:
 ...
  to set up a firewall with an ever-growing list of hostile machines.
 ...
 
 I think you misunderstand me. I mean to restrict direct SSH access
 to only those networks which need access, not to block attackers when
 you see them. Authorized users would either connect from an approved
 IP address, or by using authpf. (for this, I'm assuming use of a
 separate firewall to protect a number of other machines, not 'self-
 protecting').

You are right, I misunderstood you.  We have a similar setup at the
machines at FCSI, in Illinois.  It is very secure, but somewhat
restrictive.  I certainly prefer opening the ssh service to the
world on a bastion host.  If that machine is attacked, only other
servers in the DMZ are at risk... well, the second firewall can
be attacked too.

 There aren't a lot of cases where you need to leave SSH access
 open to the world.

You are right, if the address ranges that will be allowed are carefully
chosen there is no need to leave ssh open to the world.  Even
if remote root access is disabled (it is usually disabled on my
computers) there is a risk of a user john having a password john...

I like your proposal a lot but, honestly, I am surprised by the elegant
method proposed by Steve.  With only a few opportunities to guess the
right password it seems that a brute force attack is not possible
at all (except with a highly distributed brute force attack, of
course, but it is out of the abilities of the standard intruders.)

I will consider both your proposal and Steve's one.

Thanks a lot for this excellent advice!

Igor.



Re: Assistance with kernel pppoe

2006-11-23 Thread Andreas Bihlmaier
On Thu, Nov 23, 2006 at 01:47:24PM -0500, Arnaud Bergeron wrote:
 On 11/23/06, Andreas Bihlmaier [EMAIL PROTECTED] wrote:
 On Thu, Nov 23, 2006 at 12:24:21PM -0500, Alden Pierre wrote:
  Hello all,
 
 I'm able to get userland pppoe working, but I'm having a hard time
  getting kernel pppoe to work properly.  Here are my config
  files.  Is there anything I'm doing wrong, I believe my config file
  follows what man 4 pppoe states.
 
  # file /etc/hostname.pppoe0
 
  inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 \
 authproto pap authname 'username' \
 ^^-- NEEDED?
 authkey 'password' up
  ^^-- NEEDED?
  !/sbin/route add default 0.0.0.1
 
 I did not verify whether it matters, but I do not use `'` in my
 hostname.pppoe0.
 
 This ends up getting run by /bin/sh so it is a matter of
 interpretation by the shell:
 
 $ echo foo
 foo
 $ echo 'foo'
 foo
 
 And since the command receives the same string there is no problem.
 If the username/password are purely alphanumeric it is not needed, but
 if they contain special characters for the shell, they should be
 between single quotes so that ifconfig gets them right.

Thanks for the clarification.
I didn't think about /etc/netstart being a shell script and normal shell
expansion taking place.

Since it never _hurts_, should pppoe(4) be modified to always have `'`,
because quite a few passwords use special chars (hopefully)?


--- /usr/src/share/man/man4/pppoe.4.origThu Nov 23 22:48:03 2006
+++ /usr/src/share/man/man4/pppoe.4 Thu Nov 23 22:48:32 2006
@@ -106,7 +106,7 @@
 .Bd -literal -offset indent
 inet 0.0.0.0 255.255.255.255 NONE \e
pppoedev ne0 authproto pap \e
-   authname testcaller authkey donttell up
+   authname 'testcaller' authkey 'donttell' up
 dest 0.0.0.1
 !/sbin/route add default 0.0.0.1
 .Ed
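Review bot: the hunk quotes the example credentials but leaves the surrounding text silent on why, so a reader still cannot tell that the hostname.if line is handed to /bin/sh and that the single quotes are what keep an authkey containing shell metacharacters intact, which is the case that motivated this change. Suggest adding one sentence before the `.Bd -literal` block saying so, and pointing out the remaining gap: a key that itself contains a single quote still needs the `'\''` idiom, since nothing can be escaped inside single quotes.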

 
  # file /etc/hostname.xl0
  up
 
  Regards,
  Alden
 
 Regards,
 ahb
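The quoting behaviour Arnaud describes, as an added example that is not part of the thread: the helpers below evaluate a hostname.if-style line exactly as /bin/sh would (quote removal, parameter expansion, globbing) and expose the argument vector ifconfig(8) ends up with, so the unquoted and quoted forms of a password with metacharacters can be compared. The function names `words`, `count` and `nth` and all sample lines and secrets are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: what ifconfig(8) receives once
# /bin/sh has interpreted a hostname.if(5) line.  Every sample line and
# secret here is constructed for the demonstration.

# words LINE: print the arguments the shell produces from LINE, one per line.
words() {
    eval "set -- $1"
    printf '%s\n' "$@"
}

# count LINE: number of arguments the shell produces from LINE.
count() {
    eval "set -- $1"
    echo $#
}

# nth N LINE: the N-th argument the shell produces from LINE.
nth() {
    _n=$1
    eval "set -- $2"
    shift $((_n - 1))
    printf '%s\n' "$1"
}

# A secret containing "$$" and "*", both special to sh.  Written without
# quotes, "$$" becomes the shell's PID and the value handed to ifconfig
# is not the password at all.
unquoted='authproto pap authname alice authkey pa$$w0rd* up'
# Single quotes stop every expansion, so the value arrives intact.
quoted="authproto pap authname 'alice' authkey 'pa\$\$w0rd*' up"
# Spaces and ';' are also harmless inside single quotes: still one word.
spaced="authkey 'pa ss;wd' up"
# The one character single quotes cannot contain is the single quote
# itself; the usual sh idiom is to close, escape and reopen: 'it'\''s'.
apost="authkey 'it'\''s' up"

echo "unquoted -> authkey value: $(nth 6 "$unquoted")"
echo "quoted   -> authkey value: $(nth 6 "$quoted")"
echo "spaced   -> $(count "$spaced") words, authkey value: $(nth 2 "$spaced")"
echo "apost    -> authkey value: $(nth 2 "$apost")"
```

Running it shows the unquoted line yielding something like `pa12345w0rd*` while the quoted line yields `pa$$w0rd*` unchanged, which is exactly the difference Alden ran into. Unquoted `;`, backticks or `|` are worse than a wrong value, since the shell would treat the rest of the line as a further command, so the sample lines above deliberately keep those characters inside quotes.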



Re: Assistance with kernel pppoe

2006-11-23 Thread Gustavo Rios

Mine works just like yours! I only add to /etc/hostname.pppoe0 a line like that:

inet 0.0.0.0 255.255.255.255 0.0.0.1 blah blah (eadem to yours)
!/sbin/route delete 0.0.0.1
!/sbin/route add default 0.0.0.1

On 11/23/06, Alden Pierre [EMAIL PROTECTED] wrote:

Hello all,

I'm able to get userland pppoe working, but I'm having a hard time
getting kernel pppoe to work properly.  Here are my config
files.  Is there anything I'm doing wrong, I believe my config file
follows what man 4 pppoe states.

# file /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev xl0 \
authproto pap authname 'username' \
authkey 'password' up
!/sbin/route add default 0.0.0.1

# file /etc/hostname.xl0
up


Regards,
Alden




wireless LAN - DWL-G120 on OPENBSD 4.0

2006-11-23 Thread K H A I
Is anyone working on this driver?
I have a D-LINK DWL-G120 USB wireless.
dmesg shows something like this
-
ugen0 at uhub2 port 1
ugen0: D-Link product 0x3701, rev 2.00/2.03, addr 2

-
I ran ifconfig -a but it does not show it at all?

Do you have any ideas to make this card work?
Do I have to compile the kernel?
If yes, what to change?

Thanks
Minh



 




Re: webmail

2006-11-23 Thread Michal Lesniewski

Jasper Bal wrote:

Anyone using webmail on OpenBSD? What's good, what's not?

Jasper



Hi, I use:
1. http://hastymail.sourceforge.net/ - by default Hastymail does NOT use 
HTML frames, Javascript, or cookies.
2. http://www.roundcube.net/ - browser-based multilingual IMAP client 
with an application-like user interface (XHTML, CSS 2, AJAX).

Regards,
Michal



Re: webmail

2006-11-23 Thread Vijay Sankar
Last year I replaced an Exchange Server with OpenBSD-based mail, file,
print, and webmail server and found the following combination to be the
best option for me:

Openwebmail
Dovecot
Samba3
Plone/Zope

All work with OpenLDAP so the user needs to remember only one password.
They are all available as packages (except Plone 2.5 and Zope 2.8 which
I had to build from source) which makes installation and configuration
really straightforward. HTTP compression with OpenWebmail made a big
difference when accessing mail through DSL uplinks. Also, Openwebmail
does not require IMAP, which meant that dovecot could be taken down,
upgraded, etc. without users losing access to email. I am able to use
the IMAP client in Plone, Outlook 2003, Kontact/Kmail, and Evolution
along with OWM without any conflicts.

The only problem I had with OWM was that I could not make it work in a
chrooted environment properly without having symlinks everywhere. So it
is running with -u -DSSL. Also, sometimes dovecot indices get corrupted
if I do something silly like deleting email through OWM while composing
an email from an IMAP client using the same mailbox (obviously my fault
since I use three workstations with Kmail on OpenBSD, Evolution on
Ubuntu, Outlook 2003 on Windows XP and leave them all running at the
same time ...)

Vijay

On Thu, 2006-23-11 at 14:19 +0100, Jasper Bal wrote:
 Anyone using webmail on OpenBSD? What's good, what's not?
 
 Jasper
 
-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: 204 885 9535, E-Mail: [EMAIL PROTECTED]



Re: raidctl: ioctl (RAIDFRAME_CONFIGURE) failed on 4.0 amd64 for RAID 1 (mirroring)

2006-11-23 Thread Joachim Schipper
On Wed, Nov 22, 2006 at 10:35:52PM +0530, Siju George wrote:
 On 11/22/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Tue, Nov 21, 2006 at 08:22:20PM -0600, Vijay Sankar wrote:
  Good day,
 
  I am pretty sure I was
  booting from /dev/raid0a on the old server but couldn't repeat that with
  this desktop. Here is my df -h
 
 raidctl -A root raid0?
 
 Nope it didn't work for me :-(
 
 relevant part from my mail earlier
 
 ===
 # raidctl -A root raid0
 raid0: Autoconfigure: Yes
 raid0: Root: Yes
 #
 #reboot

Did you check that you have `option RAID_AUTOCONFIG' enabled? Even a
typo will result in interesting behaviour (as I just found out an hour
ago, bsd.rd is useful...)

Joachim



Re: on the remote root login in OpenSSH

2006-11-23 Thread Joachim Schipper
On Thu, Nov 23, 2006 at 05:07:52PM +0100, Igor Sobrado wrote:
 [U]sing certificates is an excellent choice too.  I suppose
 that OpenBSD currently supports using certificates stored in
 removable media.  A bit hard to configure, but highly secure.
 Indeed.

I find it hard to think of a situation in which this would actually stop
an attacker, instead of making his/her work a little harder. I suppose
securelevel 2, an immutable kernel, and immutable system binaries might
make it harder to compromise the box across reboots. Provided the
securelevels actually work as advertised (I'm not sure; Theo thinks them
useless, and they can certainly be circumvented just by mounting
something over directories - at least until reboot).

Things like gdb and systrace are scarily powerful.

Joachim



Re: on the remote root login in OpenSSH

2006-11-23 Thread Joachim Schipper
On Thu, Nov 23, 2006 at 10:28:20PM +0100, Igor Sobrado wrote:
 In message [EMAIL PROTECTED], Steve Williams writes:
  
  I block brute force attacks using PF.  They get a small set of attempts 
  before they are blocked.  Very trivial.
  
  table <scanners> persist
  pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
  keep state (max-src-conn-rate 5/40, overload <scanners>)
  block in log on $ext_if proto tcp from <scanners> to $ext_if port ssh
 
  Voilà, I still have root access, with a hard to guess password, and 
  people trying to brute force me are blocked.  Of course, there could be 
  a distributed brute force attack... but how paranoid do you want to get??
 
 A distributed brute force attack against your set up is, at best,
 very challenging.  This attack would be possible only if you are
 the target of a highly talented security expert.  No one is so
 paranoid to believe that a distributed attack able to pass your
 protection will happen, though.

While I'm inclined to agree with the last part, setting up a botnet
isn't *that* hard.

  I also rely on having the ability to install/upgrade remotely and ssh 
  into the system post install.  With root access blocked off, well...kind 
  of hard!

 I am curious... how can OpenBSD be remotely installed on a computer
 without a [serial console]?  How can the installer be run remotely
 without a device that the operating system calls console?

Well, at least theoretically, one could just replace the install script
by one that does whatever you want it to, without asking any questions.

Joachim



Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

Here's my dmesg and ifconfig

Here is my dmesg, I'm using a kvm switch btw and the ifconfig

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE 


real mem  = 536375296 (523804K)
avail mem = 481329152 (470048K)
using 4256 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 08/03/01, BIOS32 rev. 0 @ 
0xfb500, SMBIOS rev. 2.3 @ 0xf0800 (38 entries)

bios0: VIA Technologies, Inc. VT82C694X
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc800 0xd/0x4000! 0xd4000/0x800 0xd5000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA GeForce2 MX rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, 
channel 0 configured to compatibility, channel 1 configured to 
compatibility

wd0 at pciide0 channel 0 drive 0: ST340823A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: BENQ, DVD DC DQ60, MREC SCSI0 5/cdrom 
removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x16: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x16: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
auvia0 at pci0 dev 7 function 5 VIA VT82C686 AC97 rev 0x50: irq 11
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
xl0 at pci0 dev 9 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, 
address 00:04:75:ad:69:67

exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 11 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, 
address 00:04:75:ad:69:69

exphy1 at xl1 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f365 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1
uhub2: Texas Instruments TUSB2046 hub, rev 1.10/1.25, addr 2
uhub2: 4 ports with 4 removable, self powered
uhidev0 at uhub2 port 3 configuration 1 interface 0
uhidev0: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 3 configuration 1 interface 1
uhidev1: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/0
uhidev1: 3 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
ums0 at uhidev1 reportid 3: 0 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhidev2 at uhub2 port 4 configuration 1 interface 0
uhidev2: Microsoft Microsoft 5-Button Mouse with IntelliEye(TM), rev 
1.10/3.00, addr 4, iclass 3/1

ums1 at uhidev2: 5 buttons and Z dir.
wsmouse1 at ums1 mux 0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
uhub2: at uhub0 port 1 (addr 2) disconnected
uhidev0: at uhub2 port 3 (addr 3) disconnected
wskbd1: disconnecting from wsdisplay0
wskbd1 detached
ukbd0 detached
uhidev0 detached
uhidev1: at uhub2 port 3 (addr 3) disconnected
uhid0 detached
uhid1 detached
wsmouse0 detached
ums0 detached
uhidev1 detached
uhidev2: at uhub2 port 4 (addr 

Re: SFTP only access to sshd

2006-11-23 Thread Antti Harri

On Thu, 23 Nov 2006, Ingo Schwarze wrote:


From time to time, people come here to ask:

How can i set up an account for SFTP only, forbidding shell access?


You can do sftp only with OpenSSH.

See the ForceCommand in sshd_config(5).

--
Antti Harri



Re: SFTP only access to sshd

2006-11-23 Thread Damien Miller
On Thu, 23 Nov 2006, Ingo Schwarze wrote:

 From time to time, people come here to ask:
 How can i set up an account for SFTP only, forbidding shell access?
 
 One common answer is scponly, http://sublimation.org/scponly/wiki/
 This looks quite powerful, in particular if you intend to chroot.
 
 I just had to implement SFTP only access myself.  Reading the scponly
 sources, i realized that the task is nearly trivial as long as you
 only want SFTP, no other protocols, and need no chroot.  So i thought
 i might as well share with the list.  In case i overlooked anything
 serious, chances are i shall be beaten...  ;-)

In OpenSSH-4.5:

Match user djm
X11Forwarding no
AllowTCPForwarding no
ForceCommand /usr/libexec/sftp-server

-d



Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

Hello,

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE 


real mem  = 536375296 (523804K)
avail mem = 481329152 (470048K)
using 4256 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 08/03/01, BIOS32 rev. 0 @ 
0xfb500, SMBIOS rev. 2.3 @ 0xf0800 (38 entries)

bios0: VIA Technologies, Inc. VT82C694X
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc800 0xd/0x4000! 0xd4000/0x800 0xd5000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA GeForce2 MX rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, 
channel 0 configured to compatibility, channel 1 configured to 
compatibility

wd0 at pciide0 channel 0 drive 0: ST340823A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: BENQ, DVD DC DQ60, MREC SCSI0 5/cdrom 
removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x16: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x16: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
auvia0 at pci0 dev 7 function 5 VIA VT82C686 AC97 rev 0x50: irq 11
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
xl0 at pci0 dev 9 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, 
address 00:04:75:ad:69:67

exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 11 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, 
address 00:04:75:ad:69:69

exphy1 at xl1 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f365 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1
uhub2: Texas Instruments TUSB2046 hub, rev 1.10/1.25, addr 2
uhub2: 4 ports with 4 removable, self powered
uhidev0 at uhub2 port 3 configuration 1 interface 0
uhidev0: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 3 configuration 1 interface 1
uhidev1: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/0
uhidev1: 3 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
ums0 at uhidev1 reportid 3: 0 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhidev2 at uhub2 port 4 configuration 1 interface 0
uhidev2: Microsoft Microsoft 5-Button Mouse with IntelliEye(TM), rev 
1.10/3.00, addr 4, iclass 3/1

ums1 at uhidev2: 5 buttons and Z dir.
wsmouse1 at ums1 mux 0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a


# My ifconfig, this is from a script file.name, unfortunately when I 
opened it under windows the format looks ugly.


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224

 groups: lo

 inet 127.0.0.1 netmask 0xff00

 inet6 ::1 prefixlen 128

 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

 lladdr 00:04:75:ad:69:67

 media: Ethernet autoselect (100baseTX 

Re: webmail

2006-11-23 Thread dreamwvr
On Thu, Nov 23, 2006 at 10:28:43PM +0100, Michal Lesniewski wrote:
 Jasper Bal wrote:
 Anyone using webmail on OpenBSD? What's good, what's not?
 
 Jasper
 
 
 Hi, I use:
 1. http://hastymail.sourceforge.net/ - by default Hastymail does NOT use 
 HTML frames, Javascript, or cookies.
 2. http://www.roundcube.net/ - browser-based multilingual IMAP client 
 with an application-like user interface (XHTML, CSS 2, AJAX).
 Regards,
 Michal
I have been playing with IMP lately. It is more like a suite than
just webmail. If that is what someone is after then SQWebmail is 
good as well. One thing is that setting all the php.ini for mini_sendmail
as well as sendmail with libs simply does not work in chroot w/IMP.
IMO IMP debug is not verbose enough.

Best Regards,
[EMAIL PROTECTED]



Re: Assistance with kernel pppoe

2006-11-23 Thread Alden Pierre

#dmesg
OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE 


real mem  = 536375296 (523804K)
avail mem = 481329152 (470048K)
using 4256 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 08/03/01, BIOS32 rev. 0 @ 
0xfb500, SMBIOS rev. 2.3 @ 0xf0800 (38 entries)

bios0: VIA Technologies, Inc. VT82C694X
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc800 0xd/0x4000! 0xd4000/0x800 0xd5000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA GeForce2 MX rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, 
channel 0 configured to compatibility, channel 1 configured to 
compatibility

wd0 at pciide0 channel 0 drive 0: ST340823A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: BENQ, DVD DC DQ60, MREC SCSI0 5/cdrom 
removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x16: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x16: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
auvia0 at pci0 dev 7 function 5 VIA VT82C686 AC97 rev 0x50: irq 11
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
xl0 at pci0 dev 9 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, 
address 00:04:75:ad:69:67

exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 11 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, 
address 00:04:75:ad:69:69

exphy1 at xl1 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f365 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1
uhub2: Texas Instruments TUSB2046 hub, rev 1.10/1.25, addr 2
uhub2: 4 ports with 4 removable, self powered
uhidev0 at uhub2 port 3 configuration 1 interface 0
uhidev0: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 3 configuration 1 interface 1
uhidev1: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 3, iclass 3/0
uhidev1: 3 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
ums0 at uhidev1 reportid 3: 0 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhidev2 at uhub2 port 4 configuration 1 interface 0
uhidev2: Microsoft Microsoft 5-Button Mouse with IntelliEye(TM), rev 
1.10/3.00, addr 4, iclass 3/1

ums1 at uhidev2: 5 buttons and Z dir.
wsmouse1 at ums1 mux 0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a

# ifconfig

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224

 groups: lo

 inet 127.0.0.1 netmask 0xff00

 inet6 ::1 prefixlen 128

 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

 lladdr 00:04:75:ad:69:67

 media: Ethernet autoselect (100baseTX full-duplex)

 status: active

 inet6 fe80::204:75ff:fead:6967%xl0 prefixlen 64 scopeid 0x1

xl1: 

Re: Bind performance

2006-11-23 Thread Matt Rowley

I can't reach that value with a Dell OptiPlex GX280 w/ onboard bge(4)
MP kernel, net.inet.ip.ifq.maxlen=250, 4.0 or -current, doesn't matter.
Collision count increases monotonically. Stops forwarding packets, etc.
Switching to em(4) carries limit to ~25k to ~30k.


consider trying to increase ifq.maxlen higher than that and see if it 
helps.  It did for me.


--Matt



bad udp cksum messages from client ipsec connection

2006-11-23 Thread Albert Chin
We have someone connecting from an FC4 host running Openswan 2.4.4
behind a firewall to our VPN server running OpenBSD 4.0. They are able
to establish a connection ok but tcpdump shows a bad cksum value for
pings from the client connection:
  # tcpdump -avs 1440 -e -ttt -i fxp4 host 60.44.70.140 and port ipsec-nat-t
  Nov 23 20:51:48.326651 0:a0:c8:9:79:cb 0:7:e9:5d:62:f8 ip 60: 
p5140-ipad207kobeminato.hyogo.ocn.ne.jp.10019 > 
ip67-95-107-117.z107-95-67.customer.algx.net.ipsec-nat-t: [udp sum ok] NAT-T 
Keepalive (DF) (ttl 39, id 0, len 29)
  Nov 23 20:52:02.680356 0:a0:c8:9:79:cb 0:7:e9:5d:62:f8 ip 174: 
p5140-ipad207kobeminato.hyogo.ocn.ne.jp.10019 > 
ip67-95-107-117.z107-95-67.customer.algx.net.ipsec-nat-t: [bad udp cksum e73a!] 
udpencap: esp p5140-ipad207kobeminato.hyogo.ocn.ne.jp > 
ip67-95-107-117.z107-95-67.customer.algx.net spi 0x6AF734AB seq 1 len 132 (DF) 
(ttl 39, id 256, len 160)
  Nov 23 20:52:03.689467 0:a0:c8:9:79:cb 0:7:e9:5d:62:f8 ip 174: 
p5140-ipad207kobeminato.hyogo.ocn.ne.jp.10019 > 
ip67-95-107-117.z107-95-67.customer.algx.net.ipsec-nat-t: [bad udp cksum 62fa!] 
udpencap: esp p5140-ipad207kobeminato.hyogo.ocn.ne.jp > 
ip67-95-107-117.z107-95-67.customer.algx.net spi 0x6AF734AB seq 2 len 132 (DF) 
(ttl 39, id 30211, len 160)
  Nov 23 20:52:04.714478 0:a0:c8:9:79:cb 0:7:e9:5d:62:f8 ip 174: 
p5140-ipad207kobeminato.hyogo.ocn.ne.jp.10019 > 
ip67-95-107-117.z107-95-67.customer.algx.net.ipsec-nat-t: [bad udp cksum faae!] 
udpencap: esp p5140-ipad207kobeminato.hyogo.ocn.ne.jp > 
ip67-95-107-117.z107-95-67.customer.algx.net spi 0x6AF734AB seq 3 len 132 (DF) 
(ttl 39, id 256, len 160)
  Nov 23 20:52:05.714428 0:a0:c8:9:79:cb 0:7:e9:5d:62:f8 ip 174: 
p5140-ipad207kobeminato.hyogo.ocn.ne.jp.10019 > 
ip67-95-107-117.z107-95-67.customer.algx.net.ipsec-nat-t: [bad udp cksum 7874!] 
udpencap: esp p5140-ipad207kobeminato.hyogo.ocn.ne.jp > 
ip67-95-107-117.z107-95-67.customer.algx.net spi 0x6AF734AB seq 4 len 132 (DF) 
(ttl 39, id 256, len 160)
  ...

I've tested both an FC4 and FC5 client behind an OpenBSD 4.0 firewall
connecting to the same OpenBSD 4.0 VPN server and I don't have any
problems.

Anyone with ideas on why this is happening? The client is behind a
Panasonic DN-C200NC firewall (VOIP/NAT/...).

-- 
albert chin ([EMAIL PROTECTED])
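tcpdump's `[bad udp cksum ...]` note is the receiver-side check from RFC 768: the UDP checksum covers a pseudo-header that contains the source and destination IP addresses, so any NAT that rewrites an address has to update the checksum as well. The script below is an added example, written for this thread rather than taken from it, and it is not a diagnosis of the Panasonic box; it assumes one mechanism that produces exactly this symptom. With constructed addresses and a constructed ESP-in-UDP payload it computes the checksum the private client would send, shows that a NAT which rewrites the source address but leaves the checksum alone fails verification at the far end, and shows the RFC 1624 incremental update a correct NAT applies.

```python
import ipaddress
import struct

# Constructed addresses and payload for the demonstration (not values from the thread).
PRIVATE_CLIENT = "10.0.0.20"      # client's address behind the NAT
PUBLIC_CLIENT = "203.0.113.7"     # address the NAT substitutes for it
VPN_SERVER = "198.51.100.5"
NAT_T_PORT = 4500
# Fake ESP-in-UDP body: 4-byte SPI, 4-byte sequence number, 16 bytes of "ciphertext".
ESP_PAYLOAD = struct.pack("!II", 0x01020304, 1) + bytes(range(16))
KEEPALIVE = b"\xff"               # a NAT-T keepalive is a single 0xFF byte


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry, as in RFC 1071."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_and_udp(src, dst, sport, dport, payload, csum_field):
    """Bytes the UDP checksum covers: the IPv4 pseudo-header (addresses, zero,
    protocol 17, UDP length), then the UDP header and the payload."""
    length = 8 + len(payload)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 17, length))
    header = struct.pack("!HHHH", sport, dport, length, csum_field)
    return pseudo + header + payload


def udp_checksum(src, dst, sport, dport, payload):
    """Checksum a sender puts in the header (RFC 768). A computed zero is sent
    as 0xFFFF because zero means 'no checksum' in IPv4 UDP."""
    csum = (~ones_complement_sum(_pseudo_and_udp(src, dst, sport, dport, payload, 0))) & 0xFFFF
    return csum or 0xFFFF


def verify_udp(src, dst, sport, dport, payload, checksum):
    """Receiver-side check, the one behind tcpdump's '[bad udp cksum ...]': with
    the transmitted checksum included, everything must sum to 0xFFFF."""
    if checksum == 0:
        return True   # IPv4 sender did not compute one; nothing to verify
    return ones_complement_sum(_pseudo_and_udp(src, dst, sport, dport, payload, checksum)) == 0xFFFF


def incremental_update(old_csum, old_bytes, new_bytes):
    """RFC 1624 eq. 3, what a correct NAT does when it rewrites a field m to m':
    HC' = ~(~HC + ~m + m'). Used here for a 4-byte address."""
    total = (((~old_csum) & 0xFFFF)
             + ones_complement_sum(bytes(b ^ 0xFF for b in old_bytes))
             + ones_complement_sum(new_bytes))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    new_csum = (~total) & 0xFFFF
    return new_csum or 0xFFFF


def simulate_nat(payload=ESP_PAYLOAD):
    """Send from the private address, then rewrite the source the way a NAT would:
    once without touching the checksum, once with the incremental fix."""
    sent = udp_checksum(PRIVATE_CLIENT, VPN_SERVER, NAT_T_PORT, NAT_T_PORT, payload)
    fixed = incremental_update(sent, ipaddress.IPv4Address(PRIVATE_CLIENT).packed,
                               ipaddress.IPv4Address(PUBLIC_CLIENT).packed)
    return {
        "sent_ok_before_nat": verify_udp(PRIVATE_CLIENT, VPN_SERVER, NAT_T_PORT, NAT_T_PORT, payload, sent),
        "naive_nat_ok": verify_udp(PUBLIC_CLIENT, VPN_SERVER, NAT_T_PORT, NAT_T_PORT, payload, sent),
        "fixed_nat_ok": verify_udp(PUBLIC_CLIENT, VPN_SERVER, NAT_T_PORT, NAT_T_PORT, payload, fixed),
        "fixed_equals_recompute": fixed == udp_checksum(PUBLIC_CLIENT, VPN_SERVER, NAT_T_PORT, NAT_T_PORT, payload),
    }


if __name__ == "__main__":
    for name, ok in simulate_nat().items():
        print(f"{name}: {'udp sum ok' if ok else 'bad udp cksum!'}")
```

`verify_udp` treats a transmitted checksum of zero as "not computed", as IPv4 UDP receivers do, so a sender that disables UDP checksums never shows up as bad; a sender that does compute them, as the client in this thread evidently does, exposes every address or port rewrite that the NAT forgot to account for.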



Re: raidctl: ioctl (RAIDFRAME_CONFIGURE) failed on 4.0 amd64 for RAID 1 (mirroring)

2006-11-23 Thread Siju George

On 11/24/06, Joachim Schipper [EMAIL PROTECTED] wrote:

On Wed, Nov 22, 2006 at 10:35:52PM +0530, Siju George wrote:
 On 11/22/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Tue, Nov 21, 2006 at 08:22:20PM -0600, Vijay Sankar wrote:
  Good day,
 
  I am pretty sure I was
  booting from /dev/raid0a on the old server but couldn't repeat that with
  this desktop. Here is my df -h
 
 raidctl -A root raid0?

 Nope it didn't work for me :-(

 relevant part from my mail earlier

 ===
 # raidctl -A root raid0
 raid0: Autoconfigure: Yes
 raid0: Root: Yes
 #
 #reboot

Did you check that you have `option RAID_AUTOCONFIG' enabled? Even a
typo will result in interesting behaviour (as I just found out an hour
ago, bsd.rd is useful...)

   Joachim




# cat /usr/src/sys/arch/amd64/conf/GENERIC.RAID
include arch/amd64/conf/GENERIC

option RAID_AUTOCONFIG
pseudo-device raid 4
#


Yes I had this config file :-)

kind Regards

Siju



Re: on the remote root login in OpenSSH

2006-11-23 Thread Bill Maas
Hi,

how about this one:

PermitRootLogin 192.168.1

Should any of the SSH maintainers be reading this: possible new SSH
feature?

Bill


On Thu, 2006-11-23 at 12:24 +0100, Igor Sobrado wrote:
 Hi again!
 
 I have a question on the default behaviour of OpenSSH.  Please, do not
 understand that I am complaining on it or trying to change its behaviour
 in relation with remote root logins allowed by default on OpenSSH (but
 I certainly believe it would be nice, that is the reason I write this
 message to the misc@ mailing list).  Just want to share my opinion with
 the members of this mailing list.
 
 First of all, I understand that remote root logins can be easily
 avoided by setting PermitRootLogin to no in /etc/ssh/sshd_config.
 I guess that remote root logins are allowed by default to simplify
 management of small network appliances that do not have user accounts
 on them.  But these appliances are only a small number of all OpenBSD
 installations and, even if this number is not so small, a restricted
 (non-root) account in the group wheel and probably in the group operator
 too, on these devices is advisable to avoid damaging these appliances
 by mistake.
 
 In my humble opinion, there are three reasons to deny remote root logins
 by default:
 
   1. Remote root login enabled by default makes the wheel group
  superfluous (i.e., why are users added to the wheel group when
  a user not in this group can log in as root, once the root
  password is known to him, by just typing ssh [EMAIL PROTECTED]?)
 
   2. There are a lot of threats against the root account based in
  brute force attacks.  Most of us see logs on this matter in our
  workstations and servers.  Sometimes these threats, done by
  humans, network scanners or even worms, are successful.  It is
  just a matter of (bad) luck.
 
   3. OpenBSD is secure by default; all services should be configured
  to the most secure defaults.  I think that this reason is as good
  as the previous ones.  And not allowing remote root logins by
  default makes sense to me in relation with this goal.
 
 Someone that really wants to allow remote root logins should be able to
 enable this feature just changing /etc/ssh/sshd_config.  But, in my
 humble opinion, most users do not really want this dangerous feature
 enabled by default.  And, even on small network appliances, an unprivileged
 account in the wheel group (and even in the operator group) is a good
 management practice.
 
 [please, send copies of replies to this post to me if possible.  I will
 do my best to answer any post, even if not sent to me, but it will be
 more difficult tracking who sent the message I am replying to.]
 
 Cheers,
 Igor.



Re: on the remote root login in OpenSSH

2006-11-23 Thread Han Boetes
Bill Maas wrote:
 how about this one:

 PermitRootLogin 192.168.1

 Should any of the SSH maintainers be reading this: possible new SSH
 feature?

AllowUsers


# Han
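Both the SFTP-only `Match` block in Damien Miller's reply earlier in this digest and the `AllowUsers` suggestion here come down to which sshd_config(5) keywords end up in force for a given user and source address. The following Python is an added example, not OpenSSH code and not from anyone on this thread: it parses a constructed sshd_config, applies a simplified model of Match-block precedence (a matching block overrides the global section; the first matching block to set a keyword wins), and checks two things a reviewer would want to confirm: whether a user is pinned to sftp-server with forwarding disabled, and whether `AllowUsers user@host` lets that user in from a given address. Its Address handling (CIDR ranges or wildcard patterns) and its matching of the `user@host` host part against the address only (sshd also tries the resolved hostname) are assumptions of this model.

```python
import fnmatch
import ipaddress

# Constructed sshd_config for the demonstration: the Match block has the shape of
# the one in Damien Miller's reply, the AllowUsers line is the user@host idea.
SAMPLE_CONFIG = """\
PermitRootLogin no
X11Forwarding yes
AllowTCPForwarding yes
AllowUsers djm admin@192.168.1.*

Match user djm
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand /usr/libexec/sftp-server
"""


def parse_sshd_config(text):
    """Global options plus an ordered list of (criteria, options) Match blocks.
    Keywords are case-insensitive, so they are stored lowercased; for a keyword
    repeated inside one section the first value wins, as in sshd."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            toks = value.split()
            criteria = {toks[i].lower(): toks[i + 1] for i in range(0, len(toks) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(key, value)
    return global_opts, blocks


def _user_matches(pattern, user):
    return any(fnmatch.fnmatchcase(user, p) for p in pattern.split(","))


def _addr_matches(pattern, addr):
    """Assumption: Address criteria are CIDR ranges or wildcard patterns, a
    simplification of what sshd_config(5) accepts."""
    for p in pattern.split(","):
        if "/" in p:
            if ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, p):
            return True
    return False


def block_applies(criteria, user, addr):
    for crit, pattern in criteria.items():
        if crit == "user":
            if not _user_matches(pattern, user):
                return False
        elif crit == "address":
            if not _addr_matches(pattern, addr):
                return False
        else:
            return False   # criteria this model does not implement never match
    return True


def effective_options(config, user, addr):
    """Keywords in a matching Match block override the global section; when
    several blocks match, the first one to set a keyword wins."""
    global_opts, blocks = config
    result, overridden = dict(global_opts), set()
    for criteria, opts in blocks:
        if block_applies(criteria, user, addr):
            for key, value in opts.items():
                if key not in overridden:
                    result[key] = value
                    overridden.add(key)
    return result


def login_permitted(config, user, addr):
    """PermitRootLogin no refuses root outright; an AllowUsers line, if present,
    must list the user, optionally as user@host. Assumption: the host part is
    matched against the address only."""
    opts = effective_options(config, user, addr)
    if user == "root" and opts.get("permitrootlogin", "yes").lower() == "no":
        return False
    allow = opts.get("allowusers")
    if allow is None:
        return True
    for pat in allow.split():
        upat, _, hpat = pat.partition("@")
        if fnmatch.fnmatchcase(user, upat) and (not hpat or fnmatch.fnmatchcase(addr, hpat)):
            return True
    return False


def sftp_only(config, user, addr):
    """True when the session is pinned to the SFTP server with X11 and TCP
    forwarding off, i.e. the shape of the Match block in the thread."""
    opts = effective_options(config, user, addr)
    force = opts.get("forcecommand", "")
    return ((force.endswith("sftp-server") or force == "internal-sftp")
            and opts.get("x11forwarding", "yes").lower() == "no"
            and opts.get("allowtcpforwarding", "yes").lower() == "no")


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    for user, addr in (("djm", "10.0.0.5"), ("admin", "192.168.1.7"),
                       ("admin", "10.0.0.5"), ("root", "192.168.1.7")):
        print(user, addr, "login:", login_permitted(cfg, user, addr),
              "sftp-only:", sftp_only(cfg, user, addr))
```

The point of evaluating a (user, address) pair rather than reading the file by eye is that a global `X11Forwarding yes` above a Match block is harmless for `djm` but stays in force for everyone the block does not match, and an `AllowUsers` line silently denies every account it does not name; both are easy to misjudge in a long sshd_config.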



Re: Connecting to OpenBSD 4.0 isakmpd with racoon on FC5

2006-11-23 Thread Albert Chin
On Thu, Nov 23, 2006 at 08:21:33AM -0600, Albert Chin wrote:
 I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
 4.0 VPN server running isakmpd. I already have things working with
 Openswan but would like to get it working with racoon for our Mac OS
 clients.
 
 The OpenBSD /etc/ipsec.conf config:
   ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes \
 srcid [vpn server FQDN] dstid [FC5 laptop FQDN]
 
 ...
 
 Am I getting the sainfo section wrong in racoon.conf? With the sainfo
 section, do I still need setkey?

I've made some more changes but still cannot get it working. Looks
like I do need to use setkey. I modified the OpenBSD /etc/ipsec.conf
to:
  ike passive esp from 192.168.10.0/24 to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
srcid vpn-server.thewrittenword.com dstid [EMAIL PROTECTED]

and racoon.conf:
  remote 67.95.107.100 {
exchange_mode main;
my_identifier user_fqdn [EMAIL PROTECTED];
peers_identifier fqdn vpn-server.thewrittenword.com;
certificate_type x509 [EMAIL PROTECTED] /etc/ipsec.d/private/local.key;
ca_type x509 /etc/ipsec.d/cacerts/ca.crt;

nat_traversal on;

proposal {
  encryption_algorithm aes;
  hash_algorithm sha1;
  dh_group modp1024;
  authentication_method rsasig;
}
  }

  sainfo anonymous {
pfs_group 2;
encryption_algorithm aes, 3des, blowfish;
authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
compression_algorithm deflate;
  }

and /etc/racoon/ipsec.conf:
  flush;
  spdflush;

  spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec
esp/tunnel/192.168.6.1-67.95.107.100/require;
  spdadd -4 192.168.10.0/24 192.168.6.1 any -P  in ipsec
esp/tunnel/67.95.107.100-192.168.6.1/require;

Any ideas?

-- 
albert chin ([EMAIL PROTECTED])



Re: ktrace interpretation

2006-11-23 Thread Otto Moerbeek
On Thu, 23 Nov 2006, Jan Stary wrote:

[snip]
  
2153 foo  CALL  munmap(0x470d7000,0x1000)
2153 foo  RET   munmap 0
2153 foo  CALL  exit(0)
  $ 
 
 thanks! This exactly is the minimal example I wanted to understand.
 Would you please recommend a piece of literature where I can learn
 this from the beginning?

The 4.4BSD book by McKusick et al comes to mind for a general
overview. But for the gory details you must turn to the source tree.
It might not be literature, but it reads like a book.

-Otto



Re: Connecting to OpenBSD 4.0 isakmpd with racoon on FC5

2006-11-23 Thread Igor Goldenberg

2006/11/24, Albert Chin [EMAIL PROTECTED]:


 quick auth hmac-sha1 enc aes \



  sainfo anonymous {
pfs_group 2;
encryption_algorithm aes, 3des, blowfish;
authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
compression_algorithm deflate;
  }


I think it's better to setup the same auth algo for both ends (and
maybe comment out pfs_group in sainfo).



Re: on the remote root login in OpenSSH

2006-11-23 Thread Woodchuck
On Thu, 23 Nov 2006, Darrin Chandler wrote:

 No. It would be simple enough to disable everything, but that wouldn't
 be functional. OpenBSD has an excellent track record for security, yet
 many useful things are enabled by default. Do you *really* believe that
 nobody has thought about turning off root ssh in the default configs? Of
 course they have. Yet it remains enabled. Selecting a secure password
 for root is YOUR responsibility.

You know, I seem to recall that many versions ago (maybe even as far
back as 2.xx) root login on ssh *was* disallowed by default.
I recall being bitten by it, too, on remote (other-side-of-the-room)
installations on headless machines.

At worst you have a small window during installation in which root
logins are allowed, before you shut them off by chroot'ing as Paul
outlined in his post.

btw, that chroot to /mnt may not be obvious to some, and a little
advisory (or even a menu choice) at the end of the install script
might be a good use of a 100 bytes or so.

Halt now (H), Chroot to installed system (C) or shell (S)? [S]

Dave
-- 
  Confound these wretched rodents! For every one I fling away,
   a dozen more vex me! -- Doctor Doom



OpenCON hardware.

2006-11-23 Thread laurent FANIS

Greetings

Any developer that is going to be at OpenCON and wants a USRobotics
WiFi card using the unsupported GW3887 (Conexant) chipset ?

Please contact me in private.

Best Laurent.



Re: Connecting to OpenBSD 4.0 isakmpd with racoon on FC5

2006-11-23 Thread Albert Chin
On Fri, Nov 24, 2006 at 12:04:57PM +0500, Igor Goldenberg wrote:
 2006/11/24, Albert Chin [EMAIL PROTECTED]:
 
  quick auth hmac-sha1 enc aes \
 
   sainfo anonymous {
 pfs_group 2;
 encryption_algorithm aes, 3des, blowfish;
 authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
 compression_algorithm deflate;
   }
 
 I think it's better to setup the same auth algo for both ends (and
 maybe comment out pfs_group in sainfo).

My /etc/ipsec.conf is:
  ike passive esp from 192.168.10.0/24 to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
srcid vpn-server.thewrittenword.com dstid [EMAIL PROTECTED]

So yes, I could change the above to:
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;

-- 
albert chin ([EMAIL PROTECTED])



Re: Connecting to OpenBSD 4.0 isakmpd with racoon on FC5

2006-11-23 Thread Albert Chin
On Fri, Nov 24, 2006 at 12:38:46AM -0600, Albert Chin wrote:
 On Thu, Nov 23, 2006 at 08:21:33AM -0600, Albert Chin wrote:
  I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
  4.0 VPN server running isakmpd. I already have things working with
  Openswan but would like to get it working with racoon for our Mac OS
  clients.
  
  The OpenBSD /etc/ipsec.conf config:
ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
  main auth hmac-sha1 enc aes group modp1024 \
  quick auth hmac-sha1 enc aes \
  srcid [vpn server FQDN] dstid [FC5 laptop FQDN]
  
  ...
  
  Am I getting the sainfo section wrong in racoon.conf? With the sainfo
  section, do I still need setkey?
 
 I've made some more changes but still cannot get it working. Looks
 like I do need to use setkey. I modified the OpenBSD /etc/ipsec.conf
 to:
   ike passive esp from 192.168.10.0/24 to any \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes \
 srcid vpn-server.thewrittenword.com dstid [EMAIL PROTECTED]
 
 and racoon.conf:
   remote 67.95.107.100 {
 exchange_mode main;
 my_identifier user_fqdn [EMAIL PROTECTED];
 peers_identifier fqdn vpn-server.thewrittenword.com;
 certificate_type x509 [EMAIL PROTECTED] 
 /etc/ipsec.d/private/local.key;
 ca_type x509 /etc/ipsec.d/cacerts/ca.crt;
 
 nat_traversal on;
 
 proposal {
   encryption_algorithm aes;
   hash_algorithm sha1;
   dh_group modp1024;
   authentication_method rsasig;
 }
   }
 
   sainfo anonymous {
 pfs_group 2;
 encryption_algorithm aes, 3des, blowfish;
 authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
 compression_algorithm deflate;
   }
 
 and /etc/racoon/ipsec.conf:
   flush;
   spdflush;
 
   spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec
 esp/tunnel/192.168.6.1-67.95.107.100/require;
   spdadd -4 192.168.10.0/24 192.168.6.1 any -P  in ipsec
 esp/tunnel/67.95.107.100-192.168.6.1/require;

Ok, this actually does work. On Linux, the SAs don't get authenticated
until after you issue a network connection to the remote end. Ugh! So,
with the above, ping 192.168.10.13 x2 gets past Phase 2.

-- 
albert chin ([EMAIL PROTECTED])



Re: on the remote root login in OpenSSH

2006-11-23 Thread Woodchuck
On Fri, 24 Nov 2006, Joachim Schipper wrote:

 While I'm inclined to agree with the last part, setting up a botnet
 isn't *that* hard.

Particularly in the domain .kr, which Igor sees intermittent attack
from.  Korea has the perfect ecosystem for such a botnet -- very
large numbers of pretty fast CPU machines (Made in Korea, very good,
fast enough to run a bot without the user noticing  ;-), a very,
very large amount of ADSL or cable-modem connections, (and good
world-wide trunks, too),  high percentage of unpatched or neglected
Windoze machines of ancient OS release, since Internet use is very
wide-spread and most users are (therefore) very naive, a government
that does not do gross censorship as in China, and in fact is not
too interested in security or related issues.  Hence all the @#$%
spam from .kr -- the bot nets already exist, are in the hands of
professional spammers, and any organization interested in scanning
lots and lots of hosts, say knocking on ssh ports, can hire them
and run them without a lot of expertise.  Now let's say that that
person interested in scanning/mapping the world and starting stealthy
attacks against ssh open machines happens to be a Chinese governmental
agency, and they want deniability.

After a scan of a netblock, you find some hosts that look real
secure, all nicely buttoned up, no rpc crap hanging out for the
world to probe,  no goofy toy services running -- you fingerprint
that box as OpenBSD, latest release.  The ssh port is open.  This
is a high-value machine, probably.  People don't buy tanks and hire
armed guards to protect their lawnmower.  BTW, this is the *sole*
security disadvantage to OpenBSD I've ever really noted: it's like
a new bank with a big, shiny vault and a sign out front, Gold
stored here! Security is our Lifeblood!.  Armored trucks are seen
driving in and out through the heavily guarded gates.  Serious
badguys are going to be interested.  I get probed all the time,
even sitting on the end of a 56K dialup, including brute ssh hacks,
when I have ssh open.  I've thought of hanging a sort of Tiergrube
off that port, but at 56K it would also DoS myself.

   I also rely on having the ability to install/upgrade remotely and ssh 
   into the system post install.  With root access blocked off, well...kind 
   of hard!
 
  I am curious... how can OpenBSD be remotely installed on a computer
  without a [serial console]?  How can the installer be run remotely
  without a device that the operating system calls console?
 
 Well, at least theoretically, one could just replace the install script
 by one that does whatever you want it to, without asking any questions.

Yup, build a custom bsd.rd.  Not that hard for upgrading purposes,
no operator on the remote end is required.  I don't know how to do
this for a clean install on, say, (pardon me) a Windoze machine that
is being improved, without having a remote operator install a floppy
or CD  (or other appropriate installation medium for other arch's) at
the remote end.

Dave
-- 
  Confound these wretched rodents! For every one I fling away,
   a dozen more vex me! -- Doctor Doom