Re: [OpenBGPd = Cisco] error in OPEN message, unknown subcode 8

2013-12-05 Thread Alexander Hall
Janne Johansson icepic...@gmail.com wrote:
2013/12/3 Laurent CARON lca...@unix-scripts.info

 ** Note for future readers, don't copy and paste this config snippet as it
 does *NOT* work as you would expect it. **
 $PEERv6=dead:beef::1
 $MEv6=dead:beef::2


Think of the vegans...

Don't get me started on mekmitasdigoat... ;-)



Re: ssh and relayd

2013-12-05 Thread Liviu Daia
On 4 December 2013, Predrag Punosevac punoseva...@gmail.com wrote:
 Hi Misc,

 This is a trivial question but I am having a hard time wrapping my head
 around the possible use of relayd for ssh traffic redirecting. Namely
 I have a situation where I have multiple hosts behind firewall which I
 would like to make available for ssh login.
[...]

You can do that with ssh alone:

Host internal_machine
    ProxyCommand ssh -A -q -l %r -W %h:%p firewall

Regards,

Liviu Daia



Re: uvm_wait_pla() infinite loop

2013-12-05 Thread Peter J. Philipp
 I wish I had a dmesg for you but I didn't save one offline from this
 vps.  I can tell you this much.  It's virtualbox'ed, has 2 cpu's and
 since yesterday has some memory intensive application that may cause
 some things to be moved to swap.  I'm gonna have to see to reduce the
 memory on that I guess.

Here then is the dmesg:


OpenBSD 5.4-stable (GENERIC.MP) #0: Sat Nov 23 04:37:53 EST 2013
p...@namericas.centroid.eu:/home/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 788463616 (751MB)
avail mem = 759803904 (724MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (9 entries)
bios0: vendor innotek GmbH version VirtualBox date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5410 @ 2.33GHz, 2442.54 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,SSSE3,NXE,LONG,LAHF,PERF
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
cpu0: apic clock running at 999MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5410 @ 2.33GHz, 2442.38 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,SSSE3,NXE,LONG,LAHF,PERF
cpu1: 6MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibat0 at acpi0: BAT0 not present
acpiac0 at acpi0: AC unit online
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel 82441FX rev 0x02
pcib0 at pci0 dev 1 function 0 Intel 82371SB ISA rev 0x00
pciide0 at pci0 dev 1 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: VBOX, CD-ROM, 1.0 ATAPI 5/cdrom removable
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
vga1 at pci0 dev 2 function 0 InnoTek VirtualBox Graphics Adapter rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 Intel 82540EM rev 0x02: apic 2 int 19, address 
08:00:27:af:35:d3
InnoTek VirtualBox Guest Service rev 0x00 at pci0 dev 4 function 0 not 
configured
piixpm0 at pci0 dev 7 function 0 Intel 82371AB Power rev 0x08: SMBus disabled
ahci0 at pci0 dev 13 function 0 Intel 82801HBM AHCI rev 0x02: apic 2 int 21, 
AHCI 1.1
ahci0: device on port 0 didn't come ready, TFD: 0x171ERR
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: ATA, VBOX HARDDISK, 1.0 SCSI3 0/direct fixed 
t10.ATA_VBOX_HARDDISK_VBc2bb66cd-51092c1b_
sd0: 10240MB, 512 bytes/sector, 20971520 sectors
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
mtrr: CPU supports MTRRs but not enabled
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (2dcea048a32f887d.a) swap on sd0b dump on sd0b
WARNING: / was not properly unmounted


Regards,

-peter



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Zé Loff
On Thu, Dec 05, 2013 at 08:20:07AM +0100, obsd, cgi wrote:
 So I know the rule.. only remember a few very very long passwords
 (ex.: based on several words and a few special chars), and keep the
 rest of the passwords in a password manager (those aren't remembered
 and extreme long).
 
 But this gets me to 2 questions:
 
 - Are there any default password managers in OpenBSD (console/GUI
 based?)?  Or there are only from ports that are not very audited? What
 is the advise to where to store the pwd's?

Not sure how advisable this is, but I'm using a gpg encrypted file,
which I keep somewhere hidden (just because). Just put them in file
foo and do 'gpg -e foo' (assuming you've already set up gpg). When you
need to look something up just do 'gpg -d foo' and the file gets
decrypted to stdout.

I use it mostly for mutt (see the top of
http://nixtricks.wordpress.com/2010/05/20/mutt-multiple-email-accounts-using-hooks/)
but you can keep anything in there, obviously.

Again, not sure how recommendable this is, but it works for me(tm) and
it's not like I'm keeping the password to root accounts or anything of
the like in there...

Cheers
Zé

-- 



Re: Problem enabling quotas

2013-12-05 Thread Cyrus
On 05/12/13 16:02, Philip Guenther wrote:
 On Wed, Dec 4, 2013 at 8:42 PM, Cyrus cyrus_the_gr...@riseup.net wrote:
 I have followed the directions of the manual, but quotas still don't
 seem to be enabled.

 # cat /etc/fstab

 784d82c953376542.b none swap sw
 784d82c953376542.a / ffs rw,softdep,userquota=/var/quotas/quota.user 1 1
 
 Since you failed to include a dmesg, I'll say that you're clearly not
 using a new enough snapshot.
 
 (quota(1) was fixed to work with duids last month.)
I'm running stable, not a snapshot. I just changed the fstab entries to
not use duids and quotas are now working.
 
 
 Philip Guenther
 

-- 
CYRUSERV Onionland Hosting: http://cyruserv5hlagzhg.onion/
new email address: cyrus_the_gr...@lelantos.org
PGP public key: http://cyruserv5hlagzhg.onion/PGP



Fan control on x201

2013-12-05 Thread Daniel Collaziol
Hi all,

so, I installed the OpenBSD 5.4 in my laptop (hardware/configs dumps
below) a few weeks ago and everything is running smoothly, with one
exception: the fan is quite noisy.

I tried already setting the hw.setperf to 0 by using the apmd(8)
options -C, -A and -L, which indeed set this config although the fan
speed keeps high (see below).

I also found another related thread within OpenBSD's mailing lists here:
http://openbsd.7691.n7.nabble.com/x201-fan-noise-td103277.html

I just wondered whether there is some new i.e. built-in solution to
that other than hacking the Thinkpad driver.

This is what my apm(8), sysctl hw, and dmesg look like:
$ apm
Battery state: low, 39% remaining, unknown life estimate
A/C adapter state: connected
Performance adjustment mode: cool running (1197 MHz)

$ sysctl hw
hw.machine=amd64
hw.model=Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz
hw.ncpu=4
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0:272254c340b88297,cd0:
hw.diskcount=2
hw.sensors.cpu0.temp0=46.00 degC
hw.sensors.cpu1.temp0=46.00 degC
hw.sensors.cpu2.temp0=46.00 degC
hw.sensors.cpu3.temp0=46.00 degC
hw.sensors.acpitz0.temp0=54.50 degC (zone temperature)
hw.sensors.acpibat0.volt0=11.01 VDC (voltage)
hw.sensors.acpibat0.volt1=12.60 VDC (current voltage)
hw.sensors.acpibat0.current0=0.28 A (rate)
hw.sensors.acpibat0.amphour0=2.86 Ah (last full capacity)
hw.sensors.acpibat0.amphour1=0.44 Ah (warning capacity)
hw.sensors.acpibat0.amphour2=0.13 Ah (low capacity)
hw.sensors.acpibat0.amphour3=1.13 Ah (remaining capacity), OK
hw.sensors.acpibat0.raw0=2 (battery charging), OK
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.itherm0.temp0=0.00 degC (Thermometer)
hw.sensors.itherm0.temp1=54.01 degC (Core 1)
hw.sensors.itherm0.temp4=65.00 degC (CPU/GPU Max temp)
hw.sensors.itherm0.temp9=65.00 degC (GPU/Memory controller abs.)
hw.sensors.itherm0.temp10=74.00 degC (PCH abs.)
hw.sensors.itherm0.power0=10.00 W (CPU power consumption)
hw.cpuspeed=1197
hw.setperf=0
hw.vendor=Dell Inc.
hw.product=Inspiron N5010
hw.version=A08
hw.serialno=2LTP3P1
hw.uuid=44454c4c-4c00-1054-8050-b2c04f335031
hw.physmem=4067500032
hw.usermem=4002664448
hw.ncpufound=4
hw.allowpowerdown=1

$ dmesg
OpenBSD 5.4 (GENERIC.MP) #41: Tue Jul 30 15:30:02 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4067500032 (3879MB)
avail mem = 3951497216 (3768MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xeb2e0 (54 entries)
bios0: vendor Dell Inc. version A08 date 09/13/2010
bios0: Dell Inc. Inspiron N5010
acpi0 at bios0: rev 3
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC SSDT MCFG SLIC HPET OSFR
acpi0: wakeup devices P0P1(S3) P0P2(S3) P0P3(S3) P0P4(S3) P0P5(S3)
BR20(S3) PEX0(S3) PEX1(S3) PEX2(S4) PEX3(S3) PEX4(S3) PEX5(S3)
PEX6(S3) PEX7(S3) GBE_(S4) EHC2(S0) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz, 2527.38 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
cpu0: apic clock running at 132MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz, 2527.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 2, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz, 2527.00 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz, 2527.00 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 2, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 32 (BR20)
acpiprt2 at acpi0: bus 17 (PEX0)
acpiprt3 at acpi0: bus 18 (PEX1)
acpiprt4 at acpi0: bus 19 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus 21 (PEX4)
acpiprt7 at acpi0: bus -1 (PEX5)

Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread InterNetX - Robert Garrett
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

use sticky notes.. preferably on your monitor

On 12/05/2013 08:20 AM, obsd, cgi wrote:
 So I know the rule.. only remember a few very very long passwords
 (ex.: based on several words and a few special chars), and keep the
 rest of the passwords in a password manager (those aren't
 remembered and extreme long).
 
 But this gets me to 2 questions:
 
 - Are there any default password managers in OpenBSD (console/GUI
 based?)? Or there are only from ports that are not very audited?
 What is the advise to where to store the pwd's?
 
 - Are there any best-practises to generate a password? - that are
 kept in password manager, so ex.: 128 char long with special/random
 chars, etc.
 
 Thanks for your time
 


Kind regards

Robert Garrett
Senior System Engineer
Technical Projects  Solutions
- --
InterNetX GmbH
Maximilianstr. 6
93047 Regensburg
Germany

Tel. +49 941 59559-480
Fax  +49 941 59559-245

www.internetx.com
www.facebook.com/InterNetX
www.twitter.com/InterNetX

Geschäftsführer/CEO: Thomas Mörz
Amtsgericht Regensburg, HRB 7142



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread unix_lists
On Thu, Dec 5, 2013, at 05:50 AM, InterNetX - Robert Garrett wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 use sticky notes.. preferably on your monitor
 
snip

hahahaha


-- 
 Regards,
 21



Re: Fan control on x201

2013-12-05 Thread Stefan Sperling
On Thu, Dec 05, 2013 at 12:36:44PM +0100, Daniel Collaziol wrote:
 Hi all,
 
 so, I installed the OpenBSD 5.4 in my laptop (hardware/configs dumps
 below) a few weeks ago and everything is running smoothly, with one
 exception: the fan is quite noisy.
 
 I tried already setting the hw.setperf to 0 by using the apmd(8)
 options -C, -A and -L, which indeed set this config although the fan
 speed keeps high (see below).
 
 I also found another related thread within OpenBSD's mailing lists here:
 http://openbsd.7691.n7.nabble.com/x201-fan-noise-td103277.html
 
 I just wondered whether there is some new i.e. built-in solution to
 that other than hacking the Thinkpad driver.

The thread you're referencing refers to the x201 thinkpad,
but

 $ dmesg

 bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xeb2e0 (54 entries)
 bios0: vendor Dell Inc. version A08 date 09/13/2010
 bios0: Dell Inc. Inspiron N5010

... your bios doesn't make it look like a thinkpad.

I have an x201i thinkpad with the latest BIOS, and it runs without
too much fan noise on OpenBSD -current.

bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe0010 (78 entries)
bios0: vendor LENOVO version 6QET70WW (1.40 ) date 10/11/2012
bios0: LENOVO 3626EZ4



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Craig R. Skinner
On 2013-12-05 Thu 12:50 PM |, InterNetX - Robert Garrett wrote:
 
 use sticky notes.. preferably on your monitor
 

Just use the word 'incorrect' everywhere.

Whenever a mistake is entered, the system will say:
Your password is incorrect.

Done,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Rodrigo Mosconi
2013/12/5 InterNetX - Robert Garrett robert.garr...@internetx.com

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 use sticky notes.. preferably on your monitor


JMO

And sticky the wallet, with the credit card and bank passwords.

/JMO


 On 12/05/2013 08:20 AM, obsd, cgi wrote:
  So I know the rule.. only remember a few very very long passwords
  (ex.: based on several words and a few special chars), and keep the
  rest of the passwords in a password manager (those aren't
  remembered and extreme long).
 
  But this gets me to 2 questions:
 
  - Are there any default password managers in OpenBSD (console/GUI
  based?)? Or there are only from ports that are not very audited?
  What is the advise to where to store the pwd's?
 
  - Are there any best-practises to generate a password? - that are
  kept in password manager, so ex.: 128 char long with special/random
  chars, etc.
 
  Thanks for your time
 


 Kind regards

 Robert Garrett
 Senior System Engineer
 Technical Projects  Solutions
 - --
 InterNetX GmbH
 Maximilianstr. 6
 93047 Regensburg
 Germany

 Tel. +49 941 59559-480
 Fax  +49 941 59559-245

 www.internetx.com
 www.facebook.com/InterNetX
 www.twitter.com/InterNetX

 Geschäftsführer/CEO: Thomas Mörz
 Amtsgericht Regensburg, HRB 7142



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Stefan Sperling
On Thu, Dec 05, 2013 at 10:09:07AM +, Zé Loff wrote:
 Not sure how advisable this is, but I'm using a gpg encrypted file,
 which I keep somewhere hidden (just because). Just put them in file
 foo and do 'gpg -e foo' (assuming you've already setup gpg). When you
 need to look something up just do 'gpg -d foo' and the file gets
 decrypted to stdout.
 
 I use it mostly for mutt (see the top of
 http://nixtricks.wordpress.com/2010/05/20/mutt-multiple-email-accounts-using-hooks/)
 but you can keep anything in there, obviously.
 

I have this snippet in .kshrc, it needs the xclip tool from packages.

function getpass {
	# Decrypt the store, select lines starting with $1, copy field 2 to the X selection.
	gpg --decrypt "$HOME/pw.gpg" | grep "^$1" | awk '{print $2}' \
	    | tr -d '\n' | xclip -i
}

The plaintext of pw.gpg has lines like this:

key password

Run 'getpass somekey', enter pgp passphrase, and you can paste the
password with the middle button (if you want it to go into the e.g.
GTK+ paste buffer instead, try the -selection option of xclip).

To generate passwords, I use 'pwgen 32' (see pwgen package).

 its not like I'm keeping the password to root accounts or anything of
 the like in there...

Me neither.
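
An added example, not part of the post above: `grep ^$1` selects by prefix and treats the key as a regular expression, so with keys such as `mail` and `mailserver` both passwords end up joined in the clipboard. The sketch below compares that behaviour with an exact first-field match that refuses missing or duplicate keys; `sample_db`, `lookup_pw_prefix`, `lookup_pw`, `LOOKUP_KEY` and the entries are constructed for illustration, and it goes slightly beyond the post by keeping passwords that contain spaces.

```shell
#!/bin/sh
# Constructed sample plaintext in the "key password" layout described above.
sample_db() {
	cat <<'EOF'
mail hunter2-constructed
mailserver s3cond-constructed
web.site p4ss-constructed
webXsite other-constructed
EOF
}

# Matching as done by the original pipeline: prefix and regex match on the
# key, second field of every matching line, newlines stripped.
lookup_pw_prefix() {
	grep "^$1" | awk '{print $2}' | tr -d '\n'
}

# Exact match on the first field. The key travels through the environment so
# awk never interprets it as a pattern or as escape sequences.
# Exit status: 0 = exactly one entry printed, 1 = no entry, 2 = duplicate key.
lookup_pw() {
	LOOKUP_KEY=$1 awk '
		BEGIN { k = ENVIRON["LOOKUP_KEY"] }
		# Appending "" forces a string comparison even for numeric-looking keys.
		($1 "") == (k "") {
			n++
			pw = $0
			# Drop the key and the whitespace after it; keep the rest of the line.
			sub(/^[ \t]*[^ \t]+[ \t]+/, "", pw)
		}
		END {
			if (n == 1) { printf "%s", pw; exit 0 }
			exit (n == 0 ? 1 : 2)
		}'
}
```

In use the input would come from the decrypted store, for instance `gpg --decrypt "$HOME/pw.gpg" | lookup_pw somekey | xclip -i`, with the exit status checked before pasting.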



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Roberto E. Vargas Caballero
 function getpass {
   gpg --decrypt $HOME/pw.gpg | grep ^$1 | awk '{print $2}' \
   | tr -d '\n' |  xclip -i 
 }
 
 The plaintext of pw.gpg has lines like this:
 
 key   password

I have something similar, but instead of having all the passwords in
a single file, I have one file for each password, so the script
is simpler.

Regards,

-- 
Roberto E. Vargas Caballero



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Fred

On 12/05/13 07:20, obsd, cgi wrote:

So I know the rule.. only remember a few very very long passwords (ex.:
based on several words and a few special chars), and keep the rest of the
passwords in a password manager (those aren't remembered and extreme long).

But this gets me to 2 questions:

- Are there any default password managers in OpenBSD (console/GUI based?)?
Or there are only from ports that are not very audited? What is the advise
to where to store the pwd's?

- Are there any best-practises to generate a password? - that are kept in
password manager, so ex.: 128 char long with special/random chars, etc.

Thanks for your time



There is password-gorilla in packages.

hth

Fred



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Fred

On 12/05/13 07:20, obsd, cgi wrote:

So I know the rule.. only remember a few very very long passwords (ex.:
based on several words and a few special chars), and keep the rest of the
passwords in a password manager (those aren't remembered and extreme long).

But this gets me to 2 questions:

- Are there any default password managers in OpenBSD (console/GUI based?)?
Or there are only from ports that are not very audited? What is the advise
to where to store the pwd's?

- Are there any best-practises to generate a password? - that are kept in
password manager, so ex.: 128 char long with special/random chars, etc.

Thanks for your time



Sorry - should have read your mail more closely - I don't know of any 
default password managers but I do use password gorilla for remembering 
my web passwords...


Fred



Re: ipsec or iked to deploy under openbsd carp fws

2013-12-05 Thread Anders Berggren
 Searching in google and reading some docs, I have several doubts
 about which one to choose. If I am not wrong, iked doesn't supports
 sasyncd, is it correct??
 
 I am *much* happier with my use of isakmpd since I got rid of sasyncd
 and just rely on dead peer detection (DPD), I use ifstated to kill
 isakmpd and flush ipsec if the state of the carp interface changes to
 backup, or start isakmpd and load ipsec rules when the state changes
 to master. When I used sasyncd I got into various situations where
 things wouldn't work until I disabled it and rebooted both vpn
 gateways.. Obviously this only works if your clients support DPD.

Interesting. I've got sasyncd to work pretty well by introducing a rather long 
sleep before restoring the carp demote, with my main problem being the 
fallback/restore to the designated master after a short period of the backup 
being active (the failover from master to backup works well). However, with a 
standard IKE config, the tunnel restores itself within some time. I'm keen on 
debugging sasyncd; were your issues similar? 



Re: ipsec or iked to deploy under openbsd carp fws

2013-12-05 Thread Janne Johansson
2013/12/5 Anders Berggren and...@halon.se


 Interesting. I've got sasyncd to work pretty well by introducing a rather
 long sleep before restoring the carp demote, with my main problem being the
 fallback/restore to the designated master after a short period of the
 backup being active (the failover from master to backup works well).
 However, with a standard IKE config, the tunnel restores itself within
 some time. I'm keen on debugging sasyncd; were your issues similar?


I've seen this too. First flip goes fine, flip back is easiest done by
ipsecctl flush-and-load and then it starts behaving as expected again.


-- 
May the most significant bit of your life be positive.



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Christian Weisgerber
Zé Loff zel...@zeloff.org wrote:

 Not sure how advisable this is, but I'm using a gpg encrypted file,
 which I keep somewhere hidden (just because). Just put them in file
 foo and do 'gpg -e foo' (assuming you've already setup gpg). When you
 need to look something up just do 'gpg -d foo' and the file gets
 decrypted to stdout.

*takes a deep breath*

~/bin/pwsafe
---
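#!/bin/sh

SAFE=$HOME/.pwsafe
TMPFILE=`mktemp /tmp/pwsafeXXXXXXXXXX` || exit 1

# Overwrite and remove the plaintext copy on exit or on HUP/INT/TERM.
trap 'rm -P "$TMPFILE"' 0 1 2 15

# Read the passphrase with terminal echo turned off.
STTY=`stty -g`
echo -n "Password: "
stty -echo
read PASSWORD
stty $STTY

set -e
# Decrypt to the temp file, edit it, then re-encrypt over the safe.
echo -n "$PASSWORD" | openssl aes-256-cbc -d -in "$SAFE" -out "$TMPFILE" -pass stdin
${EDITOR-${VISUAL-vi}} "$TMPFILE"
echo -n "$PASSWORD" | openssl aes-256-cbc -in "$TMPFILE" -out "$SAFE" -pass stdin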
---

-- 
Christian naddy Weisgerber  na...@mips.inka.de



WAY OT Was: Potential scripting engine to integrate into mg?

2013-12-05 Thread Diana Eichert

On Wed, 4 Dec 2013, bsdclubho...@gmail.com wrote:


On Mon, Dec 02, 2013 at 08:58:56PM -, Edward L. wrote:

So why don't we have python in the base? Perl is in there.
Just curious, not that I'm requesting. :-)
Thanks.


Absolutely. We also need Ruby, Lua, Scheme, Haskell, Cython and Java.
That would be really great.

SNIP

Personally I think a forth interpreter should be embedded in the kernel. 
;-)





Past hissy-fits are not a predictor of future hissy-fits.
Nick Holland(06 Dec 2005)



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Ted Unangst
On Thu, Dec 05, 2013 at 10:09, Zé Loff wrote:

 Not sure how advisable this is, but I'm using a gpg encrypted file,
 which I keep somewhere hidden (just because). Just put them in file
 foo and do 'gpg -e foo' (assuming you've already setup gpg). When you
 need to look something up just do 'gpg -d foo' and the file gets
 decrypted to stdout.

The same, but using scrypt.



Re: BGP changes to support CARP better

2013-12-05 Thread Andy

Hi,

Does anyone have an idea how I can get this nexthop qualify to work?

from the man page it says;
nexthop qualify via (bgp|default)
        If set to bgp, bgpd(8) may use BGP routes to verify nexthops.  If
        set to default, bgpd may use the default route to verify
        nexthops.  By default bgpd will only use static routes or routes
        added by other routing daemons like ospfd(8).

I've tried various things but nothing works..

The carp IP is on the 'carp' interface and not the phys interface and 
so I think that's why the nexthop is not being applied correctly on the 
master?


I've tried 'multihop' too.

Thanks, Andy.


On Tue 03 Dec 2013 17:06:40 GMT, Andy wrote:

Hi, I've got something really interesting to show, which shows this
clearly and should help point to the root cause.

In short, it seems that the desired nexthop is not applied by the CARP
master when it is in state 'nexthop 180.25.32.20 now valid: via
180.25.32.20'. I.e. when it is 'via' even though it is a local IP..

From the perspective of the 'backup' the CARP IP is a directly
connected IP which it can reach 'nexthop 180.25.32.20 now valid:
directly connected'.

NB; I haven't had a chance to test IPv6 or iBGP but from this
observation it looks like the same problem will be seen, unless there
is a way of telling OpenBGPd to use nexthops which are 'via' something..


THE SETUP;

- Two OpenBSD boxes with CARP on their BGP and LAN Interfaces.
- One or two upstream Cisco routers on BGP interface via switch (both
show same problem).
- PF disabled (just for this testing).
- 180.25.32.1 = iBGP Cisco Router
- 180.25.32.20 = CARP IP
- 180.25.32.21 = OBSD1
- 180.25.32.22 = OBSD2
- Neighbors are eBGP

OpenBSD Host 1 (master) /etc/bgpd.conf;
AS 66868
router-id 180.25.32.21
log updates
network 180.25.32.0/22
network 2a00:7ee0::/32
neighbor 180.25.32.1 {
   remote-as 66868
   announce self
   local-address 180.25.32.21
   tcp md5sig password secret
   descr THN
}
match to 180.25.32.1 set nexthop 180.25.32.20
allow from any inet prefixlen 8 - 26
allow from any inet6 prefixlen 16 - 48
allow to any


OpenBSD Host 1 (backup) /etc/bgpd.conf;
AS 66868
router-id 180.25.32.22
log updates
network 180.25.32.0/22
network 2a00:7ee0::/32
neighbor 180.25.32.1 {
   remote-as 66868
   announce self
   local-address 180.25.32.22
   tcp md5sig password secret
   descr THN
}
match to 180.25.32.1 set nexthop 180.25.32.20
allow from any inet prefixlen 8 - 26
allow from any inet6 prefixlen 16 - 48
allow to any


Cisco Host;
router bgp 12345
bgp router-id 180.25.32.1
bgp log-neighbor-changes
neighbor 180.25.32.21 remote-as 66868
neighbor 180.25.32.21 password secret
neighbor 180.25.32.22 remote-as 66868
neighbor 180.25.32.22 password secret
!
address-family ipv4
 neighbor 180.25.32.21 activate
 neighbor 180.25.32.22 activate
exit-address-family
!
!



TEST 1 - Start BGP on master then backup;

BGP Process is already running on the Cisco..
THN(config)#do show ip bgp
THN(config)#


OpenBSD Host 1 (MASTER) bgpd -dv;
[LIVE]root@OpenBSD1:~# bgpd -dv
startup
rereading config
route decision engine ready
session engine ready
new ktable rdomain_0 for rtableid 0
nexthop 180.25.32.20 now valid: via 180.25.32.20
listening on 0.0.0.0
listening on ::
SE reconfigured
neighbor 180.25.32.1 (THN): state change None - Idle, reason: None
neighbor 180.25.32.1 (THN): state change Idle - Connect, reason: Start
RDE reconfigured
neighbor 180.25.32.1 (THN): state change Connect - OpenSent, reason:
Connection opened
neighbor 180.25.32.1 (THN): state change OpenSent - OpenConfirm,
reason: OPEN message received
neighbor 180.25.32.1 (THN): state change OpenConfirm - Established,
reason: KEEPALIVE message received


THN(config)#do show ip bgp
BGP table version is 8, local router ID is 180.25.32.1
Status codes: s suppressed, d damped, h history, * valid,  best, i -
internal,
 r RIB-failure, S Stale, m multipath, b backup-path, f
RT-Filter,
 x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network  Next Hop  Metric LocPrf Weight Path
*  180.25.32.0/22   180.25.32.21   0 66868 i


NOTICE THIS IS THE WRONG NEXTHOP! :(


OpenBSD Host 2 (BACKUP) bgpd -dv;
[LIVE]root@OpenBSD2:~# bgpd -dv
startup
rereading config
route decision engine ready
session engine ready
new ktable rdomain_0 for rtableid 0
nexthop 180.25.32.20 now valid: directly connected
listening on 0.0.0.0
listening on ::
SE reconfigured
neighbor 180.25.32.1 (THN): state change None - Idle, reason: None
neighbor 180.25.32.1 (THN): state change Idle - Connect, reason: Start
RDE reconfigured
neighbor 180.25.32.1 (THN): state change Connect - OpenSent, reason:
Connection opened
neighbor 180.25.32.1 (THN): state change OpenSent - OpenConfirm,
reason: OPEN message received
neighbor 180.25.32.1 (THN): state change OpenConfirm - Established,

Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Martin Brandenburg
obsd, cgi obsd...@postafiok.hu wrote:

 So I know the rule.. only remember a few very very long passwords (ex.:
 based on several words and a few special chars), and keep the rest of the
 passwords in a password manager (those aren't remembered and extreme long).
 
 But this gets me to 2 questions:
 
 - Are there any default password managers in OpenBSD (console/GUI based?)?
 Or there are only from ports that are not very audited? What is the advise
 to where to store the pwd's?
 
 - Are there any best-practises to generate a password? - that are kept in
 password manager, so ex.: 128 char long with special/random chars, etc.
 
 Thanks for your time

I've personally been using a small utility I wrote to generate them from
a plain text database and typed master password. Its passwords aren't as
long as they could be and loss of the master password is catastrophic
since it is used directly and cannot be changed.

- Martin

---

Public domain, but use at your own risk.

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <termios.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>

/* Modified base 64 alphabet: '$' and '@' replace '+' and '/'. */
static char base64[64] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
                          'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
                          'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
                          'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
                          'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
                          'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
                          'w', 'x', 'y', 'z', '0', '1', '2', '3',
                          '4', '5', '6', '7', '8', '9', '$', '@'};

int main(void)
{
	FILE *tty;
	struct termios originalt, t;
	char buf[100];
	char buf2[100];
	char *s;
	char *mpass;
	EVP_MD_CTX *ctx;
	unsigned char key[EVP_MAX_MD_SIZE];
	unsigned int key_len;
	char *site, *account, *date;
	int malformed, hash_error;
	int size;
	unsigned char digest[EVP_MAX_MD_SIZE];
	unsigned int digest_len;
	int i;

	/* Read the master password. */
	tty = fopen("/dev/tty", "r+");
	if (tty == NULL) {
		fprintf(stderr, "Could not read key.");
		return -1;
	}
	fprintf(tty, "Master password: ");
	fflush(tty);
	/* Turn terminal echo off while the password is typed. */
	tcgetattr(fileno(tty), &originalt);
	memcpy(&t, &originalt, sizeof(struct termios));
	t.c_lflag = t.c_lflag & (~ECHO);
	tcsetattr(fileno(tty), TCSANOW, &t);
	if (fgets(buf, 100, tty) == NULL) {
		if (ferror(tty)) {
			fprintf(stderr, "Could not read key: %s.",
			    strerror(errno));
		} else {
			fprintf(stderr, "Could not read key.");
		}
		/* Restore echo before giving up. */
		tcsetattr(fileno(tty), TCSANOW, &originalt);
		return -1;
	}
	tcsetattr(fileno(tty), TCSANOW, &originalt);
	putc('\n', tty);
	fclose(tty);
	s = buf;
	mpass = strsep(&s, "\n");

	/* Generate the SHA512 of the master password. This is the HMAC
	   key. The context is heap-allocated so this also builds where
	   EVP_MD_CTX is an opaque type. */
	ctx = EVP_MD_CTX_create();
	if (ctx == NULL) {
		fprintf(stderr, "Could not hash key.");
		return -1;
	}
	EVP_DigestInit_ex(ctx, EVP_sha512(), NULL);
	EVP_DigestUpdate(ctx, mpass, strlen(mpass));
	key_len = 64;
	EVP_DigestFinal_ex(ctx, key, &key_len);
	EVP_MD_CTX_destroy(ctx);

	/* Read password parameters and calculate password. */
	malformed = hash_error = 0;
	while (fgets(buf, 100, stdin) != NULL) {
		/* Split the input string. */
		s = buf;
		site = strsep(&s, " ");
		if (s == NULL) {
			malformed = 1;
			break;
		}
		s = s + strspn(s, " ");
		account = strsep(&s, " ");
		if (s == NULL) {
			malformed = 1;
			break;
		}
		s = s + strspn(s, " ");
		date = strsep(&s, " \n");
		if (site == NULL || account == NULL || date == NULL) {
			malformed = 1;
			break;
		}
		printf("%s %s %s ", site, account, date);
		/* Perform HMAC-SHA512 on account+site+date. */
		size = snprintf(buf2, 100, "%s%s%s", account, site, date);
		digest_len = 64;
		if (HMAC(EVP_sha512(), key, key_len, (unsigned char *)buf2,
		    size, digest, &digest_len) == NULL) {
			hash_error = 1;
			break;
		}
		/* Calculate the password.
		   Modified base 64 is the same as base 64 except + is
		   $ and / is @ */
		for (i = 0; i < 12; i+=3) {
			putchar(base64[(digest[i]>>2)&0x3f]);
			putchar(base64[(digest[i]&0x3)<<4 |
			    ((digest[i+1]>>4)&0xf)]);
			putchar(base64[(digest[i+1]&0xf)<<2 |
			    ((digest[i+2]>>6)&0x3)]);
			/* The archived message is cut off at this point. The
			   rest is a minimal completion and an assumption, not
			   the author's text: the fourth character of each
			   base 64 group, a newline per entry, and reporting
			   of the two error flags set above. */
			putchar(base64[digest[i+2]&0x3f]);
		}
		putchar('\n');
	}
	if (malformed)
		fprintf(stderr, "Malformed input line.");
	if (hash_error)
		fprintf(stderr, "HMAC failed.");
	return (malformed || hash_error) ? -1 : 0;
}


Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Andres Perera
On Thu, Dec 5, 2013 at 8:57 AM, Christian Weisgerber <na...@mips.inka.de> wrote:
> Zé Loff <zel...@zeloff.org> wrote:
>
>> Not sure how advisable this is, but I'm using a gpg encrypted file,
>> which I keep somewhere hidden (just because). Just put them in file
>> foo and do 'gpg -e foo' (assuming you've already set up gpg). When you
>> need to look something up just do 'gpg -d foo' and the file gets
>> decrypted to stdout.
>
> *takes a deep breath*
>
> ~/bin/pwsafe
> ---
> #!/bin/sh
>
> SAFE=$HOME/.pwsafe
> TMPFILE=`mktemp /tmp/pwsafeXXXXXXXXXX` || exit 1
>
> trap 'rm -P $TMPFILE' 0 1 2 15
>
> STTY=`stty -g`
> echo -n "Password: "
> stty -echo
> read PASSWORD
> stty $STTY
>
> set -e
> echo -n "$PASSWORD" | openssl aes-256-cbc -d -in $SAFE -out $TMPFILE -pass stdin

this is tricky. some people will read and say ok i'll switch echo for
printf and get on w/my life

printf not being a builtin, will show up in ps(1), and so will $PASSWORD

not apparent from the simple syntax used that such a change could end
up leaking important things

it's better to use heredoc:

openssl aes-256-cbc -d -in $SAFE -out $TMPFILE -pass stdin <<!
$PASSWORD
!

> ${EDITOR-${VISUAL-vi}} $TMPFILE
> echo -n "$PASSWORD" | openssl aes-256-cbc -in $TMPFILE -out $SAFE -pass stdin
> ---
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Andres Perera
but then if the shell implementation uses tmpfiles for heredoc, and
doesn't do the equivalent of rm -P, you have another leak you thought
was taken care of

conclusion: shell is not good for this

even if it keeps heredocs in memory you have no idea if it zeros it
out afterwards




Re: uvm_wait_pla() infinite loop

2013-12-05 Thread Philip Guenther
On Wed, Dec 4, 2013 at 11:44 PM, Peter J. Philipp <p...@centroid.eu> wrote:
> My brand new sparkling OpenBSD VPS is currently in crisis.
> Unfortunately there is no reset function to it and I forgot to set the
> break to ddb function.  The vps admin staff is probably already asleep
> so I'll have to wait a few hours.  On console it says repeatedly:
>
> pagedaemon: wait_pla deadlock detected!
>
> I have tracked it down to this function in uvm/uvm_pmemrange.c
...
> Now while the opportunist in me says we should really panic here
> instead of having a DEBUG kernel, the realist in me says to hold on and
> think of others.
>
> The question for me then is is the wait_pla pagedaemon deadlock
> situation recoverable, or is this really a bug?

It's a bug.  The situation should be permitted to get into that state
but obviously it has gotten then.  A backtrace and show uvmexp from
ddb would probably help.


Philip Guenther



Re: Are there any default password managers in OpenBSD?

2013-12-05 Thread Andres Perera
On Fri, Dec 6, 2013 at 1:58 AM, Jan Stary <h...@stare.cz> wrote:
> On Dec 05 19:09:05, andre...@zoho.com wrote:
>> but then if the shell implementation uses tmpfiles for heredoc,
>
> does it?

ksh does:

    ~ $ :<<! &
    > $(sleep 100)
    > !
    [1] 469
    ~ $ ls /tmp/sh*
    /tmp/shsWf2OXAO

src/bin/ksh/exec.c r1.50:

    /* Create temp file to hold content (done before newenv so temp
     * doesn't get removed too soon).
     */
    h = maketemp(ATEMP, TT_HEREDOC_EXP, &e->temps);


>> and
>> doesn't do the equivalent of rm -P, you have another leak you thought
>> was taken care of
>>
>> conclusion: shell is not good for this
>
> Yeah right.
> Who would even think of doing this in shell.

apparently at least one person did

you aren't in sync with the quantity of real world shells that use
temp files for heredoc, and who feature combinations of { printf
(not)? being a builtin, alternatives like ``print'' and ``echo'' are
unportable }



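Added example, not part of any message in this thread and not code from its posters: both leaks discussed above (the passphrase showing up in ps(1) once a non-builtin such as printf is used, and here-documents landing in temp files) are avoided when the parent hands the passphrase to the child over an anonymous pipe. The function name run_with_secret_on_fd3 and the sh stand-in child are assumptions for illustration; with openssl(1) the child's arguments would use -pass fd:3 in place of -pass stdin.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[] with `secret` readable on the child's fd 3. The secret only
 * travels through an anonymous pipe: never argv (visible in ps), the
 * environment, or a temp file. Returns the exit status, or -1 on error. */
int run_with_secret_on_fd3(char *const argv[], const char *secret, size_t len)
{
    int p[2], status;
    pid_t pid;
    ssize_t w;

    if (pipe(p) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    if (pid == 0) {                 /* child */
        close(p[1]);
        if (p[0] != 3 && (dup2(p[0], 3) == -1 || close(p[0]) == -1))
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    close(p[0]);
    signal(SIGPIPE, SIG_IGN);       /* child may exit without reading */
    w = write(p[1], secret, len);   /* a passphrase fits the pipe buffer */
    close(p[1]);                    /* reader sees EOF after the secret */
    if (waitpid(pid, &status, 0) == -1 || w != (ssize_t)len)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed passphrase and a stand-in child that reads fd 3. */
    char pass[] = "constructed-passphrase\n";
    char *const argv[] = { "sh", "-c",
        "IFS= read -r p <&3 && [ \"$p\" = constructed-passphrase ]", NULL };
    int rc = run_with_secret_on_fd3(argv, pass, strlen(pass));
    printf("child exit status: %d\n", rc);
    return rc;
}
```

The parent's own copy of the passphrase still sits in its memory afterwards; clearing it (explicit_bzero(3) on OpenBSD) is left to the caller.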


Re: uvm_wait_pla() infinite loop

2013-12-05 Thread Philip Guenther
On Thu, Dec 5, 2013 at 7:32 PM, I wrote:
> It's a bug.  The situation should be permitted to get into that state
> but obviously it has gotten then.

Hmm, I'd like to blame the incoherency of that on autocorrect and
mental shorthands, but I don't think that's legit.

The kernel should *not* let the uvm memory situation get into that
state, but obviously it has gotten there.


Philip Guenther