Problem with Pf

2007-12-05 Thread Léo Goehrs
Hi Guys,

I hope I am posting on the right mailing list. I am sending you this email
because I have been experiencing a lot of BAD State in pf recently.

I don't know if this has been discussed previously.

More and more people are now using OSes that can adapt the TCP window
size. In pf, I could see that pf checks the sequence number to make sure
it is in the expected range. Therefore, pf will make the following check:

Sequence number + tcpwindow size = Maximum expected sequence number.

This check was fine when there was no on-the-fly TCP window change. Now, on
very low latency networks (a few ms), we might experience a race condition where
pf will not see the packets in the right order; therefore, pf will see packets
coming in with a new TCP window size, but will not see the first modified
packet in time. Therefore, it will produce a Bad State in the logs.

To correct this, I had to remove this check in pf. Since then, I don't have
any problem anymore. I think we should work to find a correct alternative
solution for this. More and more OSes adapt their window size, starting with
Windows Vista, Linux (from 2.6.18 I think), Mac OS X Leopard.


I am also seeing a strange behavior while running backups. The backup will run
for about a gig, then I will have bad states and the following error:

Dec  5 08:34:24 pf01a-std /bsd: pf: BAD state: TCP 193.189.125.226:9103
193.189.125.226:9103 77.72.89.171:1900 [lo=1110166540 high=1110165037
win=65535 modulator=0] [lo=3660513330 high=3660578711 win=32767 modulator=0]
4:4 A seq=1110132270 (1110132270) ack=3660513330 len=1456 ackskew=0
pkts=127312:59301 dir=in,fwd
Dec  5 08:34:24 pf01a-std /bsd: pf: State failure on:   2 |

You can see that lo=1110166540 is higher than high=1110165037 and of
course the sequence number is out of bounds: seq=1110132270

Any idea what could cause such a mess?

I am using OpenBSD 4.1, with a custom-built kernel just to comment out the check in pf.

Lio
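Added example (not code from the thread or from pf itself): a small parser that pulls the per-side lo/high/win fields out of pf "BAD state" lines like the one quoted above and reports the two anomalies pointed out in the post (lo above high, seq below lo), using 32-bit wraparound arithmetic so it does not misjudge a window that straddles the sequence-number wrap. The reading of the "4:4" field as per-side TCP state numbers and of "A" as TCP flags is an assumption, and the second log line is constructed for contrast.

```python
"""Analyse pf 'BAD state' log lines for the window-tracking problem discussed above.

Constructed example. The first sample line is the thread's log line joined onto a
single line; the second is a constructed in-range line for contrast. Field meanings
are assumed from pf's state printout: [lo high win modulator] per side, then
src:dst TCP state numbers (4 = ESTABLISHED), TCP flags, seq/ack/len.
"""
import re

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap

# Constructed sample input (line 1 as quoted in the thread, line 3 made up).
SAMPLE_LOG = """\
Dec  5 08:34:24 pf01a-std /bsd: pf: BAD state: TCP 193.189.125.226:9103 193.189.125.226:9103 77.72.89.171:1900 [lo=1110166540 high=1110165037 win=65535 modulator=0] [lo=3660513330 high=3660578711 win=32767 modulator=0] 4:4 A seq=1110132270 (1110132270) ack=3660513330 len=1456 ackskew=0 pkts=127312:59301 dir=in,fwd
Dec  5 08:34:24 pf01a-std /bsd: pf: State failure on:   2 |
Dec  5 08:35:01 pf01a-std /bsd: pf: BAD state: TCP 10.0.0.5:22 10.0.0.5:22 10.0.0.9:40000 [lo=1000 high=66535 win=65535 modulator=0] [lo=5000 high=37767 win=32767 modulator=0] 4:4 A seq=2000 (2000) ack=5000 len=1456 ackskew=0 pkts=10:12 dir=in,fwd
"""

BAD_STATE_RE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<ep1>\S+) (?P<ep2>\S+) (?P<ep3>\S+) "
    r"\[lo=(?P<src_lo>\d+) high=(?P<src_hi>\d+) win=(?P<src_win>\d+) modulator=(?P<src_mod>\d+)\] "
    r"\[lo=(?P<dst_lo>\d+) high=(?P<dst_hi>\d+) win=(?P<dst_win>\d+) modulator=(?P<dst_mod>\d+)\] "
    r"(?P<src_state>\d+):(?P<dst_state>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) \((?P<seq_orig>\d+)\) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=(?P<pkts_a>\d+):(?P<pkts_b>\d+) dir=(?P<dir>\S+)"
)


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (like the kernel's SEQ_* macros)."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


def seq_in_range(x, lo, hi):
    """True if lo <= x <= hi in sequence space; False when the window is inverted."""
    return seq_diff(x, lo) >= 0 and seq_diff(hi, x) >= 0


def parse_bad_state(line):
    """Return a dict of the fields of one BAD state line, or None if it is not one."""
    m = BAD_STATE_RE.search(line)
    if m is None:
        return None
    return {k: (int(v) if v.lstrip("-").isdigit() else v) for k, v in m.groupdict().items()}


def analyse(rec):
    """Explain why the packet fell outside the tracked window."""
    seq = rec["seq"]
    end = (seq + rec["len"]) % SEQ_MOD          # last byte the packet carries, plus one
    lo, hi = rec["src_lo"], rec["src_hi"]
    return {
        "lo_above_high": seq_diff(lo, hi) > 0,  # inverted window: lo has overtaken high
        "window_span": seq_diff(hi, lo),        # negative when inverted
        "seq_in_window": seq_in_range(seq, lo, hi) and seq_in_range(end, lo, hi),
        "seq_offset_from_lo": seq_diff(seq, lo),  # < 0: packet is below what pf expects
        "ack_in_window": seq_in_range(rec["ack"], rec["dst_lo"], rec["dst_hi"]),
        "established": rec["src_state"] == 4 and rec["dst_state"] == 4,
    }


def scan(log_text):
    """Parse every BAD state line in a log blob; returns a list of (record, findings)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_bad_state(line)
        if rec is not None:
            out.append((rec, analyse(rec)))
    return out


if __name__ == "__main__":
    for rec, f in scan(SAMPLE_LOG):
        print(f"{rec['ep1']} {rec['ep3']}: lo>high={f['lo_above_high']} "
              f"span={f['window_span']} seq_off={f['seq_offset_from_lo']} "
              f"seq_ok={f['seq_in_window']} ack_ok={f['ack_in_window']}")
```

On the quoted line the script reports an inverted window (span -1503) and a sequence number 34270 below lo, while the ack side is still in range; that is the signature to grep for before deciding whether tracking, not the peer, is at fault.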



Re: Compliments and Knob Question

2007-12-05 Thread Brian

Richard Toohey wrote:

 On 5/12/2007, at 7:09 PM, Richard Toohey wrote:

  On 5/12/2007, at 4:24 PM, L wrote:

   Question about buttons and knobs..
   What exactly is a knob?

   [cut]

   it simpler. For example the CP command is just a knob for copy..

 My understanding of knob is an option or a switch.  I guess the
 meaning is like a music console - all those knobs you can turn to
 fiddle with sound.



Like this stuff ...

http://digitalmedia.oreilly.com/2005/01/26/synthedit1_0105.html

Lots and lots and LOTS of knobs all to fiddle with sound.
I always thought of the BGP routing protocol as the ultimate example of 
software knobbage.


Brian



Re: Access to a remote Oracle database

2007-12-05 Thread Christoph Leser
Hi,

AFAIK all access to Oracle databases requires Oracle client software. The only
exception I know of is JDBC (Java Database Connectivity), which has a thin
client requiring only TCP and the Oracle JDBC client, which is pure Java.
Maybe that is an option.

If not, you might connect your MS SQL Server to the Oracle database with Oracle
OLE DB or something like it and access Oracle via MSSQL.

regards

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf
 of Joaquin Herrero
 Sent: Tuesday, 4 December 2007 23:09
 To: misc@openbsd.org
 Subject: Access to a remote Oracle database


 Hi,

 I'm using freetds from my OpenBSD machine to connect to a MS SQL Server
 and it works like a charm. Now I need to access an Oracle server but it
 seems that the TDS protocol is not supported by Oracle databases; they use
 their own protocol named TNS and there is no freetns available.

 I investigated if I could use ODBC, but it seems (afaik) that ODBC needs a
 specific driver for each database and I do not know if there is such a driver
 for OpenBSD.

 Perhaps someone knows...
 a) if with freetds it is possible to connect to Oracle (perhaps activating
 some tds listener in the database)
 b) if ODBC is usable in OpenBSD to talk to Oracle.

 I'm using OpenBSD on a sparc machine at the moment (Sun Netra T1), but I can
 use a x86 machine as well.

 Any comments appreciated.

 --
 Joaquin Herrero



DLT4000 on openbsd st0: 10240-byte record too big

2007-12-05 Thread Khalid Schofield

Hi,
this error seems to have been around a bit on the newsgroups but I
see no answers only questions (yeah I've got a bible on the shelf next
to the Koran so I could try that).

I've a DLT4000 tape drive connected to a SCSI card in my Sun Blade
100 running OpenBSD 4.2

I'm getting this error in dmesg

st0: 10240-byte record too big

When I try to write to the tape I get this error:

# dd if=/dev/zero of=/dev/st0
dd: /dev/st0: Input/output error
1+0 records in
0+0 records out
0 bytes transferred in 1.138 secs (0 bytes/sec)

I'm guessing it's a simple block size thing but if I have to set the
block size every time it's going to be a major pain.

tar -cvf /dev/st0 /var/mail /home

was going to be my backup system :)

mt seems to be able to set the block size but I've no idea what it
should be. Are any of you using DLT4000 tape drives under OpenBSD?


thanks



Re: DLT4000 on openbsd st0: 10240-byte record too big

2007-12-05 Thread Khalid Schofield

working :)

many thanks



On 5 Dec 2007, at 10:52, Otto Moerbeek wrote:

 On Wed, Dec 05, 2007 at 10:23:46AM +, Khalid Schofield wrote:

  Hi,
  this error seems to have been around a bit on the newsgroups but I see no
  answers only questions (yeah I've got a bible on the shelf next to the Koran
  so I could try that).

  I've a DLT4000 tape drive connected to a SCSI card in my Sun Blade 100
  running OpenBSD 4.2

  I'm getting this error in dmesg

  st0: 10240-byte record too big

  When I try to write to the tape I get this error:

  # dd if=/dev/zero of=/dev/st0
  dd: /dev/st0: Input/output error
  1+0 records in
  0+0 records out
  0 bytes transferred in 1.138 secs (0 bytes/sec)

  I'm guessing it's a simple block size thing but if I have to set the block
  size every time it's going to be a major pain.

  tar -cvf /dev/st0 /var/mail /home

  was going to be my backup system :)

  mt seems to be able to set the block size but I've no idea what it should
  be. Are any of you using DLT4000 tape drives under OpenBSD?

  thanks

 As mentioned in st(4), use the raw interface.

 -Otto




A necessary evil: snmpd(8) and snmpctl(8)

2007-12-05 Thread Reyk Floeter
Hi!

I just imported snmpd(8) and snmpctl(8), an initial attempt to 
implement a new SNMP daemon for OpenBSD.  SNMP is the Simple Network
Management Protocol and it is still very commonly used in corporate
networks, by network vendors, and in network management systems (NMS).

SNMP is very essential for me since I'm using it at work; our security
appliances based on OpenBSD need to integrate into various SNMP
scenarios.  We had to use net-snmp for this; the BSD license is good
but the code is very bad and full of ancient cruft and portability
glue.  Then there were many problems with the net-snmp port in
OpenBSD, people reported 90% CPU usage on -misc, crashes, bugs, ...it
was just a pain.

So I decided to have a look at SNMP to implement something new.  When
we don't like the existing alternatives or ports, we tend to
re-implement it in OpenBSD, right?  Having a new snmpd(8) using
privilege separation, the imsg framework from ospfd/bgpd, knf,
security in mind, and a nice control program like snmpctl(8) would
be really nice and solve some of our problems.  And I knew that
claudio@ already started working on a little ASN.1 BER implementation
for another project; this was the perfect base for handling the
annoying BER-encoding of SNMP messages.

I talked to some people during OpenCON (http://www.openbsd.org/) about
my idea and the initial code that I was working on.  The expected
reaction was always like "This is nice, but I don't like SNMP.  SNMP
is a necessary evil."  People are upset and happy at the same time;
will it be possible to implement a sane SNMP?  Will it be possible to
make it secure?

The code is still in a very early stage, snmpctl(8) is mostly a stub
without any functionality, and the implemented MIBs are limited to
(most of) the MIB-2, SNMPv3-MIB, and the IF-MIB.  I plan to implement
the IP-MIB, TCP-MIB, UDP-MIB, and BRIDGE-MIB next and continue with
working on the daemon's infrastructure.  There needs to be a way to
talk to other daemons in OpenBSD without using SNMP BER messages:
IMSG.  snmpd(8) may connect to the daemons, query some IMSG
information, and provide the SNMP MIBs for the outside world.  I also
plan to export some useful information like sensor status in an
OpenBSD-specific MIB. 

I DON'T want to provide a plug-in or module API, people can use
net-snmp if they need a hyper-extensible codebase.

The daemon is currently based on the SNMPv2/3 RFCs, supporting
SNMPv1/2 messages and a very simple community-based security model
(SNMPv2c).  The User-based Security Model (USM) will be added later,
but the complexity of the new SNMPv3 standards is a little bit scary;
they turned a simple protocol into a mess of layers, modules, and
abstractions.  There is also a very interesting draft about a
SSH-based security model for SNMP (draft-ietf-isms-secshell), but it
is defined by Cisco and Huawei...

Sure, I'm looking for volunteers to test and to contribute to
snmpd(8), have a look at the src/usr.sbin/snmpd/README file and the
code in the OpenBSD source tree.  It is not enabled in the builds yet
and it will take some time before we are satisfied enough to enable
it.  Again, please don't propose any useless features XYZ, it is good
to have net-snmp for all the additional foo.

reyk

# client: snmpwalk from net-snmp, server: new OpenBSD snmpd(8)
sysDescr = STRING: OpenBSD john.hq.vantronix.net 4.2 GENERIC.MP#6 amd64
sysObjectID = OID: enterprises.26766.42.2.1.42
sysUpTime = Timeticks: (2472) 0:00:24.72
sysContact = STRING: [EMAIL PROTECTED]
sysName = STRING: john.hq.vantronix.net
sysLocation = STRING: 
sysServices = INTEGER: 74
sysORLastChange = Timeticks: (0) 0:00:00.00
sysORIndex.1 = INTEGER: 1
sysORIndex.2 = INTEGER: 2
sysORIndex.3 = INTEGER: 3
sysORID.1 = OID: mib-2
sysORID.2 = OID: snmp
sysORID.3 = OID: ifMIB
sysORDescr.1 = STRING: iso.org.dod.internet.mgmt.mib-2
sysORDescr.2 = STRING: iso.org.dod.internet.mgmt.mib-2.snmp
sysORDescr.3 = STRING: iso.org.dod.internet.mgmt.mib-2.ifMIB
sysORUpTime.1 = Timeticks: (0) 0:00:00.00
sysORUpTime.2 = Timeticks: (0) 0:00:00.00
sysORUpTime.3 = Timeticks: (0) 0:00:00.00
ifNumber = INTEGER: 4
ifIndex.1 = INTEGER: 1
ifIndex.2 = INTEGER: 2
ifIndex.3 = INTEGER: 3
ifIndex.4 = INTEGER: 4
ifDescr.1 = STRING: em0
ifDescr.2 = STRING: ath0
ifDescr.3 = STRING: enc0
ifDescr.4 = STRING: lo0
ifType.1 = INTEGER: ethernetCsmacd(6)
ifType.2 = INTEGER: ethernetCsmacd(6)
ifType.3 = INTEGER: other(1)
ifType.4 = INTEGER: softwareLoopback(24)
ifMtu.1 = INTEGER: 1500
ifMtu.2 = INTEGER: 1500
ifMtu.3 = INTEGER: 1536
ifMtu.4 = INTEGER: 33168
ifSpeed.1 = Gauge32: 10
ifSpeed.2 = Gauge32: 5400
ifSpeed.3 = Gauge32: 0
ifSpeed.4 = Gauge32: 0
ifPhysAddress.1 = STRING: 0:1a:6b:36:2e:5
ifPhysAddress.2 = STRING: 0:16:cf:ab:4c:97
ifPhysAddress.3 = STRING: 
ifPhysAddress.4 = STRING: 
ifAdminStatus.1 = INTEGER: up(1)
ifAdminStatus.2 = INTEGER: down(2)
ifAdminStatus.3 = INTEGER: down(2)
ifAdminStatus.4 = INTEGER: up(1)
ifOperStatus.1 = INTEGER: up(1)
ifOperStatus.2 = INTEGER: 

Re: DLT4000 on openbsd st0: 10240-byte record too big

2007-12-05 Thread Otto Moerbeek
On Wed, Dec 05, 2007 at 10:23:46AM +, Khalid Schofield wrote:

 Hi,
 this error seems to have been around a bit on the newsgroups but I see no
 answers only questions (yeah I've got a bible on the shelf next to the Koran
 so I could try that).

 I've a DLT4000 tape drive connected to a SCSI card in my Sun Blade 100
 running OpenBSD 4.2

 I'm getting this error in dmesg

 st0: 10240-byte record too big


 When I try to write to the tape I get this error:

 # dd if=/dev/zero of=/dev/st0
 dd: /dev/st0: Input/output error
 1+0 records in
 0+0 records out
 0 bytes transferred in 1.138 secs (0 bytes/sec)

 I'm guessing it's a simple block size thing but if I have to set the block
 size every time it's going to be a major pain.

 tar -cvf /dev/st0 /var/mail /home

 was going to be my backup system :)

 mt seems to be able to set the block size but I've no idea what it should
 be. Are any of you using DLT4000 tape drives under OpenBSD?

 thanks

As mentioned in st(4), use the raw interface.

-Otto



Re: More than 255 vhid's w/ CARP

2007-12-05 Thread SeDoFa
It's true, but this can't solve any problems.
In my case I have a /16 subnet and I need to nat every single IP to a
different IP, for a total amount of about 400 IPs.
Same subnet, same interface, redundant firewall with carp. Is there
another way to increase vhid limit?


On Aug 10, 2006 2:47 AM, Ryan McBride [EMAIL PROTECTED] wrote:
 On Wed, Aug 09, 2006 at 07:33:08PM -0400, Jason Dixon wrote:
  Unless you're using more than 255 VLANs (unlikely), you don't need
  that many vhids.

 Also, if the carp(4) devices are connected on different VLANs
 (distinct layer 2 segments), you can use the same vhid on multiple
 interfaces.



Re: A necessary evil: snmpd(8) and snmpctl(8)

2007-12-05 Thread John Jackson
This is great news!  Hopefully I'll find the time to help test.

John


On Wed, Dec 05, 2007 at 11:52:12AM +0100, Reyk Floeter wrote:
 Hi!
 
 I just imported snmpd(8) and snmpctl(8), an initial attempt to 
 implement a new SNMP daemon for OpenBSD.  SNMP is the Simple Network
 Management Protocol and it is still very commonly used in corporate
 networks, by network vendors, and in network management systems (NMS).
 
 SNMP is very essential for me since I'm using it at work; our security
 appliances based on OpenBSD need to integrate into various SNMP
 scenarios.  We had to use net-snmp for this; the BSD license is good
 but the code is very bad and full of ancient cruft and portability
 glue.  Then there were many problems with the net-snmp port in
 OpenBSD, people reported 90% CPU usage on -misc, crashes, bugs, ...it
 was just a pain.
 
 So I decided to have a look at SNMP to implement something new.  When
 we don't like the existing alternatives or ports, we tend to
 re-implement it in OpenBSD, right?  Having a new snmpd(8) using
 privilege separation, the imsg framework from ospfd/bgpd, knf,
 security in mind, and a nice control program like snmpctl(8) would
 be really nice and solve some of our problems.  And I knew that
 claudio@ already started working on a little ASN.1 BER implementation
 for another project; this was the perfect base for handling the
 annoying BER-encoding of SNMP messages.
 
 I talked to some people during OpenCON (http://www.openbsd.org/) about
 my idea and the initial code that I was working on.  The expected
 reaction was always like "This is nice, but I don't like SNMP.  SNMP
 is a necessary evil."  People are upset and happy at the same time;
 will it be possible to implement a sane SNMP?  Will it be possible to
 make it secure?
 
 The code is still in a very early stage, snmpctl(8) is mostly a stub
 without any functionality, and the implemented MIBs are limited to
 (most of) the MIB-2, SNMPv3-MIB, and the IF-MIB.  I plan to implement
 the IP-MIB, TCP-MIB, UDP-MIB, and BRIDGE-MIB next and continue with
 working on the daemon's infrastructure.  There needs to be a way to
 talk to other daemons in OpenBSD without using SNMP BER messages:
 IMSG.  snmpd(8) may connect to the daemons, query some IMSG
 information, and provide the SNMP MIBs for the outside world.  I also
 plan to export some useful information like sensor status in an
 OpenBSD-specific MIB. 
 
 I DON'T want to provide a plug-in or module API, people can use
 net-snmp if they need a hyper-extensible codebase.
 
 The daemon is currently based on the SNMPv2/3 RFCs, supporting
 SNMPv1/2 messages and a very simple community-based security model
 (SNMPv2c).  The User-based Security Model (USM) will be added later,
 but the complexity of the new SNMPv3 standards is a little bit scary;
 they turned a simple protocol into a mess of layers, modules, and
 abstractions.  There is also a very interesting draft about a
 SSH-based security model for SNMP (draft-ietf-isms-secshell), but it
 is defined by Cisco and Huawei...
 
 Sure, I'm looking for volunteers to test and to contribute to
 snmpd(8), have a look at the src/usr.sbin/snmpd/README file and the
 code in the OpenBSD source tree.  It is not enabled in the builds yet
 and it will take some time before we are satisfied enough to enable
 it.  Again, please don't propose any useless features XYZ, it is good
 to have net-snmp for all the additional foo.
 
 reyk
 
 # client: snmpwalk from net-snmp, server: new OpenBSD snmpd(8)
 sysDescr = STRING: OpenBSD john.hq.vantronix.net 4.2 GENERIC.MP#6 amd64
 sysObjectID = OID: enterprises.26766.42.2.1.42
 sysUpTime = Timeticks: (2472) 0:00:24.72
 sysContact = STRING: [EMAIL PROTECTED]
 sysName = STRING: john.hq.vantronix.net
 sysLocation = STRING: 
 sysServices = INTEGER: 74
 sysORLastChange = Timeticks: (0) 0:00:00.00
 sysORIndex.1 = INTEGER: 1
 sysORIndex.2 = INTEGER: 2
 sysORIndex.3 = INTEGER: 3
 sysORID.1 = OID: mib-2
 sysORID.2 = OID: snmp
 sysORID.3 = OID: ifMIB
 sysORDescr.1 = STRING: iso.org.dod.internet.mgmt.mib-2
 sysORDescr.2 = STRING: iso.org.dod.internet.mgmt.mib-2.snmp
 sysORDescr.3 = STRING: iso.org.dod.internet.mgmt.mib-2.ifMIB
 sysORUpTime.1 = Timeticks: (0) 0:00:00.00
 sysORUpTime.2 = Timeticks: (0) 0:00:00.00
 sysORUpTime.3 = Timeticks: (0) 0:00:00.00
 ifNumber = INTEGER: 4
 ifIndex.1 = INTEGER: 1
 ifIndex.2 = INTEGER: 2
 ifIndex.3 = INTEGER: 3
 ifIndex.4 = INTEGER: 4
 ifDescr.1 = STRING: em0
 ifDescr.2 = STRING: ath0
 ifDescr.3 = STRING: enc0
 ifDescr.4 = STRING: lo0
 ifType.1 = INTEGER: ethernetCsmacd(6)
 ifType.2 = INTEGER: ethernetCsmacd(6)
 ifType.3 = INTEGER: other(1)
 ifType.4 = INTEGER: softwareLoopback(24)
 ifMtu.1 = INTEGER: 1500
 ifMtu.2 = INTEGER: 1500
 ifMtu.3 = INTEGER: 1536
 ifMtu.4 = INTEGER: 33168
 ifSpeed.1 = Gauge32: 10
 ifSpeed.2 = Gauge32: 5400
 ifSpeed.3 = Gauge32: 0
 ifSpeed.4 = Gauge32: 0
 ifPhysAddress.1 = STRING: 0:1a:6b:36:2e:5
 ifPhysAddress.2 = STRING: 0:16:cf:ab:4c:97
 

AMD GEODE LX-800 just works with kernel from install42.iso and kernel panics with powersave on.

2007-12-05 Thread Taisto Qvist XX
Hi Folks,

I am running, or at least trying to run, OpenBSD 4.2 on a minipc using
AMD's GEODE LX-800.
(It's a
http://www.sdlsystem.se/shop/product_info.php?cPath=23_56&products_id=656 )

At first I had almost given up, since trying to boot the system was
impossible since I always got a kernel panic just a few seconds into the booting.
Similar problems with both FreeBSD and NetBSD, <whisper>but linux worked
w/o issues.</whisper>

But after booting with all powersave turned off, everything looked good
though, and I could finally start to install and configure... almost.

After building a new custom kernel that didn't work properly, re-trying
with the GENERIC kernel that can be downloaded from the i386
install-directory (didn't work), rebuilding a new GENERIC kernel (didn't work),
I finally managed to understand that the ONLY two kernels I can boot with
are either the bsd.rd ramdisk, or the bsd kernel that's stored in the
install42.iso!?!

All the others start up fine, no problem, but the network interfaces
(realtek, rl0-3) can't be configured! Dmesg looks almost identical for a
working and non-working kernel, but with all the non-working ones, I just get

# ifconfig -a
: no such interface.

Not even loopback gets created!

It looks like the working kernel is from 4.2-current, so I am really
just wondering whether this is my only solution, to start running -current,
or if there is a bug somewhere that might be fixed... if nothing else, it
would be nice to be able to turn on power-save functions on the box again.

Any thoughts? (attaching the two dmesgs...)

Regards
Taisto Qvist

 dmesg.515.txt  dmesg.375.txt
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 1047097344 (998MB)
avail mem = 1004806144 (958MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/05/07, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0xf9580 (53 entries)
bios0: vendor American Megatrends Inc. version 080014  date 06/05/2007
bios0: Advanced Micro Devices, Inc. Geode LX Norwich Development Board
pcibios0 at bios0: rev 3.0 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3ab0/144 (7 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x1022 product 0x2090
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x31
vga1 at pci0 dev 1 function 1 AMD Geode LX Video rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
rl0 at pci0 dev 10 function 0 Realtek 8139 rev 0x10: irq 15, address 00:04:a7:04:da:2f
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 11 function 0 Realtek 8139 rev 0x10: irq 5, address 00:04:a7:04:da:30
rlphy1 at rl1 phy 0: RTL internal PHY
rl2 at pci0 dev 12 function 0 Realtek 8139 rev 0x10: irq 11, address 00:04:a7:04:da:31
rlphy2 at rl2 phy 0: RTL internal PHY
rl3 at pci0 dev 13 function 0 Realtek 8139 rev 0x10: irq 10, address 00:04:a7:04:da:32
rlphy3 at rl3 phy 0: RTL internal PHY
pcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SAMSUNG HM120JC
wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 10, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 10
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: AMD EHCI root hub, rev 2.00/1.00, addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: AMD OHCI root hub, rev 1.00/1.00, addr 1
biomask 774d netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
mtrr: K6-family MTRR support (2 registers)
umass0 at uhub0 port 2 configuration 1 interface 0
umass0: LaCie LaCie DVDRW USB, rev 2.00/0.00, addr 2
umass0: using ATAPI over Bulk-Only
scsibus0 at umass0: 2 targets
cd0 at scsibus0 targ 1 lun 0: _NEC, DVD+-RW ND-6650A, 1.23 SCSI0 5/cdrom removable
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b

Re: More than 255 vhid's w/ CARP

2007-12-05 Thread Ryan McBride
On Wed, Dec 05, 2007 at 01:00:11PM +0100, SeDoFa wrote:
 It's true, but this can't solve any problems.  In my case I have a /16
 subnet and I need to nat every single IP to a different IP, for a
 total amount of about 400 IPs.  Same subnet, same interface, redundant
 firewall with carp. Is there another way to increase vhid limit?

You can't put multiple aliases on a single carp interface?

Either way, this is a pretty scary setup because both addresses and
interfaces are managed in linked lists in many places within the kernel,
so when you do hundreds of them, performance will suffer.

You may want to look at other ways you can modify your network
architecture to make this possible - starting with routing the subnet to
your firewall, so that you don't have to actually assign the addresses to
an interface in order to nat to them.

-Ryan



Re: pfctl - show port numbers

2007-12-05 Thread MikeM
On 12/4/2007 at 6:53 PM Henning Brauer wrote:


|actually, if I were to implement these parts now I'd make it print
port 
|numbers only and not names 
 =

That's what I plan to do when I change the code. I don't need the
command line option part because I have never needed the name info for
the ports in the other commands that support the option capability.  So
if I am going to customize the pfctl code, I'll want to keep it as
contained as possible. (though the perl options look intriguing. :)

I use OpenBSD as the firewall/router on the cable modem for my little
home network.  Nothing real serious.  While my suggestion is helpful to
me and my uses, I'm sure the developers have more important features to
implement.  That's why I just presented my reasons and went quiet...



Re: PF problems

2007-12-05 Thread Stuart Henderson
On 2007/12/05 13:02, Kleber Rocha wrote:
 My rule is being ignored and the connection is being blocked by the
 default block rule:
 block in log all
 
 But these rules work well in OpenBSD 4.0

See the 4.0 -> 4.1 upgrade guide.



Re: Code signing in OpenBSD

2007-12-05 Thread Kevin Stam
What is the benefit of doing so? What's the point? Is the website so likely
to be hacked into, that the developers need to sign all communication just
to ensure that it comes from them? There's absolutely no need to sign
errata or official communications. Name one justifiable use for them. If the
OpenBSD developers didn't care about secure communications, then OpenSSH
would not exist.

On Dec 5, 2007 3:03 PM, new_guy [EMAIL PROTECTED] wrote:

 Lars Hansson-5 wrote:
 
  No. OpenBSD doesn't sign code.
 
  ---
  Lars Hansson
 

 Oh that surprises me, are OpenPGP signatures used for anything? Errata,
 official communication, etc... maybe this is a stupid question, but it
 seems everyone does it these days... even small software projects. Not being
 critical of OpenBSD (I love it and buy CDs), just curious as to the
 reasoning for not using pgp/gpg keys to sign stuff, secure communication, etc.


 --
 View this message in context:
 http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14173498
 Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Code signing in OpenBSD

2007-12-05 Thread Nick Guenther
On 12/5/07, Lars Hansson [EMAIL PROTECTED] wrote:
 On Dec 5, 2007 11:16 AM, new_guy [EMAIL PROTECTED] wrote:
  I've searched OpenBSD.org and google for source code signing practices in
  OpenBSD, nothing obvious stands out. I've probably overlooked it. Just
  curious about this... is the process described someplace?

 No. OpenBSD doesn't sign code.

Well, there's the MD5 files (e.g.
http://openbsd.arcticnetwork.ca/pub/OpenBSD/4.2/i386/MD5).
but yeah, for the most part OpenBSD doesn't need it.
-Nick
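As an added example (not code from the thread or from the OpenBSD project), this is how the MD5 file Nick points to is checked against a set of downloaded files: the format is one "MD5 (name) = hexdigest" line per file. The file names and contents below are constructed in a temporary directory so it runs offline; the docstring notes what such a check does and does not establish, which is the point the thread is arguing about.

```python
"""Verify files against an OpenBSD-style MD5 file ("MD5 (name) = hexdigest" per line).

Added example, not project code. A checksum list detects files that were corrupted
or altered relative to the list; it does not prove who published them, because
whoever can replace the files on a mirror can usually replace the MD5 file too.
"""
import hashlib
import os
import re
import tempfile

MD5_LINE_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})\s*$")


def parse_md5_file(text):
    """Return {filename: digest}; lines that do not fit the format are ignored."""
    entries = {}
    for line in text.splitlines():
        m = MD5_LINE_RE.match(line)
        if m:
            entries[m.group("name")] = m.group("digest").lower()
    return entries


def md5_of(path):
    """Stream the file through MD5 so large sets do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(directory, md5_text):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every entry in the MD5 file."""
    results = {}
    for name, expected in parse_md5_file(md5_text).items():
        # basename() keeps an entry like "../etc/passwd" from escaping the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif md5_of(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed scenario: one intact file, one altered file, one missing file."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed bsd.rd contents\n"
        with open(os.path.join(d, "bsd.rd"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "base42.tgz"), "wb") as fh:
            fh.write(b"altered archive contents\n")
        md5_text = (
            f"MD5 (bsd.rd) = {hashlib.md5(good).hexdigest()}\n"
            f"MD5 (base42.tgz) = {hashlib.md5(b'original archive contents').hexdigest()}\n"
            f"MD5 (comp42.tgz) = {'0' * 32}\n"
            "this line is not a checksum entry\n"
        )
        return verify(d, md5_text)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```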



PF problems

2007-12-05 Thread Kleber Rocha
I have the following rule in pf.
pass in quick from 10.1.100.210 to any

Here is the result of pfctl -sr
pass in quick inet from 10.1.100.210 to any flags S/SA keep state

But the connection is being blocked by pf; here is the log from pflog0:
Dec 02 06:58:58.343862 rule 0/(match) [uid 0, pid 23271] block in on
bge1: 10.1.100.210.8080 > 10.1.1.78.4899: S [tcp sum ok]
423727301:423727301(0) win 16384 mss 1360,nop,nop,sackOK (DF) (ttl
111, id 54108, len 48)

This IP 10.1.100.210 is my proxy server. This network is on vlan0.

My rule is being ignored and the connection is being blocked by the
default block rule:
block in log all

But these rules work well in OpenBSD 4.0



Re: OpenBSD mentioned in Bruce Schneier interview

2007-12-05 Thread Nick Guenther
On 12/5/07, Lars Noodin [EMAIL PROTECTED] wrote:
 OpenBSD gets a short mention in a blog:

 Q:
 ... why in the world can't we design a computer that can
 "cold boot" nearly instantaneously? I know about
 hibernation, etc., but when I do have to reboot, I hate
 waiting those three or four minutes.

 Schneier:
 Of course we can; Amiga was a fast booting computer,
 and OpenBSD boxes boot in less than a minute. But the
 current crop of major operating systems just don't.
 This is an economics blog, so you tell me: why don't
 the computer companies compete on boot-speed?

 http://freakonomics.blogs.nytimes.com/2007/12/04/bruce-schneier-blazes-through-your-questions/

 It's interesting that the issue of why a computer must be cold booted is
 not brought up, especially in the day and age where hibernation modes
 are readily available.  Perhaps the interviewer is a victim of the
 Microsoft effect.

Hibernation modes readily available?
Hibernation is flaky flaky flaky.

Still, it's a good point. OpenBSD manages to boot so quickly even
though it has all drivers enabled and running at boot--though I'm not
sure if it's always under a minute.

-Nick



Re: Code signing in OpenBSD

2007-12-05 Thread new_guy
Nick Guenther wrote:
 
 Well, there's the MD5 files (e.g.
 http://openbsd.arcticnetwork.ca/pub/OpenBSD/4.2/i386/MD5).
 but yeah, for the most part OpenBSD doesn't need it.
 -Nick
 

Could you explain in more detail? Why doesn't OpenBSD need to use pgp keys?
Really, I'm not trying to start anything, I just want to understand.
Especially since everyone else seems to do it. FreeBSD, NetBSD, Linux
Kernel, etc... they all employ some sort of PKI mechanism... so how does
OpenBSD handle these sorts of things?

-- 
View this message in context: 
http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14176001
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Code signing in OpenBSD

2007-12-05 Thread bofh
On Dec 5, 2007 11:46 AM, new_guy [EMAIL PROTECTED] wrote:
 Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
 user community? Knowing that xyz binary is signed by OpenBSD for
 distribution or abc email came from an official OpenBSD source is a good
 thing. Trojaned binaries and forged emails happen. PKI can help mitigate
 this. The benefit of PKI is widely known and accepted and does not need to
 be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of)
 does not use it, that's all I'm saying. I also thought there would be a real
 reason for not doing so and there may in fact be and I may just be unaware
 of it.

What are the risks you are trying to address?  What are the widely
known benefits of PKI?  Who downloads and installs openbsd binaries
*FROM AN EMAIL*?

Would you consider Bruce Schneier to be knowledgeable about PKI?  Have you read:
http://www.schneier.com/paper-pki.html



-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford



Re: binary installed? or not?

2007-12-05 Thread Kevin Stam
$ man pkg_info

On Dec 5, 2007 5:22 PM, badeguruji [EMAIL PROTECTED] wrote:

 Hello,

 On Solaris, I can do:

 grep name /var/sadm/install/contents

 and see whether it is installed or not, also location
 etc.

 But how can I do it on OB? Where is the system map?
 to see whether/where name is installed.

 Thanks in advance for your guidance.

 -BG


 
 ~~Kalyan-mastu~~



Re: binary installed? or not?

2007-12-05 Thread Nick Guenther
On 12/5/07, badeguruji [EMAIL PROTECTED] wrote:
 Hello,

 On Solaris, I can do:

 grep name /var/sadm/install/contents

 and see whether it is installed or not, also location
 etc.

 But how can I do it on OB? Where is the system map?
 to see whether/where name is installed.

 Thanks in advance for your guidance.

use pkg_info -L



Re: inetd needed for basic NAT/Firewall operation?

2007-12-05 Thread Allie D.
I have run an OBSD firewall for years and run nothing on it...the only
listening port is 22 on one of the internal interfaces. You don't need
identd or any of that crap on a firewall...it's forwarding or blocking
packets only.
-- 
~Allie D.


On Wed, December 5, 2007 10:58, Andreas Maus wrote:
 On Wed, Dec 05, 2007 at 11:49:07AM -0500, Chris Smith wrote:
 Hello,

 When using OpenBSD only as a NAT router / Firewall with all of the
 services in inetd.conf commented out is there any need to enable inetd?
 Hi Chris.

 The only service that should (or could, depends on your point of view)
 be allowed from the internet is IMHO the identd service.

 Blocking this service may cause some delay because some mailers and
 irc servers are checking for this service.

 OTOH it may be considered as a security risk to give strangers valid
 usernames. (If you need inetd requests from the outside and don't want
 to give them valid usernames you can install another identd, e.g.
 oidentd or just a fakeidentd to return an arbitrary username)

 I believe it's no longer necessary for ftp-proxy and want to make sure
 I'm not missing anything.
 I don't run ftp-proxy so I don't know about this, sorry.

 HTH,

 Andreas

 --
 Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
 an 8-bit operating system written for a 4-bit processor by a 2-bit
 company who cannot stand 1 bit of competition.



Re: Code signing in OpenBSD

2007-12-05 Thread Kevin Stam
Ah, my apologies. I was looking at the wrong thing. No further comment.

On Dec 5, 2007 6:18 PM, Brad Tilley [EMAIL PROTECTED] wrote:

 Wow, my surprise grows... I shall no longer add to this thread... Bye now.

 http://www.kernel.org/signature.html
 http://www.freebsd.org/doc/pgpkeyring.txt

 * One example of a signed Linux Kernel patch... there are many others:
 ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-2.6.9.sign

 * One example of signed FreeBSD code... there are others:

 http://taosecurity.blogspot.com/2007/11/updating-freebsd-70-beta2-to-70-beta3.html

 Some examples of signed communications from FreeBSD & NetBSD:
 http://www.freebsd.org/internal/ssh-keys.asc
 http://mail-index.netbsd.org/netbsd-announce/2004/02/20/.html


 On Dec 5, 2007 12:59 PM, Kevin Stam  [EMAIL PROTECTED] wrote:

  For one thing, I think you're quite confused. Unless I'm missing
  something, I'm not noticing the FreeBSD, NetBSD, Linux kernel developers
  signing their code, or doing anything particularly differently from the
  OpenBSD developers. Please explain.
 
  You've also conveniently ignored bofh's question. Why do you see this as
  being an issue? What risks does PKI mitigate? Did you just vaguely read
  somewhere in an advertisement about the supposed security benefits?



Re: Code signing in OpenBSD

2007-12-05 Thread Kevin Stam
For one thing, I think you're quite confused. Unless I'm missing something,
I'm not noticing the FreeBSD, NetBSD, Linux kernel developers signing
their code, or doing anything particularly differently from the OpenBSD
developers. Please explain.

You've also conveniently ignored bofh's question. Why do you see this as
being an issue? What risks does PKI mitigate? Did you just vaguely read
somewhere in an advertisement about the supposed security benefits?

On Dec 5, 2007 5:22 PM, new_guy [EMAIL PROTECTED] wrote:

 Nick Guenther wrote:
 
  Well, there's the MD5 files (e.g.
  http://openbsd.arcticnetwork.ca/pub/OpenBSD/4.2/i386/MD5).
  but yeah, for the most part OpenBSD doesn't need it.
  -Nick
 

 Could you explain in more detail? Why doesn't OpenBSD need to use pgp
 keys?
 Really, I'm not trying to start anything, I just want to understand.
 Especially since everyone else seems to do it. FreeBSD, NetBSD, Linux
 Kernel, etc... they all employ some sort of PKI mechanism... so how does
 OpenBSD handle these sort of things?

 --
 View this message in context:
 http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14176001
 Sent from the openbsd user - misc mailing list archive at Nabble.com.


JI



Re: Code signing in OpenBSD

2007-12-05 Thread new_guy
BOFH-5 wrote:
 
 Would you consider Bruce Schneier to be knowledgeable about PKI?  Have you
 read:
 http://www.schneier.com/paper-pki.html
 

Yes, I've read that. He's talking about CA's. He does not ridicule PGP keys
as you seem to. In fact, he has a few of his own:

Bruce Schneier [EMAIL PROTECTED]  0x4C92D93D  2048  1997/10/16  Never
Bruce Schneier [EMAIL PROTECTED]  0x7EDE4C65  1024  1995/09/26  Never

Look him and his company Counterpane up yourself:

http://keyserver.veridis.com:11371/

-- 
View this message in context: 
http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14176573
Sent from the openbsd user - misc mailing list archive at Nabble.com.



inetd needed for basic NAT/Firewall operation?

2007-12-05 Thread Chris Smith
Hello,

When using OpenBSD only as a NAT router / Firewall with all of the 
services in inetd.conf commented out is there any need to enable inetd? 
I believe it's no longer necessary for ftp-proxy and want to make sure 
I'm not missing anything.

Thank you.
-- 
Chris



Re: Code signing in OpenBSD

2007-12-05 Thread Rui Miguel Silva Seabra
On Wed, Dec 05, 2007 at 11:59:31AM -0500, Nick Guenther wrote:
  I'm surprised that OpenBSD (the most secure OS I know of)
  does not use it, that's all I'm saying. I also thought there would be a real
  reason for not doing so and there may in fact be and I may just be unaware
  of it.
 
 OpenBSD is the most secure OS, the devs know what they are doing.. and
 they've rejected this as unnecessary.

I don't see what is the problem with blessing a fingerprint of the
binaries with a PKI signature, which would mean that *these* are the
binaries the devs intended to release.

Come on... twice a year and get the benefit of not being excluded from
company policies which require digital signature of software downloaded
through the internet.

 You can check the MD5 files for the main distribution, and for
 packages.. well the official OpenBSD mirrors are all trustworthy--if
 they aren't, it will be discovered and they will no longer be official
 mirrors.
 This isn't a great answer, I know.

Definitely not a great answer, as there are vectors of attack which
cover the client accessing the mirror and not the mirror in itself, like
changing on-the-fly the md5sums to match the bad binaries, etc...

A digital signature would enable the non-repudiation of the fingerprints
file (at least), giving a moderate level of assurance that attack
vectors would have to concentrate on upstream development servers (where
the devs *really* know what they are doing).

Rui

-- 
Hail Eris!
Today is Prickle-Prickle, the 47th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?



Re: Code signing in OpenBSD

2007-12-05 Thread Brad Tilley
Wow, my surprise grows... I shall no longer add to this thread... Bye now.

http://www.kernel.org/signature.html
http://www.freebsd.org/doc/pgpkeyring.txt

* One example of a signed Linux Kernel patch... there are many others:
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-2.6.9.sign

* One example of signed FreeBSD code... there are others:
http://taosecurity.blogspot.com/2007/11/updating-freebsd-70-beta2-to-70-beta3.html

Some examples of signed communications from FreeBSD & NetBSD:
http://www.freebsd.org/internal/ssh-keys.asc
http://mail-index.netbsd.org/netbsd-announce/2004/02/20/.html

On Dec 5, 2007 12:59 PM, Kevin Stam [EMAIL PROTECTED] wrote:

 For one thing, I think you're quite confused. Unless I'm missing
 something, I'm not noticing the FreeBSD, NetBSD, Linux kernel developers
 signing their code, or doing anything particularly differently from the
 OpenBSD developers. Please explain.

 You've also conveniently ignored bofh's question. Why do you see this as
 being an issue? What risks does PKI mitigate? Did you just vaguely read
 somewhere in an advertisement about the supposed security benefits?



Re: Code signing in OpenBSD

2007-12-05 Thread Ted Unangst
On 12/5/07, new_guy [EMAIL PROTECTED] wrote:
 Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
 user community?

yes.



Re: binary installed? or not?

2007-12-05 Thread Mayuresh Kathe
See the following link
http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_info&sektion=1&manpath=OpenBSD+4.2


On Dec 5, 2007 10:52 PM, badeguruji [EMAIL PROTECTED] wrote:
 Hello,

 On solaris, i can do:

 grep name /var/sadm/install/contents

 and see whether it is installed or not, also location
 etc.

 But, How can i do it on OB? where is the system map?
 to see whether/where name is installed.

 Thanks in advance for your guidance.

 -BG


 
 ~~Kalyan-mastu~~



OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange

2007-12-05 Thread Douglas Secco dos Santos
Hi all,
I have a lot of VPN connections from all subsidiaries of my business (46
subsidiaries/46 tunnels exactly).
At the head office (matriz) I have a CISCO ASA 5520 VPN concentrator.
At the subsidiaries, I have OpenBSD 4.1.

my ipsec.conf is:
--
ike dynamic esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } \
peer Z \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk SECRETKEY
flow esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } peer Z
--

My key lifetime (it works and is correct usage of ipsec.conf+isakmpd.conf):
--
[General]
Default-phase-1-lifetime= 86400,60:86400
Default-phase-2-lifetime= 28800,60:86400
--
Okay, all VPNs come up normally, but the problem is:
At random times, the tunnel goes down and doesn't come up again!

My /var/log/messages at the moment of the blackout shows this message:
--
Dec 5 07:18:30 matrix isakmpd[23930]: transport_send_messages: giving up on
exchange IPsec-10.X.0.0/20-10.Y.0.0/16, no response from peer Z:500
--
Another message that can be found at random moments is about INVALID COOKIE(S).

The DPS functionality is configured on both ends, I believe this is not the
problem.
When the ADSL link drops for a few seconds this problem also occurs.

PS.:
1. About 1 year ago, my infrastructure was different: 46 OpenBSD 3.8 and
3.9 (using isakmpd.conf and isakmpd.policy old-style and the same firewall
script) at the subsidiaries and another OpenBSD 3.9 at the head office, and this
problem never came up.
2. I configured my CISCO ASA and it's all okay.
3. My NAT and FIREWALL are OKAY.

Please, it's an urgent request, thanks for all/any reply!
Thanks.



binary installed? or not?

2007-12-05 Thread badeguruji
Hello,

On solaris, i can do:

grep name /var/sadm/install/contents

and see whether it is installed or not, also location
etc.

But, How can i do it on OB? where is the system map?
to see whether/where name is installed.

Thanks in advance for your guidance.

-BG



~~Kalyan-mastu~~



Re: Code signing in OpenBSD

2007-12-05 Thread Bob Beck
 Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
 user community? Knowing that xyz binary is signed by OpenBSD for
 distribution or abc email came from an official OpenBSD source is a good
 thing. Trojaned binaries and forged emails happen. PKI can help mitigate
 this. The benefit of PKI is widely known and accepted and does not need to
 be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of)
 does not use it, that's all I'm saying. I also thought there would be a real
 reason for not doing so and there may in fact be and I may just be unaware
 of it.


If you want a secure binary, buy an official CD. This is
what most people do.  PKI requires infrastructure that would cost OpenBSD
money and developer time. Official CDs keep OpenBSD alive.

Oh wait, we should devote resources to people who care about
security, just not enough to spend $50 on it..   Yeah. I'll get right
on that.

-Bob



Re: Code signing in OpenBSD

2007-12-05 Thread bofh
On Dec 5, 2007 12:41 PM, new_guy [EMAIL PROTECTED] wrote:
 BOFH-5 wrote:
 
  Would you consider Bruce Schneier to be knowledgeable about PKI?  Have you
  read:
  http://www.schneier.com/paper-pki.html
 

 Yes, I've read that. He's talking about CA's. He does not ridicule PGP keys
 as you seem to. In fact, he has a few of his own:

I'm not ridiculing PGP keys.  I used to run PKI (Entrust) at a Fortune
100 company.  Whenever I hear people screaming about using PKI, I
always want to know - exactly what problem are you trying to solve or
prevent, or what risk are you trying to address.


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford



Re: Code signing in OpenBSD

2007-12-05 Thread Nick Guenther
On 12/5/07, new_guy [EMAIL PROTECTED] wrote:
 Harpalus a Como wrote:
 
  What is the benefit of doing so? What's the point? Is the website so
  likely
  to be hacked into, that the developers need to sign all communication just
  to ensure that it comes from them? There's absolutely no need to signing
  errata or official communications. Name one justifiable use for them. If
  the
  OpenBSD developers didn't care about secure communications, then OpenSSH
  would not exist.
 

 Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
 user community? Knowing that xyz binary is signed by OpenBSD for
 distribution or abc email came from an official OpenBSD source is a good
 thing. Trojaned binaries and forged emails happen. PKI can help mitigate
 this. The benefit of PKI is widely known and accepted and does not need to
 be rehashed here.

Are you *sure* of that? You might want to read
http://www.schneier.com/paper-pki-ft.txt

 I'm surprised that OpenBSD (the most secure OS I know of)
 does not use it, that's all I'm saying. I also thought there would be a real
 reason for not doing so and there may in fact be and I may just be unaware
 of it.

OpenBSD is the most secure OS, the devs know what they are doing.. and
they've rejected this as unnecessary.
You can check the MD5 files for the main distribution, and for
packages.. well the official OpenBSD mirrors are all trustworthy--if
they aren't, it will be discovered and they will no longer be official
mirrors.
This isn't a great answer, I know.

-Nick
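The check Nick describes (compare the download against the mirror's MD5 file) and the signed-fingerprints step Rui argues for, side by side as an added Go example; this is not OpenBSD's code nor anything posted in the thread. It assumes the "MD5 (file) = hash" line format of the OpenBSD MD5 files, uses a throwaway Ed25519 key pair in place of OpenPGP, and the file names and contents are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// One line of an OpenBSD-style checksum file, e.g.
// "MD5 (base42.tgz) = 0cc175b9c0f1b6a831c399e269772661".
var manifestLine = regexp.MustCompile(`^(MD5|SHA256) \((.+)\) = ([0-9a-f]+)$`)

type entry struct{ algo, sum string }

// parseManifest maps each listed file name to its expected digest.
func parseManifest(text string) (map[string]entry, error) {
	out := map[string]entry{}
	for _, line := range strings.Split(text, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		m := manifestLine.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		out[m[2]] = entry{algo: m[1], sum: m[3]}
	}
	return out, nil
}

// digest returns the hex digest the manifest names (MD5 or SHA256).
func digest(algo string, data []byte) string {
	if algo == "MD5" {
		s := md5.Sum(data)
		return hex.EncodeToString(s[:])
	}
	s := sha256.Sum256(data)
	return hex.EncodeToString(s[:])
}

// checkFile is the unsigned check: compare the download with the MD5 file from
// the same mirror. It cannot tell a manifest rewritten in transit from the real one.
func checkFile(manifest []byte, name string, file []byte) error {
	entries, err := parseManifest(string(manifest))
	if err != nil {
		return err
	}
	e, ok := entries[name]
	if !ok {
		return fmt.Errorf("%s not listed in manifest", name)
	}
	if digest(e.algo, file) != e.sum {
		return fmt.Errorf("%s: digest mismatch", name)
	}
	return nil
}

// checkSignedFile adds the step Rui asks for: the manifest must verify under the
// pinned release key first. A tampering mirror path can rewrite file and checksum, not this.
func checkSignedFile(pub ed25519.PublicKey, manifest, sig []byte, name string, file []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest signature invalid: checksums cannot be trusted")
	}
	return checkFile(manifest, name, file)
}

// signManifest is the release side: checksum file plus a detached signature.
// Ed25519 stands in for OpenPGP here; the real OpenBSD MD5 files carry no signature.
func signManifest(priv ed25519.PrivateKey, name string, file []byte) (manifest, sig []byte) {
	manifest = []byte(fmt.Sprintf("SHA256 (%s) = %s\n", name, digest("SHA256", file)))
	return manifest, ed25519.Sign(priv, manifest)
}

// scenario plays out the mirror-path tampering case with a throwaway key and
// constructed file contents, reporting what each check accepts.
func scenario() (genuineOK, unsignedAccepts, signedAccepts bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	genuine := []byte("constructed sample: genuine base42.tgz bytes")
	manifest, sig := signManifest(priv, "base42.tgz", genuine)
	genuineOK = checkSignedFile(pub, manifest, sig, "base42.tgz", genuine) == nil
	// A swapped file with the manifest rewritten to match; the signature no longer covers it.
	swapped := []byte("constructed sample: replaced base42.tgz bytes")
	rewritten := []byte(fmt.Sprintf("SHA256 (base42.tgz) = %s\n", digest("SHA256", swapped)))
	unsignedAccepts = checkFile(rewritten, "base42.tgz", swapped) == nil
	signedAccepts = checkSignedFile(pub, rewritten, sig, "base42.tgz", swapped) == nil
	return
}

func main() {
	fmt.Println(scenario())
}
```

A valid signature only proves the manifest came from the key holder; it says nothing about whether that release is still current, so the version a manifest belongs to still has to be checked separately.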



Re: Code signing in OpenBSD

2007-12-05 Thread new_guy
Harpalus a Como wrote:
 
 What is the benefit of doing so? What's the point? Is the website so
 likely
 to be hacked into, that the developers need to sign all communication just
 to ensure that it comes from them? There's absolutely no need to signing
 errata or official communications. Name one justifiable use for them. If
 the
 OpenBSD developers didn't care about secure communications, then OpenSSH
 would not exist.
 

Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
user community? Knowing that xyz binary is signed by OpenBSD for
distribution or abc email came from an official OpenBSD source is a good
thing. Trojaned binaries and forged emails happen. PKI can help mitigate
this. The benefit of PKI is widely known and accepted and does not need to
be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of)
does not use it, that's all I'm saying. I also thought there would be a real
reason for not doing so and there may in fact be and I may just be unaware
of it.
-- 
View this message in context: 
http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14175339
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: A necessary evil: snmpd(8) and snmpctl(8)

2007-12-05 Thread Jason George
Hi!

 I just imported snmpd(8) and snmpctl(8), an initial attempt to
 implement a new SNMP daemon for OpenBSD.  SNMP is the Simple Network
 Management Protocol and it is still very commonly used in corporate
 networks, by network vendors, and in network management systems (NMS).

 SNMP is very essential for me since I'm using it at work; our security
 appliances based on OpenBSD need to integrate into various SNMP
 scenarios.  We had to use net-snmp for this; the BSD license is good
 but the code is very bad and full of ancient cruft and portability
 glue.  Then there were many problems with the net-snmp port in
 OpenBSD, people reported 90% CPU usage on -misc, crashes, bugs, ...it
 was just a pain.

Thank you!  Thank you!  Thank you!



Re: inetd needed for basic NAT/Firewall operation?

2007-12-05 Thread Stuart VanZee
I have inetd disabled on almost all of my systems (including all my
firewalls).  If you have commented out every service in inetd.conf,
there is no need to run inetd, it has nothing to do and just sits
there.

s

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Chris Smith
Sent: Wednesday, December 05, 2007 11:49 AM
To: misc@openbsd.org
Subject: inetd needed for basic NAT/Firewall operation?


Hello,

When using OpenBSD only as a NAT router / Firewall with all of the
services in inetd.conf commented out is there any need to enable inetd?
I believe it's no longer necessary for ftp-proxy and want to make sure
I'm not missing anything.

Thank you.
--
Chris




Re: OpenCON 2007 thanks

2007-12-05 Thread Lars Noodén
fabioFVZ wrote:
 ...
 See you next year! 

Between now and then is there a chance of listening to the talks online?

If so, what is the URL for the audio?

Regards
-Lars





Re: Code signing in OpenBSD

2007-12-05 Thread Ted Unangst
On 12/5/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
 Come on... twice a year and get the benefit of not being excluded from
 company policies which require digital signature of software downloaded
 through the internet.

sign it yourself, then download it.  problem solved.



Re: inetd needed for basic NAT/Firewall operation?

2007-12-05 Thread Rod Whitworth
On Wed, 5 Dec 2007 19:58:59 +0100, Andreas Maus wrote:

 The only service that should (or could, depends on your point of view)
 be allowed from the internet is IMHO the identd service.

 Blocking this service may cause some delay because some mailers and
 irc servers are checking for this service.

 OTOH it may be considered as a security risk to give strangers valid
 usernames. (If you need inetd requests from the outside and don't want
 to give them valid usernames you can install another identd, e.g.
 oidentd or just a fakeidentd to return an arbitrary username)


Or better still leave inetd running and use its built-in identd and
give it -helo as its flags.
man identd will tell you why.

Rod/

A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.



Re: Code signing in OpenBSD

2007-12-05 Thread Rod Whitworth
On Wed, 5 Dec 2007 08:46:16 -0800 (PST), new_guy wrote:

 Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
 user community? Knowing that xyz binary is signed by OpenBSD for
 distribution or abc email came from an official OpenBSD source is a good
 thing. Trojaned binaries and forged emails happen. PKI can help mitigate
 this. The benefit of PKI is widely known and accepted and does not need to
 be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of)
 does not use it, that's all I'm saying. I also thought there would be a real
 reason for not doing so and there may in fact be and I may just be unaware
 of it.

Hmm, you have a financial interest in a CA? Or you just believe you
know more about PKI security than Schneier does?

http://www.schneier.com/paper-pki.html

Now tell us all why you would trust PKI so absolutely.


Rod/

Me...a skeptic?  I trust you have proof.



Re: Code signing in OpenBSD

2007-12-05 Thread Kevin Stam
Yes, that's what I gathered was meant. Going into PKI and code signing,
however, I assumed he meant signing and verifying the underlying source
code, and navigating the trees, I haven't noticed that.

Evidently he meant signing binary packages. In that case, I can kind of
understand the requirement - particularly for business - but whether it's
worth it is up to the OpenBSD team, not me. :) I'm having trouble seeing how
somebody could easily manage to get a compromised binary onto OpenBSD
servers. Seems more trouble to implement than it's worth.

On Dec 5, 2007 7:13 PM, Dave Ewart [EMAIL PROTECTED] wrote:

 On Wednesday, 05.12.2007 at 17:59 +, Kevin Stam wrote:

  For one thing, I think you're quite confused. Unless I'm missing
  something, I'm not noticing the FreeBSD, NetBSD, Linux kernel
  developers signing their code, or doing anything particularly
  differently from the OpenBSD developers. Please explain.

 I'm guessing that he's referring to the fact that some Linux
 *distributions* (not the kernel developers or necessarily any of the
 components) sign their binary packages: for example Debian do this.

 I believe one of the supposed benefits of this is that it allows anyone
 to set up a public Debian mirror and, after checking the signatures
 during download, one can be sure that they are 'real' Debian packages.

 I believe that in some circumstances this may lead to a false sense of
 security:

 - Said mirror could have old (vulnerable) versions of packages.  Just
  because they're signed doesn't mean they're safe;

 - The signing relates only to the packaging: if the underlying source
  code is compromised, then all bets are off.

 Would signing help for OpenBSD?  I don't particular see that it would,
 given that you are trading off the hassle of implementing it,
 maintaining it and so on, against the benefits of doing so, which are
 probably small or non-existent.

 Dave.

 --
 Dave Ewart [EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee
 All email from me is now digitally signed, http://www.sungate.co.uk/
 Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92

 [demime 1.01d removed an attachment of type application/pgp-signature
 which had a name of signature.asc]



Re: Code signing in OpenBSD

2007-12-05 Thread Floor Terra

On Dec 5, 2007, at 7:46 PM, Rui Miguel Silva Seabra wrote:

 I don't see what is the problem with blessing a fingerprint of the
 binaries with a PKI signature, which would mean that *these* are the
 binaries the devs intended to release.

Who would sign the binaries?
Would each package maintainer sign his own packages?
Does Theo have to sign each package?
I don't see a problem in having signatures for software but I do see
problems in creating and maintaining an infrastructure for these
signatures.

And what would you gain?
What guarantees would these signatures give you?
You can verify package consistency with md5 sums.

If you are paranoid, why would you trust the devs? You would just
compile the software yourself. But only after reading each line of code
of course.



Floor Terra



Re: Code signing in OpenBSD

2007-12-05 Thread Brad Tilley
 If you want a secure binary, buy an official CD. This is
 what most people do.  PKI requires infrastructure that would cost OpenBSD
 money and developer time. Official CDs keep OpenBSD alive.

 Oh wait, we should devote resources to people who care about
 security, just not enough to spend $50 on it..   Yeah. I'll get right
 on that.


I do buy CDs. T-shirts too. I also donate. You guys live up to the
reputation :)



Re: OpenCON 2007 thanks

2007-12-05 Thread Rouven Floeter

See you next year!



Thank you it was a great event with perfect presentations.

Rouven



Re: inetd needed for basic NAT/Firewall operation?

2007-12-05 Thread Andreas Maus
On Wed, Dec 05, 2007 at 11:49:07AM -0500, Chris Smith wrote:
 Hello,

 When using OpenBSD only as a NAT router / Firewall with all of the 
 services in inetd.conf commented out is there any need to enable inetd? 
Hi Chris.

The only service that should (or could, depends on your point of view)
be allowed from the internet is IMHO the identd service.

Blocking this service may cause some delay because some mailers and
irc servers are checking for this service.

OTOH it may be considered as a security risk to give strangers valid
usernames. (If you need inetd requests from the outside and don't want
to give them valid usernames you can install another identd, e.g.
oidentd or just a fakeidentd to return an arbitrary username)

 I believe it's no longer necessary for ftp-proxy and want to make sure 
 I'm not missing anything.
I don't run ftp-proxy so I don't know about this, sorry.

HTH,

Andreas

-- 
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.



Re: Code signing in OpenBSD

2007-12-05 Thread Nick Bender
On Dec 5, 2007 2:23 PM, Ted Unangst [EMAIL PROTECTED] wrote:
 On 12/5/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
  Come on... twice a year and get the benefit of not being excluded from
  company policies which require digital signature of software downloaded
  through the internet.

 sign it yourself, then download it.  problem solved.


Buy the CDs?



Re: Code signing in OpenBSD

2007-12-05 Thread Marco Peereboom
blah blah blah

have you ever wondered why openbsd doesn't do binary updates?

maybe you are now going to be able to figure out why we don't need
complex signing mechanisms.

On Wed, Dec 05, 2007 at 06:46:01PM +, Rui Miguel Silva Seabra wrote:
 On Wed, Dec 05, 2007 at 11:59:31AM -0500, Nick Guenther wrote:
   I'm surprised that OpenBSD (the most secure OS I know of)
   does not use it, that's all I'm saying. I also thought there would be a 
   real
   reason for not doing so and there may in fact be and I may just be unaware
   of it.
  
  OpenBSD is the most secure OS, the devs know what they are doing.. and
  they've rejected this as unnecessary.
 
 I don't see what is the problem with blessing a fingerprint of the
 binaries with a PKI signature, which would mean that *these* are the
 binaries the devs intended to release.
 
 Come on... twice a year and get the benefit of not being excluded from
 company policies which require digital signature of software downloaded
 through the internet.
 
  You can check the MD5 files for the main distribution, and for
  packages.. well the official OpenBSD mirrors are all trustworthy--if
  they aren't, it will be discovered and they will no longer be official
  mirrors.
  This isn't a great answer, I know.
 
 Definitely not a great answer, as there are vectors of attack which
 cover the client accessing the mirror and not the mirror in itself, like
 changing on-the-fly the md5sums to match the bad binaries, etc...
 
 A digital signature would enable the non-repudiation of the fingerprints
 file (at least), giving a moderate level of assurance that attack
 vectors would have to concentrate on upstream development servers (where
 the devs *really* know what they are doing).
 
 Rui
 
 -- 
 Hail Eris!
 Today is Prickle-Prickle, the 47th day of The Aftermath in the YOLD 3173
 + No matter how much you do, you never do enough -- unknown
 + Whatever you do will be insignificant,
 | but it is very important that you do it -- Gandhi
 + So let's do it...?



Re: Code signing in OpenBSD

2007-12-05 Thread Nick Guenther
On 12/5/07, bofh [EMAIL PROTECTED] wrote:

 Why, I tell you, if you can just make openbsd more like windows,
 you'll get a lot more users  Don't you care about
 market share?  (Cue Theo's story about the VC who tried to dotcom-ize
 openbsd :-))

Oh? What story is that? I can't google it.

 Maybe the faq needs a prequel in front of it - if you are not willing
 to do the work, don't use openbsd.

Doesn't it already have that, pretty much?

-Nick



Re: Two carp firewalls keep swapping from master/backup

2007-12-05 Thread Bob Beck
 Are you allowing the carp traffic in and out?

This is the more common fuckup I make when configuring them that has
this result.  make sure the carp and pfsync traffic makes it in and
out. 



Re: Code signing in OpenBSD

2007-12-05 Thread bofh
That's irrelevant (the impersonating bit).

What you have to understand is this - this is not a commercial
venture, nor is openbsd looking to grow marketshare or ease of use or
anything.  This is a project by developers for themselves.

Yes, they do sell CDs and so on to help support the project, and yes
they have users that they support.  But the moment the users become
annoying and pass a certain threshold (which is different for
different developers) those users become lusers (not saying you are
one, btw).

So, look at their objectives - does using pki solve anything for them?
 No, not really.  Signing source code that goes into the tree - does
it help?  No, if an intruder got in, they would have gotten the key
anyway.  Signing binaries?  What's on the primary server is considered
authoritative.  Or you can compile your own.  Binary updates?  Don't
do it.  Mirrors - they currently use MD5 which is cheap and fast and
good enough.

So, to put in a complicated pki and so on would add overhead that is
really useless to the developers.  It may benefit some users.  But
does the benefit outweigh the cost?  Not currently, according to the
developers.

Now, if you're willing to fund it, and do the work, and manage to
gain Theo's trust, then you get to do it.  But else, I don't really
see the devs taking on this additional work for fun.  And ultimately
that's what they're doing - having fun.

Now, it could be that tomorrow one of the devs catches the pki bug -
then suddenly, all these can and will happen.  But I doubt it.





On 12/5/07, new_guy [EMAIL PROTECTED] wrote:
 Bob Beck-2 wrote:
 
  If you want a secure binary. buy an official CD.. This is
  what most people do.  PKI requires infrastructure that would cost OpenBSD
  money and developer time. Official CD's keep OpenBSD alive.
 
  Oh wait, we should devote resources to people who care about
  security, just not enough to spend $50 on it..   Yeah. I'll get right
  on that.
 
  -Bob
 

 One last thought. You insinuate in this post that I do not buy CDs or
 support OpenBSD. I claim that I do. There is a person listed by my name on
 the donations page... but since I was not given the opportunity to digitally
 sign my donation ;) I could just be impersonating that person. How is that
 for irony? I'll go away now.

 Thanks,
 Brad





-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford



hoststated - some questions

2007-12-05 Thread Chad M Stewart
I am working with hoststated and trying to figure out if it will work  
for what I want to do.   I have some questions that I hope people can  
answer for me.


kern.version=OpenBSD 4.2-stable (GENERIC) #0: Sun Dec  2 13:43:16 GMT  
2007

[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC


- where does it log?  Even running with -dvv I don't see output that  
I am expecting, which could simply be I'm expecting the wrong thing.   
For example


# from configuration file
protocol httpcustom {
protocol http
 header append $REMOTE_ADDR to X-Forwarded-For log
 header append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By log

tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}


Results in the following output when run with -dvv

protocol 0: name httpcustom
flags: 0x0004
type: http
request append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By

request append $REMOTE_ADDR to X-Forwarded-For


Note the log action is gone.  When I hit the service with a browser  
and watch the tcpdump on the web server, the headers are added,  
great.  But I don't see any evidence of it from hoststated.   I'm  
trying to see if/how I would have hoststated go about looking at the  
Host: header in HTTP.   Figured I'd start with the example and work  
from there.  I'm wondering if hoststated can replace squid in front  
of a couple of name based virtual http servers, thus the need to get  
at the host header to find/lookup the destination.



Also hoststatectl reload does not work for me.

[EMAIL PROTECTED] root# hoststatectl reload
command failed

Expected behavior?




Thank you,
Chad



Re: Two carp firewalls keep swapping from master/backup

2007-12-05 Thread Josh

Dag Richards wrote:

Your understanding of preempt seems correct

I had a similar issue on a pair of 4.1 FW's.

A careful examination revealed that one of the carp ifaces on one system 
had ip addrs that were missing on the other.



Carefully compare ifconfig -aA on each machine to each other.
I now slavishly also ensure that the addrs occur in the same order ... I 
am sure that has no effect, but there it is.



Are you allowing the carp traffic in and out?
Does a tcpdump show the expected traffic?



I have checked all those things... ifconfig output (in relation to carp) 
is identical with the obvious exceptions of BACKUP/MASTER and advskew.


One of the first lines in my pf.conf is always pass in quick on foo 
proto carp keep state... and a look at pflog shows nothing in the carp 
department is being blocked.


It does not happen all the time, just seems to happen when I put some 
network load on the secondary firewall.


I will investigate what Stuart Henderson mentioned.

Cheers,
Josh



Two carp firewalls keep swapping from master/backup

2007-12-05 Thread Josh

Hello, A quick question.

I have a pair of 4.1 boxes acting as firewalls using carp/pfsync etc.

The primary has advskew 0, the backup has advskew 100. I have 
net.inet.carp.preempt=1 on both.


So anyway, I was downloading some 4.2 install binaries onto the backup 
fw, and I noticed that the backup/primary carp interfaces kept on 
switching between master/backup fairly rapidly ( around every 5 - 10 
seconds or so ) despite both hosts being up just fine.


Any ideas on what might be causing this?

Also, my understanding of net.inet.carp.preempt=1 needs to be adjusted, I 
think; I thought that it meant that if one carp interface goes down, i.e. 
unplugged or whatever, then the rest go down, i.e. all other interfaces on 
the box? Is this right?



Thanks,
   Josh



Re: Code signing in OpenBSD

2007-12-05 Thread new_guy
Bob Beck-2 wrote:
 
   If you want a secure binary. buy an official CD.. This is
 what most people do.  PKI requires infrastructure that would cost OpenBSD
 money and developer time. Official CD's keep OpenBSD alive. 
 
   Oh wait, we should devote resources to people who care about
 security, just not enough to spend $50 on it..   Yeah. I'll get right
 on that.
 
   -Bob
 

One last thought. You insinuate in this post that I do not buy CDs or
support OpenBSD. I claim that I do. There is a person listed by my name on
the donations page... but since I was not given the opportunity to digitally
sign my donation ;) I could just be impersonating that person. How is that
for irony? I'll go away now.

Thanks,
Brad

-- 
View this message in context: 
http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14180803
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Two carp firewalls keep swapping from master/backup

2007-12-05 Thread Stuart Henderson
On 2007/12/06 10:06, Josh wrote:
 So anyway, I was downloading some 4.2 install binaries onto the backup fw, 
 and I noticed that the backup/primary carp interfaces kept on switching 
 between master/backup fairly rapidly ( around every 5 - 10 seconds or so ) 
 despite both hosts being up just fine.

 Any ideas on what might be causing this?

If you reconfigured addresses on the interfaces after configuring
them, it's most likely to be the problem fixed in r1.135 of
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c

 Also, my understanding of net.inet.carp.preempt=1 needs to be adjusted, I 
 think; I thought that it meant that if one carp interface goes down, i.e. 
 unplugged or whatever, then the rest go down, i.e. all other interfaces on the 
 box? Is this right?

Not always, see http://www.mail-archive.com/misc@openbsd.org/msg34354.html



Re: Code signing in OpenBSD

2007-12-05 Thread new_guy
Lars Hansson-5 wrote:
 
 No. OpenBSD doesn't sign code.
 
 ---
 Lars Hansson
 

Oh, that surprises me. Are OpenPGP signatures used for anything? Errata,
official communication, etc... maybe this is a stupid question, but it seems
everyone does it these days... even small software projects. Not being
critical of OpenBSD (I love it and buy CDs), just curious as to the reasoning
for not using pgp/gpg keys to sign stuff, secure communication, etc.


-- 
View this message in context: 
http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14173498
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: /var/log/messages permissions in 4.2

2007-12-05 Thread Douglas A. Tutty
On Tue, Dec 04, 2007 at 02:30:28PM -0800, Bryan Irvine wrote:
  What would be the rationale for 640? ;)
 
 Well according to cvs log:
 it can be easily changed if you like it another way. millert,
 
 So I guess one rationale might be as simple as because  ;)
 

Does anything get posted to the log that a normal user should not see?
I suppose it depends on the machine's context.  Can traffic analysis on
the log be used to determine what another user is doing any more than
watching top?  If you're concerned about normal users reading logs, you
need to look at those logs and determine why you are concerned and 
determine the implications of those concerns.

Doug.



OpenCON 2007 thanks

2007-12-05 Thread fabioFVZ
OpenCON 2007 is over.

This year due to problems at work I had to leave OpenCON 2007
organization in the hands of Marc Balmer and Vera Hardmeier.

I'd like to thank them for their perfect work (as for the usual OpenBSD way of 
doing things).
Without their support OpenCON wouldn't have happened.

Many many thanks Marc and Vera.

I'd also like to thank the staff:

* Alessio Pennasilico (mayhem), for the talk and funny support
* Antonio Stano (busyantos), for the registration/tickets
* Matteo Centenaro (bugant), for the beautiful SSH Cake, OpenCON website 
and booklets
* Sandro Zaccarini (guly), for the OpenCON t-shirt and booklets
* Wim Wandeputte, for the OpenBSD stuff
* Federico Biancuzzi (Ed) for cooperation 

Many thanks to all the talkers and OpenBSD developers for their technical and 
professional talks.

A special thanks goes to all our sponsors, who made it possible to keep the 
conference FREE!

http://www.opencon.org/site/sponsor

See you next year!

Fabio Cazzin,
Founder and inventor of OpenCON



PCMCIA card Reader...

2007-12-05 Thread Mayuresh Kathe
Hello,

Will the product at the following link work under OpenBSD?
http://www.synchrotech.com/products/card-rw_06_p111_p222_elan_pcmcia_pc-card_reader_slot.html

It costs US$75; paying that kind of money and not having it work
would be quite heartbreaking.

Thanks,

~Mayuresh



Re: Two carp firewalls keep swapping from master/backup

2007-12-05 Thread Josh

Stuart Henderson wrote:

On 2007/12/06 11:48, Josh wrote:

I will investigate what Stuart Henderson mentioned.


If it's that, tcpdump on the parent iface will show proto 112 IPv6
packets every few seconds, and ifconfig carpXX destroy && sh /etc/netstart
carpXX should clear things out.

It does not happen all the time, just seems to happen when I put some 
network load on the secondary firewall.


In that case, also check sysctl net.inet.ip.ifq.drops. If any are present,
bump net.inet.ip.ifq.maxlen (256 is a good starting point, used by default
in 4.2).



Hmmm,

sysctl net.inet.ip.ifq.drops
net.inet.ip.ifq.drops=7895040

Will make the changes you suggest... But what does net.inet.ip.ifq.drops 
mean?


Thanks,
Josh



Re: PCMCIA card Reader...

2007-12-05 Thread Steve Shockley

Mayuresh Kathe wrote:
Will the product at the following link work under OpenBSD? 
http://www.synchrotech.com/products/card-rw_06_p111_p222_elan_pcmcia_pc-card_reader_slot.html


I haven't actually tried it, but their web site says it uses the TI 
PCI-1420 PCI-Cardbus bridge, and OpenBSD appears to support that bridge.


With that said, you'd have to have a pretty special PCMCIA/Cardbus 
device to make using a bridge in a desktop worthwhile.  I'd think most 
of the Cardbus cards you could plug in would be available in PCI or USB 
for less than $75.




Re: Code signing in OpenBSD

2007-12-05 Thread Claus Assmann
On Wed, Dec 05, 2007, STeve Andre' wrote:

 Yes, one can dismiss the benefits.  Think about what an MD5 (or any
 other cryptographic) checksum means.  If the OpenBSD site publishes
 that list, how does something more complicated help?

 Answer: it doesn't.

Wrong.

If someone cracks a website, then he can put up a modified binary
and a modified MD5 checksum. Creating a (digital) signature (with
the right key) is significantly more complex.

Using CDs to distribute the code of course makes the attack rather
complicated.

Someone actually did the former with sendmail.org (to distribute a
version of sendmail with a backdoor).  The problem was only noted
because users checked the (digital) signature.



Re: Code signing in OpenBSD

2007-12-05 Thread Dave Ewart
On Wednesday, 05.12.2007 at 17:59 +, Kevin Stam wrote:

 For one thing, I think you're quite confused. Unless I'm missing
 something, I'm not noticing the FreeBSD, NetBSD, Linux kernel
 developers signing their code, or doing anything particularly
 differently from the OpenBSD developers. Please explain.

I'm guessing that he's referring to the fact that some Linux
*distributions* (not the kernel developers or necessarily any of the
components) sign their binary packages: for example Debian do this.

I believe one of the supposed benefits of this is that it allows anyone
to set up a public Debian mirror and, after checking the signatures
during download, one can be sure that they are 'real' Debian packages.

I believe that in some circumstances this may lead to a false sense of
security:

- Said mirror could have old (vulnerable) versions of packages.  Just
  because they're signed doesn't mean they're safe;

- The signing relates only to the packaging: if the underlying source
  code is compromised, then all bets are off.

Would signing help for OpenBSD?  I don't particularly see that it would,
given that you are trading off the hassle of implementing it,
maintaining it and so on, against the benefits of doing so, which are
probably small or non-existent.

Dave.

--
Dave Ewart [EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee
All email from me is now digitally signed, http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92




Re: OpenCON 2007 thanks

2007-12-05 Thread Edd Barrett
On 05/12/2007, fabioFVZ [EMAIL PROTECTED] wrote:
 OpenCON 2007 is over.

 This year due to problems at work I had to leave OpenCON 2007
 organization in the hands of Marc Balmer and Vera Hardmeier.

Thank you. I had a great time!

-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: Code signing in OpenBSD

2007-12-05 Thread Rui Miguel Silva Seabra
On Wed, Dec 05, 2007 at 11:23:28AM -0800, Ted Unangst wrote:
 On 12/5/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
  Come on... twice a year and get the benefit of not being excluded from
  company policies which require digital signature of software downloaded
  through the internet.
 
 sign it yourself, then download it.  problem solved.

Forgive them, for they know not what they say... *sigh* :)

Rui

-- 

Today is Prickle-Prickle, the 47th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?



Re: AMD GEODE LX-800 just works with kernel from install42.iso and kernelpanics with powersave on.

2007-12-05 Thread Taisto Qvist XX
And naturally I attached the wrong files, apart from the mistyping of
install42.iso.

Here's the dmesg from the working kernel.

TQ


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Taisto Qvist XX
 Sent: 5 December 2007 13:14
 To: misc@openbsd.org
 Subject: AMD GEODE LX-800 just works with kernel from
 install42.iso and kernelpanics with powersave on.

 Hi Folks,

 I am running, or at least trying to run, OpenBSD 4.2 on a
 minipc using AMD's GEODE LX-800.
 (It's a
 http://www.sdlsystem.se/shop/product_info.php?cPath=23_56&products_id=656 )

 At first I had almost given up, since trying to boot the
 system was impossible since I always got a kernel-panic just
 a few seconds into the booting.
 Similar problems with both FreeBSD and NetBSD, <whisper>but
 linux worked w/o issues.</whisper>

 But after booting with all powersave turned off, everything
 looked good though, and I could finally start to install and
 configure... almost.

 After building a new custom kernel that didn't work properly,
 re-trying with the GENERIC kernel that can be downloaded from
 the i386 install directory (didn't work), rebuilding a new
 GENERIC kernel (didn't work), I finally managed to understand
 that the ONLY two kernels I can boot with are either the
 bsd.rd ramdisk, or the bsd kernel that's stored in the install32.iso!?!

 All the others start up fine, no problem, but the network
 interfaces (realtek, rl0-3) can't be configured! Dmesg looks
 almost identical for a working and non-working kernel, but
 with all the nonworking ones, I just get

 # ifconfig -a
 : no such interface.

 Not even loopback gets created!

 It looks like the working kernel is from 4.2-current, so I am
 really just wondering whether this is my only solution, to
 start running -current, or if there is a bug somewhere that
 might be fixed... if nothing else, it would be nice to be
 able to turn on power-save functions on the box again.

 Any thoughts? (attaching the two dmesgs...)

 Regards
 Taisto Qvist

 

Re: Code signing in OpenBSD

2007-12-05 Thread Tony Abernethy
Claus Assmann wrote:
 
 Wrong.
 
 If someone cracks a website, then he can put up a modified binary
 and a modified MD5 checksum. 

This is silly. You mean that you get the checksums and the 
associated binaries from the *SAME* website? 



Re: Code signing in OpenBSD

2007-12-05 Thread bofh
On Dec 5, 2007 7:15 PM, Tony Abernethy [EMAIL PROTECTED] wrote:
 Claus Assmann wrote:
 
  Wrong.
 
  If someone cracks a website, then he can put up a modified binary
  and a modified MD5 checksum.

 This is silly. You mean that you get the checksums and the
 associated binaries from the *SAME* website?

You're probably being sarcastic, but in the case of the master site,
it doesn't matter, because all the slaves probably rsync from the
master anyway.





Re: Two carp firewalls keep swapping from master/backup

2007-12-05 Thread Dag Richards

Josh wrote:

Hello, A quick question.

I have a pair of 4.1 boxes acting as firewalls using carp/pfsync etc.

The primary has advskew 0, the backup has advskew 100. I have 
net.inet.carp.preempt=1 on both.


So anyway, I was downloading some 4.2 install binaries onto the backup 
fw, and I noticed that the backup/primary carp interfaces kept on 
switching between master/backup fairly rapidly ( around every 5 - 10 
seconds or so ) despite both hosts being up just fine.


Any ideas on what might be causing this?

Also, my understanding of net.inet.carp.preempt=1 needs to be adjusted, I 
think; I thought that it meant that if one carp interface goes down, i.e. 
unplugged or whatever, then the rest go down, i.e. all other interfaces on 
the box? Is this right?



Thanks,
   Josh


Your understanding of preempt seems correct

I had a similar issue on a pair of 4.1 FW's.

A careful examination revealed that one of the carp ifaces on one system 
had ip addrs that were missing on the other.



Carefully compare ifconfig -aA on each machine to each other.
I now slavishly also ensure that the addrs occur in the same order ... I 
am sure that has no effect, but there it is.



Are you allowing the carp traffic in and out?
Does a tcpdump show the expected traffic?



Re: Two carp firewalls keep swapping from master/backup

2007-12-05 Thread Stuart Henderson
On 2007/12/06 11:48, Josh wrote:
 I will investigate what Stuart Henderson mentioned.

If it's that, tcpdump on the parent iface will show proto 112 IPv6
packets every few seconds, and ifconfig carpXX destroy && sh /etc/netstart
carpXX should clear things out.

 It does not happen all the time, just seems to happen when I put some 
 network load on the secondary firewall.

In that case, also check sysctl net.inet.ip.ifq.drops. If any are present,
bump net.inet.ip.ifq.maxlen (256 is a good starting point, used by default
in 4.2).



Re: Compliments and Knob Question

2007-12-05 Thread Edd Barrett
On 05/12/2007, Jeremy Huiskamp [EMAIL PROTECTED] wrote:
 That thing on the door is a handle.  A knob would let you adjust how
 far the door opens, how much it resists being opened, whether or not
 it shuts itself (and how quickly) and how far you have to turn the
 handle to get it to start opening.  Clearly most doors work just fine
 without knobs.

Good answer.

-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



OpenBSD mentioned in Bruce Schneier interview

2007-12-05 Thread Lars Noodén
OpenBSD gets a short mention in a blog:

Q:
... why in the world can't we design a computer that can
"cold boot" nearly instantaneously? I know about
hibernation, etc., but when I do have to reboot, I hate
waiting those three or four minutes.

Schneier:
Of course we can; Amiga was a fast booting computer,
and OpenBSD boxes boot in less than a minute. But the
current crop of major operating systems just don't.
This is an economics blog, so you tell me: why don't
the computer companies compete on boot-speed?

http://freakonomics.blogs.nytimes.com/2007/12/04/bruce-schneier-blazes-through-your-questions/

It's interesting that the issue of why a computer must be cold booted is
not brought up, especially in the day and age where hibernation modes
are readily available.  Perhaps, the interviewer is a victim of the
Microsoft effect.

-Lars



Re: AMD GEODE LX-800 just works with kernel from install42.iso and kernelpanics with powersave on.

2007-12-05 Thread Claudio Jeker
On Wed, Dec 05, 2007 at 01:13:31PM +0100, Taisto Qvist XX wrote:
 Hi Folks,
 
 I am running, or at least trying to run, OpenBSD 4.2 on a minipc using
 AMD's GEODE LX-800.
 (It's a
 http://www.sdlsystem.se/shop/product_info.php?cPath=23_56&products_id=656 )
 
 At first I had almost given up, since trying to boot the system was
 impossible
 since I always got a kernel-panic just a few seconds into the booting.
 Similar problems with both FreeBSD and NetBSD, <whisper>but linux worked
 w/o issues.</whisper>
 
 But after booting with all powersave turned off, everything looked good
 though,
 and I could finally start to install and configure... almost.
 
 After building a new custom kernel that didn't work properly, re-trying
 with
 the GENERIC kernel that can be downloaded from the i386
 install directory (didn't work),
 rebuilding a new GENERIC kernel (didn't work), I finally managed to
 understand
 that the ONLY two kernels I can boot with are either the bsd.rd ramdisk,
 or the
 bsd kernel that's stored in the install32.iso!?!
 
 All the others start up fine, no problem, but the network interfaces
 (realtek, rl0-3)
 can't be configured! Dmesg looks almost identical for a working and
 non-working kernel,
 but with all the nonworking ones, I just get
 
 # ifconfig -a
 : no such interface.
 
 Not even loopback gets created!
 

Your userland is not in sync with the kernel. Make sure your userland and
kernel are in sync. There was a networking flag day that causes these
issues.

-- 
:wq Claudio



Re: PCMCIA card Reader...

2007-12-05 Thread Stuart Henderson
On 2007/12/05 18:22, Steve Shockley wrote:
 Mayuresh Kathe wrote:
 Will the product at the following link work under OpenBSD? 
 http://www.synchrotech.com/products/card-rw_06_p111_p222_elan_pcmcia_pc-card_reader_slot.html

 I haven't actually tried it, but their web site says it uses the 
 TI PCI-1420 PCI-Cardbus bridge, and OpenBSD appears to support 
 that bridge.

I don't know this particular card, but they usually work ok.
They're *much* cheaper on ebay though.



more unimplemented commands in azalia driver

2007-12-05 Thread Rob Lytle
Hi,

I was trying to use the gmfsk digital radio communication program with
azalia but ran into some snags.

It is giving the sound card commands it can't recognize:

sound_open_for_read: sndopen: setinfo failed: m   and
sound_open_for_write: sndopen: setinfo failed: m

Gmfsk uses /dev/audio.  I assume those are OSS commands.

Thanks,  Rob

-- 
Emancipate yourself from mental slavery, none but ourselves can free
our minds  Bob Marley, Redemption Song



Re: Code signing in OpenBSD

2007-12-05 Thread STeve Andre'
On Wednesday 05 December 2007 11:46:16 new_guy wrote:
 Harpalus a Como wrote:
  What is the benefit of doing so? What's the point? Is the website so
  likely
  to be hacked into, that the developers need to sign all communication
  just to ensure that it comes from them? There's absolutely no need to
  signing errata or official communications. Name one justifiable use for
  them. If the
  OpenBSD developers didn't care about secure communications, then
  OpenSSH would not exist.

 Can you dismiss PKI and the benefits that OpenPGP signatures provide to
 your user community? Knowing that xyz binary is signed by OpenBSD for
 distribution or abc email came from an official OpenBSD source is a good
 thing. Trojaned binaries and forged emails happen. PKI can help mitigate
 this. The benefit of PKI is widely known and accepted and does not need to
 be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of)
 does not use it, that's all I'm saying. I also thought there would be a
 real reason for not doing so and there may in fact be and I may just be
 unaware of it.

Yes, one can dismiss the benefits.  Think about what an MD5 (or any
other cryptographic) checksum means.  If the OpenBSD site publishes
that list, how does something more complicated help?

Answer: it doesn't.

--STeve Andre'



Re: Code signing in OpenBSD

2007-12-05 Thread Gilbert Fernandes
On Wed, Dec 05, 2007 at 08:46:16AM -0800, new_guy wrote:

 Can you dismiss PKI

Seems they do.

The problem of signing code does not remove the problem
of checking the signature.

When you sign code and when you ask developers to do so,
they need to own some private key which will let you check
on the other side with a public key.

This private key will have to be very well protected. Now,
what happens if there's a problem and that key is lost
or stolen? And more specifically, what will happen if this
very trouble happens and no one sees it? The key can
be stolen without anyone knowing, and then? Of course, a
blatant and direct hack will be detected, but someone who does
steal a private key is very cautious in acting as if the key
is still secure (exactly like the Allies were able to decipher
Enigma encoded messages because of re-use of IV-alike blocks
by the German submarine crypto staff, or predictable IV-alike
according to the date on the calendar: the Allies could read a lot
but did not act on most and let some ships go down because they
needed that secret, being able to decipher, to be kept a secret
in order to remain a strategic advantage).

You have two main things here. The code signing can be used
in the developing process to only let developers add code
(this would be another layer over the authentication that already
does exist when they do cvs commits to the OpenBSD source tree)
and that's Theo (and his developers) choice. If the technology
is available and if those clever guys don't use it, I think there's
a *hint* there. History has proven Theo and his folks do know
a lot about security and especially its culture.

Then, you have the distribution itself. Having the hashes
stored at the same place as the files itself is not the best
thing because if someone is able to change a file on a FTP
(be it an official or non official ftp repository) I would hope
this cracker will be clever enough to also update the hash files.

Having the hashes being signed in some way could help if they
are stored at the same place as binary or sources files, and if
it's a writable media. Ok. Why not. But how many people are
really going to download sources and/or binaries and have
a gnupg locally installed PLUS having the public key that goes
with the signing private key and are going to check ? Very, very
few.

If you want this to work, it has to be automated. Otherwise,
it's going to be a lot of work, a lot of time spent by people
that are quite busy and not for a lot of people on the other
side that will really use it.

And here comes the head of the nightmare snake we all know
about : implementation.

Security is a good thing to have. Ideas that can improve it
too. But implementation is critical, as it's very often a weak
point to attack (remember Netscape's PRNG generator used
to attack its SSL ?)

And if I remember correctly, Theo often said that if you do
think a feature is missing, you should code and shut up and
when it's working, tell the people about hey guys I did start
from OpenBSD and did this and that to improve the distribution
security, how about using it now since it works and it's a real
friendly license ?

I do not think thus that adding signing to sources will help
that much and if it does, the openbsd devs will do it if it's
really a good thing (openbsd, openssh.. those guys fucking
know what they are doing man..)

Signing the hashes could help but you do know very few
people are really going to check those.

And when you do binary installation, you have hashes of the
packages (source and binary) that are used and automatically
checked when using ports. This is good because it is systematic
and automated. But the problem of trust remains : a signature
proves nothing. It just tells you that a package is indeed
signed by someone you probably don't personally know and you
should ask yourself if you trust him/her.

And if it comes to a trust problem, well don't use it.
History did prove them right and serious and that's enough
for me.

And I trust my backups first or before anything else.

-- 
unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ;
yes ; fsck ; umount ; sleep



Re: Code signing in OpenBSD

2007-12-05 Thread STeve Andre'
On Wednesday 05 December 2007 18:22:19 Claus Assmann wrote:
> On Wed, Dec 05, 2007, STeve Andre' wrote:
> > Yes, one can dismiss the benefits.  Think about what an MD5 (or any
> > other cryptographic) checksum means.  If the OpenBSD site publishes
> > that list, how does something more complicated help?
> >
> > Answer: it doesn't.
>
> Wrong.
>
> If someone cracks a website, then he can put up a modified binary
> and a modified MD5 checksum. Creating a (digital) signature (with
> the right key) is significantly more complex.
>
> Using CDs to distribute the code makes the attack of course rather
> complicated.
>
> Someone actually did the former with sendmail.org (to distribute a
> version of sendmail with a backdoor).  The problem was only noted
> because users checked the (digital) signature.

You know, you're descending into a recursive loop of if, if, if... and
it never ends.  OF COURSE if someone breaks into the site they could
do things--once you've lost control of your site all bets are off.  I dare
say that someone breaking into a site might find all the appropriate
tools to re-sign things, too, and do the spoof that way.

--STeve Andre'



Re: A question about pecl install fileinfo

2007-12-05 Thread Vijay Sankar
A good night's sleep did the trick. Probably this is common knowledge but no 
amount of searching for the error messages when I did pecl install fileinfo 
gave me useful results. Anyways, if there is anyone who has had problems 
installing horde on OpenBSD as a result of fileinfo not being available, here 
is a quick note. Hope this is useful info.

To install fileinfo on OpenBSD 4.2, I had to do the following:

1) Install libmagic, autoconf, libtool from packages
2) export PHP_AUTOCONF=autoconf-2.59
3) export PHP_AUTOHEADER=autoheader-2.59
4) download from http://pecl.php.net/get/Fileinfo-1.0.4.tgz
5) tar xvzf Fileinfo-1.0.4.tgz
6) cd Fileinfo-1.0.4
7) /usr/local/bin/phpize
8) ./configure && make && make install
9) edit php.ini and add extension=fileinfo.so
10) restart httpd

-- 
Vijay Sankar, M.Eng., P.Eng.
President & CEO
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]



Re: Code signing in OpenBSD

2007-12-05 Thread Tony Abernethy
bofh wrote:
> On Dec 5, 2007 7:15 PM, Tony Abernethy [EMAIL PROTECTED] wrote:
> > Claus Assmann wrote:
> >
> > > Wrong.
> >
> > > If someone cracks a website, then he can put up a modified binary
> > > and a modified MD5 checksum.
> >
> > This is silly. You mean that you get the checksums and the
> > associated binaries from the *SAME* website?
> >
> You're probably being sarcastic, but in the case of the master site,
> it doesn't matter, because all the slaves probably rsync from the
> master anyway.

You know something is wrong when the checksum changes when
the files have not changed ;-)
>
>
> --
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> This officer's men seem to follow him merely out of idle curiosity.
> -- Sandhurst officer cadet evaluation.
> Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted.  -- Gene Spafford



Re: Code signing in OpenBSD

2007-12-05 Thread bofh
But, my god, you're asking people to do actual work?  Goddamn it, you
aren't doing your bit to improve the ease of use of people using
openbsd.  Where's the one click gui to install everything that I want
(but only what I want and nothing more!)?  It is positively
embarrassing that I have to use a text based installer when my linux
lusing friends can use a mouse and click install (never mind that I
get it done in a quarter of the time they do - but they have a pretty
gui, and it's even skinnable)

Why, I tell you, if you can just make openbsd more like windows,
you'll get a lot more users  Don't you care about
market share?  (Cue Theo's story about the VC who tried to dotcom-ize
openbsd :-))

Oh, by the way, can I have some dancing girls to come hold my hands as
I install it.

Maybe the faq needs a prequel in front of it - if you are not willing
to do the work, don't use openbsd.

Tongue in cheek

On 12/5/07, Marco Peereboom [EMAIL PROTECTED] wrote:
> blah blah blah
>
> have you ever wondered why openbsd doesn't do binary updates?
>
> maybe you are now going to be able to figure out why we don't need
> complex signing mechanisms.
>
> On Wed, Dec 05, 2007 at 06:46:01PM +, Rui Miguel Silva Seabra wrote:
> > On Wed, Dec 05, 2007 at 11:59:31AM -0500, Nick Guenther wrote:
> > > > I'm surprised that OpenBSD (the most secure OS I know of)
> > > > does not use it, that's all I'm saying. I also thought there would be
> a real
> > > > reason for not doing so and there may in fact be and I may just be
> unaware
> > > > of it.
> >
> > > OpenBSD is the most secure OS, the devs know what they are doing.. and
> > > they've rejected this as unnecessary.
> >
> > I don't see what is the problem with blessing a fingerprint of the
> > binaries with a PKI signature, which would mean that *these* are the
> > binaries the devs intended to release.
> >
> > Come on... twice a year and get the benefit of not being excluded from
> > company policies which require digital signature of software downloaded
> > through the internet.
> >
> > > You can check the MD5 files for the main distribution, and for
> > > packages.. well the official OpenBSD mirrors are all trustworthy--if
> > > they aren't, it will be discovered and they will no longer be official
> > > mirrors.
> > > This isn't a great answer, I know.
> >
> > Definitely not a great answer, as there are vectors of attack which
> > cover the client accessing the mirror and not the mirror in itself, like
> > changing on-the-fly the md5sums to match the bad binaries, etc...
> >
> > A digital signature would enable the non-repudiation of the fingerprints
> > file (at least), giving a moderate level of assurance that attack
> > vectors would have to concentrate on upstream development servers (where
> > the devs *really* know what they are doing).
> >
> > Rui
> >
> > --
> > Hail Eris!
> > Today is Prickle-Prickle, the 47th day of The Aftermath in the YOLD 3173
> > + No matter how much you do, you never do enough -- unknown
> > + Whatever you do will be insignificant,
> > | but it is very important that you do it -- Gandhi
> > + So let's do it...?




-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford



Re: Code signing in OpenBSD

2007-12-05 Thread Linus Swälas

On Thu, 06 Dec 2007 02:35:38 +0100, Gilbert Fernandes
[EMAIL PROTECTED] wrote:

> Signing the hashes could help but you do know very few
> people are really going to check those.

Or you pull the MD5s from another source than your packages,
not bloody likely that the two different sites you've selected
for download have both been hacked.
This does not protect against the master site being owned though,
though I guess that'd be noticed and announced.

Easy thing is to use the CDs though, just as people have already
stated. =)



--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
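Linus' suggestion above, pulling the MD5 list from a second site and refusing the package unless both sites agree, as an added example that is not part of the thread (the package name, contents and hash lists are all constructed): a small Python checker that parses OpenBSD-style `MD5 (file) = digest` lines and shows that a same-site swap of binary and checksum passes a single-source check but is caught when an independent second list disagrees.

```python
import hashlib
import re

# OpenBSD-style hash list lines look like "MD5 (base42.tgz) = <hex digest>".
# Every file name, file content and hash list below is constructed sample data.
HASH_LINE = re.compile(r"^(MD5|SHA256) \((.+)\) = ([0-9a-f]+)$")


def parse_hash_list(text):
    """Parse 'ALGO (name) = hexdigest' lines into {name: (algo, digest)}."""
    entries = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            entries[name] = (algo.lower(), digest.lower())
    return entries


def verify_file(name, data, hash_lists):
    """Return 'ok', 'mismatch', 'sources-disagree' or 'missing'.

    hash_lists holds the hash-list texts fetched from independent sites; the
    file passes only if every list agrees on the digest and the data matches.
    """
    published = [parse_hash_list(text).get(name) for text in hash_lists]
    if any(entry is None for entry in published):
        return "missing"
    if len(set(published)) != 1:
        return "sources-disagree"
    algo, expected = published[0]
    actual = hashlib.new(algo, data).hexdigest()
    return "ok" if actual == expected else "mismatch"


# Constructed scenario: the genuine package and the hash list that an
# untouched second mirror still serves for it.
GENUINE = b"genuine package contents\n"
MIRROR_B_LIST = "MD5 (pkg.tgz) = " + hashlib.md5(GENUINE).hexdigest() + "\n"

# The compromised site serves a modified package *and* a matching hash list,
# the case Claus describes earlier in the thread.
TAMPERED = b"modified package contents\n"
MIRROR_A_LIST = "MD5 (pkg.tgz) = " + hashlib.md5(TAMPERED).hexdigest() + "\n"


def single_source_check():
    # Package and hash list both from the compromised site: the swap passes.
    return verify_file("pkg.tgz", TAMPERED, [MIRROR_A_LIST])


def two_source_check():
    # Adding the independent mirror's list exposes the disagreement.
    return verify_file("pkg.tgz", TAMPERED, [MIRROR_A_LIST, MIRROR_B_LIST])
```

The second list does not tell you which site is honest, only that the two disagree, which is exactly the signal Linus expects to be "noticed and announced".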



Re: more unimplemented commands in azalia driver

2007-12-05 Thread Deanna Phillips
Rob Lytle writes:

> It is giving the sound card commands it can't recognize:
>
> sound_open_for_read: sndopen: setinfo failed: m   and
> sound_open_for_write: sndopen: setinfo failed: m

Is that really the error message?  What a horrible error
message.

The program is probably trying to use an unsupported sample
rate. If there are options that allow you to set the sample
rate, try either 44100 or 48000 Hz.



Re: Code signing in OpenBSD

2007-12-05 Thread Gilbert Fernandes
On Thu, Dec 06, 2007 at 04:03:48AM +0100, Linus Swälas wrote:

> Or you pull the MD5s from another source than your packages,
> not bloody likely that the two different sites you've selected
> for download have both been hacked.
> This does not protect against the master site being owned though,
> though I guess that'd be noticed and announced.

Having this being the default on ports could be a good
thing perhaps. The script would download the package
from an FTP and hashes from another one. But the hashes
are already stored inside the folder of the package on the
ports.. so to what use?

Sources that get downloaded are hashed and the value compared
to the one stored by the package maintainer.

And you have to trust this person to be serious. And even
if he is, if he grabs the latest version of sources for XYZ
and those have a hole that is not published (it is far, far easier
to use tools to check sources for potential holes to use rather
than go hack their repositories...) that won't change anything.

Security is a link as Bruce Schneier explained, and it will
break at its weakest point. And if it breaks anywhere, the
whole thing can go down.

Thus, security is a constant process. You select a good
quality operating system (a BSD for example) and you don't
install anything on it eyes closed. And you do backups.
And you store them in a media not connected to anything.
And you use various tools to check everything (firewall,
rootkit checker, arp tool, etc. etc. ad nauseam).

It's really an education.

And if you are cautious with backups and make it part
of your current life, when shit happens you have solutions.

And if shit can happen, it will.. :)

-- 
unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ;
yes ; fsck ; umount ; sleep



Re: Code signing in OpenBSD

2007-12-05 Thread Claus Assmann
On Wed, Dec 05, 2007, STeve Andre' wrote:
> On Wednesday 05 December 2007 18:22:19 Claus Assmann wrote:
>
> > Someone actually did the former with sendmail.org (to distribute a
> > version of sendmail with a backdoor).  The problem was only noted
> > because users checked the (digital) signature.
>
> You know, you're descending into a recursive loop of if, if, if... and
> it never ends.  OF COURSE if someone breaks into the site they could
> do things--once you've lost control of your site all bets are off.  I dare

Hmm, did you read what I wrote?

The breakin was detected due to the digital signature.


Anyway, it's obviously up to the OpenBSD developers what they do.



Re: Code signing in OpenBSD

2007-12-05 Thread Lars Hansson
On Dec 6, 2007 2:46 AM, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
> Come on... twice a year and get the benefit of not being excluded from
> company policies which require digital signature of software downloaded
> through the internet.

It's not really OpenBSD's problem that some companies implement pointless
security policies.

---
Lars Hansson



Re: PCMCIA card Reader...

2007-12-05 Thread Mayuresh Kathe
On Dec 6, 2007 4:52 AM, Steve Shockley [EMAIL PROTECTED] wrote:
> Mayuresh Kathe wrote:
> > Will the product at the following link work under OpenBSD?
> > http://www.synchrotech.com/products/card-rw_06_p111_p222_elan_pcmcia_pc-card_reader_slot.html
>
> I haven't actually tried it, but their web site says it uses the TI
> PCI-1420 PCI-Cardbus bridge, and OpenBSD appears to support that bridge.
>
> With that said, you'd have to have a pretty special PCMCIA/Cardbus
> device to make using a bridge in a desktop worthwhile.  I'd think most
> of the Cardbus cards you could plug in would be available in PCI or USB
> for less than $75.

Thanks for the reply.

I'm primarily buying this so that I can help Felix Kronlage test out
various data cards under OpenBSD.

Buying a $75 PCMCIA reader would certainly turn out to be cheaper than
investing money in a $800 laptop :-)

Best,

~Mayuresh



Re: OpenBSD mentioned in Bruce Schneier interview

2007-12-05 Thread Ioan Nemes
> ...  hibernation modes are readily available.

Lars, you misspelled this, `available` = sucks!

Ioan



>>> Lars Noodén [EMAIL PROTECTED] 05/12/2007 11:40 >>>
OpenBSD gets a short mention in a blog:

Q:
... why in the world can't we design a computer that can
"cold boot" nearly instantaneously? I know about
hibernation, etc., but when I do have to reboot, I hate
waiting those three or four minutes.

Schneier:
Of course we can; Amiga was a fast booting computer,
and OpenBSD boxes boot in less than a minute. But the
current crop of major operating systems just don't.
This is an economics blog, so you tell me: why don't
the computer companies compete on boot-speed?

http://freakonomics.blogs.nytimes.com/2007/12/04/bruce-schneier-blazes-through-your-questions/


It's interesting that the issue of why a computer must be cold booted is
not brought up, especially in the day and age where hibernation modes
are readily available.  Perhaps, the interviewer is a victim of the
Microsoft effect.

-Lars









Re: Code signing in OpenBSD

2007-12-05 Thread Otto Moerbeek
On Wed, Dec 05, 2007 at 07:02:03PM -0800, Claus Assmann wrote:

> On Wed, Dec 05, 2007, STeve Andre' wrote:
> > On Wednesday 05 December 2007 18:22:19 Claus Assmann wrote:
> >
> > > Someone actually did the former with sendmail.org (to distribute a
> > > version of sendmail with a backdoor).  The problem was only noted
> > > because users checked the (digital) signature.
> >
> > You know, you're descending into a recursive loop of if, if, if... and
> > it never ends.  OF COURSE if someone breaks into the site they could
> > do things--once you've lost control of your site all bets are off.  I dare
>
>
> Hmm, did you read what I wrote?
>
> The breakin was detected due to the digital signature.
>
>
> Anyway, it's obviously up to the OpenBSD developers what they do.

Code signing has its use, but it does not come for free. It's quite
involved. As always, the key problem is key management, not the
signing itself.

As an illustration, read what I wrote when similar questions came up 5
years ago, and don't forget Dug Song's answer to my post.

http://marc.info/?l=openbsd-misc&m=103769360002468&w=2

-Otto



Re: more unimplemented commands in azalia driver

2007-12-05 Thread Jacob Meuser
On Wed, Dec 05, 2007 at 05:27:31PM -0800, Rob Lytle wrote:
> Hi,
>
> I was trying to use the gmfsk digital radio communication program with
> azalia but ran into some snags.
>
> It is giving the sound card commands it can't recognize:
>
> sound_open_for_read: sndopen: setinfo failed: m   and
> sound_open_for_write: sndopen: setinfo failed: m
>
> Gmfsk uses /dev/audio.  I assume those are OSS commands.

you assume incorrectly.  gmfsk doesn't use OSS.

gmfsk uses 8000Hz sampling rates by default, which probably doesn't work
with some (most) azalia(4) codecs.

Settings->Preferences->Devices->Sound->Requested sample rate->48000

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org