Re: For Google+ users: BSD community
I was hoping openbsd misc mailing list would remain free from ads but here we are :( -- Marko Cupać
LDAP TLS/SSL certificates and easy-rsa
This is not an OpenBSD question but when it comes to competency this group is second to none so I am asking here for help. I am trying to secure my LDAP server (stack OpenBSD ldapd) using the starttls method. Since I recently dealt quite a bit with OpenVPN it occurred to me that easy-rsa could be used to generate certificates for LDAP. Could somebody please confirm this? P.S. I have read man starttls and have no problem following it.
SASL auth, SSL via StartTLS vs Kerberized SSL via StartTLS
I am trying to get my head wrapped around securing LDAP so please forgive me these n00b questions. My final goal is to replace our current NFS+NIS with NFS+LDAP+[Kerberos] set up. I see by default OpenLDAP clients are authenticating via SASL. I also see that Kerberos can be used with SASL. Could somebody point me to a document describing pros and cons of Kerberizing SASL on a secure network? As described in an earlier e-mail I opted for OpenBSD stack LDAP server and I would use stack Kerberos server. Thanks, Predrag
Re: LDAP TLS/SSL certificates and easy-rsa
On 19-11-2013 13:09, Predrag Punosevac wrote: This is not an OpenBSD question but when it comes to competency this group is second to none so I am asking here for help. I am trying to secure my LDAP server (stack OpenBSD ldapd) using the starttls method. Since I recently dealt quite a bit with OpenVPN it occurred to me that easy-rsa could be used to generate certificates for LDAP. Could somebody please confirm this? P.S. I have read man starttls and have no problem following it. Predrag, In short, openvpn's easy-rsa can indeed generate the certs. Now, elaborating, to securely use your server, you will have to distribute the ca certificate across all your ldap clients and make sure they're using it to validate the cert your ldap server presents. Better yet, generate ssl client certs and use them to communicate with the server, so you can have the same level of security that openvpn has between servers and clients (the only thing you won't have is the hmac firewall). The easy-rsa scripts provide a full PKI and I did use its certs for other uses than openvpn itself. Regards, -- Giancarlo Razzolini GPG: 4096R/77B981BC
Are there OpenBSD users who are not IT professionals?
Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. Thanks Zaf
Re: Are there OpenBSD users who are not IT professionals?
On Tue, Nov 19, 2013, at 09:37 AM, za...@gmx.com wrote: Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I have a lot of tech knowledge and have no trouble using a CLI, but I'm not an IT professional at least in the sense that I do not get a paycheck from working in IT. I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Taken by itself, the reasoning is solid. It's the same reason I use OpenBSD for a system which is primarily a firewall/router. Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. Using OpenBSD as a desktop may be more painful for you than anticipated depending on your exact hardware configuration and exactly what you want to do. For example, thanks to HTML5, at least watching YouTube videos is now possible without having to resort to the computing equivalent of a game of Twister. (Before, one either did without YouTube or used youtube-dl and mplayer.) 
Some things may be more difficult than necessary if certain boneheads in charge assumed handing out a GNU/Linux binary the same way they hand out Windows and MacOS X binaries is enough (happens way too often). Due to secure by default there are a lot of things that would just work on a GNU/Linux system that will not work on OpenBSD without twiddling a sysctl or two, or running something as root that wouldn't require it on GNU/Linux. -- Shawn K. Quinn skqu...@rushpost.com
Re: Are there OpenBSD users who are not IT professionals?
OpenBSD is for the world. You have to ask yourself a few questions. Are you an open source advocate? Do you like the freedom to use an operating system the way you want to? Do you value stability and code correctness in an operating system? Is security paramount in your computing world? Do you value accurate documentation and a developer world who pride themselves on correctness? If the answer to these few questions is yes, then OpenBSD is for you. If you like for someone to tell you, how to use an operating system and don't mind your OS crashing and security exploits, then you're in the wrong place. On 11/19/2013 10:37 AM, za...@gmx.com wrote: Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. Thanks Zaf -- Salim A. Shaw System Administrator OpenBSD / Free Software Advocate Need stability and security --- Try OpenBSD. 
BSD, ISC license all the way: Sell services, don't lease secrets
Re: Are there OpenBSD users who are not IT professionals?
On Tue, Nov 19, 2013 at 04:37:25PM +0100, za...@gmx.com wrote: Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? One of the things that makes code good and secure is simplicity. That focus on keeping things simple is a way of life that makes OpenBSD a good choice for people with a low bullshit tolerance. And I think it makes it more approachable, not less, than Linux and certain other not to be named GUI malware with a EULA parading around as an OS. OpenBSD makes a clear separation between the OS and most of the applications that run on it. That is not true of many other OS and OS-like systems. If you go to one of the mirrors and find the packages for your architecture (presumably you're using either 32 or 64 bit Intel) you can see which applications are available. A desktop means different things to different people. If all the apps you need and want are available then there is no reason why you won't be happy with OpenBSD. If they aren't, you'll have to do a little more thinking and research. You can build many apps on OpenBSD but there is a general problem of Linux people not realizing there is more to the world than Linux and not everything that builds on Linux will build without changes on OpenBSD. Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. I don't really think you can make a decision on paper unless your goals and requirements are pretty clear. If you have to have apps that only run on Linux or Windows that's an easy decision. Otherwise it's worth looking into your options and trying them out. If you overcommit you can always buy another box. /jl --
ASCII ribbon campaign ( ) Powered by Lemote Fuloong
 against HTML e-mail   X  Loongson MIPS and OpenBSD
   and proprietary    / \    http://www.mutt.org
     attachments     /   \  Code Blue or Go Home!
 Encrypted email preferred  PGP Key 2048R/DA65BC04
Re: Are there OpenBSD users who are not IT professionals?
On Nov 19 16:37:25, za...@gmx.com wrote: I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? My whole family, none of whom have anything to do with IT. I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? It depends, of course, on your requirements. If, for example, there is a certain application that you absolutely have to use, and it only comes as a Windows binary, or a Linux binary, then of course you are out of luck. But you would have noticed that by now. For a simple day to day use, my wife uses the current/macppc I installed for her, with fvwm2 on top, without even knowing what OS it is (or what an OS is). Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? After some time with OpenBSD, you might actually appreciate the _utmost_simplicity_ of OpenBSD, as compared to Linux or Windows.
Re: Are there OpenBSD users who are not IT professionals?
OpenBSD has one of the fastest easiest installs of any operating system out there. The doc is clean and excellent. I've never heard less is more as an OpenBSD philosophy, but it is my philosophy and part of why I like OpenBSD. I'm a geologist who does programming in high level, dynamic languages as a hobby and part of my job. My sysadmin skills go as far as I need them to to administer an OpenBSD laptop. The community (this list, for example) will expect you to refer to the documentation and experiment a bit before coming here and asking for help. The one time I got help here on a wireless setup for my Verizon MIFI unit, I got an answer almost right away. People were pretty kind, too, as I did not have a handle on the ins and outs of encryption keys and what a wpa key was. Since then, through working through more than once, I've learned those things. As your machine's admin, you will learn things through using it with OpenBSD. This can take time and it helps to have an interest in these things. Your reward is a machine that behaves the way you expect it to and fewer security problems (every Windows user I know complains bitterly about viruses :-\ ). My 2 cents. On Tue, Nov 19, 2013 at 8:52 AM, Salim Shaw salims...@vfemail.net wrote: OpenBSD is for the world. You have to ask yourself a few questions. Are you an open source advocate? Do you like the freedom to use an operating system the way you want to? Do you value stability and code correctness in an operating system? Is security paramount in your computing world? Do you value accurate documentation and a developer world who pride themselves on correctness? If the answer to these few questions is yes, then OpenBSD is for you. If you like for someone to tell you, how to use an operating system and don't mind your OS crashing and security exploits, then you're in the wrong place. On 11/19/2013 10:37 AM, za...@gmx.com wrote: Hi I am new to OpenBSD. 
In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. Thanks Zaf -- Salim A. Shaw System Administrator OpenBSD / Free Software Advocate Need stability and security --- Try OpenBSD. BSD, ISC license all the way: Sell services, don't lease secrets
Re: Are there OpenBSD users who are not IT professionals?
On Tue, Nov 19, 2013 at 10:37 AM, za...@gmx.com wrote: Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? You can't lump Linux distros together, in terms of sys-administration difficulty. Some, e.g., Mint or Ubuntu, try to be easy to administer and hide the details from you. Others, such as Slackware or Arch, require more knowledge. OpenBSD is certainly more comparable to the latter than the former. It's not a point-and-shoot camera; it's more like a Leica or a Hasselblad. You have to be willing to focus it yourself (heaven forfend!) and know something about exposure. But if you are willing to learn (and learning will not be impeded by poor documentation; one of the things that is unusual about OpenBSD is the care devoted to the documentation), the results will be gratifying. Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. Thanks Zaf
Re: Are there OpenBSD users who are not IT professionals?
za...@gmx.com wrote: I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Yes, it does most of the stuff Linux does, mostly except where prevented from doing so by closed source of the sort acceptable to Linux but not to OpenBSD Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? It is a tad more technical. It is not hideously difficult. It's fast enough to install and try that you might as well grab a spare computer and try it once. Read the directions, they're concise and accurate. --
Jack Woehr # We commonly say we have no time when,
Box 51, Golden CO 80402 # of course, we have all that there is.
http://www.softwoehr.com # - James Mason, _The Art of Chess_, 1905
Re: Are there OpenBSD users who are not IT professionals?
On 19.11.2013 10:37, za...@gmx.com wrote: Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I am sure there are many OpenBSD users who are not IT professionals - I am one of them. I don't know what your specific needs are, but I would say that OpenBSD is good for anyone who is willing to read the FAQ and other official documentation including man pages and spend time learning the system and how it works. Also, I would suggest searching the misc@ archives if there is a question before posting to the mailing list. Put it on an extra partition or a spare computer and see where it takes you. You'll never really know if OpenBSD is for you until you try it. -- Chess Griffin
Re: Are there OpenBSD users who are not IT professionals?
Salim Shaw salims...@vfemail.net writes: OpenBSD is for the world. You have to ask yourself a few questions. Are you an open source advocate? Do you like the freedom to use an operating system the way you want to? Do you value stability and code correctness in an operating system? Is security paramount in your computing world? Do you value accurate documentation and a developer world who pride themselves on correctness? If the answer to these few questions is yes, then OpenBSD is for you. I'd like to point out that yes is not a required answer to all those questions. Just pick what you like... [...] -- jca | PGP : 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: OpenBSD DNS/Web Infrastructure
On Mon, Nov 18, 2013 at 05:07:08PM -0200, Giancarlo Razzolini wrote: One thing I've been doing is using dnscrypt, because my ISP did use transparent dns proxying Nice! I use DNSCurve. Now, I'd like to ask why the openbsd infrastructure servers (www, anoncvs, packages), do not make use of SSL certs, SSHFP DNS records, etc. One of the recent changes of OpenSSH was to trust SSHFP records by default when the domain zone is using DNSSEC. But the main anoncvs server, which is the source of all code, do not have such record. DNSSEC is a massive outage risk, is fragile, and attracts DDoS due to record sizes. You say you are concerned about spying (me too). If the concern is over a global, *passive* adversary, then DNSSEC doesn't solve anything, since DNSSEC is not encrypted. Instead it glues you into a system that seems to have gone out of its way to allow surveillance. Not even on the anoncvs page there isn't the fingerprint published. http://www.openbsd.org/anoncvs.html Fingerprints for most servers are listed. I know that the most secure way is to buy the CD's and use them. But what about the errata patches? Errata patches are included in the -stable branch. And security related packages updates? Security updates are in ports but not packages. You can see recent updates including to ports here: https://twitter.com/OpenBSD_stable None of those can be reliably verified. I know and use the binpatches + packages updates from M:Tier. But the trust is placed on a third party, not on the OpenBSD project itself. Great job M:Tier, by the way. It's worth noting that M:Tier employs at least one OpenBSD developer, so it's not like they're a random organization that just happens to be trustworthy. :) But if we could at least verify the signature with an OpenBSD provided cert that is installed with the release itself, this would be awesome. This could be relatively easy for AnonCVS. 
For AnonCVS maintainers who support it, key fingerprints could be listed in a local file for easy comparison. (The blunt approach would be to pre-populate root's known keys, but that could provoke irritation for various reasons.) I recall a previous discussion about signing packages (did you check the archives?) and it sounded like it would be a lot of work that developers were not keen on. Anyway, these are just suggestions, and I would be happy to help implement them. What you guys think? Implement something on your own, pretending your server(s) are responsible for OpenBSD's http, ftp, anoncvs, etc. Then show (not say) how you did it and that it works correctly with real OpenBSD machines of various configurations. That will get more attention. Actually this should always be the route for making suggestions. DIY and then show and tell. Nicolai
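The local-file comparison of host key fingerprints suggested in the message above can be sketched like this. It is an added example, not code from the thread or from the OpenBSD project; the host name anoncvs.example.org, the pin-file layout (zone-file style SSHFP lines) and the constructed, unusable RSA key are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the data."""
    return struct.pack(">I", len(data)) + data


def key_type_of(blob):
    """Return the key type name stored at the start of a public key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + length]
    if len(name) != length:
        raise ValueError("truncated key blob")
    return name.decode("ascii")


def sshfp_rdata(pubkey_line, fp_type=2):
    """Return 'ALG TYPE HEX' for a line such as 'ssh-rsa AAAA... comment'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    key_type = key_type_of(blob)
    if key_type != fields[0]:
        raise ValueError("declared key type does not match the key blob")
    if key_type.startswith("ecdsa-sha2-"):
        alg = 3
    elif key_type in SSHFP_ALGORITHMS:
        alg = SSHFP_ALGORITHMS[key_type]
    else:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    return "%d %d %s" % (alg, fp_type, SSHFP_HASHES[fp_type](blob).hexdigest())


def load_pins(text):
    """Parse zone-file style 'host [ttl] IN SSHFP alg type hex' lines."""
    pins = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # ';' starts a comment
        if "SSHFP" not in fields:
            continue
        i = fields.index("SSHFP")
        alg, fp_type = int(fields[i + 1]), int(fields[i + 2])
        hexfp = "".join(fields[i + 3:]).lower()  # hex may be split by spaces
        host = fields[0].rstrip(".").lower()
        pins.setdefault(host, set()).add("%d %d %s" % (alg, fp_type, hexfp))
    return pins


def check_host_key(host, pubkey_line, pins):
    """Compare the key a server presented with the locally pinned records."""
    expected = pins.get(host.rstrip(".").lower())
    if not expected:
        return "unpinned"
    offered = {sshfp_rdata(pubkey_line, t) for t in SSHFP_HASHES}
    return "match" if offered & expected else "mismatch"


def constructed_rsa_line(seed):
    """Build a structurally valid but unusable ssh-rsa line (sample data)."""
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(modulus))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed"


if __name__ == "__main__":
    genuine = constructed_rsa_line(b"genuine host key")
    other = constructed_rsa_line(b"substituted host key")
    pin_file = "anoncvs.example.org. IN SSHFP " + sshfp_rdata(genuine) + "\n"
    pins = load_pins(pin_file)
    print(pin_file.strip())
    print("genuine key:    ", check_host_key("anoncvs.example.org", genuine, pins))
    print("substituted key:", check_host_key("anoncvs.example.org", other, pins))
```

The pin file is only as trustworthy as the channel it arrived over, so it has to come from somewhere other than the connection being checked, such as the release media.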
Re: Are there OpenBSD users who are not IT professionals?
Zaf, I am not an IT professional and I run OpenBSD on my pc and laptops. I've used it for years (since 3.0) and am very, very happy. I haven't looked at comparable programs for powerpoint files, so I boot Windows for those. On Tue, Nov 19, 2013 at 6:37 AM, za...@gmx.com wrote: Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. Thanks Zaf
Re: Are there OpenBSD users who are not IT professionals?
There are actually rather a few of us. I have a fairly large IT skillset, but haven't had the opportunity to use them in some time. Also, I am virtually the only blind user of OpenBSD that I know of (use a remote login as some tools won't work directly from console). I won't harp on that point (people are aware and leave it at that). There are lots of resources available for the starting user. The document man afterboot is very important if you wish to set up some ancillary services. There is also a fairly large ports tree for some items that might not have been packaged yet. There are also plenty of people around here to ask questions of, though it is recommended that you do some legwork first. Just be aware, like any community, there are personalities here. So don't take some of the comments personally. -eric On Nov 19, 2013, at 8:37 AM, za...@gmx.com wrote: Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. Thanks Zaf
Re: OpenBSD DNS/Web Infrastructure
On 19-11-2013 16:04, Nicolai wrote: On Mon, Nov 18, 2013 at 05:07:08PM -0200, Giancarlo Razzolini wrote: One thing I've been doing is using dnscrypt, because my ISP did use transparent dns proxying Nice! I use DNSCurve. First, thank you for your response Nicolai. DNSCurve adds a lot in security for the client and prevents eavesdropping and increases the confidentiality in general, provided that you trust the server. Now, I'd like to ask why the openbsd infrastructure servers (www, anoncvs, packages), do not make use of SSL certs, SSHFP DNS records, etc. One of the recent changes of OpenSSH was to trust SSHFP records by default when the domain zone is using DNSSEC. But the main anoncvs server, which is the source of all code, do not have such record. DNSSEC is a massive outage risk, is fragile, and attracts DDoS due to record sizes. You say you are concerned about spying (me too). If the concern is over a global, *passive* adversary, then DNSSEC doesn't solve anything, since DNSSEC is not encrypted. Instead it glues you into a system that seems to have gone out of its way to allow surveillance. Yes dns is insecure and yes dnssec left many things unsolved. But it is better to have than not. I am speaking from the client point of view. The other two major BSD projects have it, and not that many linux distributions have it, but some do. DDoS attacks can be mitigated. Not even on the anoncvs page there isn't the fingerprint published. http://www.openbsd.org/anoncvs.html Fingerprints for most servers are listed. The only anoncvs server in Canada does not have its fingerprints published. It's under openbsd.org domain. I know that the most secure way is to buy the CD's and use them. But what about the errata patches? Errata patches are included in the -stable branch. Which have the same issue. And security related packages updates? Security updates are in ports but not packages. 
You can see recent updates including to ports here: https://twitter.com/OpenBSD_stable None of those can be reliably verified. I know and use the binpatches + packages updates from M:Tier. But the trust is placed on a third party, not on the OpenBSD project itself. Great job M:Tier, by the way. It's worth noting that M:Tier employs at least one OpenBSD developer, so it's not like they're a random organization that just happens to be trustworthy. :) Yes, I am aware of that. I do trust them. I use their binpatches on my machines. But if we could at least verify the signature with an OpenBSD provided cert that is installed with the release itself, this would be awesome. This could be relatively easy for AnonCVS. For AnonCVS maintainers who support it, key fingerprints could be listed in a local file for easy comparison. (The blunt approach would be to pre-populate root's known keys, but that could provoke irritation for various reasons.) I recall a previous discussion about signing packages (did you check the archives?) and it sounded like it would be a lot of work that developers were not keen on. Signing packages or even releases would be a bonus, but not strictly necessary, provided the possibility of checking the source securely. Anyway, these are just suggestions, and I would be happy to help implement them. What you guys think? Implement something on your own, pretending your server(s) are responsible for OpenBSD's http, ftp, anoncvs, etc. Then show (not say) how you did it and that it works correctly with real OpenBSD machines of various configurations. That will get more attention. Actually this should always be the route for making suggestions. DIY and then show and tell. I can do all of that, I have already done so in the past with the exception of the anoncvs. But my point was to push for it on the main domain, so at least one link in the chain can be trusted (as much as anything on the web can be). 
As things are now, if someone was eavesdropping when you checked the source tree, and changed anything, you are screwed (unless you always review, all the code). If you go for the releases, and changes happen on the way, the same thing. As I mentioned, what I do to mitigate this today is to download releases and hashes from different mirrors, using two different ISP's and check things. There are a lot of other issues, trusting trust, evil developer attacks, but the goal is to improve the way to get access to the most secure operating system on this planet. Nicolai Cheers, -- Giancarlo Razzolini GPG: 4096R/77B981BC
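The mitigation described in the message above, fetching the release hashes from several mirrors over different ISPs and comparing them before trusting a download, can be automated along these lines. This is an added example, not code from the thread or from the OpenBSD project; the source labels, the file name install.iso and all sample data are constructed for illustration.

```python
import hashlib
import re

# BSD-style checksum line, as found in a release's SHA256 file:
#   SHA256 (install.iso) = <64 hex digits>
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})$")


def parse_sha256_file(text):
    """Return {filename: lowercase hex digest} for well-formed lines only."""
    sums = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sums[m.group("name")] = m.group("hex").lower()
    return sums


def cross_check(copies):
    """Compare SHA256 files fetched over independent paths.

    copies maps a source label to the text of the SHA256 file obtained
    from it. Returns (agreed, disputed): agreed is {filename: digest} for
    entries that every source lists with the same value; disputed maps
    each remaining filename to what each source said (None if missing).
    """
    if len(copies) < 2:
        raise ValueError("need at least two independently fetched copies")
    parsed = {src: parse_sha256_file(text) for src, text in copies.items()}
    names = set()
    for sums in parsed.values():
        names.update(sums)
    agreed, disputed = {}, {}
    for name in sorted(names):
        seen = {src: sums.get(name) for src, sums in parsed.items()}
        values = set(seen.values())
        if len(values) == 1 and None not in values:
            agreed[name] = values.pop()
        else:
            disputed[name] = seen
    return agreed, disputed


def verify_download(name, data, agreed):
    """Accept a download only if its digest equals the agreed value."""
    expected = agreed.get(name)
    if expected is None:  # disputed or unknown files are never accepted
        return False
    return hashlib.sha256(data).hexdigest() == expected


def constructed_sample():
    """Constructed data: a payload, two honest copies, one altered copy."""
    payload = b"constructed release payload"
    good = hashlib.sha256(payload).hexdigest()
    bad = hashlib.sha256(b"tampered payload").hexdigest()
    ramdisk = hashlib.sha256(b"constructed bsd.rd").hexdigest()

    def sha_file(iso_digest):
        return ("SHA256 (bsd.rd) = %s\nSHA256 (install.iso) = %s\n"
                % (ramdisk, iso_digest))

    copies = {"mirror-a via ISP 1": sha_file(good),
              "mirror-b via ISP 2": sha_file(good)}
    return payload, copies, sha_file(bad)


if __name__ == "__main__":
    payload, copies, altered = constructed_sample()
    agreed, disputed = cross_check(copies)
    print("all sources agree:", not disputed)
    print("download accepted:", verify_download("install.iso", payload, agreed))
    copies["mirror-c via ISP 1"] = altered
    agreed, disputed = cross_check(copies)
    print("disputed after altered copy:", sorted(disputed))
```

Agreement between sources only shows that the fetch paths were not tampered with independently; it does not cover the trusting-trust and malicious-developer cases the message also mentions.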
Re: Are there OpenBSD users who are not IT professionals?
On Tue, 19 Nov 2013, Michael wrote: From: Michael ber...@opensuse.us To: misc misc@openbsd.org Date: Tue, 19 Nov 2013 19:44:29 Subject: Re: Are there OpenBSD users who are not IT professionals? ... I haven't looked at comparable programs for powerpoint files, so I boot Windows for those. Impress: http://www.libreoffice.org/features/impress/ from LibreOffice may do what you want. Haven't used it myself. LibreOffice is in ports/packages on the amd64 i386 platforms. -- Dennis Davis dennisda...@fastmail.fm
Re: Are there OpenBSD users who are not IT professionals?
On Tue, 19 Nov 2013 16:37:25 +0100, za...@gmx.com wrote: to Linux distros)? Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. I am not an IT Pro :) On the other hand I do run OpenBSD on desktop/laptop. I am quite comfortable with it. Michael W. Lucas wrote an excellent book about OpenBSD. It is Absolute OpenBSD 2nd Edition. It helps a lot. Besides I suggest you to watch Michael W. Lucas about OpenBSD for Linux users. https://www.youtube.com/watch?v=BXPV3vJF99k It all sums up; how to work with openbsd, do daily computing and etc. -- Gökşin Akdeniz goksin.akde...@gmail.com
Re: Are there OpenBSD users who are not IT professionals?
On Tue, Nov 19, 2013 at 01:28:30PM -0700, eric oyen wrote: [...] Also, I am virtually the only blind user of OpenBSD that I know of [...] Which reminds me... If I recall correctly, one of your issues was the installation procedure being targeted at sighted users. -current has an option for automatic installation via previously prepared answers to the questions bsd.rd asks. Did you give that a try, and if so, how did it work out? I'd be really interested in if it can improve the installation process for you and other visually impaired users. -- Gregor Best
Re: Are there OpenBSD users who are not IT professionals?
Hi Zaf, I am an IT professional myself even though my daily work is far away from the OpenBSD world, which is also the major reason I find OpenBSD attractive. I would say your reasons make good sense and so does your choice. It takes time to learn but if you value the security-by-default philosophy then you are in the right place. The way I see it there is no replacement for OpenBSD. If you should consider an alternative, I would suggest to compare to other BSD distributions and not Linux. The contribution part of the community is another story though. My impression so far is that a highly specialized technical knowledge is required to be able to contribute at all. But as a user I guess only basic UNIX skills are required. Best wishes --- I have been following these mailing lists for some months now On 11/19/2013 16:37, za...@gmx.com wrote: Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? Please, give me some advice. If OpenBSD is not for me, I would rather know it sooner than later. Thanks Zaf
Re: Are there OpenBSD users who are not IT professionals?
On 11/19/13 22:38, Carsten Larsen wrote: Hi Zaf, I am an IT professional myself even though my daily work is far away from the OpenBSD world, which is also the major reason I find OpenBSD attractive. I would say your reasons make good sense and so does your choice. It takes time to learn but if you value the security-by-default philosophy then you are in the right place. The way I see it there is no replacement for OpenBSD. If you should consider an alternative, I would suggest to compare to other BSD distributions and not Linux. The contribution part of the community is another story though. My impression so far is that a highly specialized technical knowledge is required to be able to contribute at all. But as a user I guess only basic UNIX skills are required. Best wishes Contributing is easy: just buy the great stuff at: http://www.openbsd.org/orders.html or give a donation... Fred :~)
Re: Are there OpenBSD users who are not IT professionals?
On Tue, Nov 19, 2013 at 10:37 AM, za...@gmx.com wrote: Hi I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? I am a simple user who learned about OpenBSD upon beginning to share space with a sysadmin. I was given a sparc to experiment with, installed femail and used it as a mailserver, then got the bug and quickly built a webserver as well. I now default to using OpenBSD for various things and I often tackle complicated projects just for fun. I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? I set up a desktop machine several years ago using similar reasoning, also figuring that even if it didn't end up any more secure when I was done, I'd learn more by using the machine every day than by playing with others just when I had a project in mind. I spent a lot of time learning how the new packages I'd installed sat on top of the base system, so at least from an educational perspective it was pretty fascinating. Made for a nice, clean system, too, since every time I debated installing yet more applications, I'd be reminded of that nice secure base I'd started with and had been chipping away at ever since. 
It did take me some time to get mine set up nicely into desktop system form back then, especially compared to the easy job I'm used to when setting up OpenBSD as a server. I couldn't get the hang of cwm for an embarrassingly long time and a Brother HL-2040 printer and I nearly fought to the death. But it worked/works fine. Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? For me it was more a matter of figuring out what types of useful things OpenBSD could do for me as only a casual user. Once I had a cool thing I wanted in mind and knew it was possible, I rarely encountered difficulty in making it happen, given some lead time for manual reading. You might be surprised at how quickly working with it starts to seem very comfortable. It helps that it's so streamlined. I never felt that way about, say, Ubuntu, no matter how much time I spent with the command line. There's some unifying logic to how things are organized and what is included by default that makes learning and exploring on your own a little easier. Regarding relative difficulty, I'm not sure I saw much of a difference between learning OpenBSD and the couple flavors of Linux I originally tried out at around the same time, but I began with almost no Unix background. It's not a matter of difficulty or technical knowledge so much as knowing where to look for the information you need. If you're firmly in the simple computer user category, sometimes you end up spending time trying to guess what names and terms people in the know might use for things before you can even get a useful result from apropos. This is, incidentally, a great use for the mailing list archives, where many useful man page directions have already been given. I'll echo the recommendation for Michael W. Lucas' Absolute OpenBSD 2nd edition. 
It's a great general refresher for those of us who don't use the OS heavily enough to really memorize the basics and it complements the documentation well. It also contains some quality of life tips - turning off incessant beeping, moving windows around, etc. - that might help out a lot if you do decide to dive into desktop use and don't yet know what all your options are. If you're using OpenBSD in the workplace its advantages are obvious. If you are thinking about it for fun or personal use, it all kind of boils down to your personal level of curiosity. If you love knowing how and why things work, you'll probably be really happy getting to know OpenBSD and will appreciate how useful it can be.
Re: Are there OpenBSD users who are not IT professionals?
On Nov 19 16:37:25, za...@gmx.com wrote: I am new to OpenBSD. In fact, I am a total newbie here. After reading many posts on this list, I formed the impression that all or most OpenBSD users are high-end IT professionals. I was wondering: are there OpenBSD users who are not so advanced in terms of IT expertise? That is, who are simple computer *users*, not IT professionals? You are wrong assuming that all or even most people on this list are IT professionals. However, I think I have one of the more interesting stories to share with misc. I started using OpenBSD six years ago. Being a research mathematician, one of the most important computer tools for my job is the typesetting system TeX. At that time I was an avid FreeBSD user but I needed some fancy TeX features which were not present in the standard distribution of TeX for UNIX at that time, called teTeX. I looked around and OpenBSD was the second (only to Debian) UNIX-like system to switch from teTeX to the TeXLive distribution of TeX. Overnight I switched from FreeBSD to OpenBSD and discovered how simple and predictable OpenBSD is compared to FreeBSD, let alone to the Ubuntu I had on my office desktop at that time. A couple of years prior I started running FreeBSD in frustration with the attitude and incompetence of Linux IT guys after most U.S. research universities switched from Solaris which was running on X client to Linux. But my story doesn't end here. As time went by I became, thanks to the OpenBSD philosophy and design, a more competent computer and in particular UNIX user than I have ever been in my lifetime. I used those skills to greatly increase my efficiency in performing my day job which became more demanding as the economic crisis hit U.S. academia hard. I had never thought of myself as an IT professional until my colleagues and IT personnel started relying on my computer skills to get things done.
Thanks to new computer skills I acquired using OpenBSD, about six months ago I got a job offer from an academic data mining lab. I accepted the job offer and now a large part of my paycheck comes from doing computer work and, more interestingly, using OpenBSD not just on my desktop computer. Am I an IT professional? Not by a long stretch of imagination but I am probably more competent than many who consider themselves IT professionals. I need to know this because I am starting feeling that, as an average computer user, I might be out of place here. My kids who just learned how to read use OpenBSD. They can tell you everything about booting, buffering and many other things. They even do their homework on OpenBSD. I was attracted to OpenBSD by its security-by-default philosophy. Admittedly, I don't know much about security and I would not be able to set the proper security settings on my own, so I have decided to adopt OpenBSD and use it for simple day-to-day tasks, as a desktop OS (as I would any popular Linux distribution). Does this choice of mine, and its underlying reasoning, make sense? Ironically the major downside of making a living, at least in part, by playing with OpenBSD was that for the first time I was forced to use Linux. At work we have to use proprietary software such as MATLAB which doesn't run on OpenBSD but besides that there are simply situations in which OpenBSD is not the most appropriate tool (for example to do scientific computing) or even storing large amounts of data (HAMMER comes to mind). I am becoming a semi-competent RedHat user and I could not begin to describe to you my frustration with the inconsistencies, sheer complexity and unpredictability of Linux in general and RedHat in particular, which is rock stable compared to a distro like Ubuntu. Are there any significant drawbacks to my adoption of OpenBSD (such as OpenBSD being too technical and too difficult, as compared, say, to Linux distros)? I would say that it is the other way around.
Linux is too technical and too difficult. Don't believe me? Try writing semi serious firewall rules using IP tables and then compare to PF. Try configuring something as trivial as DHCP server or even client on Linux. Try getting NFS to work properly or OpenVPN. The situation gets just worse with more complicated services. Actually for people who need proprietary software at least on the Desktop level and plug and play features OS X offers significant advantages over Linux. If you know how to use it OS X is even interesting for UNIX guys who do not want to think.
OT: OpenBSD website scores high in Google PageSpeed Insight
Check this out: http://developers.google.com/speed/pagespeed/insights/?url=www.openbsd.org If OpenBSD code is very textbook-worthy, how about the high score in Google PageSpeed Insight? Whatever the OpenBSD web development crew is doing, their effort is worth praising. Keep it up guys, your work is nothing short of a gold standard for website development. Congratulations!
npppd l2tp/ipsec - openbsd client
Hello list! If anyone could shed some light to the following i would be thankful.. i have 2 5.4-current boxes, one acting as an npppd server over ipsec and the other one wishing to be a client. My understanding is that to accomplish that the client needs to use xl2tpd from ports. The problem is that although linux and windows clients connect ok with the same setup, i can't get the openbsd client to connect.

server /etc/ipsec.conf:

    local_ip=A.B.C.D
    ike passive esp transport proto udp from $local_ip to any port 1701 \
        main auth hmac-sha enc aes group modp2048 \
        quick auth hmac-sha enc aes \
        psk x

obsd client /etc/ipsec.conf:

    remote_ip=A.B.C.D
    local_ip=E.F.G.H
    ike passive esp transport proto udp from $local_ip to $remote_ip port 1701 \
        main auth hmac-sha enc aes group modp2048 \
        quick auth hmac-sha enc aes \
        psk x

now when both endpoints run start isakmpd and run ipsecctl we see the flows being created. the same kinds of flows get created for the other windows and linux clients.

server /etc/npppd/npppd.conf:

    authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
    }
    tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
        l2tp-accept-dialin yes
        authentication-method mschapv2
        pipex yes
    }
    ipcp IPCP {
        pool-address 10.0.10.2-10.0.10.254
        dns-servers 8.8.8.8
    }
    # use tun(4) interface. multiple ppp sessions concentrate one interface.
    interface tun0 address 10.0.10.1 ipcp IPCP
    bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

obsd client's /etc/xl2tpd/xl2tpd.conf:

    [global]
    debug avp = yes
    debug network = yes
    debug state = yes
    debug tunnel = yes

    [lac foo]
    lns = A.B.C.D
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd.client
    length bit = yes
    autodial=yes

obsd client's /etc/ppp/options.l2tpd.client:

    ipcp-accept-local
    ipcp-accept-remote
    refuse-eap
    require-mschap-v2
    noccp
    noauth
    idle 1800
    mtu 1410
    mru 1410
    defaultroute
    usepeerdns
    debug
    lock
    name x
    password x

the problem is that as we see from the logs the obsd client refuses to cope with mschap-v2 and various options from that last file. if we remove all the offending options we end up with no authentication protocols are agreeable on npppd logs

ideas? suggestions for other approaches?? Help me misc@openbsd.org, you're my only hope... ;) thanks guys.
low-power/small form factor server (supermicro X9SCL-F w Core i3-3220T)
I was recently looking for a low-power small form factor box and was initially thinking of the supermicro SuperServer 5017A-EF, which seemed a good fit. Unfortunately, the fairly new atom SoC in that box isn't currently supported, nor is the crappy not-quite-AHCI Marvell sata controller. So, I'm thinking of putting something together from parts instead. I'm looking at the supermicro X9SCL-F motherboard which has an Intel C202 PCH chipset and 2 gigabit interfaces (Intel 82579LM and 82574L), combined with a Core i3-3220T, stuffed in a 510T-203B chassis. I see from the em man page and the list archives that those two Intel ethernet chipsets seem reasonably well supported. I couldn't find any specific mention of the C202 chipset, but I believe the Intel AHCI SATA interface is actually AHCI compliant, so trust it would work fine with the standard ahci driver. The i3 processor has a 35w TDP versus the atom's 8.5w, but actually working with openbsd is a bit more important than saving a few watts :). According to the Intel ARK this i3 processor should support ECC memory when installed on a board with a server class chipset. I really appreciated the heads up I got last week about the unsupported atom, that definitely saved me from ordering a box I couldn't use 8-/, so if anybody sees any potential issues with this combination for an openBSD server I'd appreciate hearing about it :). Thanks much.
Re: OT: OpenBSD website scores high in Google PageSpeed Insight
That is the score you get when you don't leverage all the latest new cool but heavy shit. Check this out: http://developers.google.com/speed/pagespeed/insights/?url=www.openbsd.org If OpenBSD code is very textbook-worthy, how about the high score in Google PageSpeed Insight? Whatever the OpenBSD web development crew is doing, their effort is worth praising. Keep it up guys, your work is nothing short of a gold standard for website development. Congratulations!
Re: low-power/small form factor server (supermicro X9SCL-F w Core i3-3220T)
On Tue, Nov 19, 2013 at 07:45:46PM -0800, Paul B. Henson wrote: I'm looking at the supermicro X9SCL-F motherboard which has an Intel C202 PCH chipset and 2 gigabit interfaces (Intel 82579LM and 82574L), combined with a Core i3-3220T, stuffed in a 510T-203B chassis. I have lots of X9SCL-F, X9SCL+-F, X9SCM-F, X9SCI-LN4, X9SCI-LN4F, X9SCM-iiF boards running OpenBSD in production. Both network interfaces work flawlessly. I mostly use the CSE-510-200B, CSE-510T-200B, and CSE-512L-200B chassis options from Supermicro. I use the Kingston KVR13E9 Unbuffered ECC memory chips in all the various sizes (2GB, 4GB, and 8GB). Although I'm not using any of the low power chips since I've found that heat is really not an issue and the non T chips scale down just the same, I have used lots of chips including the Pentium G620, G860, Core i3 2120, Core i3 3240, Xeon E3 1220, Xeon E3 1260L, and Xeon E3 1230v2. You will also want the Supermicro SNK-P0046P heatsink for any of those 1U cases and an LGA1155 CPU. If you want to use the IPMI feature, it works fine with the Java IPMIview software on OS X (presumably Windows and Linux too) with the KVM Console option with the addition of a couple of Supermicro-provided Java libraries (do a search to find blog posts about this on OS X). If you don't need IPMI, you could save a few dollars and go with the non F versions of the boards. I have found that the IPMI Text Console never works right for anything I've tried including OpenBSD. I see from the em man page and the list archives that those two Intel ethernet chipsets seem reasonably well supported. I couldn't find any specific mention of the C202 chipset, but I believe the Intel AHCI SATA interface is actually AHCI compliant, so trust it would work fine with the standard ahci driver. The i3 processor has a 35w TDP versus the atom's 8.5w, but actually working with openbsd is a bit more important than saving a few watts :). 
The C202, C204, C206, C212, C214, and C216 controllers all work perfectly with hard drives or SSDs. According to the Intel ARK this i3 processor should support ECC memory when installed on a board with a server class chipset. I really appreciated the heads up I got last week about the unsupported atom, that definitely saved me from ordering a box I couldn't use 8-/, so if anybody sees any potential issues with this combination for an openBSD server I'd appreciate hearing about it :). You'll have no issues at all. It's a great combination. I tell my customers and everyone else to just go with an X9SC{L,M} board, an LGA1155 Pentium, Core i3, or Xeon E3 (if absolutely necessary) and be done with it. The cheaper Pentium chips and Core i3 support ECC perfectly and that saves a lot of money that would be wasted on fast CPUs for minimal workloads. Bryan
Re: Looking for a laptop in the Toronto area
On Wed, Oct 30, 2013 at 05:33:56PM -0700, Dag Richards wrote: Theo de Raadt wrote: But really, those of you are telling him that are MISSING THE POINT ENTIRELY. Oh time to help is it? Where to send the cheque? I'm sending $500 so we can get this done. Details are here in case anyone else needs them: http://www.undeadly.org/cgi?action=article&sid=20131118060855 Bryan