Re: computer hangs after varying amount of data is received from network via ssh

[Robert Halberg]

On Wed, Oct 13, 2010 at 8:59 PM, Nick Holland
n...@holland-consulting.net wrote:

 On 10/13/10 17:25, Robert wrote:
  On Wed, 13 Oct 2010 16:55:18 -0400
  Ted Unangst ted.unan...@gmail.com wrote:
  can be done about it, and 10 year old quirky PC hardware doesn't
  attract a of interest...
 
  As long as it's on [1] I hope it does?
  I guess I'm not the only one who uses a Pentium 4 (or older stuff) for
  firewalls and other systems, since they are very cheap to buy and
  replace, and are more than sufficient (speed) for a lot of tasks.
 
  regards,
  Robert
 
  [1] http://www.openbsd.org/i386.html

 There are big differences between well-designed hardware, poorly
 designed and implemented hardware, hardware is working properly and
 hardware that is malfunctioning.

 A lot of hardware out there was tested with Windows-of-the-Day (and
 maybe the day before) and that's it.  Anything else it works with,
 great, but it was by luck, not design.

 A lot of early AMD stuff was junk.  I'm not talking about the AMD
 chips themselves, I'm talking about the REST of the computer.  I've got
 a few AMD K6 systems, and NONE of them can build from source at the
 rated speed with OpenBSD.  They'll run the OS just fine, but they can't
 build, giving sig11's at random places during the process.  Replace the
 RAM with stuff that has worked well in 133MHz bus machines, same thing.
  Slow down the bus speed, increase the multiplier, and suddenly they
 work fine.  I don't think that's an OpenBSD problem, and I really don't
 want developers fighting with that.  I have heard reports of these kinds
 of problems extending well into the Athlon days...


 In your case, though, yes, I'd look closely at your hardware.  Not sure
 why you have both a 150G disk and a 15G disk...double your chances of
 disk failure taking your system out...for 10% more storage.  I also see
 re2 is on irq12.  That's the PS/2 mouse IRQ.  Sure, you don't have a
 mouse on your machine, maybe you have the mouse port off in the
 BIOS...but I'd be completely unsurprised if your HW mfg screwed the
 pooch and didn't really disconnect the PS/2 hardware from IRQ
 controller, and that could be causing some of your issues there (twist
 knobs in the system BIOS, you can probably fix this).  And I'd not be
 surprised in the least if BOTH were problems for you...

 Nick.

Actually the same issue occurred previously when the only difference
was that I had configured re0 as the active interface.  I thought the
fact that it was using the same irq as pciide1 might be the source of
the issue.

Most recently, I have tried extracting the NIC in question.  The only
remaining NIC is now using irq 10 (along with pciide1.)  Similar
issues occurred.  I list here the output - similar sequences have been
listed many times, all values aside from c_bcount, c_skip, and
possibly cn vary.

pciide1:1:0: bus-master DMA error: missing interrupt, status=0x21
wd1a: device timeout writing fsbn 581104768 of 5811047680581104799
(wd1 bn 581184768; cn 576492 tn 13 sn 13), retrying
wd1(pciide1:1:0): timeout
type: ata
c_bcount: 16384
c_skip: 0

I am going to see if I can eliminate the old PATA drive and associated
controller / driver from the picture with hardware I have available.

--
Young man, in mathematics you don't understand things, you just get
used to them. - John von Neumann

Re: Force passwordcheck in login.conf

[Leif Blixt]

Brad Tilley brad at 16systems.com writes:

 
 I was experimenting with a program to meet PCI DSS 1.2 password length
 and content/complexity requirements and integrating it with login.conf
 for users who have shell access to OpenBSD systems. It seems to work as
 expected, but I wanted to run my configuration by misc.
 
 I appended the following two lines to the end of both default and staff
 in login.conf. Look OK?
 
 :passwordcheck=/path/to/program:\
 :passwordtries=0:
 
 I understand that it would be easy (and redundant) to use minpasswordlen
 to meet the length requirement, but it's easy to check that in the
 program itself.
 
 Brad
 
 


We are currently being reviewed for PCI DSS compliance, and the big problems
we have right now with the combination of PCI DSS and OpenBSD is the following
PCI DSS requirements:
8.5.12 Password history check - you may not use the last 4 passwords.
8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
automatically.
8.5.14 If 8.5.13 takes affect, the account must be locked for at least 30
minutes.

How have you addressed these requirements? I'm starting to think we need a
RADIUS solution, which seems a bit redundant working with OpenBSD...

Regards, Leif

Re: USB devices don't attach when urtw is under load

[Дмитрий Царьков]

On Thu, Oct 14, 2010 at 1:52 AM, Jacob Meuser jake...@sdf.lonestar.org
wrote:
 On Thu, Oct 14, 2010 at 12:33:34AM +0200, ??? ??? wrote:
 % ps -akx | grep usb
 B  B  8 ?? B DK B  B  B 0:00.26 (usbtask)
 B 7243 p1 B S+ B  B  B 0:00.01 grep usb
 % top -S -n 200 | grep usb
 B  B  8 root B  B  B -6 B  B 0 B  B 0K B  19M idle B  B  B usbsyn B  B 0:00
B 0.00% usbtask

 usbsyn - there's a synchronous usb transfer not finishing. B does this
 recover (i.e. usbtask thread is not waiting in usbsyn) when you remove
 the device?

After urtw device removal:

% top -S -n 200 | grep usb
8 root  1000K   19M sleep/0   usbtsk0:00  0.00% usbtask

Then, after some time (not immediately on plugging in) it reverts to:

% top -S -n 200 | grep usb
8 root  -600K   19M idle  usbsyn0:00  0.00% usbtask

 does this happen with all usb devices?

With the rest of devices everything is OK.

Actually I'm using this dongle because booting proccess stopped on
trying to attach the WiMax part on Intel Link 5150. While that device
is connected via MiniPCIe, the WiMax part connects to the USB bus, so
I think that could be somehow connected. In 4.7 there were no issues
with Intel device, and urtw was faulty, but didn't give these
problems.

B does it happen in all usb ports?

Yes. Regardless of usb port it attaches to the same EHCI hub and
behaves the same way.

Don't know whether it is somehow important or not, but power over usb
works for newly plugged devices that are not attached to the system.

--
Dmitrij D. Czarkoff

Urgent: Mise à jour de votre compte

[Service]

Mettre a jour votre Carte Credit en ligne


















Cher Client

Notre salutations Nous Vous Informons Que :Votre Carte Bancaire Sera suspendue
, pour la remarque d'un problC)me administratif .Pour proteger la votre et la
mettre a jour, Cliquez ici , et vous devez bien completer les informations
indiquC)es .Merci de votre confiance C  votre Banque

La Banque Postale Libre rC)ponse 83130 51049 ChClons en Champagne Cedex








Cliquez ici pour mettre a jour votre carte crC)dit.







ConformC)ment C  la loi du 6 janvier 1978, vous disposez d'un droit d'accC(s,
de rectification et d'opposition aux informations vous concernant lequel
s'exercera auprC(s de la Banque Postale. .

Re: Wireless Network GUI

[Dennis Davis]

On Wed, 13 Oct 2010, Christiano F. Haesbaert wrote:

 From: Christiano F. Haesbaert haesba...@haesbaert.org
 To: OpenBSD Questions misc@openbsd.org
 Date: Wed, 13 Oct 2010 17:17:16
 Subject: Re: Wireless Network GUI
 
 I use this silly script for wireless if someone is interested:
 
 http://github.com/haesbaert/scripts/blob/master/wifi

Pau Amaro-Seoane's wifiprobe script, posted to this mailing list in
2007, is useful.  See:

http://marc.info/?l=openbsd-miscm=119442609818795w=2

http://marc.info/?l=openbsd-miscm=119611252029773w=2

Also see the undeadly article from D. Adam Karin:

http://undeadly.org/cgi?action=articlesid=20071224164233

which is shows a useful method of connecting to known wireless
networks at boot time.

Here at work I can often see several available wireless connection
points.  So I've tweaked the above script to connect to the one with
the strongest signal.  Here's what I've run on my venerable T23
Thinkpad running OpenBSD4.7.  It's a shell archive.  Note you'll
need to make the /etc/rc.wireless script executable.


# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering sh file.  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#   netstart.diffs
#   rc.wireless
#   rc.wireless.conf
#
echo x - netstart.diffs
sed 's/^X//' netstart.diffs  'END-of-netstart.diffs'
X--- netstart.orig  Thu Mar 18 02:31:37 2010
X+++ netstart   Tue Aug 31 12:42:08 2010
X@@ -174,6 +174,12 @@
X # Re-read /etc/rc.conf
X . /etc/rc.conf
X 
X+# Wireless configuration, if present and known.
X+if [ -f /etc/rc.wireless -a -x /etc/rc.wireless \
X+ -a X$1 = Xautoboot ] ; then
X+  /etc/rc.wireless
X+fi
X+
X # If we were invoked with a list of interface names, just reconfigure these
X # interfaces (or bridges) and return.
X if [ $1x = autobootx ]; then
END-of-netstart.diffs
echo x - rc.wireless
sed 's/^X//' rc.wireless  'END-of-rc.wireless'
X#!/bin/sh
X
X# This script is executed by /etc/netstart when booting.  It
X# does the following:
X#
X# (1) extracts wifi card  DHCP parameters from
X# /etc/rc.wireless.conf
X#
X# (2) Performs a wifi scan looking for available wireless networks
X#
X# (3) Compares available wireless networks with those preconfigured
X# in /etc/rc.wireless.conf
X#
X# (4) Stores the details for any known network in /etc/hostname.if.
X# If there's more than one network, the one with the strongest
X# signal is chosen.
X#
X# This script can also be used in stand-alone mode,
X# /etc/rc.wireless followed by sh /etc/netstart {interface-name}.
X# So for removable wifi devices this script could form part of a
X# hotplugd script to connect to known wifi networks.
X
XIFS='  
X'
X
X# Commands we'll use.
Xcp=/bin/cp
Xecho=/bin/echo
Xifconfig=/sbin/ifconfig
Xmktemp=/usr/bin/mktemp
Xrm=/bin/rm
Xsed=/usr/bin/sed
Xsort=/usr/bin/sort
X
X# Make sure we have a configuration file...
XCONF=/etc/rc.wireless.conf
X[ -r $CONF ] || exit 1
X
X# ...that contains an interface name...
XIFNAME=$($sed -ne 's/^#wifi[[:space:]]IFNAME=\(.*\)$/\1/p' $CONF)
X[ -n $IFNAME ] || exit 1
X
X# ...that's plugged in.
X$ifconfig $IFNAME  /dev/null 21 || exit 1
X
X# Reset the wifi device if there's a command to do this.
XRESET=$($sed -ne 's/^#wifi[[:space:]]RESET=\(.*\)$/\1/p' $CONF)
X[ -n $RESET ]  { $ifconfig $IFNAME $RESET  /dev/null 21; }
X
X# If present, note the wifi device's MAC address.  It isn't crucial
X# that we have this.
XMAC_ADDR=$($sed -ne 's/^#wifi[[:space:]]MAC_ADDR=\(.*\)$/\1/p' $CONF)
X
X# Set DHCP parameters.  Use default values if nothing is set in our
X# configuration file.
XDHCP=$($sed -ne 's/^#wifi[[:space:]]DHCP=\(.*\)$/\1/p' $CONF)
XDHCP=${DHCP:-dhcp NONE NONE NONE}
X
X# Delete any existing hostname.if file.
XHFILE=/etc/hostname.$IFNAME
X$rm -fP $HFILE
X
X# Temporary file.  Note the permissions (-rw---) on this file
X# are *exactly* as required.
XTFILE=$($mktemp)
X
X# Wireless scan picking out any access points known to us.
X$ifconfig $IFNAME scan | \
X$sed -ne 's/^.*\(..:..:..:..:..:..\) \([0-9]*\).*$/\1 \2/p' | \
Xwhile read MAC STRENGTH
Xdo
X. $CONF  {
X
XDATA=$STRENGTH 
X
X[ -n $NWID ]DATA=$DATA nwid \$NWID\
X
X[ -n $BSSID ]   DATA=$DATA bssid $BSSID
X
X[ -n $CHAN ]DATA=$DATA chan $CHAN
X
X[ -n $NWKEY ]   DATA=$DATA nwkey $NWKEY
X
X[ -n $WPAKEY ]  DATA=$DATA wpa wpask $WPAKEY
X
X$echo $DATA  $TFILE
X}
Xdone
X
X# Make sure our temporary file gets deleted.
Xtrap $rm -fP $TFILE; trap - EXIT ERR HUP INT TERM
X
X# Check we have at least one known access point.
X[ -s $TFILE ] || exit 0
X
X# Pick out the access point with the strongest signal.
XDATA=$($sort -n -r $TFILE | $sed -ne 's/^[0-9]* \(.*\)$/\1/p' -e 1q)
X
X# Finally set up our hostname.if file...
X$echo $DHCP $DATA  $TFILE
X
X# ...and copy it to the right place.
X[ -s $TFILE ]  $cp -p 

Re: Force passwordcheck in login.conf

[Brad Tilley]

Leif Blixt wrote:
 Brad Tilley brad at 16systems.com writes:
 
 I was experimenting with a program to meet PCI DSS 1.2 password length
 and content/complexity requirements and integrating it with login.conf
 for users who have shell access to OpenBSD systems. It seems to work as
 expected, but I wanted to run my configuration by misc.

 I appended the following two lines to the end of both default and staff
 in login.conf. Look OK?

 :passwordcheck=/path/to/program:\
 :passwordtries=0:

 I understand that it would be easy (and redundant) to use minpasswordlen
 to meet the length requirement, but it's easy to check that in the
 program itself.

 Brad


 
 
 We are currently being reviewed for PCI DSS compliance, and the big problems
 we have right now with the combination of PCI DSS and OpenBSD is the following
 PCI DSS requirements:
 8.5.12 Password history check - you may not use the last 4 passwords.
 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
 automatically.
 8.5.14 If 8.5.13 takes affect, the account must be locked for at least 30
 minutes.

I concluded the same for requirement 8. See my rough notes here. I plan
to add to that page as I do more testing:

http://16systems.com/OpenBSD/pci.html

 How have you addressed these requirements? I'm starting to think we need a
 RADIUS solution, which seems a bit redundant working with OpenBSD...
 
 Regards, Leif

RADIUS may do it if the backend can enforce those things (I don't know
enough about this to comment, but OpenLDAP may work). If that cannot do
it, read Appendix B of the PCI DSS carefully. They allow compensating
controls when the requirements cannot be followed precisely.

Brad

Re: Force passwordcheck in login.conf

[Brad Tilley]

Leif Blixt wrote:
 Hi!
 
 We have just figured out a different approach, and will discuss our new idea 
 with our QSA tomorrow. The idea is to completely turn of the possibility to 
 log in with passwords, and to use SSH key pairs with long and good 
 passphrases instead. It will lead to more work with administrating accounts 
 and there is a small problem on how to distribute the public key to all 
 servers, but we don't have to set up a RADIUS server just yet!
 
 I will let you know what the response from our QSA is.
 
 /Leif

Can you do that? I think local logon would still be an issue, at least
the way I read it. Anyone in front of the machine at a console would be
subject to the requirements.

Brad

Re: Force passwordcheck in login.conf

[Leif Blixt]

Well, I don't think so. You only need to logon to the console when you have
big problems, and we just have set a really long and complicated password for
the root user and stored it away for emergency use in a safe. You still have
the external shell protection by restricting who can access the server room.
All other users must use sudo anyway, so you don't need the root password on a
daily basis, and that's enough for PCI DSS.

/Leif

-Original Message-
From: Brad Tilley [mailto:b...@16systems.com]
Sent: den 14 oktober 2010 14:09
To: Leif Blixt; openbsd-misc
Subject: Re: Force passwordcheck in login.conf

Leif Blixt wrote:
 Hi!

 We have just figured out a different approach, and will discuss our new idea
with our QSA tomorrow. The idea is to completely turn of the possibility to
log in with passwords, and to use SSH key pairs with long and good passphrases
instead. It will lead to more work with administrating accounts and there is a
small problem on how to distribute the public key to all servers, but we don't
have to set up a RADIUS server just yet!

 I will let you know what the response from our QSA is.

 /Leif

Can you do that? I think local logon would still be an issue, at least
the way I read it. Anyone in front of the machine at a console would be
subject to the requirements.

Brad

Re: Force passwordcheck in login.conf

[Leif Blixt]

Hi!

We have just figured out a different approach, and will discuss our new idea
with our QSA tomorrow. The idea is to completely turn of the possibility to
log in with passwords, and to use SSH key pairs with long and good passphrases
instead. It will lead to more work with administrating accounts and there is a
small problem on how to distribute the public key to all servers, but we don't
have to set up a RADIUS server just yet!

I will let you know what the response from our QSA is.

/Leif

-Original Message-
From: Brad Tilley [mailto:b...@16systems.com]
Sent: den 14 oktober 2010 13:36
To: Leif Blixt; openbsd-misc
Subject: Re: Force passwordcheck in login.conf

Leif Blixt wrote:
 Brad Tilley brad at 16systems.com writes:

 I was experimenting with a program to meet PCI DSS 1.2 password length
 and content/complexity requirements and integrating it with login.conf
 for users who have shell access to OpenBSD systems. It seems to work as
 expected, but I wanted to run my configuration by misc.

 I appended the following two lines to the end of both default and staff
 in login.conf. Look OK?

 :passwordcheck=/path/to/program:\
 :passwordtries=0:

 I understand that it would be easy (and redundant) to use minpasswordlen
 to meet the length requirement, but it's easy to check that in the
 program itself.

 Brad




 We are currently being reviewed for PCI DSS compliance, and the big
problems
 we have right now with the combination of PCI DSS and OpenBSD is the
following
 PCI DSS requirements:
 8.5.12 Password history check - you may not use the last 4 passwords.
 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
 automatically.
 8.5.14 If 8.5.13 takes affect, the account must be locked for at least 30
 minutes.

I concluded the same for requirement 8. See my rough notes here. I plan
to add to that page as I do more testing:

http://16systems.com/OpenBSD/pci.html

 How have you addressed these requirements? I'm starting to think we need a
 RADIUS solution, which seems a bit redundant working with OpenBSD...

 Regards, Leif

RADIUS may do it if the backend can enforce those things (I don't know
enough about this to comment, but OpenLDAP may work). If that cannot do
it, read Appendix B of the PCI DSS carefully. They allow compensating
controls when the requirements cannot be followed precisely.

Brad

Re: which monitoring do you use (on OpenBSD)

[Toni Mueller]

Hi,

On Sat, 14.08.2010 at 23:49:49 -0700, Bryan Irvine sparcta...@gmail.com wrote:
 understand.  Also, the OP wanted something that he can run on OpenBSD
 and Zenoss runs on Linux.

hmmm from my perspective, Zenoss looks like an ordinary Zope
application, and should therefore run on OpenBSD as well.


Kind regards,
--Toni++

Re: Force passwordcheck in login.conf

[Brad Tilley]

Leif Blixt wrote:
 Well, I don't think so. You only need to logon to the console when you have 
 big problems, and we just have set a really long and complicated password for 
 the root user and stored it away for emergency use in a safe. You still have 
 the external shell protection by restricting who can access the server room. 
 All other users must use sudo anyway, so you don't need the root password on 
 a daily basis, and that's enough for PCI DSS.
 
 /Leif


Requirement 8.5 applies to non-consumer users and administrators I
would assume that means root at a local console. Let me know what your
QSA determines. It seems some of this is open to interpretation and
depends on the opinion of the QSA.

Brad


 -Original Message-
 From: Brad Tilley [mailto:b...@16systems.com] 
 Sent: den 14 oktober 2010 14:09
 To: Leif Blixt; openbsd-misc
 Subject: Re: Force passwordcheck in login.conf
 
 Leif Blixt wrote:
 Hi!

 We have just figured out a different approach, and will discuss our new idea 
 with our QSA tomorrow. The idea is to completely turn of the possibility to 
 log in with passwords, and to use SSH key pairs with long and good 
 passphrases instead. It will lead to more work with administrating accounts 
 and there is a small problem on how to distribute the public key to all 
 servers, but we don't have to set up a RADIUS server just yet!

 I will let you know what the response from our QSA is.

 /Leif
 
 Can you do that? I think local logon would still be an issue, at least
 the way I read it. Anyone in front of the machine at a console would be
 subject to the requirements.
 
 Brad

Re: Force passwordcheck in login.conf

[Joachim Schipper]

On Wed, Oct 13, 2010 at 09:09:29AM +, Leif Blixt wrote:
 Brad Tilley brad at 16systems.com writes:
 
  
  I was experimenting with a program to meet PCI DSS 1.2 password length
  and content/complexity requirements and integrating it with login.conf
  for users who have shell access to OpenBSD systems. It seems to work as
  expected, but I wanted to run my configuration by misc.
  
  I appended the following two lines to the end of both default and staff
  in login.conf. Look OK?
  
  :passwordcheck=/path/to/program:\
  :passwordtries=0:
  
  I understand that it would be easy (and redundant) to use minpasswordlen
  to meet the length requirement, but it's easy to check that in the
  program itself.
  
  Brad
  
  
 
 
 We are currently being reviewed for PCI DSS compliance, and the big problems
 we have right now with the combination of PCI DSS and OpenBSD is the following
 PCI DSS requirements:
 8.5.12 Password history check - you may not use the last 4 passwords.
 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
 automatically.
 8.5.14 If 8.5.13 takes affect, the account must be locked for at least 30
 minutes.
 
 How have you addressed these requirements? I'm starting to think we need a
 RADIUS solution, which seems a bit redundant working with OpenBSD...

Locking out accounts is actually fairly easy to do if you wrap
/usr/libexec/auth/login_whatever. Read the AUTHENTICATION section of
login.conf(5).

Joachim

Re: iked(8) and ikectl(8)

[Toni Mueller]

Hi,

On Thu, 03.06.2010 at 23:06:58 +0200, Reyk Floeter r...@openbsd.org wrote:
 IPsec.  In difference to isakmpd(8), which supports the ISAKMP/Oakley
 a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at
 present.  The IKEv2 protocol in RFC 4306 has been simplified and
 provides many benefits over ISAKMP/IKEv1.

this means...

(1) that only either iked OR isakmpd can run on one box?
(2) on one IP, but share the same box?

(3) or that iked has a dispatch mechanism to forward IKEv1 connections
to a bystanding isakmpd, and cooperate with it to allow for using both
types of connections on one IP?


My guess is that it's (1), but my preference would be (3), of course.


-- 
Kind regards,
--Toni++

FW: Force passwordcheck in login.conf

[Stuart VanZee]

For 8.5.12 see login.conf man page, look for passwordcheck.
You will have to write (or find) a program that keeps track
of previously used passwords.  I just stored a hash of them
in a file and have it check to see if the new password hash
matches any of the old 4 password hashes.

for 8.5.13 see login.conf man page, look for auth.  You will
(again) have to write a program that does this.  In this
case, you will be writing a new login authentication method.
I haven't figured out how to integrate this with ssh, but in
my case that doesn't apply as I disabled password login into
ssh and everyone uses keys.

Sadly, when I did all of this it was for work so the place I
work owns the code and I have not been given permission to
give that code away.  I wrote mine in python because I know
and understand python, but it could probably be done using
any language.

 s


 We are currently being reviewed for PCI DSS compliance, and
 the big problems
 we have right now with the combination of PCI DSS and OpenBSD
 is the following
 PCI DSS requirements:
 8.5.12 Password history check - you may not use the last 4
passwords.
 8.5.13 Lockout after 6 failed attempts - OpenBSD does not
 lock accounts
 automatically.
 8.5.14 If 8.5.13 takes affect, the account must be locked for
 at least 30
 minutes.

 How have you addressed these requirements? I'm starting to
 think we need a
 RADIUS solution, which seems a bit redundant working with OpenBSD...

 Regards, Leif

Re: FW: Force passwordcheck in login.conf

[Brad Tilley]

Stuart VanZee wrote:
 For 8.5.12 see login.conf man page, look for passwordcheck.
 You will have to write (or find) a program that keeps track
 of previously used passwords.  I just stored a hash of them
 in a file and have it check to see if the new password hash
 matches any of the old 4 password hashes.

I considered that as a possible solution as well, but it seems that
approach would weaken the security of the passwords, especially if you
just use an unsalted hash (md5 or sah1) to store them.

Brad

machine-dependent tweaks to /usr/src/etc

[Christopher Dukes]

On Wed, 2010-10-13 at 19:47 -0600, Theo de Raadt wrote:

 There has been talk about going thourgh /usr/src/etc and building
 machine-dependent (that means architecture-dependent for those of
 you who are not on The Team) variations for this.
 
 People who dug into this got scared and didn't finish. We'd be willing
 to look at things other people start for this... and then provide a
 long series of comments... if someone has the staying power...

Perhaps lower hanging fruit would be for those that regularly tweak /etc
to occasionally send in sanitized diffs against the originals with
comments as to why the changes were made.
Changes that appear for many people probably should eventually go into
the FAQ.

(Sorry, I don't have any tweaks...  4.7 required no tweaks outside of
turning on IP forwarding in /etc/sysctl.conf...)

Thanks,
Chris Dukes

Re: FW: Force passwordcheck in login.conf

[Bret S. Lambert]

On Thu, Oct 14, 2010 at 10:16:12AM -0400, Brad Tilley wrote:
 Stuart VanZee wrote:
  For 8.5.12 see login.conf man page, look for passwordcheck.
  You will have to write (or find) a program that keeps track
  of previously used passwords.  I just stored a hash of them
  in a file and have it check to see if the new password hash
  matches any of the old 4 password hashes.
 
 I considered that as a possible solution as well, but it seems that
 approach would weaken the security of the passwords, especially if you
 just use an unsalted hash (md5 or sah1) to store them.

You could use blowfish to store them; the code already exists
in the openbsd base. Storing multiple previous passwords has
always seemed gratuitous to me, but we're not discussing technical
merits, just technical solutions to management fiats...

 
 Brad

Cher Client de La Banque Postale : Attention! Votre Compte � ete limite!

[notification]

Les informations concernant votre compte:

Cher Client de La Banque Postale :

Attention! Votre Compte ` ete limite!

Dans le cadre de nos mesures de sicuriti, nous procedons regulierement `
la virification du bien jtre de nos clients .Postale d'apprendre
recemment Vous ont contacte apres avoir releve un probleme sur votre
Account.We demande des informations Aupres de vous pour la raison
suivante:

Notre systeme a detecte charges inhabituelles  une carte de credit liee `
votre Compte La Banque Postale.

Cliquez Ici pour activer votre compte

Cordialement,

La Banque Postale Email ID: 5138-8872

Departement de l'examen des comptes de La Banque Postale.

Le Corp Copyright 1999-2010 La Banque Postale. Tous droits reserves.

Re: computer hangs after varying amount of data is received from network via ssh

[Stuart Henderson]

On 2010-10-13, Robert Halberg robert.halb...@gmail.com wrote:
 bios0: vendor Award Software, Inc. version ASUS A7V-E ACPI BIOS
 Revision 1002D date 03/08/2001
 bios0: ASUSTeK Computer INC. A7V-E
 apm0 at bios0: Power Management spec V1.2 (BIOS management disabled)

You could try boot -c, disable apm and quit, preferably with
4.8 or -current. Might help, might not.

There are also newer bioses available, there's a chance they may help,
but there's also a chance you end up with a dead motherboard by attempting
to flash.

From what I remember some of those early VIA KT chipsets had
pretty broken PCI implementations...

Re: Force passwordcheck in login.conf

[Stuart Henderson]

On 2010-10-13, Brad Tilley b...@16systems.com wrote:
 Mark Romer wrote:
 use passwdqc  it is in packages.
 
 in login.conf under default I have:
 :minpasswordlen=12:\
 :login-tries=4:\
 :passwordtries=3:\
 :passwordcheck=/usr/local/libexec/passwdqc -3 12
 
 Mark

 I've heard complaints that it is too stringent (I tend to agree, no
 offense to Solar). PCI DSS 1.2 only requires numbers and alphabetic
 chars in the password. So, letmein123 meets the requirement.

See passwdqc.conf(5).

Re: Trouble with FTP install on virtual machine

[Hugo Osvaldo Barrera]

On 09/15/2010 07:33 PM, li...@telus.net wrote:
 I hope it's not inappropriate to ask about VM's in this forum. If anyone
 cares to offer some advice, here's what I'm having trouble with:
 
 I've created a virtual computer on Windows Hyper-V Server 2008 R2.
 I'm trying to install -current via FTP or HTTP. I can boot from either
 floppy48.fs or cd48.iso. The virtual NIC is detected as de0. Basic
 network functionality seems to be working. I can ping hosts by name,
 for example.
 
 I can proceed through the installation, partition the virtual disk and so
 on, until I get about this far:
 
 Location of sets? (cd disk ftp http or 'done') [cd] ftp
 HTTP/FTP proxy URL? (e.g. 'http://proxy:8800', or 'none') [none]
 Server? (hostname, list#, 'done' or '?') [ftp.OpenBSD.org] 
 ftp5.usa.openbsd.org
 Server directory? [pub/OpenBSD/snapshots/i386]
 Login? [anonymous]
 
 Select sets by entering a set name, a file name pattern or 'all'. De-select
 sets by prepending a '-' to the set name, file name pattern or 'all'. Selected
 sets are labelled '[X]'.
 [X] bsd[X] etc48.tgz  [X] game48.tgz [X] xfont48.tgz
 [X] bsd.rd [X] misc48.tgz [X] xbase48.tgz[X] xserv48.tgz
 [ ] bsd.mp [X] comp48.tgz [X] xect48.tgz
 [X] xbase48.tgz[X] man48.tgz  [X] xshare48.tgz
 Set names(s)? (or 'abort' or 'done') [done]
 bsd 7% |**| 677 KB - stalled -
 
 I've tried this with a few different mirrors. Sometimes it got a bit farther
 before stalling. Sometimes it times out completely. I'm guessing that the
 'legacy' virtual NIC (de0) is at fault, but I don't know what (if anything)
 I might do about it.
 
 I can see from searching online that other people have succeeded with
 OpenBSD on virtual machines. Has anyone here tried on a Hyper-V server?
 
 Any advice would be appreciated.
 
 Thanks,
 Richard Koett.
 

Have you tried install48.iso (which includes the sets)?  You should be
able to get OpenBSD installed correctly, one that's done, you can test
the network properly.

Re: snapshot packages?

[Jan Stary]

On Oct 14 15:18:49, frantisek holop wrote:
 hmm, on Thu, Oct 14, 2010 at 03:02:42PM +0200, Jan Stary said that
Snapshots and snapshot packages move forward all the time, unlike
your installed system.  If you have a system that provides
libcurses.so.10.0, and (a new version of) a package comes out that
requires libcurses.so.11.0, there is simply no way to upgrade the
package, because your system does not meet the package's requirements.
That's exactly what pkg_add is telling you.
   
   at the time of writing i was using the latest OS snapshot..
   as far as i know snapshot packages are compiled on snapshot
   systems.  i am curious how can i get bad major errors
   from packages on the latest snapshot.
   
   i simply expected the oct 9/10 snapshot packages to match
   with the oct 6 system snapshot.
  
  That exactly is your wrong expectation.
 
 what is the good one then?
 
 if i cannot expect the latest system snapshot to use the
 latest package snapshots, how is one supposed to keep
 using -current?


The only point in time when the base system, ports and packages
are guaranteed to be in sync is a release.

I cannot be bothered to find this in the faq somewhere.

 i have been using -current exactly like this for
 more than 10 years.  1. install snaphost, 2. install snapshot packages.
 99% of the time this worked great.

Exactly. That's what I am doing too. You just hit the case
when a package (built on 10/9) requires a library which
a sytem built on 10/6 does not have. So what?

EuroBSDCon 2011 Call for Proposals

[Peter N. M. Hansteen]

EuroBSDCon 2011
===

EuroBSDCon is the European technical conference for users and
developers on BSD based systems. The EuroBSDCon 2011 conference
will be held in the Netherlands from thursday 6 october 2011
to sunday 9 october 2011, with tutorials on thursday and friday
and talks on saturday and sunday.

Call for Proposals
--

The EuroBSDCon conference is inviting developers and users of
BSD based systems to submit innovative and original papers not
submitted to other European conferences on BSD related topics.

Topics of interest to the conference include, but are not limited
to applications, architecture, implementation, performance and
security of BSD based operating systems, as well as topics
concerning the economic or organizational aspects of BSD use. 

Presentations are expected to be 45 or 90 minutes, please indicate
the approximate time slot size when submitting your abstract. 

Call for Tutorial Proposals
---

The EuroBSDCon conference is inviting qualified practitioners in
their field to submit proposals for half or full day tutorials on
topics relevant to development, implementation and use of BSD
based systems.

Submission address
--

Proposals should be submitted by email to submiss...@eurobsdcon.org

Important dates
---

The EuroBSDCon conference is accepting abstracts and tutorial
proposals until May 15th, 2011. Other important dates will be
announced soon at the conference website http://2011.eurobsdcon.org/

Trouble getting groups through ypldap

[John Danks]

I'm attempting to setup OpenLDAP, Samba and ypldap on 4.7. OpenLDAP is
up and running along with Samba, and I've used the smbldap tools to
populate the directory.

I'm having trouble getting the full list of LDAP groups with getent.
At first I ran getent group and didn't see any of the LDAP groups.
Then I noticed that the ypldap.conf example uses basedn
ou=Users,dc=domain,dc=tld, so I changed it to basedn
dc=domain,dc=tld. Now getent group shows only the first of the LDAP
groups:

# getent group
...
nogroup:*:32766
nobody:*:32767
_openldap:*:544
_dbus:*:572
_avahi:*:629
_avahi-autoipd:*:630
_cups:*:541
Domain Admins:*:512:root

I ran the equivalent search that ypldap was doing (based on watching
OpenLDAP in the foreground) and got the full list of groups. So it
looks like something between OpenLDAP and ypldap isn't working quite
right. I looked at the changes to ypldap since 4.7 and there doesn't
seem to be anything relevant.

I'm out of ideas for troubleshooting short of trying a snapshot, which
I'll try later today.

Any ideas where to look next?

Here's my ypldap.conf:

domain pmh.org
interval 30

provide map passwd.byname
provide map passwd.byuid
provide map group.byname
provide map group.bygid

directory ldap.pmh.org {
binddn cn=Manager,dc=pmh,dc=org
bindcred secret
#   basedn ou=Users,dc=pmh,dc=org
basedn dc=pmh,dc=org

passwd filter (objectClass=posixAccount)

attribute name maps to uid
fixed attribute passwd *
attribute uid maps to uidNumber
attribute gid maps to gidNumber
attribute gecos maps to cn
attribute home maps to homeDirectory
fixed attribute shell loginShell
fixed attribute change 0
fixed attribute expire 0
fixed attribute class ldap

group filter (objectClass=posixGroup)

attribute groupname maps to cn
fixed attribute grouppasswd *
attribute groupgid maps to gidNumber
list groupmembers maps to memberUid
}

And dmesg:

OpenBSD 4.7 (GENERIC) #558: Wed Mar 17 20:46:15 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 128KB L2 cache) 898 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXS
R,SSE
real mem  = 266694656 (254MB)
avail mem = 249700352 (238MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/23/01, BIOS32 rev. 0 @ 0xfda74, SMBIOS
rev. 2.3 @ 0xf0ff0 (49 entries)
bios0: vendor Intel Corp. version CB81010A.15A.0026.P05.0108230926 date 08/23/
2001
bios0: Gateway E-1600
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3370/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x1000 0xcd000/0x1000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82810E Host rev 0x03
vga1 at pci0 dev 1 function 0 Intel 82810E Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xf800, size 0x400
ppb0 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
fxp0 at pci1 dev 8 function 0 Intel 82562 rev 0x01, i82562: irq 5, address 00:
03:47:a3:9b:b8
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x02: 24-bit timer at
 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x02: DMA, channel 0 w
ired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LG, CD-ROM CRD-8483B, 1.06 ATAPI 5/cdrom removab
le
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd0 at pciide0 channel 1 drive 0: Maxtor 2F040L0
wd0: 16-sector PIO, LBA, 39205MB, 80293248 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
uhci0 at pci0 dev 31 function 2 Intel 82801BA USB rev 0x02: irq 10
ichiic0 at pci0 dev 31 function 3 Intel 82801BA SMBus rev 0x02: irq 9
iic0 at ichiic0
admtm0 at iic0 addr 0x2d: adm1025
spdmem0 at iic0 addr 0x50: 256MB SDRAM non-parity PC133CL3
auich0 at pci0 dev 31 function 5 Intel 82801BA AC97 rev 0x02: irq 9, ICH2 AC97
ac97: codec id 0x4352594d (Cirrus Logic CS4201 rev 5)
ac97: codec features 20 bit DAC, 18 bit ADC, Crystal Semi 3D
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7

Re: Auto Logout Idle Users

[Brad Tilley]

Brad Tilley wrote:
 I created the file /etc/profile to force sh and ksh to logout users
 after a certain period of idleness:
 
 $ cat /etc/profile
 
 # Force sh and ksh to logout idle users after 15 minutes
 # Prevent normal users from disabling this setting
 readonly TMOUT=900
 export TMOUT
 
 That works great. I've tried to do the same to the other default shell
 in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to
 /etc/csh.login as well (I'm turning knobs like a good clueless user).
 
 I then read the csh man page, but saw no mention of autologout. Perhaps
 the OpenBSD version of csh does not support this? Is there a way to do
 this with csh? If not, I'll need to remove access to the shell.

Replying to myself. I can't seem to make csh auto logout inactive users.
So I did this:

rm /bin/csh
cp /bin/ksh /bin/csh

Any good reason to not do this?

Brad

Re: Auto Logout Idle Users

[Adam M. Dutko]

 Any good reason to not do this?


They're not the same shell.  I can't think of any security reasons because
I'm not familiar with the code but as far as logs and noise factor I imagine
it would go up or various things might start breaking that depend on csh.

Re: Auto Logout Idle Users

[Brad Tilley]

Adam M. Dutko wrote:
 Any good reason to not do this?


 They're not the same shell.  

Yes, I know that part :)

 I can't think of any security reasons because
 I'm not familiar with the code but as far as logs and noise factor I imagine
 it would go up or various things might start breaking that depend on csh.

Base seems to only have two shells as ksh and sh have the same md5
checksum. I'm hoping csh is only included for historical reasons or in
honor of Bill Joy or something such as that.

Brad

Re: Auto Logout Idle Users

[Jan Stary]

On Oct 14 15:28:20, Brad Tilley wrote:
 Brad Tilley wrote:
  I created the file /etc/profile to force sh and ksh to logout users
  after a certain period of idleness:

Why do you want to logout idle users?
There is sysutils/idled if you need it.

  $ cat /etc/profile
  
  # Force sh and ksh to logout idle users after 15 minutes
  # Prevent normal users from disabling this setting
  readonly TMOUT=900
  export TMOUT
  
  That works great. I've tried to do the same to the other default shell
  in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to
  /etc/csh.login as well (I'm turning knobs like a good clueless user).
  
  I then read the csh man page, but saw no mention of autologout. Perhaps
  the OpenBSD version of csh does not support this? Is there a way to do
  this with csh? If not, I'll need to remove access to the shell.

Why?

 Replying to myself. I can't seem to make csh auto logout inactive users.
 So I did this:
 
 rm /bin/csh
 cp /bin/ksh /bin/csh

lol wut?

 Any good reason to not do this?

You just forced your csh users to use ksh. Why do you want them to hate you?
Why don't you also 'mv /bin/rm /bin/ls' while you are at it?

 Base seems to only have two shells as ksh and sh
 have the same md5 checksum.

And the same inode number.

 I'm hoping csh is only included for historical reasons or in
 honor of Bill Joy or something such as that.

Or maybe to be used by the thousands of people that want to use it.

Re: Auto Logout Idle Users

[Brad Tilley]

Jan Stary wrote:

 Why do you want to logout idle users?
 There is sysutils/idled if you need it.

I'm experimenting with getting an OpenBSD base system to meet the PCI
DSS requirements. I'm trying to avoid using any software outside the
base system.

 rm /bin/csh
 cp /bin/ksh /bin/csh

 You just forced your csh users to use ksh. Why do you want them to hate you?

It's just a shell, they'll get over it.

 Why don't you also 'mv /bin/rm /bin/ls' while you are at it?

Not a very similar comparison.

Re: Auto Logout Idle Users

[Darrin Chandler]

  rm /bin/csh
  cp /bin/ksh /bin/csh
 
  You just forced your csh users to use ksh. Why do you want them to hate you?
 
 It's just a shell, they'll get over it.

Remove it from /etc/shells instead. Replacing csh with ksh is evil, and
I don't mean that in a good way.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
dwchand...@stilyagin.com   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation

Re: Auto Logout Idle Users

[Jan Stary]

On Oct 14 17:01:30, Brad Tilley wrote:
 Jan Stary wrote:
 
  Why do you want to logout idle users?
  There is sysutils/idled if you need it.
 
 I'm experimenting with getting an OpenBSD base system to meet the PCI
 DSS requirements.

Does PCI DSS require you to log users out?

 I'm trying to avoid using any software outside the base system.
 
  rm /bin/csh
  cp /bin/ksh /bin/csh
 
  You just forced your csh users to use ksh. Why do you want them to hate you?
 
 It's just a shell, they'll get over it.

Unbelievable.

Re: Auto Logout Idle Users

[Abel Abraham Camarillo Ojeda]

On Thu, Oct 14, 2010 at 4:01 PM, Brad Tilley b...@16systems.com wrote:
 Jan Stary wrote:

 Why do you want to logout idle users?
 There is sysutils/idled if you need it.

 I'm experimenting with getting an OpenBSD base system to meet the PCI
 DSS requirements. I'm trying to avoid using any software outside the
 base system.

 rm /bin/csh
 cp /bin/ksh /bin/csh

 You just forced your csh users to use ksh. Why do you want them to hate you?

 It's just a shell, they'll get over it.

Also their scripts, and transparently...


 Why don't you also 'mv /bin/rm /bin/ls' while you are at it?

 Not a very similar comparison.

Licitaciones Públicas de Adquisiciones en México D.F., 27 de Octubre

[Sandra Lozano]

[IMAGE]

!Promociones Especiales para Grupos!

Mayores informes responda este correo electrsnico con los siguientes
datos.

Empresa:

Nombre:

Telifono:

Email:

Nzmero de Interesados:

Y en breve le haremos llegar la informacisn completa del evento.

O bien comunmquense a nuestros telifonos un ejecutivo con gusto le
atendera
Tels. (33) 8851-2365, (33)8851-2741.

Copyright (C) 2010, PMS Capacitacisn Efectiva de Mixico S.C. Derechos
Reservados. PMS de Mixico, El logo de PMS de Mixico son marcas
registradas.

ADVERTENCIA PMS de Mixico no cuenta con alianzas estratigicas de ningzn
tipo dentro de la Republica Mexicana. NO SE DEJE ENGAQAR - DIGA NO A LA
PIRATERIA. Todos los logotipos, marcas comerciales e imagenes son
propiedad de sus respectivas corporaciones y se utilizan con fines
informativos solamente.

Este Mensaje ha sido enviado a misc@openbsd.org como usuario de Pms de
Mixico o bien un usuario le refiris para recibir este boletmn.

Como usuario de Pms de Mixico, en este acto autoriza de manera expresa
que Pms de Mixico le puede contactar vma correo electrsnico u otros
medios.

Si usted ha recibido este mensaje por error, haga caso omiso de el y
reporte su cuenta respondiendo este correo con el subject BAJA

Unsubscribe to this mailing list, reply a blank message with the subject
UNSUBSCRIBE BAJA Tenga en cuenta que la gestisn de nuestras bases de
datos es de suma importancia y no es intencisn de la empresa la
inconformidad del receptor.

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
=?windows-1252?Q?licitaciones_p=FAblicas.jpg?=]

Re: Auto Logout Idle Users

[Brad Tilley]

On 10/14/2010 05:08 PM, Darrin Chandler wrote:
 rm /bin/csh
 cp /bin/ksh /bin/csh

 You just forced your csh users to use ksh. Why do you want them to hate you?

 It's just a shell, they'll get over it.
 
 Remove it from /etc/shells instead. Replacing csh with ksh is evil, and
 I don't mean that in a good way.
 

I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually. I
suppose ksh will still honor TMOUT in that case.

Brad

Re: Auto Logout Idle Users

[Brad Tilley]

On 10/14/2010 05:13 PM, Jan Stary wrote:
 On Oct 14 17:01:30, Brad Tilley wrote:
 Jan Stary wrote:

 Why do you want to logout idle users?
 There is sysutils/idled if you need it.

 I'm experimenting with getting an OpenBSD base system to meet the PCI
 DSS requirements.
 
 Does PCI DSS require you to log users out?

After 15 minutes of inactivity, users must re-enter the password.
Something such as that.

 I'm trying to avoid using any software outside the base system.

 rm /bin/csh
 cp /bin/ksh /bin/csh

 You just forced your csh users to use ksh. Why do you want them to hate you?

 It's just a shell, they'll get over it.
 
 Unbelievable.

I'm not actually doing this to users on an existing system. I'm just
experimenting. Thinking out loud about the issues before having to deal
with it.

Atención Almacenistas: Seminario de Actualización este 25 de Octubre.

[Veronica Solis]

[IMAGE]

Duracisn: 10 Horas de entrenamiento.

Presentado por nuestro experto consultor: Lic. Gerardo Coronado L.

!Promociones Especiales para Grupos!

Mayores informes responda este correo electrsnico con los siguientes
datos.

Empresa:

Nombre:

Telifono:

Email:

Nzmero de Interesados:

Y en breve le haremos llegar la informacisn completa del evento.

O bien comunmquense a nuestros telifonos un ejecutivo con gusto le
atendera
Tels. (33) 8851-2365, (33)8851-2741.

Copyright (C) 2010, PMS Capacitacisn Efectiva de Mixico S.C. Derechos
Reservados. PMS de Mixico, El logo de PMS de Mixico son marcas
registradas.

ADVERTENCIA PMS de Mixico no cuenta con alianzas estratigicas de ningzn
tipo dentro de la Republica Mexicana. NO SE DEJE ENGAQAR - DIGA NO A LA
PIRATERIA. Todos los logotipos, marcas comerciales e imagenes son
propiedad de sus respectivas corporaciones y se utilizan con fines
informativos solamente.

Este Mensaje ha sido enviado a misc@openbsd.org como usuario de Pms de
Mixico o bien un usuario le refiris para recibir este boletmn.

Como usuario de Pms de Mixico, en este acto autoriza de manera expresa
que Pms de Mixico le puede contactar vma correo electrsnico u otros
medios.

Si usted ha recibido este mensaje por error, haga caso omiso de el y
reporte su cuenta respondiendo este correo con el subject BAJAASISTENTES

Unsubscribe to this mailing list, reply a blank message with the subject
UNSUBSCRIBE BAJAASISTENTES Tenga en cuenta que la gestisn de nuestras
bases de datos es de suma importancia y no es intencisn de la empresa la
inconformidad del receptor.

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
almacenes.jpg]

Re: Auto Logout Idle Users

[Ben Niccum]

On Thu, 14 Oct 2010 18:17:23 -0400
Brad Tilley b...@16systems.com wrote:

 On 10/14/2010 05:08 PM, Darrin Chandler wrote:
  rm /bin/csh
  cp /bin/ksh /bin/csh
 
  You just forced your csh users to use ksh. Why do you want them
  to hate you?
 
  It's just a shell, they'll get over it.
  
  Remove it from /etc/shells instead. Replacing csh with ksh is evil,
  and I don't mean that in a good way.
  
 
 I thought about doing that too. I need to test it more to see what
 happens when ksh is the shell and the user executes csh manually. I
 suppose ksh will still honor TMOUT in that case.
 
 Brad
 

Don't mean to complicate things for you, but just thought I should
mention that if the user does:

# exec /bin/csh

Then csh takes over ksh's active process, and even though the TMOUT
variable is still there, csh doesn't honor it, and ksh is no longer
around to object.

-Ben

-- 
be...@bendtel.com

Re: Trouble getting groups through ypldap

[Nigel Taylor]

It could be the groups your missing have no members, which fails to output the
group. You can confirm this my adding a user to one of the groups, and see if
the group is displayed. This following change, rather than skipping output of
the group, outputs group with a null list of members.

Regards

Nigel Taylor

$ cvs -R -q -d /cvs diff -u
Index: ldapclient.c
===
RCS file: /cvs/src/usr.sbin/ypldap/ldapclient.c,v
retrieving revision 1.14
diff -u -r1.14 ldapclient.c
--- ldapclient.c6 Jun 2009 05:02:58 -   1.14
+++ ldapclient.c5 Jul 2009 18:18:35 -
@@ -611,7 +611,7 @@
}
} else if (idm-idm_list  F_LIST(i)) {
if (aldap_match_entry(m, attrs[j++],
ldap_attrs) == -1)
-   goto next_grpentry;
+   continue;
if (ldap_attrs[0] == NULL)
goto next_grpentry;
for (k = 0; k = 0  ldap_attrs[k] != NULL; 
k++) {





On 10/14/10 20:15, John Danks wrote:
 I'm attempting to setup OpenLDAP, Samba and ypldap on 4.7. OpenLDAP is
 up and running along with Samba, and I've used the smbldap tools to
 populate the directory.
 
 I'm having trouble getting the full list of LDAP groups with getent.
 At first I ran getent group and didn't see any of the LDAP groups.
 Then I noticed that the ypldap.conf example uses basedn
 ou=Users,dc=domain,dc=tld, so I changed it to basedn
 dc=domain,dc=tld. Now getent group shows only the first of the LDAP
 groups:
 
 # getent group
 ...
 nogroup:*:32766
 nobody:*:32767
 _openldap:*:544
 _dbus:*:572
 _avahi:*:629
 _avahi-autoipd:*:630
 _cups:*:541
 Domain Admins:*:512:root
 
 I ran the equivalent search that ypldap was doing (based on watching
 OpenLDAP in the foreground) and got the full list of groups. So it
 looks like something between OpenLDAP and ypldap isn't working quite
 right. I looked at the changes to ypldap since 4.7 and there doesn't
 seem to be anything relevant.
 
 I'm out of ideas for troubleshooting short of trying a snapshot, which
 I'll try later today.
 
 Any ideas where to look next?
 
 Here's my ypldap.conf:
 
 domain pmh.org
 interval 30
 
 provide map passwd.byname
 provide map passwd.byuid
 provide map group.byname
 provide map group.bygid
 
 directory ldap.pmh.org {
 binddn cn=Manager,dc=pmh,dc=org
 bindcred secret
 #   basedn ou=Users,dc=pmh,dc=org
 basedn dc=pmh,dc=org
 
 passwd filter (objectClass=posixAccount)
 
 attribute name maps to uid
 fixed attribute passwd *
 attribute uid maps to uidNumber
 attribute gid maps to gidNumber
 attribute gecos maps to cn
 attribute home maps to homeDirectory
 fixed attribute shell loginShell
 fixed attribute change 0
 fixed attribute expire 0
 fixed attribute class ldap
 
 group filter (objectClass=posixGroup)
 
 attribute groupname maps to cn
 fixed attribute grouppasswd *
 attribute groupgid maps to gidNumber
 list groupmembers maps to memberUid
 }
 
 And dmesg:
 
 OpenBSD 4.7 (GENERIC) #558: Wed Mar 17 20:46:15 MDT 2010
 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Pentium III (GenuineIntel 686-class, 128KB L2 cache) 898 MHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXS
 R,SSE
 real mem  = 266694656 (254MB)
 avail mem = 249700352 (238MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 08/23/01, BIOS32 rev. 0 @ 0xfda74, 
 SMBIOS
 rev. 2.3 @ 0xf0ff0 (49 entries)
 bios0: vendor Intel Corp. version CB81010A.15A.0026.P05.0108230926 date 
 08/23/
 2001
 bios0: Gateway E-1600
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge unknown
 acpi at bios0 function 0x0 not configured
 pcibios0 at bios0: rev 2.1 @ 0xf/0x1
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3370/144 (7 entries)
 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
 pcibios0: PCI bus #1 is the last bus
 bios0: ROM list: 0xc/0xc000 0xcc000/0x1000 0xcd000/0x1000
 cpu0 at mainbus0: (uniprocessor)
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel 82810E Host rev 0x03
 vga1 at pci0 dev 1 function 0 Intel 82810E Video rev 0x03
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 intagp0 at vga1
 agp0 at intagp0: aperture at 0xf800, size 0x400
 ppb0 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x02
 pci1 at ppb0 bus 1
 fxp0 at pci1 dev 8 function 0 Intel 82562 rev 0x01, i82562: irq 5, address 
 00:
 03:47:a3:9b:b8
 inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
 ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x02: 

Re: Auto Logout Idle Users

[Brad Tilley]

On 10/14/2010 06:45 PM, Ben Niccum wrote:

 I thought about doing that too. I need to test it more to see what
 happens when ksh is the shell and the user executes csh manually. I
 suppose ksh will still honor TMOUT in that case.

 Brad

 
 Don't mean to complicate things for you, but just thought I should
 mention that if the user does:
 
 # exec /bin/csh
 
 Then csh takes over ksh's active process, and even though the TMOUT
 variable is still there, csh doesn't honor it, and ksh is no longer
 around to object.
 
 -Ben

Great point. That's precisely the sort of thing I'd like to have thought
about. Much of the compliance efforts may look good on paper, but have
no impact on actual usage or may be trivially circumvented as you point
out. So while disabling a shell may get a check mark during PCI
compliance efforts, that may be all you end up with.

Brad

Re: Auto Logout Idle Users

[Ingo Schwarze]

 Much of the compliance efforts may look good on paper, but have
 no impact on actual usage or may be trivially circumvented

or even worse, will likely end up compromising security
in case somebody aiming for hardening manipulates the
system without fully understanding the consequences.

Re: Trouble getting groups through ypldap

[John Danks]

On Thu, Oct 14, 2010 at 2:38 PM, Nigel Taylor
njtay...@asterisk.demon.co.uk wrote:

 It could be the groups your missing have no members, which fails to output the
 group. You can confirm this my adding a user to one of the groups, and see if
 the group is displayed. This following change, rather than skipping output of
 the group, outputs group with a null list of members.

Thanks, that was the problem. Adding a member to the groups made them
show up through getent.

Re: Auto Logout Idle Users

[Rodrigo Mosconi]

2010/10/13 Brad Tilley b...@16systems.com:
 That works great. I've tried to do the same to the other default shell
 in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to
 /etc/csh.login as well (I'm turning knobs like a good clueless user).

 I then read the csh man page, but saw no mention of autologout. Perhaps
 the OpenBSD version of csh does not support this? Is there a way to do
 this with csh? If not, I'll need to remove access to the shell.

I know that TCSH have the autologout feature.

Deveolpers, just for curiosity (no flame war please):
There is any problem IF the tcsh replaces the csh on the base system?

Thanks,

Mosconi