Re: encryption

2009-08-27 Thread Otto Moerbeek
On Wed, Aug 26, 2009 at 09:46:11PM -0400, My List Mail wrote:

 Been waiting for a while to see some current encryption added to
 openbsd. Surprised it has not been already, and frankly find it weak
 that the 'world's most secure OS' does not have current encryption. Why
 is this?
 
 I use vnconfig for encryption, which uses Blowfish. Blowfish is old,
 early 1990's. 64-bit block size. I realize there is no known
 cryptanalysis of it out in the public domain. But I would feel safer
 using AES (Rijndael), Serpent, or Twofish. Something with a 128-bit
 block size (and 256-bit key). Something that is recommended and in use
 as a current standard. Even Bruce Schneier, Blowfish's creator, has
 recommended that a stronger cipher be used.
 
 At this point, though, I'm amazed it's still being used. If people
 ask, I recommend Twofish instead.
 from
 http://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful?pp=1&fp=4194304&fpid=1
 on page 3 of article
 
 He also recently blogged about some attacks on AES, although none are
 effective against all 14 rounds
 
 What cipher is used to protect confidential information on the SECRET
 and TOP SECRET levels? It's not Blowfish, it's AES-256.
 
 I love OpenBSD, been using it since 3.3. Bought my 3.6 CD set and a
 few t-shirts to support the project (Was surprised to read recently
 that t-shirts do not directly support the project. Something else that
 needs to be fixed. I know I'll buy more t-shirts, but CD sets are
 doubtful) Tried to donate some old mac ppc hardware to support the
 project, but never got a response from developers. I want to continue
 using it and supporting it. But the operating system that is so
 focused on security needs some cipher updates. Options for people to
 choose from, not just old blowfish.
 
 I am writing this because I am torn. On one end is the OS I love, am
 familiar with, and which includes so many great security features by
 default. On the other end is this concern about encryption and
 openbsd's lack of it. I am considering using any linux flavor, because
 they all support AES (Rijndael) as well as the most popular
 finalists for AES, like Serpent and Twofish. I want to use OpenBSD,
 but need to use the AES cipher. I do not feel safe with just blowfish.
 Blowfish just does not 'cut it'.
 
 Please update the OS to include these new encryption standards.
 
 If someone can explain why openbsd still only uses blowfish, after all
 this time, that would be helpful too. If this is the case, it is time
 for me to look for a secure operating system. Something with ciphers
 that are current, relevant, and still recommended for use.
 
 J-BSD

If you feel so strongly this is needed, get involved.

-Otto



Re: bgpd q

2009-08-27 Thread Claudio Jeker
On Wed, Aug 26, 2009 at 01:00:05PM +0300, Gregory Edigarov wrote:
 Hi,
 
 Could I rewrite as-paths in bgpd? I.e. if I have an incoming as-path
 like this:
 
 1 2 3 3 3 3 3 3 3 3 4 
 
 and would like for some reason to rewrite it like: 1 2 3 4, or 
 1 2 3 3 4, can I do this? 
 

No. You're not allowed to change path elements. You're only allowed to
prepend elements. Adding such an option would break bgp routing on a
global scale.

-- 
:wq Claudio



Re: encryption

2009-08-27 Thread Stuart Henderson
On 2009-08-27, My List Mail emaillistem...@gmail.com wrote:
 I use vnconfig for encryption, which uses Blowfish.

softraid(4) crypto uses AES.



[pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic

I am new to pf configuration and I am curious if it is possible to add
some host into a table in firewall rules if some conditions are met (not
if they are broken). I was thinking about some way to prevent port
scanning of my machine, and what came to me as the obvious way to do it is
this (in some pseudocode):

block all communication with bad_guys
allow all communication with good_guys

allow any communication with my open port and put ip in good_guys table
block sending any rst packet from me and put ip in bad_guys table /*
somebody tried to connect to non-open port */


/* more criteria to remove someone from good_guys and put in bad_guys,
according to connection rate, etc */

Anyway, when I tried to code this into pf rules I discovered that I can't
put a host into a table according to a positive condition. Is there some
workaround for this, or maybe some better/smarter way to achieve the
same thing I want to achieve?


Regards,
Ivan

P.S.
I am using pf on FreeBSD 7.2
I don't know how to check for pf's version - tag in source file is
/* add: $OpenBSD: pf.c,v 1.559 2007/09/18 18:45:59 markus Exp $ */



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Girish Venkatachalam
On Thu, Aug 27, 2009 at 4:32 PM, Ivan Radovanovicriv...@gmail.com wrote:
 I am new to pf configuration and I am curious if it is possible to add
 some host into a table in firewall rules if some conditions are met (not
 if they are broken). I was thinking about some way to prevent port
 scanning of my machine, and what came to me as the obvious way to do it is
 this (in some pseudocode):

 block all communication with bad_guys
 allow all communication with good_guys

 allow any communication with my open port and put ip in good_guys table
 block sending any rst packet from me and put ip in bad_guys table /*
 somebody tried to connect to non-open port */


 /* more criteria to remove someone from good_guys and put in bad_guys,
 according to connection rate, etc */

 Anyway, when I tried to code this into pf rules I discovered that I can't
 put a host into a table according to a positive condition. Is there some
 workaround for this, or maybe some better/smarter way to achieve the same
 thing I want to achieve?

Please read up on pf(4) anchors.

And also on connection overloads in pf.conf(5).
Stuff like max-conn-rate and so on.

You already said you know about pf(4) tables. You need to populate the tables
based on different criteria. I know that connection overload is one.

You should be able to define other conditions to populate the tables.

And you can use anchors along with tables, define conditions and get
what you want.

I hope I have not left out anything important.

Best of luck.

-Girish
-- 
Gayatri Hitech
web: http://gayatri-hitech.com

SpamCheetah Spam filter:
http://spam-cheetah.com



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic

Girish Venkatachalam wrote:

Please read up on pf(4) anchors.

And also on connection overloads in pf.conf(5).
Stuff like max-conn-rate and so on.

You already said you know about pf(4) tables. You need to populate the tables
based on different criteria. I know that connection overload is one.

You should be able to define other conditions to populate the tables.

And you can use anchors along with tables, define conditions and get
what you want.

I hope I have not left out anything important.
  
Thanks for your response. If I understand you correctly, the pf kernel module 
actually supports operating with tables based on positive conditions (i.e. 
not only when a rule is broken, but also when a rule is true), and the way 
to define rules of that kind is using directly some of the IOCTLs documented 
in pf(4)? Please confirm if that is true, since I couldn't find that kind 
of functionality with pfctl(8) (I tried making conditions with 
max-src-conn-rate set to 0 with the idea that making one connection will 
break this rule so I could add the ip to a table that way, but pfctl(8) is too 
smart to accept rules with max-src-conn-rate set to 0)


Regards,
Ivan



Softraid crypto - stable in 4.6?

2009-08-27 Thread Robert
I read somewhere [1] on misc@ that softraid-crypto is still considered 
experimental.
Can one of the developers confirm that in 4.6 it will be safe to use it in 
production?


Actually I would like to use crypto on top of RAID 1 (both softraid) - 
good/bad idea?

(before anyone asks: backups are in place...)


regards,
Robert


[1] http://marc.info/?l=openbsd-misc&m=121574753906319&w=2



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Girish Venkatachalam
On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovicriv...@gmail.com wrote:
 Thanks for your response. If I understand you correctly, the pf kernel module
 actually supports operating with tables based on positive conditions (i.e. not
 only when a rule is broken, but also when a rule is true), and the way to define
 rules of that kind is using directly some of the IOCTLs documented in pf(4)?
 Please confirm if that is true, since I couldn't find that kind of
 functionality with pfctl(8) (I tried making conditions with
 max-src-conn-rate set to 0 with the idea that making one connection will break
 this rule so I could add the ip to a table that way, but pfctl(8) is too smart to
 accept rules with max-src-conn-rate set to 0)

There is no need to write any C code with pf(4) ioctls.

A simple pf.conf should get you what you want. What do you mean by
max-src-conn-rate set to zero?

I think you are needlessly complicating things. If your goal is to
send reset, then you can always do them with pf in a much more
straightforward manner.

set block-policy return bad-guys

Try to keep things simple.

-Girish
-- 
Gayatri Hitech
web: http://gayatri-hitech.com

SpamCheetah Spam filter:
http://spam-cheetah.com



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic

Girish Venkatachalam wrote:

On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovicriv...@gmail.com wrote:
  

Thanks for your response. If I understand you correctly, the pf kernel module
actually supports operating with tables based on positive conditions (i.e. not
only when a rule is broken, but also when a rule is true), and the way to define
rules of that kind is using directly some of the IOCTLs documented in pf(4)?
Please confirm if that is true, since I couldn't find that kind of
functionality with pfctl(8) (I tried making conditions with
max-src-conn-rate set to 0 with the idea that making one connection will break
this rule so I could add the ip to a table that way, but pfctl(8) is too smart to
accept rules with max-src-conn-rate set to 0)



There is no need to write any C code with pf(4) ioctls.

A simple pf.conf should get you what you want. What do you mean by
max-src-conn-rate set to zero?

I think you are needlessly complicating things. If your goal is to
send reset, then you can always do them with pf in a much more
straightforward manner.

set block-policy return bad-guys

Try to keep things simple.
  


I think you misunderstood me - what I want is to add a host to bad_guys if 
it tries to connect to some closed port on my machine - in that case I 
would like to intercept the RST and put the host in the bad_guys table - that is why 
I wrote


block sending any rst packet from me and put ip in bad_guys table 
/* somebody tried to connect to non-open port */


maybe an equivalent problem to this would be - how to add a host to the bad_guys 
table if it tries to connect to port 0? (That is probably one line in 
pf.conf if pfctl supports adding to a table on positive conditions - I am 
currently failing to find the way to achieve this)




tmux status bar

2009-08-27 Thread Daniel Bolgheroni
Hi misc@,

just noticed the status bar of tmux is gone with the latest snapshot. I 
didn't follow the cvs entries for a couple of days. Is this normal 
behaviour? My .tmux.conf is below:

--.tmux.conf--
set-option -g status-bg default
set-option -g status-fg black
set-option -g message-bg yellow
set-option -g message-fg black
set-option -g history-limit 32768

set-window-option -g main-pane-width 80
--

Any hints? Thank you.

--
Daniel Bolgheroni
FEI - Faculdade de Engenharia Industrial
http://www.dbolgheroni.eng.br/mykey

ASCII ribbon campaign ( )
 against HTML e-mail   X
  / \



Re: Authentication method fallback not working

2009-08-27 Thread Schöberle Dániel
 Hi,

 I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS
 authentication.  What I want is for the system to try the
 RADIUS server,
 and if it fails, fall back to the local password file.  In
 login.conf I have

 auth-defaults:auth=radius,passwd:radius-server=my.radius.server

 If the RADIUS server isn't there for whatever reason, the
 system doesn't
 fall back to password file authentication.  The same happens
 if I specify
 the methods the other way round: the RADIUS server is never
 tried even
 if the password-file-based login fails.

 I need to make sure that I can always log in even if the
 RADIUS server
 has gone away.  Is it possible to configure the system in this way?

 Thanks
 - Ian

Why not make a new login class for radius users and make yourself
backup users in the default class? Normally you'd log in with users from
the radius class and if that fails you'd use a user from the default class.
Of course, that way you'd have to use different login names for the
two classes.

Regards, Daniel.



Re: tmux status bar

2009-08-27 Thread Han Boetes
Daniel Bolgheroni wrote:
 just noticed the status bar of tmux is gone with the latest
 snapshot. I didn't follow the cvs entries for a couple of
 days. Is this normal behaviour?

Works fine here. Are you sure you ran make depend all or make
clean all? Otherwise changes in tmux.h won't propagate in
rebuilding all objects and you get funny behaviour.


# Han



Fully Automatic (network-based) Installation of OpenBSD?

2009-08-27 Thread Toni Mueller
Hi,

I dimly remember seeing a short thread flowing by that mentions
someone's hacks to bsd.rd to arrive at an installation system that
works w/o human intervention, but can't seem to find it anymore.

Pointers are greatly appreciated!


-- 
Kind regards,
--Toni++



Revista D August - Don't miss the new form of social info-entertainment. Just click on the cover

2009-08-27 Thread Revista D- Agosto09
Your mail service does not allow reading HTML;
please visit http://www.revistad.com.mx/06/
to see the content of this message.

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of edi06-RD.jpg]



Re: Automated service/daemon management

2009-08-27 Thread Toni Mueller
Hi,

On Tue, 09.06.2009 at 15:52:55 -0400, Bryan Allen b...@mirrorshades.net wrote:
 My suggestion would be to move all your services to run under runit or
 daemontools. You can manage both with Puppet. I'm not familiar with runit,
 really, but I've used daemontools for years, quite happily, on several
 platforms, including OpenBSD.

imho, runit is almost a drop-in replacement for daemontools, only
better (e.g. more powerful, and easier to handle).


Kind regards,
--Toni++



Funny T22 Freezes with 4.5

2009-08-27 Thread Johan SANCHEZ
Hi list,
I'm experiencing random freezes with a few fairly old T22 laptops.
I know those have crazy BIOSes with a few bugs.
I tried a jump at UKC then disabled the acpi with no effect.
I disabled the power management for cpu and pci bus with no more
luck.
I've been amused to discover at last boot the laptop is faster than
ever (no explanation yet) but I do have a really singular dmesg...

# dmesg|grep cpu 
cpu0: Intel Pentium III (GenuineIntel 686-class) 186 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu0 at mainbus0: (uniprocessor)

Nope this is not a troll with modified frequency :))

# time dd if=/dev/zero of=/dev/null bs=1k count=1024
1024+0 records in
1024+0 records out
1048576 bytes transferred in 0.004 secs (239237052 bytes/sec)
0m0.17s real 0m0.00s user 0m0.00s system

So do not expect something serious with a peecee :)
Cheers



Re: tmux status bar

2009-08-27 Thread Nicholas Marriott
Hi

On Thu, Aug 27, 2009 at 11:00:54AM +, Daniel Bolgheroni wrote:
 Hi misc@,
 
 just noticed the status bar of tmux is gone with the latest snapshot. I 
 didn't follow the cvs entries for a couple of days. Is this normal 
 behaviour? My .tmux.conf is below:
 
 --.tmux.conf--
 set-option -g status-bg default
 set-option -g status-fg black

This is probably because the behaviour changed a while ago so reverse is no
longer in the default status-attr and message-attr, so this now sets the
colours to black on black.

Change these and it should be fine (I guess you want green on black?).

 set-option -g message-bg yellow
 set-option -g message-fg black
 set-option -g history-limit 32768
 
 set-window-option -g main-pane-width 80
 --
 
 Any hints? Thank you.



Re: tmux status bar

2009-08-27 Thread Daniel Bolgheroni
On Thu, 27 Aug 2009, Han Boetes wrote:

 Daniel Bolgheroni wrote:
  just noticed the status bar of tmux is gone with the latest
  snapshot. I didn't follow the cvs entries for a couple of
  days. Is this normal behaviour?
 
 Works fine here. Are you sure you ran make depend all or make
 clean all? Otherwise changes in tmux.h won't propagate in
 rebuilding all objects and you get funny behaviour.

I've installed from snapshots.

Thank you.

--
Daniel Bolgheroni
FEI - Faculdade de Engenharia Industrial
http://www.dbolgheroni.eng.br/mykey

ASCII ribbon campaign ( )
 against HTML e-mail   X
  / \



listserver test

2009-08-27 Thread stan
Sorry for the noise. My messages don't seem to be getting to the list.

-- 
One of the main causes of the fall of the roman empire was that, lacking
zero, they had no way to indicate successful termination of their C
programs.



mail issue

2009-08-27 Thread Stuart VanZee
I am using OpenBSD 4.5

When I try to use mail to send email from a user account I
get an error:

can not chdir(/var/spool/mqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

Searching for this, I have found in various places many different
explanations of why this is and quite a few different possible
fixes, but none of them seemed to work.  Sending mail from my
OpenBSD 4.4 box works fine.

I am sure I have just missed something.  Could someone point me
in the right direction?  Please let me know if there is any more
info that you need.

Stuart van Zee
stua...@datalinesys.com



SFTP - Max Users

2009-08-27 Thread Morris, Roy
G'day,
I searched around but couldn't find a simple answer to this
question. I want to host a sftp server and there could be
thousands of accounts, although not all used at once. I was
wondering if there is a limit to the number of user accounts
I can create on a machine? I had originally thought of using
a database for authentication but I don't see an easy way of doing
that on OpenBSD.

thanks
Roy



Re: a dump question

2009-08-27 Thread stan
On Thu, Aug 27, 2009 at 12:15:50PM -0400, stan wrote:
 I am still fighting with Amanda on 4.5. It seems to invoke dump as follows:
 
 /sbin/dump dump 0usf 1048576 - /dev/rwd0a
 
 Which results in the following error:
 
 $ /sbin/dump dump 0usf 1048576 - /dev/rwd0a | cat > /tmp/foo 
 dump: density is invalid [10 - 327670]
 
 As I understand this invocation from reading the man page, it should do a
 level 0 dump sending the dump to STDOUT, and assume the tape is 1048576
 feet long.
 
 Can anyone tell me why it is complaining about density?

Hmm, my bad.

Running:

/sbin/dump dump 0usf 1048576 - /dev/rwd0a > /dev/null

works fine. Not certain why sending it to a pipe caused a problem, but it
seems that it did.

-- 
One of the main causes of the fall of the roman empire was that, lacking
zero, they had no way to indicate successful termination of their C
programs.



Re: mail issue

2009-08-27 Thread John Cosimano
--- Stuart VanZee [Thu, Aug 27, 2009 at 11:55:39AM -0400]: --- 
 I am using OpenBSD 4.5
 
 When I try to use mail to send email from a user account I
 get an error:
 
 can not chdir(/var/spool/mqueue/): Permission denied
 Program mode requires special privileges, e.g., root or TrustedUser.

what are the filesystem permissions on /var/spool/mqueue and
/usr/libexec/sendmail/sendmail ?

what MUA are you using to send?



Re: mail issue

2009-08-27 Thread Stuart VanZee
 From: John Cosimano
 Sent: Thursday, August 27, 2009 1:41 PM
 To: Openbsd Misc (E-mail)
 Subject: Re: mail issue


 --- Stuart VanZee [Thu, Aug 27, 2009 at 11:55:39AM -0400]: ---
  I am using OpenBSD 4.5
 
  When I try to use mail to send email from a user account I
  get an error:
 
  can not chdir(/var/spool/mqueue/): Permission denied
  Program mode requires special privileges, e.g., root or TrustedUser.

 what are the filesystem permissions on /var/spool/mqueue and
 /usr/libexec/sendmail/sendmail ?

 what MUA are you using to send?



/var/spool/mqueue:

drwx--  2 root wheel512 Aug 27 13:38 mqueue

/usr/libexec/sendmail/sendmail:

-r-xr-sr-x  1 root  smmsp  634364 May 19 15:21 sendmail

I am using the mail command like I usually do like:

$ mail stua...@datalinesys.com

thanks.

s



Re: Fully Automatic (network-based) Installation of OpenBSD?

2009-08-27 Thread Soeren Aurehoej

Hi Toni

Is it this one you are thinking of?
http://nbender.com/install.netboot/install.html


Kind regards

Søren Aurehøj

On 27/08/2009 at 17.53 Toni Mueller wrote:


Hi,

I dimly remember seeing a short thread flowing by that mentions
someone's hacks to bsd.rd to arrive at an installation system that
works w/o human intervention, but can't seem to find it anymore.

Pointers are greatly appreciated!


--
Kind regards,
--Toni++




Re: encryption

2009-08-27 Thread pu

Brad Tilley wrote:

They still have mainframes.
Sure. And mainframes have very good encryption, see for example 
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP100810


-pu



Re: Softraid crypto - stable in 4.6?

2009-08-27 Thread Marco Peereboom
As long as you can deal with the limitations then it is fine.  The
really big one being unable to change the password.

Stacking RAID sets can be done but isn't a good idea.  We are debating
options but no decision has been made.

On Thu, Aug 27, 2009 at 01:59:58PM +0200, Robert wrote:
 I read somewhere [1] on misc@ that softraid-crypto is still considered  
 experimental.
 Can one of developers confirm that in 4.6 it will be safe to use it in  
 production?

 Actually I would like to use crypto on top of RAID 1 (both softraid) -  
 good/bad idea?
 (before anyone asks: backups are in place...)


 regards,
 Robert


 [1] http://marc.info/?l=openbsd-misc&m=121574753906319&w=2



Re: SFTP - Max Users

2009-08-27 Thread Robert
On Thu, 27 Aug 2009 13:23:18 -0400
Morris, Roy rmor...@internetsecure.com wrote:

 G'day,
 I searched around but couldn't find a simple answer to this
 question. I want to host a sftp server and there could be
 thousands of accounts, although not all used at once. I was
 wondering if there is a limit to the number of user accounts
 I can create on a machine? I had originally thought of using
 a database for authentication but I don't see an easy way of doing
 that on OpenBSD.
 
 thanks
 Roy

The number of local user accounts is limited by the available user ids.
Since that's a 16-bit limit and if you stick to the 'from uid 1000 up'
rule, that'd leave you with 64536 possible accounts.

- Robert



JenJOBS.com - Where Employers Jobseekers Win

2009-08-27 Thread JenJOBS.com

Please add customerserv...@jenjobs.net to your address book to ensure job
alerts
and updates are sent directly to your Inbox!


Dear Friend,

Whether you are an employer with a vacancy to advertise or a job seeker
looking for your first or next job, JenJOBS.com can help!

As part of the Jen Group and having over 18 years of experience in
recruiting, JenJOBS.com stands for convenience and speed. Classified job
advertisers will also enjoy FREE Classified job postings as well.

For the full list of benefits you will enjoy by using JenJOBS.com, please
visit www.jenjobs.com/benefits.

If you have any queries, drop us a line at customerserv...@jenjobs.com or
call Amy at 03-7952-8500.

To your success,
JenJOBS.com

p.s. Please feel free to forward this email to those you know who can
benefit from this. You can also drop us a line to remove your email
address from our mailing list.

If you do not wish to receive communications from JenJOBS.com, please
click here.

Copyright © JenJOBS.com 2009. All Rights Reserved.



Re: encryption

2009-08-27 Thread Brad Tilley
On Thu, Aug 27, 2009 at 2:22 PM, puuselpa.l...@gmail.com wrote:
 Brad Tilley wrote:

 They still have mainframes.

 Sure. And mainframes have very good encryption [snip]

Yes, my point exactly. Those mainframes *still* support plain, old
DES. Read the link you sent.



maybe OT 5 year anniversary of Chuck Yerkes death

2009-08-27 Thread Diana Eichert

I don't think it's off topic but others might.  I'm writing this post to
remember Chuck Yerkes, a long time contributor to the m...@openbsd list.
Chuck died 5 years ago today while riding his motorcycle.
http://web.archive.org/web/20041012235249/http://www.contracostatimes.com/mld/cctimes/news/9511974.htm
http://marc.theaimsgroup.com/?l=openbsd-misc&m=109385676632581&w=2

Just wanted to remember you Chuck, take it easy wherever you are.

diana



/dev in mfs permissions

2009-08-27 Thread Lars Nooden
I'm running OpenBSD 4.6-current (GENERIC) #125: Tue Aug 25 06:13:48 MDT
2009 on an i386 and notice that mfs seems different than earlier
versions.  What have I missed in mounting /dev ram using MFS?

From /etc/fstab:
  /dev/wd0a / ffs ro 1 1
  swap /dev mfs rw,-P=/templates/dev.base,-s=3000,-i=1024 0 0

From mount output:
  /dev/wd0a on / type ffs (local, read-only)
  mfs:7390 on /dev type mfs (asynchronous, local, size=3000 512-blocks)

Examples of unexpected behavior:

$  sudo -H -u torrent /usr/local/bin/btpd -d /var/torrents/ \
 -p 24556 --bw-out 100 --max-peers 10 \
 --logfile /var/log/btpd/bt.log
freopen of stdin failed (Permission denied).

$ cat /etc/fstab
cat: stdout: Bad file descriptor

Although 'cat' does not work, as seen above, 'less' does work.

Regards
-Lars



Re: encryption

2009-08-27 Thread pu

Brad Tilley wrote:

On Thu, Aug 27, 2009 at 2:22 PM, puuselpa.l...@gmail.com wrote:

Brad Tilley wrote:

They still have mainframes.

Sure. And mainframes have very good encryption [snip]


Yes, my point exactly. Those mainframes *still* support plain, old
DES. Read the link you sent.



Unless I misunderstood, you seem to imply that using a mainframe means 
you *need* to use weak encryption. That's wrong.


-pu



Re: Fully Automatic (network-based) Installation of OpenBSD?

2009-08-27 Thread Toni Mueller
Thank you both, Miod and Soeren - I think I was actually after the link
Soeren posted, but didn't think that it was that long ago already.

-- 
Kind regards,
--Toni++



Re: SFTP - Max Users

2009-08-27 Thread Morris, Roy
excellent thanks.

-Original Message-
From: Robert [mailto:rob...@openbsd.pap.st]
Sent: Thursday, August 27, 2009 2:53 PM
To: Morris, Roy
Cc: misc@openbsd.org
Subject: Re: SFTP - Max Users

On Thu, 27 Aug 2009 13:23:18 -0400
Morris, Roy rmor...@internetsecure.com wrote:

 G'day,
 I searched around but couldn't find a simple answer to this
 question. I want to host a sftp server and there could be
 thousands of accounts, although not all used at once. I was
 wondering if there is a limit to the number of user accounts
 I can create on a machine? I had originally thought of using
 a database for authentication but I don't see an easy way of doing
 that on OpenBSD.

 thanks
 Roy

The number of local user accounts is limited by the available user ids.
Since that's a 16-bit limit and if you stick to the 'from uid 1000 up'
rule, that'd leave you with 64536 possible accounts.

- Robert



rwho protocol and bridging

2009-08-27 Thread stan
I have two 4.5 machines functioning as a bridge between 2 physical locations.
I have the 4.6 rwhod daemon running on both.

I'm running the 4.6 version because it appears that the 4.5 version is a
listener only. All the machines at both ends (Linux, FreeBSD, HP-UX and
OpenBSD) are all running rwhod. 

The issue is that the machines can only see the ones at that location, and
not the ones at the other end. I am using bridge, and gif for my bridging.

Shouldn't the machine at each end be able to see the other end?

-- 
One of the main causes of the fall of the roman empire was that, lacking
zero, they had no way to indicate successful termination of their C
programs.



Re: Softraid crypto - stable in 4.6?

2009-08-27 Thread Robert

Those limitations are ok.

You said it isn't a good idea; is there a possibility for data loss or 
will it just be slow & an ugly hack?


So what would currently (4.6) be a sane way to have an encrypted disk 
mirrored?

(no hardware raid, except if someone gives me the hardware for free...)

* raidframe with softraid crypto on top
* softraid mirror with vnconfig -k on top
* something weird with ccd
* currently no solution

My goal is that if one disk dies then I would like to be able to 
shut down the system in a clean way and replace the broken disk, without 
having to restore everything from a backup.
Afaik this was not supported in 4.5; can a broken disk in (Soft-)Raid1 
be recovered in 4.6?



Marco Peereboom wrote:

As long as you can deal with the limitations then it is fine.  The
really big one being unable to change the password.

Stacking RAID sets can be done but isn't a good idea.  We are debating
options but no decision has been made.




Re: encryption

2009-08-27 Thread Brad Tilley
On Thu, Aug 27, 2009 at 3:35 PM, puuselpa.l...@gmail.com wrote:
 Unless I misunderstood, you seem to imply that using a mainframe means you
 *need* to use weak encryption. That's wrong.

Yes, you misunderstand. Financial institutions use DES today because
of backward compatibility. They've been using DES for roughly 20 years
now. Banks buy a lot of mainframes and keep them in service for many,
many years. That is why new mainframes today *still* do DES as the
lowest common denominator for symmetric encryption (their customers
have to have it). Sure, newer algos are supported as well, I realize
that. But DES is still there and still sees big use in that sector.
That's all I mean to point out to the OP who was berating Blowfish:
his ATM very likely uses DES or passes his financial data back to
systems that do... now do you see my point?

Brad



Re: SFTP - Max Users

2009-08-27 Thread Brynet
Robert wrote:
 The number of local user accounts is limited by the available user ids.
 Since that's a 16-bit limit and if you stick to the 'from uid 1000 up'
 rule, that'd leave you with 64536 possible accounts.

Hi,

That's wrong, uid_t and gid_t are 32-bit unsigned integers on at least i386.

./sys/_types.h:typedef  __uint32_t  __uid_t;/* user id */
./sys/types.h:typedef   __uid_t uid_t;  /* user id */
./sys/_types.h:typedef  __uint32_t  __gid_t;/* group id */
./sys/types.h:typedef   __gid_t gid_t;  /* group id */

SUS only says that uid_t and gid_t must be integer types, without
referring to signedness or size.

Hope that helps.

-Brynet



Re: /dev in mfs permissions

2009-08-27 Thread Philip Guenther
On Thu, Aug 27, 2009 at 12:20 PM, Lars Noodenlars.cura...@gmail.com wrote:
 I'm running OpenBSD 4.6-current (GENERIC) #125: Tue Aug 25 06:13:48 MDT
 2009 on an i386 and notice that mfs seems different than earlier
 versions.  What have I missed in mounting /dev ram using MFS?
...
 $ cat /etc/fstab
 cat: stdout: Bad file descriptor

That would seem to imply that stdout isn't actually open in your
shell.  So what's the output of
ls -ld / /dev /dev/stdout /dev/log

and what does
ktrace $SHELL -c 'echo' ; kdump

show for errors?



Sendmail and SMTPAuth

2009-08-27 Thread stupidmail4me
I know this topic has been touched on before but I have what I believe is a 
simple question.

Instead of creating a SASL password db and having to keep two password 
databases in check I want SASL to use OpenBSD's password file. There's no 
definitive answer so I want to try and put it out there.

In /usr/local/lib/sasl2/Sendmail.conf I would have pwcheck_method: saslauthd. 
This would tell Sendmail to use saslauthd to authenticate SMTP connections. I 
would start saslauthd with the -a getpwent flag to have it check not against a 
SASL password database but against the system database.

Are my assumptions correct?



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic

Iñigo Ortiz de Urbina wrote:
You could also take a look at the match, tag and tagged keywords in 
pf.conf.


Additionally, you may require parsing your custom logs (pflogN 
interfaces or binary logs in /var/log/) in order to populate your 
tables for use in the main ruleset or anchors.


Have a nice day,

Iñigo
Thank you so much for pointing me in the right direction - I wasn't 
aware of the /dev/pflog interface; I just wrote a simple program to sniff 
packets going through it and to add a host to the appropriate table if I don't 
like the activity I see there.


Thanks again,
Ivan

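As an added example (this is not Ivan's program and not part of the thread), a shell pipeline that does the same job from tcpdump's pflog output: it picks the source addresses of inbound blocked packets and builds the pfctl table-add commands. The table name "badhosts" and the sample pflog lines are constructed; the line format follows what `tcpdump -n -e -ttt -i pflog0` prints.

```shell
#!/bin/sh
# Added example: populate a pf table from pflog, instead of a custom sniffer.
# Assumes OpenBSD pf with "table <badhosts> persist" in pf.conf (hypothetical).
# Live use would be:
#   tcpdump -n -e -ttt -i pflog0 | blocked_sources | while read -r ip; do
#       pfctl -t badhosts -T add "$ip"; done

# Constructed sample in the format tcpdump prints for pflog.
SAMPLE_PFLOG='Aug 27 12:00:01.100000 rule 2/(match) block in on em0: 192.0.2.10.44321 > 203.0.113.5.22: S 1:1(0) win 65535
Aug 27 12:00:01.200000 rule 2/(match) block in on em0: 192.0.2.10.44322 > 203.0.113.5.22: S 1:1(0) win 65535
Aug 27 12:00:02.300000 rule 0/(match) pass in on em0: 198.51.100.7.51000 > 203.0.113.5.80: S 1:1(0) win 65535
Aug 27 12:00:03.400000 rule 2/(match) block out on em0: 203.0.113.5.40000 > 198.51.100.8.25: S 1:1(0) win 65535
Aug 27 12:00:04.500000 rule 2/(match) block in on em0: 198.51.100.9.3333 > 203.0.113.5.23: S 1:1(0) win 65535'

# Print each distinct source address of an inbound blocked packet, in order
# of first appearance. Only "block in" lines count; pass lines and outbound
# blocks (our own traffic) are ignored, and the ".port" suffix is stripped.
blocked_sources() {
    awk '/ block in on / {
            for (i = 1; i <= NF; i++)
                if ($i == ">") {               # source is the field before ">"
                    src = $(i - 1)
                    sub(/\.[0-9]+$/, "", src)  # drop trailing ".port"
                    if (!(src in seen)) { seen[src] = 1; print src }
                    break
                }
         }'
}

# Build the pfctl command for one address without running it, so the output
# can be reviewed (or logged) before it touches the live table.
add_cmd() {
    printf 'pfctl -t %s -T add %s\n' "$1" "$2"
}

# Demo on the constructed sample; pipe real tcpdump output instead.
printf '%s\n' "$SAMPLE_PFLOG" | blocked_sources | while read -r ip; do
    add_cmd badhosts "$ip"
done
```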


Re: SFTP - Max Users

2009-08-27 Thread Robert
On Thu, 27 Aug 2009 16:43:34 -0400
Brynet bry...@gmail.com wrote:

 Robert wrote:
  Number of local user accounts is limited by the available user
  id's. Since that's a 16 bit limit and if you stick to the 'from uid
  1000 up' rule, that'd leave you with 64536 possible accounts.
 
 Hi,
 
 That's wrong, uid_t and gid_t are 32-bit unsigned integers on at least
 i386.
 
 ./sys/_types.h:typedef  __uint32_t  __uid_t;/* user id */
 ./sys/types.h:typedef   __uid_t uid_t;  /* user id */
 ./sys/_types.h:typedef  __uint32_t  __gid_t;/* group id */
 ./sys/types.h:typedef   __gid_t gid_t;  /* group id */
 
 SUS only says that uid_t and gid_t must be integer types, without
 referring to signedness or size.
 
 Hope that helps.
 
 -Brynet

And here I was thinking about being limited to 256*256 uid's.
uid 123456 actually works.
The ugly part: now I have to find out where I got the 16-bit constraint from.

Thanks! :)

At least it still should take care of 'thousands of accounts'. ;)

- Robert



Re: SFTP - Max Users

2009-08-27 Thread Todd T. Fries
Not sure what unix you're running, over here, uid_t is 32bit.

Penned by Robert on 20090827 20:52.31, we have:
| On Thu, 27 Aug 2009 13:23:18 -0400
| Morris, Roy rmor...@internetsecure.com wrote:
| 
|  G'day,
|  I searched around but couldn't find a simple answer to this
|  question. I want to host a sftp server and there could be
|  thousands of accounts, although not all used at once. I was
|  wondering if there is a limit to the number of user accounts
|  I can create on a machine? I had originally thought of using
|  a database for authentication but I don't see an easy way of doing
|  that on OpenBSD.
|  
|  thanks
|  Roy
| 
| Number of local user accounts is limited by the available user id's.
| Since that's a 16 bit limit and if you stick to the 'from uid 1000 up'
| rule, that'd leave you with 64536 possible accounts.
| 
| - Robert

-- 
Todd Fries .. t...@fries.net

 _
| \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \  1.866.792.3418 (FAX)
| ..in support of free software solutions.  \  sip:freedae...@ekiga.net
| \  sip:4052279...@ekiga.net
 \\
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt



Re: /dev in mfs permissions

2009-08-27 Thread Stuart Henderson
On 2009-08-27, Lars Nooden lars.cura...@gmail.com wrote:
 I'm running OpenBSD 4.6-current (GENERIC) #125: Tue Aug 25 06:13:48 MDT
 2009 on an i386 and notice that mfs seems different than earlier
 versions.  What have I missed in mounting /dev ram using MFS?

 From /etc/fstab:
   /dev/wd0a / ffs ro 1 1
   swap /dev mfs rw,-P=/templates/dev.base,-s=3000,-i=1024 0 0

any errors at boot while populating the MFS with files from
/templates/dev.base?

how does df -hi look? I think with -s=3000 you're fairly close
if not over the edge. I use 4096 to give me enough inodes (1024
seems to be the lower bound actually used for -i).

if this is an upgrade, have you recreated the template directory
with a new MAKEDEV?



Re: tmux status bar

2009-08-27 Thread Daniel Bolgheroni
On Thu, 27 Aug 2009, Nicholas Marriott wrote:

 This is probably because the behaviour changed a while ago so reverse is no
 longer in the default status-attr and message-attr, so this now sets the
 colours to black on black.
 
 Change these it should be fine (I guess you want green on black?).

Actually did it, but forgot to restart the server. Working fine now. 

Thank you.

--
Daniel Bolgheroni
FEI - Faculdade de Engenharia Industrial
http://www.dbolgheroni.eng.br/mykey

ASCII ribbon campaign ( )
 against HTML e-mail   X
  / \



pppd

2009-08-27 Thread 4625

pppd: PPP device not available.

Why?

--
4625



Re: Funny T22 Freezes with 4.5

2009-08-27 Thread Nick Holland
Johan SANCHEZ wrote:
 Hi list,
 I'm experiencing random freezes with a few fairly old T22 laptops.
 I know those have a crazy BIOS with a few bugs.
 I tried a jump at UKC then disabled the acpi with no effect.
 I disabled the power management for cpu and pci bus with no more
 luck.

I think you are going down the wrong path here.

 I've been amused to discover at last boot the laptop is faster than
 ever (no explanation yet) but I do have a really singular dmesg...
 
 # dmesg|grep cpu 
 cpu0: Intel Pentium III (GenuineIntel 686-class) 186 MHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
 cpu0 at mainbus0: (uniprocessor)
 
 Nope this is not a troll with modified frequency :))

no, but it could be a troll with a snipped dmesg.

Some (at least) PIII-based IBM ThinkPads come up with really funny
processor speeds.  Don't sweat it, it has nothing to do with reality
(which is a bummer, 90% of the time, I wish it DID run at 200MHz for
battery life; it is only when I do something with a Mozilla product
that I wish it ran at full speed...plus an extra zero...)

I have a T2? laptop (t22? t23?  too lazy to go look, and your snipped
dmesg doesn't give me enough to figure out if yours is the same as
mine (and yes, it says something about my social life that I'd probably
recognize the dmesg more than the model number)).  My A21 systems run
fine on APM, but the T2? NEEDS to have APM disabled to use ACPI
instead, otherwise the thing runs WAY too hot.

IF you are having the same problem, I can easily see it locking up
WHEN it got too warm.  So instead of trying to force APM, try forcing
ACPI, see if it runs better.  You certainly don't want to be shutting
down power management completely, you need it to be working, and on
that thing, you seem to need it working perfectly.

Watching my T22 or T23 (whatever it is) running on ACPI was amazing --
the hw sensors were rather comprehensive, and you could watch the temp
drop as you could feel the thing cooling off...it was obviously MUCH
happier.

Nick.



Re: pppd

2009-08-27 Thread Philip Guenther
On Thu, Aug 27, 2009 at 6:59 PM, 46254625...@gmail.com wrote:
 pppd: PPP device not available.

 Why?

Hmm, I don't see that message in pppd on an OpenBSD 4.6 system.  Or
rather, I only see it in the source as the beginning of a much longer
message that describes what your next steps should be, so if that's
all you're seeing it's a bit of a mystery.  Posting dmesg and ifconfig
-a output may help.

Philip Guenther